mgeeky-Penetration-Testing-.../clouds/azure/Azure Roles
2022-01-25 12:45:14 +01:00
..
Dump-AzureRoles.ps1 Added Azure Roles. 2022-01-25 12:45:14 +01:00
README.md Added Azure Roles. 2022-01-25 12:45:14 +01:00

Synopsis

First part of this gist contains list of Azure RBAC and Azure AD roles sorted by their names.

Second part contains full definitions of each role along with their permissions assigned.

Role Definitions

Azure RBAC Roles

# RoleName RoleDescription RoleId

| 1 | Experimentation Metric Contributor | Allows for creation, writes and reads to the metric set via the metrics service APIs. | 6188b7c9-7d01-4f99-a59f-c88b630326c0 | | 2 | Project Babylon Data Curator | The Microsoft.ProjectBabylon data curator can create, read, modify and delete catalog data objects and establish relationships between objects. This role is in preview and subject to change. | 9ef4ef9c-a049-46b0-82ab-dd8ac094c889 | | 3 | Storage Account Backup Contributor Role | Storage Account Backup Contributors are allowed to perform backup and restore of Storage Account. | e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1 | | 4 | Reservation Purchaser | Lets you purchase reservations | f7b75c60-3036-4b75-91c3-6b41c27c1689 | | 5 | AzureML Metrics Writer (preview) | Lets you write metrics to AzureML workspace | 635dd51f-9968-44d3-b7fb-6d9a6bd613ae | | 6 | Purview role 3 (Deprecated) | Deprecated role. | ff100721-1b9d-43d8-af52-42b69c1272db | | 7 | Purview role 2 (Deprecated) | Deprecated role. | 200bba9e-f0c8-430f-892b-6f0794863803 | | 8 | Purview role 1 (Deprecated) | Deprecated role. | 8a3c2885-9b38-4fd2-9d99-91af537c1347 | | 9 | Project Babylon Data Reader | The Microsoft.ProjectBabylon data reader can read catalog data objects. This role is in preview and subject to change. | c8d896ba-346d-4f50-bc1d-7d1c84130446 | | 10 | Project Babylon Data Source Administrator | The Microsoft.ProjectBabylon data source administrator can manage data sources and data scans. This role is in preview and subject to change. | 05b7651b-dc44-475e-b74d-df3db49fae0f | | 11 | AgFood Platform Service Reader | Provides read access to AgFood Platform Service | 7ec7ccdc-f61e-41fe-9aaf-980df0a44eba | | 12 | AgFood Platform Service Contributor | Provides contribute access to AgFood Platform Service | 8508508a-4469-4e45-963b-2518ee0bb728 | | 13 | Schema Registry Contributor (Preview) | Read, write, and delete Schema Registry groups and schemas. | 5dffeca3-4936-4216-b2bc-10343a5abb25 | | 14 | Cognitive Services Metrics Advisor User | Access to the project. | 3b20f47b-3825-43cb-8114-4bd2201156a8 | | 15 | Schema Registry Reader (Preview) | Read and list Schema Registry groups and schemas. | 2c56ea50-c6b3-40a6-83c0-9d98858bc7d2 | | 16 | SignalR REST API Reader | Read-only access to Azure SignalR Service REST APIs | ddde6b66-c0df-4114-a159-3618637b3035 | | 17 | SignalR Service Owner | Full access to Azure SignalR Service REST APIs | 7e4f1700-ea5a-4f59-8f37-079cfe29dce3 | | 18 | Security Detonation Chamber Submitter | Allowed to create submissions to Security Detonation Chamber | 0b555d9b-b4a7-4f43-b330-627f0e5be8f0 | | 19 | AgFood Platform Service Admin | Provides admin access to AgFood Platform Service | f8da80de-1ff9-4747-ad80-a19b7f6079e3 | | 20 | Managed HSM contributor | Lets you manage managed HSM pools, but not access to them. | 18500a29-7fe2-46b2-a342-b16a415e101d | | 21 | Autonomous Development Platform Data Reader (Preview) | Grants read access to Autonomous Development Platform data. | d63b75f7-47ea-4f27-92ac-e0d173aaf093 | | 22 | Autonomous Development Platform Data Owner (Preview) | Grants full access to Autonomous Development Platform data. | 27f8b550-c507-4db9-86f2-f4b8e816d59d | | 23 | Autonomous Development Platform Data Contributor (Preview) | Grants permissions to upload and manage new Autonomous Development Platform measurements. | b8b15564-4fa6-4a59-ab12-03e1d9594795 | | 24 | Desktop Virtualization Workspace Reader | Reader of the Desktop Virtualization Workspace. | 0fa44ee9-7a7d-466b-9bb2-2bf446b1204d | | 25 | Disk Backup Reader | Provides permission to backup vault to perform disk backup. | 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 | | 26 | Security Detonation Chamber Submission Manager | Allowed to create and manage submissions to Security Detonation Chamber | a37b566d-3efa-4beb-a2f2-698963fa42ce | | 27 | Security Detonation Chamber Publisher | Allowed to publish and modify platforms, workflows and toolsets to Security Detonation Chamber | 352470b3-6a9c-4686-b503-35deb827e500 | | 28 | Microsoft.Kubernetes connected cluster role | Microsoft.Kubernetes connected cluster role. | 5548b2cf-c94c-4228-90ba-30851930a12f | | 29 | Disk Restore Operator | Provides permission to backup vault to perform disk restore. | b50d9833-a0cb-478e-945f-707fcc997c13 | | 30 | Disk Snapshot Contributor | Provides permission to backup vault to manage disk snapshots. | 7efff54f-a5b4-42b5-a1c5-5411624893ce | | 31 | Desktop Virtualization Workspace Contributor | Contributor of the Desktop Virtualization Workspace. | 21efdde3-836f-432b-bf3d-3e8e734d4b2b | | 32 | Desktop Virtualization User Session Operator | Operator of the Desktop Virtualization Uesr Session. | ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6 | | 33 | Desktop Virtualization Contributor | Contributor of Desktop Virtualization. | 082f0a83-3be5-4ba1-904c-961cca79b387 | | 34 | Application Group Contributor | Contributor of the Application Group. | ca6382a4-1721-4bcf-a114-ff0c70227b6b | | 35 | Desktop Virtualization Reader | Reader of Desktop Virtualization. | 49a72310-ab8d-41df-bbb0-79b649203868 | | 36 | Desktop Virtualization Application Group Reader | Reader of the Desktop Virtualization Application Group. | aebf23d0-b568-4e86-b8f9-fe83a2c6ab55 | | 37 | Desktop Virtualization Application Group Contributor | Contributor of the Desktop Virtualization Application Group. | 86240b0e-9422-4c43-887b-b61143f32ba8 | | 38 | Desktop Virtualization Host Pool Contributor | Contributor of the Desktop Virtualization Host Pool. | e307426c-f9b6-4e81-87de-d99efb3c32bc | | 39 | Desktop Virtualization Session Host Operator | Operator of the Desktop Virtualization Session Host. | 2ad6aaab-ead9-4eaa-8ac5-da422f562408 | | 40 | Desktop Virtualization Host Pool Reader | Reader of the Desktop Virtualization Host Pool. | ceadfde2-b300-400a-ab7b-6143895aa822 | | 41 | Key Vault Crypto User | Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. | 12338af0-0e69-4776-bea7-57ae8d297424 | | 42 | Key Vault Secrets Officer | Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | b86a8fe4-44ce-4948-aee5-eccb2c155cd7 | | 43 | Key Vault Crypto Officer | Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | 14b46e9e-c2b7-41b4-b07b-48a6ebf60603 | | 44 | Cognitive Services Custom Vision Trainer | View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project. | 0a5ae4ab-0d65-4eeb-be61-29fc9b54394b | | 45 | Key Vault Administrator | Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. | 00482a5a-887f-4fb3-b363-3b7fe8e74483 | | 46 | Key Vault Crypto Service Encryption User | Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. | e147488a-f6f5-4113-8e2d-b22465e65bf6 | | 47 | Azure Arc Kubernetes Viewer | Lets you view all resources in cluster/namespace, except secrets. | 63f0a09d-1495-4db4-a681-037d84835eb4 | | 48 | Key Vault Reader | Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. | 21090545-7ca7-4776-b22c-e363652d74d2 | | 49 | Key Vault Secrets User | Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | 4633458b-17de-408a-b874-0445c86b69e6 | | 50 | Key Vault Certificates Officer | Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | a4417e6f-fecd-4de8-b567-7b0420556985 | | 51 | Experimentation Reader | Experimentation Reader | 49632ef5-d9ac-41f4-b8e7-bbe587fa74a1 | | 52 | Object Understanding Account Owner | Provides user with ingestion capabilities for Azure Object Understanding. | 4dd61c23-6743-42fe-a388-d8bdd41cb745 | | 53 | FHIR Data Writer | Role allows user or principal to read and write FHIR Data | 3f88fce4-5892-4214-ae73-ba5294559913 | | 54 | FHIR Data Exporter | Role allows user or principal to read and export FHIR Data | 3db33094-8700-4567-8da5-1501d4e7e843 | | 55 | FHIR Data Reader | Role allows user or principal to read FHIR Data | 4c8d0bbc-75d3-4935-991f-5f3c56d81508 | | 56 | Cognitive Services Custom Vision Labeler | View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags. | 88424f51-ebe7-446f-bc41-7fa16989e96c | | 57 | Cognitive Services Custom Vision Reader | Read-only actions in the project. Readers can't create or update the project. | 93586559-c37d-4a6b-ba08-b9f0940c2d73 | | 58 | Cognitive Services Custom Vision Deployment | Publish, unpublish or export models. Deployment can view the project but can't update. | 5c4089e1-6d96-4d2f-b296-c1bc7137275f | | 59 | Azure Maps Data Contributor | Grants access to read, write, and delete access to map related data from an Azure maps account. | 8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204 | | 60 | Cognitive Services Custom Vision Contributor | Full access to the project, including the ability to view, create, edit, or delete projects. | c1ff6cc2-c111-46fe-8896-e0ef812ad9f3 | | 61 | Device Update Reader | Gives you read access to management and content operations, but does not allow making changes | e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f | | 62 | Device Update Administrator | Gives you full access to management and content operations | 02ca0879-e8e4-47a5-a61e-5c618b76e64a | | 63 | Collaborative Data Contributor | Can manage data packages of a collaborative. | daa9e50b-21df-454c-94a6-a8050adab352 | | 64 | SignalR App Server | Lets your app server access SignalR Service with AAD auth options. | 420fcaa2-552c-430f-98ca-3264be4806c7 | | 65 | SignalR REST API Owner | Full access to Azure SignalR Service REST APIs | fd53cd77-2268-407a-8f46-7e7863d0f521 | | 66 | Device Update Content Reader | Gives you read access to content operations, but does not allow making changes | d1ee9a80-8b14-47f0-bdc2-f4a351625a7b | | 67 | Cognitive Services Metrics Advisor Administrator | Full access to the project, including the system level configuration. | cb43c632-a144-4ec5-977c-e80c4affc34a | | 68 | Device Update Deployments Reader | Gives you read access to management operations, but does not allow making changes | 49e2f5d2-7741-4835-8efa-19e1fe35e47f | | 69 | Device Update Content Administrator | Gives you full access to content operations | 0378884a-3af5-44ab-8323-f5b22f9f3c98 | | 70 | Device Update Deployments Administrator | Gives you full access to management operations | e4237640-0e3d-4a46-8fda-70bc94856432 | | 71 | Azure Kubernetes Service RBAC Cluster Admin | Lets you manage all resources in the cluster. | b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b | | 72 | Azure Kubernetes Service RBAC Admin | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. | 3498e952-d568-435e-9b2c-8d77e338d7f7 | | 73 | Azure Arc Kubernetes Admin | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. | dffb1e0c-446f-4dde-a09f-99eb5cc68b96 | | 74 | Azure Arc Kubernetes Writer | Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings. | 5b999177-9696-4545-85c7-50de3797e5a1 | | 75 | Azure Arc Kubernetes Cluster Admin | Lets you manage all resources in the cluster. | 8393591c-06b9-48a2-a542-1bd6b377f6a2 | | 76 | Object Understanding Account Reader | Lets you read ingestion jobs for an object understanding account. | d18777c0-1514-4662-8490-608db7d334b6 | | 77 | Azure Arc Enabled Kubernetes Cluster User Role | List cluster user credentials action. | 00493d72-78f6-4148-b6c5-d3ce8e4799dd | | 78 | Services Hub Operator | Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors. | 82200a5b-e217-47a5-b665-6d8765ee745b | | 79 | Azure Kubernetes Service RBAC Reader | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. | 7f6c6a51-bcf8-42ba-9220-52d62157d7db | | 80 | Azure Kubernetes Service RBAC Writer | Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. | a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb | | 81 | Azure VM Managed identities restore Contributor | Azure VM Managed identities restore Contributors are allowed to perform Azure VM Restores with managed identities both user and system | 6ae96244-5829-4925-a7d3-5975537d91dd | | 82 | Azure Maps Search and Render Data Reader | Grants access to very limited set of data APIs for common visual web SDK scenarios. Specifically, render and search data APIs. | 6be48352-4f82-47c9-ad5e-0acacefdb005 | | 83 | Azure Spring Cloud Config Server Contributor | Allow read, write and delete access to Azure Spring Cloud Config Server | a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b | | 84 | Azure Spring Cloud Service Registry Contributor | Allow read, write and delete access to Azure Spring Cloud Service Registry | f5880b48-c26d-48be-b172-7927bfa1c8f1 | | 85 | Azure Spring Cloud Config Server Reader | Allow read access to Azure Spring Cloud Config Server | d04c6db6-4947-4782-9e91-30a88feb7be7 | | 86 | Azure Arc VMware Administrator role | Arc VMware VM Contributor has permissions to perform all connected VMwarevSphere actions. | ddc140ed-e463-4246-9145-7c664192013f | | 87 | Azure Arc VMware Private Clouds Onboarding | Azure Arc VMware Private Clouds Onboarding role has permissions to provision all the required resources for onboard and deboard vCenter instances to Azure. | 67d33e57-3129-45e6-bb0b-7cc522f762fa | | 88 | Azure Arc VMware Private Cloud User | Azure Arc VMware Private Cloud User has permissions to use the VMware cloud resources to deploy VMs. | ce551c02-7c42-47e0-9deb-e3b6fc3a9a83 | | 89 | Azure Maps Contributor | Grants access all Azure Maps resource management. | dba33070-676a-4fb0-87fa-064dc56ff7fb | | 90 | Azure Arc VMware VM Contributor | Arc VMware VM Contributor has permissions to perform all VM actions. | b748a06d-6150-4f8a-aaa9-ce3940cd96cb | | 91 | Grafana Editor | Built-in Grafana Editor role | a79a5197-3a5c-4973-a920-486035ffd60f | | 92 | Automation Contributor | Manage azure automation resources and other resources using azure automation. | f353d9bd-d4a6-484e-a77a-8050b599b867 | | 93 | Grafana Viewer | Built-in Grafana Viewer role | 60921a7e-fef1-4a43-9b16-a26c52ad4769 | | 94 | Azure Relay Owner | Allows for full access to Azure Relay resources. | 2787bf04-f1f5-4bfe-8383-c8a24483ee38 | | 95 | Azure Relay Listener | Allows for listen access to Azure Relay resources. | 26e0b698-aa6d-4085-9386-aadae190014d | | 96 | CodeSigning Certificate Profile Signer | Sign files with a certificate profile. This role is in preview and subject to change. | 2837e146-70d7-4cfd-ad55-7efa6464f958 | | 97 | Azure Spring Cloud Service Registry Reader | Allow read access to Azure Spring Cloud Service Registry | cff1b556-2399-4e7e-856d-a8f754be7b65 | | 98 | Device Provisioning Service Data Contributor | Allows for full access to Device Provisioning Service data-plane operations. | dfce44e4-17b7-4bd1-a6d1-04996ec95633 | | 99 | Kubernetes Extension Contributor | Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations | 85cb6faf-e071-4c9b-8136-154b5a04f717 | | 100 | Device Provisioning Service Data Reader | Allows for full read access to Device Provisioning Service data-plane properties. | 10745317-c249-44a1-a5ce-3a4353c0bbd8 | | 101 | Lab Services Reader | The lab services reader role | 2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc | | 102 | Lab Assistant | The lab assistant role | ce40b423-cede-4313-a93f-9b28290b72e1 | | 103 | Lab Services Contributor | The lab services contributor role | f69b8690-cc87-41d6-b77a-a4bc3c0a966f | | 104 | Load Test Reader | View and list all load tests and load test resources but can not make any changes | 3ae3fb29-0000-4ccd-bf80-542e7b26e081 | | 105 | Cognitive Services Immersive Reader User | Provides access to create Immersive Reader sessions and call APIs | b2de6794-95db-4659-8781-7e080d3f2b9d | | 106 | Chamber Admin | Lets you manage everything under your HPC Workbench chamber. | 4e9b8407-af2e-495b-ae54-bb60a55b1b5a | | 107 | Guest Configuration Resource Contributor | Grants access to read or write to Guest Configuration resources. | 088ab73d-1256-47ae-bea9-9de8e7131f31 | | 108 | Chamber User | Lets you view everything under your HPC Workbench chamber, but not make any changes. | 4447db05-44ed-4da3-ae60-6cbece780e32 | | 109 | Lab Operator | The lab operator role | a36e6959-b6be-4b12-8e9f-ef4b474d304d | | 110 | Lab Contributor | The lab contributor role | 5daaa2af-1fe8-407c-9122-bba179798270 | | 111 | Cognitive Services Language Owner | Has access to all Read, Test, Write, Deploy and Delete functions under Language portal | f07febfe-79bc-46b1-8b37-790e26e6e498 | | 112 | Cognitive Services LUIS Reader | Has access to Read and Test functions under LUIS. | 18e81cdc-4e98-4e29-a639-e7d10c5a6226 | | 113 | Cognitive Services Language Writer | _ Has access to all Read, Test, and Write functions under Language Portal_ | f2310ca1-dc64-4889-bb49-c8e0fa3d47a8 | | 114 | Cognitive Services LUIS Owner | _ Has access to all Read, Test, Write, Deploy and Delete functions under LUIS_ | f72c8140-2111-481c-87ff-72b910f6e3f8 | | 115 | Cognitive Services Language Reader | Has access to Read and Test functions under Language portal | 7628b7b8-a8b2-4cdc-b46f-e9b35248918e | | 116 | Load Test Owner | Execute all operations on load test resources and load tests | 45bb0b16-2f0c-4e78-afaa-a07599b003f6 | | 117 | PlayFab Contributor | Provides contributor access to PlayFab resources | 0c8b84dc-067c-4039-9615-fa1a4b77c726 | | 118 | Load Test Contributor | View, create, update, delete and execute load tests. View and list load test resources but can not make any changes. | 749a398d-560b-491b-bb21-08924219302e | | 119 | Cognitive Services LUIS Writer | Has access to all Read, Test, and Write functions under LUIS | 6322a993-d5c9-4bed-b113-e49bbea25b27 | | 120 | PlayFab Reader | Provides read access to PlayFab resources | a9a19cc5-31f4-447c-901f-56c0bb18fcaf | | 121 | Cognitive Services Speech User | Access to the real-time speech recognition and batch transcription APIs, real-time speech synthesis and long audio APIs, as well as to read the data/test/model/endpoint for custom models, but can't create, delete or modify the data/test/model/endpoint for custom models. | f2dc8367-1007-4938-bd23-fe263f013447 | | 122 | Cognitive Services Speech Contributor | Full access to Speech projects, including read, write and delete all entities, for real-time speech recognition and batch transcription tasks, real-time speech synthesis and long audio tasks, custom speech and custom voice. | 0e75ca1e-0464-4b4d-8b93-68208a576181 | | 123 | Azure Spring Cloud Data Reader | Allow read access to Azure Spring Cloud Data | b5537268-8956-4941-a8f0-646150406f0c | | 124 | Web PubSub Service Owner (Preview) | Full access to Azure Web PubSub Service REST APIs | 12cf5a90-567b-43ae-8102-96cf46c7d9b4 | | 125 | Web PubSub Service Reader (Preview) | Read-only access to Azure Web PubSub Service REST APIs | bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf | | 126 | Media Services Media Operator | Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources. | e4395492-1534-4db2-bedf-88c14621589c | | 127 | Media Services Policy Administrator | Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets or Streaming resources. | c4bba371-dacd-4a26-b320-7250bca963ae | | 128 | Media Services Live Events Administrator | Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources. | 532bc159-b25e-42c0-969e-a1d439f60d77 | | 129 | Cognitive Services Face Recognizer | Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices. | 9894cab4-e18a-44aa-828b-cb588cd6f2d7 | | 130 | Media Services Account Administrator | Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources. | 054126f8-9a2b-4f1c-a9ad-eca461f08466 | | 131 | Microsoft Sentinel Automation Contributor | Microsoft Sentinel Automation Contributor | f4c81013-99ee-4d62-a7ee-b3f1f648599a | | 132 | Quota Request Operator | Read and create quota requests, get quota request status, and create support tickets. | 0e5f05e5-9ab9-446b-b98d-1e2157c94125 | | 133 | FHIR Data Converter | Role allows user or principal to convert data from legacy format to FHIR | a1705bd2-3a8f-45a5-8683-466fcfd5cc24 | | 134 | Collaborative Runtime Operator | Can manage resources created by AICS at runtime | 7a6f0e70-c033-4fb1-828c-08514e5f4102 | | 135 | CosmosRestoreOperator | Can perform restore action for Cosmos DB database account with continuous backup mode | 5432c526-bc82-444a-b7ba-57c5b0b5b34f | | 136 | Object Anchors Account Owner | Provides user with ingestion capabilities for an object anchors account. | ca0835dd-bacc-42dd-8ed2-ed5e7230d15b | | 137 | WorkloadBuilder Migration Agent Role | WorkloadBuilder Migration Agent Role. | d17ce0a2-0697-43bc-aac5-9113337ab61c | | 138 | Object Anchors Account Reader | Lets you read ingestion jobs for an object anchors account. | 4a167cdf-cb95-4554-9203-2347fe489bd9 | | 139 | EventGrid Contributor | Lets you manage EventGrid operations. | 1e241071-0855-49ea-94dc-649edcd759de | | 140 | Security Detonation Chamber Reader | Allowed to query submission info and files from Security Detonation Chamber | 28241645-39f8-410b-ad48-87863e2951d5 | | 141 | DICOM Data Owner | Full access to DICOM data. | 58a3b984-7adf-4c20-983a-32417c86fbc8 | | 142 | EventGrid Data Sender | Allows send access to event grid events. | d5a91429-5739-47e2-a06b-3470a27159e7 | | 143 | DICOM Data Reader | Read and search DICOM data. | e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a | | 144 | Storage Table Data Reader | Allows for read access to Azure Storage tables and entities | 76199698-9eea-4c19-bc75-cec21354c6b6 | | 145 | Storage Table Data Contributor | Allows for read, write and delete access to Azure Storage tables and entities | 0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3 | | 146 | Azure Connected SQL Server Onboarding | Microsoft.AzureArcData service role to access the resources of Microsoft.AzureArcData stored with RPSAAS. | e8113dce-c529-4d33-91fa-e9b972617508 | | 147 | Azure Relay Sender | Allows for send access to Azure Relay resources. | 26baccc8-eea7-41f1-98f4-1762cc7f685d | | 148 | Grafana Admin | Built-in Grafana admin role | 22926164-76b3-42b3-bc55-97df8dab3e41 | | 149 | Disk Pool Operator | Used by the StoragePool Resource Provider to manage Disks added to a Disk Pool. | 60fc6e62-5479-42d4-8bf4-67625fcc2840 | | 150 | AzureML Data Scientist | Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself. | f6c7c914-8db3-469d-8ca1-694a8f32e121 | | 151 | IoT Hub Data Reader | Allows for full read access to IoT Hub data-plane properties | b447c946-2db7-41ec-983d-d8bf3b1c77e3 | | 152 | IoT Hub Twin Contributor | Allows for read and write access to all IoT Hub device and module twins. | 494bdba2-168f-4f31-a0a1-191d2f7c028c | | 153 | AnyBuild Builder | Basic user role for AnyBuild. This role allows listing of agent information and execution of remote build capabilities. | a2138dac-4907-4679-a376-736901ed8ad8 | | 154 | Media Services Streaming Endpoints Administrator | Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources. | 99dba123-b5fe-44d5-874c-ced7199a5804 | | 155 | Stream Analytics Query Tester | Lets you perform query testing without creating a stream analytics job first | 1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf | | 156 | Search Index Data Reader | Grants read access to Azure Cognitive Search index data. | 1407120a-92aa-4202-b7e9-c0e197c71c8f | | 157 | Search Index Data Contributor | Grants full access to Azure Cognitive Search index data. | 8ebe5a00-799e-43f5-93ac-243d3dce84a7 | | 158 | Test Base Reader | Let you view and download packages and test results. | 15e0f5a1-3450-4248-8e25-e2afe88a9e85 | | 159 | IoT Hub Registry Contributor | Allows for full access to IoT Hub device registry. | 4ea46cd5-c1b2-4a8e-910b-273211f9ce47 | | 160 | IoT Hub Data Contributor | Allows for full access to IoT Hub data plane operations. | 4fc6c259-987e-4a07-842e-c321cc9d413f | | 161 | FHIR Data Contributor | Role allows user or principal full access to FHIR Data | 5a1fc7df-4bf1-4951-a576-89034ee01acd | | 162 | EventGrid EventSubscription Reader | Lets you read EventGrid event subscriptions. | 2414bbcf-6497-4faf-8c65-045460748405 | | 163 | Graph Owner | Create and manage all aspects of the Enterprise Graph - Ontology, Schema mapping, Conflation and Conversational AI and Ingestions | b60367af-1334-4454-b71e-769d9a4f83d9 | | 164 | EventGrid EventSubscription Contributor | Lets you manage EventGrid event subscription operations. | 428e0ff0-5e57-4d9c-a221-2c70d0e0a443 | | 165 | DocumentDB Account Contributor | Lets you manage DocumentDB accounts, but not access to them. | 5bd9cd88-fe45-4216-938b-f97437e15450 | | 166 | DNS Zone Contributor | Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. | befefa01-2a29-4197-83a8-272ff33ce314 | | 167 | Knowledge Consumer | Knowledge Read permission to consume Enterprise Graph Knowledge using entity search and graph query | ee361c5d-f7b5-4119-b4b6-892157c8f64c | | 168 | Lab Creator | Lets you create new labs under your Azure Lab Accounts. | b97fb8bc-a8b2-4522-a38b-dd33c7e65ead | | 169 | Key Vault Contributor | Lets you manage key vaults, but not access to them. | f25e0fa2-a7c8-4377-a976-54943a77a395 | | 170 | HDInsight Domain Services Contributor | Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package | 8d8d5a11-05d3-4bda-a417-a08778121c7c | | 171 | Intelligent Systems Account Contributor | Lets you manage Intelligent Systems accounts, but not access to them. | 03a6d094-3444-4b3d-88af-7477090a9e5e | | 172 | Cost Management Reader | Can view cost data and configuration (e.g. budgets, exports) | 72fafb9e-0641-4937-9268-a91bfd8191a3 | | 173 | Data Box Contributor | Lets you manage everything under Data Box Service except giving access to others. | add466c9-e687-43fc-8d98-dfcf8d720be5 | | 174 | Cost Management Contributor | Can view costs and manage cost configuration (e.g. budgets, exports) | 434105ed-43f6-45c7-a02f-909b2ba83430 | | 175 | Contributor | Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. | b24988ac-6180-42a0-ab88-20f7382dd24c | | 176 | Cosmos DB Account Reader Role | Can read Azure Cosmos DB Accounts data | fbdf93bf-df7d-467e-a4d2-9458aa1360c8 | | 177 | Data Lake Analytics Developer | Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. | 47b7735b-770e-4598-a7da-8b91488b4c88 | | 178 | DevTest Labs User | Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. | 76283e04-6283-4c54-8f91-bcf1374a3c64 | | 179 | Data Purger | Can purge analytics data | 150f5e0c-0603-4f03-8c7f-cf70034c4e90 | | 180 | Data Box Reader | Lets you manage Data Box Service except creating order or editing order details and giving access to others. | 028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027 | | 181 | Data Factory Contributor | Create and manage data factories, as well as child resources within them. | 673868aa-7521-48a0-acc6-0f60742d39f5 | | 182 | Monitoring Contributor | Can read all monitoring data and update monitoring settings. | 749f88d5-cbae-40b8-bcfc-e573ddc772fa | | 183 | New Relic APM Account Contributor | Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. | 5d28c62d-5b37-4476-8438-e587778df237 | | 184 | Network Contributor | Lets you manage networks, but not access to them. | 4d97b98b-1d4f-4787-a291-c67834d212e7 | | 185 | Monitoring Metrics Publisher | Enables publishing metrics against Azure resources | 3913510d-42f4-4e42-8a64-420c390055eb | | 186 | Monitoring Reader | Can read all monitoring data. | 43d0d8ad-25c7-4714-9337-8ba259a9fe05 | | 187 | Reader and Data Access | Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. | c12c1c16-33a1-487b-954d-41c89c60f349 | | 188 | Resource Policy Contributor | Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy. | 36243c78-bf99-498c-9df9-86d9f8d28608 | | 189 | Redis Cache Contributor | Lets you manage Redis caches, but not access to them. | e0f68234-74aa-48ed-b826-c38b57376e17 | | 190 | Owner | Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. | 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 | | 191 | Reader | View all resources, but does not allow you to make any changes. | acdd72a7-3385-48ef-bd42-f606fba81ae7 | | 192 | Logic App Contributor | Lets you manage logic app, but not access to them. | 87a39d53-fc1b-424a-814c-f7e04687dc9e | | 193 | Managed Application Operator Role | Lets you read and perform actions on Managed Application resources | c7393b34-138c-406f-901b-d8cf2b17e6ae | | 194 | Logic App Operator | Lets you read, enable and disable logic app. | 515c2055-d9d4-4321-b1b9-bd0c9a0f79fe | | 195 | Log Analytics Reader | Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. | 73c42c96-874c-492b-b04d-ab87d138a893 | | 196 | Log Analytics Contributor | Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources. | 92aaf0da-9dab-42b6-94a3-d43ce8d16293 | | 197 | Management Group Contributor | Management Group Contributor Role | 5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c | | 198 | Management Group Reader | Management Group Reader Role | ac63b705-f282-497d-ac71-919bf39d939d | | 199 | Managed Identity Contributor | Create, Read, Update, and Delete User Assigned Identity | e40ec5ca-96e0-45a2-b4ff-59039f2c2b59 | | 200 | Managed Applications Reader | Lets you read resources in a managed app and request JIT access. | b9331d33-8a36-4f8c-b097-4f54124fdb44 | | 201 | Managed Identity Operator | Read and Assign User Assigned Identity | f1a07417-d97a-45cb-824c-7a7467783830 | | 202 | Automation Runbook Operator | Read Runbook properties - to be able to create Jobs of the runbook. | 5fb5aef8-1081-4b8e-bb16-9d5d0385bab5 | | 203 | Automation Operator | Automation Operators are able to start, stop, suspend, and resume jobs | d3881f73-407a-4167-8283-e981cbba0404 | | 204 | Automation Job Operator | Create and Manage Jobs using Automation Runbooks. | 4fe576fe-1146-4730-92eb-48519fa6bf9f | | 205 | Application Insights Snapshot Debugger | Gives user permission to use Application Insights Snapshot Debugger features | 08954f03-6346-4c2e-81c0-ec3a5cfae23b | | 206 | Attestation Reader | Can read the attestation provider properties | fd1bd22b-8476-40bc-a0bc-69b95687b9f3 | | 207 | Azure Kubernetes Service Cluster User Role | List cluster user credential action. | 4abbcc35-e782-43d8-92c5-2d3f1bd2253f | | 208 | Azure Maps Data Reader | Grants access to read map related data from an Azure maps account. | 423170ca-a8f6-4b0f-8487-9e4eb8f49bfa | | 209 | Azure Kubernetes Service Cluster Admin Role | List cluster admin credential action. | 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8 | | 210 | Avere Contributor | Can create and manage an Avere vFXT cluster. | 4f8fab4f-1852-4a58-a46a-8eaf358af14a | | 211 | Avere Operator | Used by the Avere vFXT cluster to manage the cluster | c025889f-8102-4ebf-b32c-fc0c6f0c6bd9 | | 212 | AcrImageSigner | acr image signer | 6cef56e8-d556-48e5-a04f-b8e64114680f | | 213 | AcrDelete | acr delete | c2f4ef07-c644-48eb-af81-4b1b4947fb11 | | 214 | AcrPull | acr pull | 7f951dda-4ed3-4680-a7ca-43fe172d538d | | 215 | AcrPush | acr push | 8311e382-0749-4cb8-b61a-304f252e45ec | | 216 | API Management Service Contributor | Can manage service and the APIs | 312a565d-c81f-4fd8-895a-4e21e48d571c | | 217 | API Management Service Reader Role | Read-only access to service and APIs | 71522526-b88f-4d52-b57f-d31fc3546d0d | | 218 | Application Insights Component Contributor | Can manage Application Insights components | ae349356-3a1b-4a5e-921d-050484c6347e | | 219 | API Management Service Operator Role | Can manage service but not the APIs | e022efe7-f5ba-4159-bbe4-b44f577e9b61 | | 220 | AcrQuarantineReader | acr quarantine data reader | cdda3590-29a3-44f6-95f2-9f980659eb04 | | 221 | AcrQuarantineWriter | acr quarantine data writer | c8d4ff99-41c3-41a8-9f60-21dfdad59608 | | 222 | Classic Storage Account Key Operator Service Role | Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts | 985d6b00-f706-48f5-a6fe-d0ca12fb668d | | 223 | ClearDB MySQL DB Contributor | Lets you manage ClearDB MySQL databases, but not access to them. | 9106cda0-8a86-4e81-b686-29a22c54effe | | 224 | Classic Storage Account Contributor | Lets you manage classic storage accounts, but not access to them. | 86e8f5dc-a6e9-4c67-9d15-de283e8eac25 | | 225 | CDN Profile Reader | Can view CDN profiles and their endpoints, but can't make changes. | 8f96442b-4075-438f-813d-ad51ab4019af | | 226 | Classic Network Contributor | Lets you manage classic networks, but not access to them. | b34d265f-36f7-4a0d-a4d4-e158ca92e90f | | 227 | Cognitive Services Contributor | Lets you create, read, update, delete and manage keys of Cognitive Services. | 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68 | | 228 | CosmosBackupOperator | Can submit restore request for a Cosmos DB database or a container for an account | db7b14f2-5adf-42da-9f96-f2ee17bab5cb | | 229 | Cognitive Services Data Reader (Preview) | Lets you read Cognitive Services data. | b59867f0-fa02-499b-be73-45a86b5b3e1c | | 230 | Classic Virtual Machine Contributor | Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. | d73bb868-a0df-4d4d-bd69-98a00b01fccb | | 231 | Cognitive Services User | Lets you read and list keys of Cognitive Services. | a97b65f3-24c7-4388-baec-2e87135dc908 | | 232 | Backup Operator | Lets you manage backup services, except removal of backup, vault creation and giving access to others | 00c29273-979b-4161-815c-10b084fb9324 | | 233 | Backup Reader | Can view backup services, but can't make changes | a795c7a0-d4a2-40c1-ae25-d81f01202912 | | 234 | Billing Reader | Allows read access to billing data | fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64 | | 235 | Azure Stack Registration Owner | Lets you manage Azure Stack registrations. | 6f12a6df-dd06-4f3e-bcb1-ce8be600526a | | 236 | Backup Contributor | Lets you manage backup service,but can't create vaults and give access to others | 5e467623-bb1f-42f4-a55d-6e525e11384b | | 237 | CDN Endpoint Reader | Can view CDN endpoints, but can't make changes. | 871e35f6-b5c1-49cc-a043-bde969a0f2cd | | 238 | CDN Profile Contributor | Can manage CDN profiles and their endpoints, but can't grant access to other users. | ec156ff8-a8d1-4d15-830c-5b80698ca432 | | 239 | CDN Endpoint Contributor | Can manage CDN endpoints, but can't grant access to other users. | 426e0c7f-0c7e-4658-b36f-ff54d6c29b45 | | 240 | Blockchain Member Node Access (Preview) | Allows for access to Blockchain Member nodes | 31a002a1-acaf-453e-8a5b-297c9ca1ea24 | | 241 | BizTalk Contributor | Lets you manage BizTalk services, but not access to them. | 5e3c6656-6cfa-4708-81fe-0de47ac73342 | | 242 | Microsoft Sentinel Reader | Microsoft Sentinel Reader | 8d289c81-5878-46d4-8554-54e1e3d8b5cb | | 243 | Workbook Reader | Can read workbooks. | b279062a-9be3-42a0-92ae-8b3cf002ec4d | | 244 | Microsoft Sentinel Responder | Microsoft Sentinel Responder | 3e150937-b8fe-4cfb-8069-0eaf05ecd056 | | 245 | Blueprint Operator | Can assign existing published blueprints, but cannot create new blueprints. NOTE: this only works if the assignment is done with a user-assigned managed identity. | 437d2ced-4a38-4302-8479-ed2bcb43d090 | | 246 | Microsoft Sentinel Contributor | Microsoft Sentinel Contributor | ab8e14d6-4a74-4a29-9ba8-549422addade | | 247 | SignalR/Web PubSub Contributor | Create, Read, Update, and Delete SignalR service resources | 8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761 | | 248 | Azure Connected Machine Onboarding | Can onboard Azure Connected Machines. | b64e21ea-ac4e-4cdf-9dc9-5b892992bee7 | | 249 | SignalR AccessKey Reader | Read SignalR Service Access Keys | 04165923-9d83-45d5-8227-78b77b0a687e | | 250 | Workbook Contributor | Can save shared workbooks. | e8ddcd69-c73f-4f9f-9844-4100522f16ad | | 251 | Policy Insights Data Writer (Preview) | Allows read access to resource policies and write access to resource component policy events. | 66bb4e9e-b016-4a94-8249-4c0511c2be84 | | 252 | Storage File Data SMB Share Reader | Allows for read access to Azure File Share over SMB | aba4ae5f-2193-4029-9191-0cb91df5e314 | | 253 | Storage File Data SMB Share Contributor | Allows for read, write, and delete access in Azure Storage file shares over SMB | 0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb | | 254 | Azure Service Bus Data Sender | Allows for send access to Azure Service Bus resources. | 69a216fc-b8fb-44d8-bc22-1f3c2cd27a39 | | 255 | Azure Event Hubs Data Sender | Allows send access to Azure Event Hubs resources. | 2b629674-e913-4c01-ae53-ef4638d8f975 | | 256 | Azure Service Bus Data Receiver | Allows for receive access to Azure Service Bus resources. | 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0 | | 257 | Storage File Data SMB Share Elevated Contributor | Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB | a7264617-510b-434b-a828-9731dc254ea7 | | 258 | Blueprint Contributor | Can manage blueprint definitions, but not assign them. | 41077137-e803-4205-871c-5a86e6a753b4 | | 259 | Desktop Virtualization User | Allows user to use the applications in an application group. | 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63 | | 260 | Private DNS Zone Contributor | Lets you manage private DNS zone resources, but not the virtual networks they are linked to. | b12aa53e-6015-4669-85d0-8515ebb3ae7f | | 261 | Storage Blob Delegator | Allows for generation of a user delegation key which can be used to sign SAS tokens | db58b8e5-c6ad-4a2a-8342-4190687cbf4a | | 262 | Tag Contributor | Lets you manage tags on entities, without providing access to the entities themselves. | 4a9ae827-6dc8-4573-8ac7-8239d42aa03f | | 263 | Integration Service Environment Developer | Allows developers to create and update workflows, integration accounts and API connections in integration service environments. | c7aa55d3-1abb-444a-a5ca-5e51e485d6ec | | 264 | Security Assessment Contributor | Lets you push assessments to Security Center | 612c2aa1-cb24-443b-ac28-3ab7272de6f5 | | 265 | Remote Rendering Client | Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering. | d39065c4-c120-43c9-ab0a-63eed9795f0a | | 266 | Managed Application Contributor Role | Allows for creating managed application resources. | 641177b8-a67a-45b9-a033-47bc880bb21e | | 267 | Azure Digital Twins Data Owner | Full access role for Digital Twins data-plane | bcd981a7-7f74-457b-83e1-cceb9e632ffe | | 268 | Hierarchy Settings Administrator | Allows users to edit and delete Hierarchy Settings | 350f8d15-c687-4448-8ae1-157740a3936d | | 269 | Azure Digital Twins Data Reader | Read-only role for Digital Twins data-plane properties | d57506d4-4c8d-48b1-8587-93c323f6a5a3 | | 270 | Integration Service Environment Contributor | Lets you manage integration service environments, but not access to them. | a41e2c5b-bd99-4a07-88f4-9bf657a760b8 | | 271 | Azure Kubernetes Service Contributor Role | Grants access to read and write Azure Kubernetes Service clusters | ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8 | | 272 | App Configuration Data Reader | Allows read access to App Configuration data. | 516239f1-63e1-4d78-a4de-a74fb236a071 | | 273 | Kubernetes Cluster - Azure Arc Onboarding | Role definition to authorize any user/service to create connectedClusters resource | 34e09817-6cbe-4d01-b1a2-e0eac5743d41 | | 274 | App Configuration Data Owner | Allows full access to App Configuration data. | 5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b | | 275 | Azure Connected Machine Resource Administrator | Can read, write, delete and re-onboard Azure Connected Machines. | cd570a14-e51a-42ad-bac8-bafd67325302 | | 276 | Managed Services Registration assignment Delete Role | Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant. | 91c1777a-f3dc-4fae-b103-61d183457e46 | | 277 | Experimentation Administrator | Experimentation Administrator | 7f646f1b-fa08-80eb-a33b-edd6ce5c915c | | 278 | Remote Rendering Administrator | Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering | 3df8b902-2a6f-47c7-8cc5-360e9b272a7e | | 279 | Cognitive Services QnA Maker Editor | Let's you create, edit, import and export a KB. You cannot publish or delete a KB. | f4cc2bf9-21be-47a1-bdf1-5c5804381025 | | 280 | Experimentation Contributor | Experimentation Contributor | 7f646f1b-fa08-80eb-a22b-edd6ce5c915c | | 281 | Cognitive Services QnA Maker Reader | Let's you read and test a KB only. | 466ccd10-b268-4a11-b098-b4849f024126 | | 282 | SQL Security Manager | Lets you manage the security-related policies of SQL servers and databases, but not access to them. | 056cd41c-7e88-42e1-933e-88ba6a50c9c3 | | 283 | Storage Account Contributor | Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data. | 17d1049b-9a84-46fb-8f53-869881c3d3ab | | 284 | SQL DB Contributor | Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. | 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec | | 285 | Spatial Anchors Account Owner | Lets you manage spatial anchors in your account, including deleting them | 70bbe301-9835-447d-afdd-19eb3167307c | | 286 | SQL Managed Instance Contributor | Lets you manage SQL Managed Instances and required network configuration, but can't give access to others. | 4939a1f6-9ae0-4e48-a1e0-f2cbe897382d | | 287 | Storage Blob Data Owner | Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control. | b7e6dc6d-f1e8-4753-8033-0f276bb0955b | | 288 | Storage Blob Data Reader | Allows for read access to Azure Storage blob containers and data | 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1 | | 289 | Storage Blob Data Contributor | Allows for read, write and delete access to Azure Storage blob containers and data | ba92f5b4-2d11-453d-a403-e96b0029c9fe | | 290 | SQL Server Contributor | Lets you manage SQL servers and databases, but not access to them, and not their security -related policies. | 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437 | | 291 | Storage Account Key Operator Service Role | Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts | 81a9662b-bebf-436f-a333-f67b29880f12 | | 292 | Security Manager (Legacy) | This is a legacy role. Please use Security Administrator instead | e3d13bf0-dd5a-482e-ba6b-9b8433878d10 | | 293 | Security Reader | Security Reader Role | 39bc4728-0917-49c7-9d2c-d95423bc2eb4 | | 294 | Security Admin | Security Admin Role | fb1c8493-542b-48eb-b624-b4c8fea62acd | | 295 | Scheduler Job Collections Contributor | Lets you manage Scheduler job collections, but not access to them. | 188a0f2f-5c9e-469b-ae67-2aa5ce574b94 | | 296 | Search Service Contributor | Lets you manage Search services, but not access to them. | 7ca78c08-252a-4471-8644-bb5ff32d4ba0 | | 297 | Spatial Anchors Account Reader | Lets you locate and read properties of spatial anchors in your account | 5d51204f-eb77-4b1c-b86a-2ec626c49413 | | 298 | Site Recovery Reader | Lets you view Site Recovery status but not perform other management operations | dbaa88c4-0c30-4179-9fb3-46319faa6149 | | 299 | Site Recovery Operator | Lets you failover and failback but not perform other Site Recovery management operations | 494ae006-db33-4328-bf46-533a6560a3ca | | 300 | Spatial Anchors Account Contributor | Lets you manage spatial anchors in your account, but not delete them | 8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827 | | 301 | Site Recovery Contributor | Lets you manage Site Recovery service except vault creation and role assignment | 6670b86e-a3f7-4917-ac9b-5d6ab1be4567 | | 302 | Azure Event Hubs Data Owner | Allows for full access to Azure Event Hubs resources. | f526a384-b230-433a-b45c-95f59c4a2dec | | 303 | Attestation Contributor | Can read write or delete the attestation provider instance | bbf86eb8-f7b4-4cce-96e4-18cddf81d86e | | 304 | Azure Service Bus Data Owner | Allows for full access to Azure Service Bus resources. | 090c5cfd-751d-490a-894a-3ce6f1109419 | | 305 | Web Plan Contributor | Lets you manage the web plans for websites, but not access to them. | 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b | | 306 | Website Contributor | Lets you manage websites (not web plans), but not access to them. | de139f84-1756-47ae-9be6-808fbbe84772 | | 307 | Hybrid Server Onboarding | Can onboard new Hybrid servers to the Hybrid Resource Provider. | 5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb | | 308 | Azure Event Hubs Data Receiver | Allows receive access to Azure Event Hubs resources. | a638d3c7-ab3a-418d-83e6-5f17a39d4fde | | 309 | Hybrid Server Resource Administrator | Can read, write, delete, and re-onboard Hybrid servers to the Hybrid Resource Provider. | 48b40c6e-82e0-4eb3-90d5-19e40f49b624 | | 310 | HDInsight Cluster Operator | Lets you read and modify HDInsight cluster configurations. | 61ed4efc-fab3-44fd-b111-e24485cc132a | | 311 | Cosmos DB Operator | Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. | 230815da-be43-4aae-9cb4-875f7bd000aa | | 312 | Storage Queue Data Reader | Allows for read access to Azure Storage queues and queue messages | 19e7f393-937e-4f77-808e-94535e297925 | | 313 | Support Request Contributor | Lets you create and manage Support requests | cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e | | 314 | Storage Queue Data Message Sender | Allows for sending of Azure Storage queue messages | c6a89b2d-59bc-44d0-9896-0f6e12d7b80a | | 315 | Storage Queue Data Contributor | Allows for read, write, and delete access to Azure Storage queues and queue messages | 974c5e8b-45b9-4653-ba55-5f855dd0fb88 | | 316 | Storage Queue Data Message Processor | Allows for peek, receive, and delete access to Azure Storage queue messages | 8a0f0c08-91a1-4084-bc3d-661d67233fed | | 317 | Virtual Machine User Login | View Virtual Machines in the portal and login as a regular user. | fb879df8-f326-4884-b1cf-06f3ad86be52 | | 318 | Virtual Machine Contributor | Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to. | 9980e02c-c2be-4d73-94e8-173b1dc7cf3c | | 319 | User Access Administrator | Lets you manage user access to Azure resources. | 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 | | 320 | Traffic Manager Contributor | Lets you manage Traffic Manager profiles, but does not let you control who has access to them. | a4b10055-b0c7-44c2-b00f-c7b5b3550cf7 | | 321 | Virtual Machine Administrator Login | View Virtual Machines in the portal and login as administrator | 1c0163c0-47e6-4577-8991-ea5c82e286e4 |


Azure AD Roles

# RoleName RoleDescription RoleId
1 Application Administrator Can create and manage all aspects of app registrations and enterprise apps. 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3
2 Application Developer Can create application registrations independent of the 'Users can register applications' setting. cf1c38e5-3621-4004-a7cb-879624dced7c
3 Attack Payload Author Can create attack payloads that an administrator can initiate later. 9c6df0f2-1e7c-4dc3-b195-66dfbd24aa8f
4 Attack Simulation Administrator Can create and manage all aspects of attack simulation campaigns. c430b396-e693-46cc-96f3-db01bf8bb62a
5 Attribute Assignment Administrator Assign custom security attribute keys and values to supported Azure AD objects. 58a13ea3-c632-46ae-9ee0-9c0d43cd7f3d
6 Attribute Assignment Reader Read custom security attribute keys and values for supported Azure AD objects. ffd52fa5-98dc-465c-991d-fc073eb59f8f
7 Attribute Definition Administrator Define and manage the definition of custom security attributes. 8424c6f0-a189-499e-bbd0-26c1753c96d4
8 Attribute Definition Reader Read the definition of custom security attributes. 1d336d2c-4ae8-42ef-9711-b3604ce3fc2c
9 Authentication Administrator Allowed to view, set and reset authentication method information for any non-admin user. c4e39bd9-1100-46d3-8c65-fb160da0071f
10 Authentication Policy Administrator Can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials. 0526716b-113d-4c15-b2c8-68e3c22b9f80
11 Azure AD Joined Device Local Administrator Users assigned to this role are added to the local administrators group on Azure AD-joined devices. 9f06204d-73c1-4d4c-880a-6edb90606fd8
12 Azure DevOps Administrator Can manage Azure DevOps organization policy and settings. e3973bdf-4987-49ae-837a-ba8e231c7286
13 Azure Information Protection Administrator Can manage all aspects of the Azure Information Protection product. 7495fdc4-34c4-4d15-a289-98788ce399fd
14 B2C IEF Keyset Administrator Can manage secrets for federation and encryption in the Identity Experience Framework (IEF). aaf43236-0c0d-4d5f-883a-6955382ac081
15 B2C IEF Policy Administrator Can create and manage trust framework policies in the Identity Experience Framework (IEF). 3edaf663-341e-4475-9f94-5c398ef6c070
16 Billing Administrator Can perform common billing related tasks like updating payment information. b0f54661-2d74-4c50-afa3-1ec803f12efe
17 Cloud App Security Administrator Can manage all aspects of the Cloud App Security product. 892c5842-a9a6-463a-8041-72aa08ca3cf6
18 Cloud Application Administrator Can create and manage all aspects of app registrations and enterprise apps except App Proxy. 158c047a-c907-4556-b7ef-446551a6b5f7
19 Cloud Device Administrator Full access to manage devices in Azure AD. 7698a772-787b-4ac8-901f-60d6b08affd2
20 Compliance Administrator Can read and manage compliance configuration and reports in Azure AD and Microsoft 365. 17315797-102d-40b4-93e0-432062caca18
21 Compliance Data Administrator Creates and manages compliance content. e6d1a23a-da11-4be4-9570-befc86d067a7
22 Conditional Access Administrator Can manage Conditional Access capabilities. b1be1c3e-b65d-4f19-8427-f6fa0d97feb9
23 Customer LockBox Access Approver Can approve Microsoft support requests to access customer organizational data. 5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91
24 Desktop Analytics Administrator Can access and manage Desktop management tools and services. 38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4
25 Device Join Device Join 9c094953-4995-41c8-84c8-3ebb9b32c93f
26 Device Managers Deprecated - Do Not Use. 2b499bcd-da44-4968-8aec-78e1674fa64d
27 Device Users Device Users d405c6df-0af8-4e3b-95e4-4d06e542189e
28 Directory Readers Can read basic directory information. Commonly used to grant directory read access to applications and guests. 88d8e3e3-8f55-4a1e-953a-9b9898b8876b
29 Directory Synchronization Accounts Only used by Azure AD Connect service. d29b2b05-8046-44ba-8758-1e26182fcf32
30 Directory Writers Can read and write basic directory information. For granting access to applications, not intended for users. 9360feb5-f418-4baa-8175-e2a00bac4301
31 Domain Name Administrator Can manage domain names in cloud and on-premises. 8329153b-31d0-4727-b945-745eb3bc5f31
32 Dynamics 365 Administrator Can manage all aspects of the Dynamics 365 product. 44367163-eba1-44c3-98af-f5787879f96a
33 Edge Administrator Manage all aspects of Microsoft Edge. 3f1acade-1e04-4fbc-9b69-f0302cd84aef
34 Exchange Administrator Can manage all aspects of the Exchange product. 29232cdf-9323-42fd-ade2-1d097af3e4de
35 Exchange Recipient Administrator Can create or update Exchange Online recipients within the Exchange Online organization. 31392ffb-586c-42d1-9346-e59415a2cc4e
36 External ID User Flow Administrator Can create and manage all aspects of user flows. 6e591065-9bad-43ed-90f3-e9424366d2f0
37 External ID User Flow Attribute Administrator Can create and manage the attribute schema available to all user flows. 0f971eea-41eb-4569-a71e-57bb8a3eff1e
38 External Identity Provider Administrator Can configure identity providers for use in direct federation. be2f45a1-457d-42af-a067-6ec1fa63bc45
39 Global Administrator Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. 62e90394-69f5-4237-9190-012177145e10
40 Global Reader Can read everything that a Global Administrator can, but not update anything. f2ef992c-3afb-46b9-b7cf-a126ee74c451
41 Groups Administrator Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports. fdd7a751-b60b-444a-984c-02652fe8fa1c
42 Guest Inviter Can invite guest users independent of the 'members can invite guests' setting. 95e79109-95c0-4d8e-aee3-d01accf2d47b
43 Guest User Default role for guest users. Can read a limited set of directory information. 10dae51f-b6af-4016-8d66-8c2a99b929b3
44 Helpdesk Administrator Can reset passwords for non-administrators and Helpdesk Administrators. 729827e3-9c14-49f7-bb1b-9608f156bbb8
45 Hybrid Identity Administrator Can manage AD to Azure AD cloud provisioning, Azure AD Connect, and federation settings. 8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2
46 Identity Governance Administrator Manage access using Azure AD for identity governance scenarios. 45d8d3c5-c802-45c6-b32a-1d70b5e1e86e
47 Insights Administrator Has administrative access in the Microsoft 365 Insights app. eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c
48 Insights Business Leader Can view and share dashboards and insights via the M365 Insights app. 31e939ad-9672-4796-9c2e-873181342d2d
49 Intune Administrator Can manage all aspects of the Intune product. 3a2c62db-5318-420d-8d74-23affee5d9d5
50 Kaizala Administrator Can manage settings for Microsoft Kaizala. 74ef975b-6605-40af-a5d2-b9539d836353
51 Knowledge Administrator Can configure knowledge, learning, and other intelligent features. b5a8dcf3-09d5-43a9-a639-8e29ef291470
52 Knowledge Manager Has access to topic management dashboard and can manage content. 744ec460-397e-42ad-a462-8b3f9747a02c
53 License Administrator Can manage product licenses on users and groups. 4d6ac14f-3453-41d0-bef9-a3e0c569773a
54 Message Center Privacy Reader Can read security messages and updates in Office 365 Message Center only. ac16e43d-7b2d-40e0-ac05-243ff356ab5b
55 Message Center Reader Can read messages and updates for their organization in Office 365 Message Center only. 790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b
56 Network Administrator Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications. d37c8bed-0711-4417-ba38-b4abe66ce4c2
57 Office Apps Administrator Can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect and publish 'what's new' feature content to end-user's devices. 2b745bdf-0803-4d80-aa65-822c4493daac
58 Partner Tier1 Support Do not use - not intended for general use. 4ba39ca4-527c-499a-b93d-d9b492c50246
59 Partner Tier2 Support Do not use - not intended for general use. e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8
60 Password Administrator Can reset passwords for non-administrators and Password Administrators. 966707d0-3269-4727-9be2-8c3a10f19b9d
61 Power BI Administrator Can manage all aspects of the Power BI product. a9ea8996-122f-4c74-9520-8edcd192826c
62 Power Platform Administrator Can create and manage all aspects of Microsoft Dynamics 365, PowerApps and Microsoft Flow. 11648597-926c-4cf3-9c36-bcebb0ba8dcc
63 Printer Administrator Can manage all aspects of printers and printer connectors. 644ef478-e28f-4e28-b9dc-3fdde9aa0b1f
64 Printer Technician Can manage all aspects of printers and printer connectors. e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477
65 Privileged Authentication Administrator Allowed to view, set and reset authentication method information for any user (admin or non-admin). 7be44c8a-adaf-4e2a-84d6-ab2649e08a13
66 Privileged Role Administrator Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management. e8611ab8-c189-46e8-94e1-60213ab1f814
67 Reports Reader Can read sign-in and audit reports. 4a5d8f65-41da-4de4-8968-e035b65339cf
68 Restricted Guest User Default role for guest users with restricted access. Can read a limited set of directory information. 2af84b1e-32c8-42b7-82bc-daa82404023b
69 Search Administrator Can create and manage all aspects of Microsoft Search settings. 0964bb5e-9bdb-4d7b-ac29-58e794862a40
70 Search Editor Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan. 8835291a-918c-4fd7-a9ce-faa49f0cf7d9
71 Security Administrator Security Administrator allows ability to read and manage security configuration and reports. 194ae4cb-b126-40b2-bd5b-6091b380977d
72 Security Operator Creates and manages security events. 5f2222b1-57c3-48ba-8ad5-d4759f1fde6f
73 Security Reader Can read security information and reports in Azure AD and Office 365. 5d6b6bb7-de71-4623-b4af-96380a352509
74 Service Support Administrator Can read service health information and manage support tickets. f023fd81-a637-4b56-95fd-791ac0226033
75 SharePoint Administrator Can manage all aspects of the SharePoint service. f28a1f50-f6e7-4571-818b-6a12f2af6b6c
76 Skype for Business Administrator Can manage all aspects of the Skype for Business product. 75941009-915a-4869-abe7-691bff18279e
77 Teams Administrator Can manage the Microsoft Teams service. 69091246-20e8-4a56-aa4d-066075b2a7a8
78 Teams Communications Administrator Can manage calling and meetings features within the Microsoft Teams service. baf37b3a-610e-45da-9e62-d9d1e5e8914b
79 Teams Communications Support Engineer Can troubleshoot communications issues within Teams using advanced tools. f70938a0-fc10-4177-9e90-2178f8765737
80 Teams Communications Support Specialist Can troubleshoot communications issues within Teams using basic tools. fcf91098-03e3-41a9-b5ba-6f0ec8188a12
81 Teams Devices Administrator Can perform management related tasks on Teams certified devices. 3d762c5a-1b6c-493f-843e-55a3b42923d4
82 Usage Summary Reports Reader Can see only tenant level aggregates in Microsoft 365 Usage Analytics and Productivity Score. 75934031-6c7e-415a-99d7-48dbd49e875e
83 User Default role for member users. Can read all and write a limited set of directory information. a0b1b346-4d3e-4e8b-98f8-753987be4970
84 User Administrator Can manage all aspects of users and groups, including resetting passwords for limited admins. fe930be7-5e62-47db-91af-98c3a49a38b1
85 Windows 365 Administrator Can provision and manage all aspects of Cloud PCs. 11451d60-acb2-45eb-a7d6-43d0f0125c13
86 Windows Update Deployment Administrator Can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. 32696413-001a-46ae-978c-ce0f6b3620d2
87 Workplace Device Join Workplace Device Join c34f683f-4d5a-4403-affd-6615e00e3a7f

Role Definitions

This section contains detailed definitions of each role along with their assigned permissions sets.

Azure RBAC Role Definitions


Experimentation Metric Contributor

  • Actions:

    • Microsoft.Experimentation/experimentWorkspaces/read
  • DataActions:

    • Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read
    • Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/metricwrite/action
    • Microsoft.Experimentation/experimentWorkspaces/metricwrite/action
    • Microsoft.Experimentation/experimentWorkspaces/read

Project Babylon Data Curator

  • Actions:

    • Microsoft.ProjectBabylon/accounts/read
  • DataActions:

    • Microsoft.ProjectBabylon/accounts/data/read
    • Microsoft.ProjectBabylon/accounts/data/write

Storage Account Backup Contributor Role

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Authorization/locks/read
    • Microsoft.Authorization/locks/write
    • Microsoft.Authorization/locks/delete
    • Microsoft.Features/features/read
    • Microsoft.Features/providers/features/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Storage/operations/read
    • Microsoft.Storage/storageAccounts/blobServices/containers/read
    • Microsoft.Storage/storageAccounts/blobServices/read
    • Microsoft.Storage/storageAccounts/blobServices/write
    • Microsoft.Storage/storageAccounts/read
    • Microsoft.Storage/storageAccounts/restoreBlobRanges/action

Reservation Purchaser

  • Actions:
    • Microsoft.Resources/subscriptions/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Capacity/register/action
    • Microsoft.Compute/register/action
    • Microsoft.SQL/register/action
    • Microsoft.Consumption/register/action
    • Microsoft.Capacity/catalogs/read
    • Microsoft.Authorization/roleAssignments/read
    • Microsoft.Consumption/reservationRecommendations/read
    • Microsoft.Support/supporttickets/write

AzureML Metrics Writer (preview)

  • Actions:
    • Microsoft.MachineLearningServices/workspaces/metrics/*/write

Purview role 3 (Deprecated)

  • Actions:

    • Microsoft.Purview/accounts/read
  • DataActions:

    • Microsoft.Purview/accounts/data/read

Purview role 2 (Deprecated)

  • Actions:

    • Microsoft.Purview/accounts/read
  • DataActions:

    • Microsoft.Purview/accounts/scan/read
    • Microsoft.Purview/accounts/scan/write

Purview role 1 (Deprecated)

  • Actions:

    • Microsoft.Purview/accounts/read
  • DataActions:

    • Microsoft.Purview/accounts/data/read
    • Microsoft.Purview/accounts/data/write

Project Babylon Data Reader

  • Actions:

    • Microsoft.ProjectBabylon/accounts/read
  • DataActions:

    • Microsoft.ProjectBabylon/accounts/data/read

Project Babylon Data Source Administrator

  • Actions:

    • Microsoft.ProjectBabylon/accounts/read
  • DataActions:

    • Microsoft.ProjectBabylon/accounts/scan/read
    • Microsoft.ProjectBabylon/accounts/scan/write

AgFood Platform Service Reader

  • DataActions:
    • Microsoft.AgFoodPlatform/*/read

AgFood Platform Service Contributor

  • DataActions:

    • Microsoft.AgFoodPlatform/*/action
    • Microsoft.AgFoodPlatform/*/read
    • Microsoft.AgFoodPlatform/*/write
  • NotDataActions:

    • Microsoft.AgFoodPlatform/farmers/write
    • Microsoft.AgFoodPlatform/deletionJobs/*/write

Schema Registry Contributor (Preview)

  • Actions:

    • Microsoft.EventHub/namespaces/schemagroups/*
  • DataActions:

    • Microsoft.EventHub/namespaces/schemas/*

Cognitive Services Metrics Advisor User

  • Actions:

    • Microsoft.CognitiveServices/*/read
  • DataActions:

    • Microsoft.CognitiveServices/accounts/MetricsAdvisor/*
  • NotDataActions:

    • Microsoft.CognitiveServices/accounts/MetricsAdvisor/stats/*

Schema Registry Reader (Preview)

  • Actions:

    • Microsoft.EventHub/namespaces/schemagroups/read
  • DataActions:

    • Microsoft.EventHub/namespaces/schemas/read

SignalR REST API Reader

  • DataActions:
    • Microsoft.SignalRService/SignalR/group/read
    • Microsoft.SignalRService/SignalR/clientConnection/read
    • Microsoft.SignalRService/SignalR/user/read

SignalR Service Owner

  • DataActions:
    • Microsoft.SignalRService/SignalR/auth/accessKey/action
    • Microsoft.SignalRService/SignalR/auth/clientToken/action
    • Microsoft.SignalRService/SignalR/hub/send/action
    • Microsoft.SignalRService/SignalR/group/send/action
    • Microsoft.SignalRService/SignalR/group/read
    • Microsoft.SignalRService/SignalR/group/write
    • Microsoft.SignalRService/SignalR/clientConnection/send/action
    • Microsoft.SignalRService/SignalR/clientConnection/read
    • Microsoft.SignalRService/SignalR/clientConnection/write
    • Microsoft.SignalRService/SignalR/serverConnection/write
    • Microsoft.SignalRService/SignalR/user/send/action
    • Microsoft.SignalRService/SignalR/user/read
    • Microsoft.SignalRService/SignalR/user/write

Security Detonation Chamber Submitter

  • DataActions:
    • Microsoft.SecurityDetonation/chambers/submissions/delete
    • Microsoft.SecurityDetonation/chambers/submissions/write
    • Microsoft.SecurityDetonation/chambers/submissions/read
    • Microsoft.SecurityDetonation/chambers/submissions/files/read
    • Microsoft.SecurityDetonation/chambers/submissions/accesskeyview/read
    • Microsoft.SecurityDetonation/chambers/platforms/metadata/read
    • Microsoft.SecurityDetonation/chambers/workflows/metadata/read
    • Microsoft.SecurityDetonation/chambers/toolsets/metadata/read

AgFood Platform Service Admin

  • DataActions:
    • Microsoft.AgFoodPlatform/*

Managed HSM contributor

  • Actions:
    • Microsoft.KeyVault/managedHSMs/*

Autonomous Development Platform Data Reader (Preview)

  • Actions:

    • Microsoft.AutonomousDevelopmentPlatform/*/read
    • Microsoft.Authorization/*/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
  • DataActions:

    • Microsoft.AutonomousDevelopmentPlatform/*/read

Autonomous Development Platform Data Owner (Preview)

  • Actions:

    • Microsoft.AutonomousDevelopmentPlatform/*/read
    • Microsoft.Authorization/*/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
  • DataActions:

    • Microsoft.AutonomousDevelopmentPlatform/*

Autonomous Development Platform Data Contributor (Preview)

  • Actions:

    • Microsoft.AutonomousDevelopmentPlatform/*/read
    • Microsoft.Authorization/*/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
  • DataActions:

    • Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/discoveries/*
    • Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/uploads/*
    • Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurements/states/new/*
    • Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurementCollections/*
    • Microsoft.AutonomousDevelopmentPlatform/accounts/measurementCollections/*
    • Microsoft.AutonomousDevelopmentPlatform/workspaces/discoveries/*
    • Microsoft.AutonomousDevelopmentPlatform/workspaces/uploads/*
    • Microsoft.AutonomousDevelopmentPlatform/workspaces/measurements/states/new/*
    • Microsoft.AutonomousDevelopmentPlatform/workspaces/measurementCollections/*
  • NotDataActions:

    • Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurements/states/new/changeState/action
    • Microsoft.AutonomousDevelopmentPlatform/workspaces/measurements/states/new/changeState/action

Desktop Virtualization Workspace Reader

  • Actions:
    • Microsoft.DesktopVirtualization/workspaces/read
    • Microsoft.DesktopVirtualization/applicationgroups/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/deployments/read
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/read
    • Microsoft.Support/*

Disk Backup Reader

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Compute/disks/read
    • Microsoft.Compute/disks/beginGetAccess/action

Security Detonation Chamber Submission Manager

  • DataActions:
    • Microsoft.SecurityDetonation/chambers/submissions/delete
    • Microsoft.SecurityDetonation/chambers/submissions/write
    • Microsoft.SecurityDetonation/chambers/submissions/read
    • Microsoft.SecurityDetonation/chambers/submissions/files/read
    • Microsoft.SecurityDetonation/chambers/submissions/accesskeyview/read
    • Microsoft.SecurityDetonation/chambers/submissions/adminview/read
    • Microsoft.SecurityDetonation/chambers/submissions/analystview/read
    • Microsoft.SecurityDetonation/chambers/submissions/publicview/read
    • Microsoft.SecurityDetonation/chambers/platforms/metadata/read
    • Microsoft.SecurityDetonation/chambers/workflows/metadata/read
    • Microsoft.SecurityDetonation/chambers/toolsets/metadata/read

Security Detonation Chamber Publisher

  • DataActions:
    • Microsoft.SecurityDetonation/chambers/platforms/read
    • Microsoft.SecurityDetonation/chambers/platforms/write
    • Microsoft.SecurityDetonation/chambers/platforms/delete
    • Microsoft.SecurityDetonation/chambers/platforms/metadata/read
    • Microsoft.SecurityDetonation/chambers/workflows/read
    • Microsoft.SecurityDetonation/chambers/workflows/write
    • Microsoft.SecurityDetonation/chambers/workflows/delete
    • Microsoft.SecurityDetonation/chambers/workflows/metadata/read
    • Microsoft.SecurityDetonation/chambers/toolsets/read
    • Microsoft.SecurityDetonation/chambers/toolsets/write
    • Microsoft.SecurityDetonation/chambers/toolsets/delete
    • Microsoft.SecurityDetonation/chambers/toolsets/metadata/read
    • Microsoft.SecurityDetonation/chambers/publishRequests/read
    • Microsoft.SecurityDetonation/chambers/publishRequests/cancel/action

Microsoft.Kubernetes connected cluster role

  • Actions:
    • Microsoft.Kubernetes/connectedClusters/read
    • Microsoft.Kubernetes/connectedClusters/write
    • Microsoft.Kubernetes/connectedClusters/delete
    • Microsoft.Kubernetes/registeredSubscriptions/read

Disk Restore Operator

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Compute/disks/write
    • Microsoft.Compute/disks/read

Disk Snapshot Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Compute/snapshots/delete
    • Microsoft.Compute/snapshots/write
    • Microsoft.Compute/snapshots/read
    • Microsoft.Compute/snapshots/beginGetAccess/action
    • Microsoft.Compute/snapshots/endGetAccess/action
    • Microsoft.Compute/disks/beginGetAccess/action
    • Microsoft.Storage/storageAccounts/listkeys/action
    • Microsoft.Storage/storageAccounts/write
    • Microsoft.Storage/storageAccounts/read
    • Microsoft.Storage/storageAccounts/delete

Desktop Virtualization Workspace Contributor

  • Actions:
    • Microsoft.DesktopVirtualization/workspaces/*
    • Microsoft.DesktopVirtualization/applicationgroups/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Support/*

Desktop Virtualization User Session Operator

  • Actions:
    • Microsoft.DesktopVirtualization/hostpools/read
    • Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
    • Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Support/*

Desktop Virtualization Contributor

  • Actions:
    • Microsoft.DesktopVirtualization/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Support/*

Application Group Contributor

  • Actions:
    • Microsoft.DesktopVirtualization/applicationgroups/*
    • Microsoft.DesktopVirtualization/hostpools/read
    • Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
    • Microsoft.DesktopVirtualization/workspaces/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Support/*

Desktop Virtualization Reader

  • Actions:
    • Microsoft.DesktopVirtualization/*/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/deployments/read
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/read
    • Microsoft.Support/*

Desktop Virtualization Application Group Reader

  • Actions:
    • Microsoft.DesktopVirtualization/applicationgroups/*/read
    • Microsoft.DesktopVirtualization/applicationgroups/read
    • Microsoft.DesktopVirtualization/hostpools/read
    • Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/deployments/read
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/read
    • Microsoft.Support/*

Desktop Virtualization Application Group Contributor

  • Actions:
    • Microsoft.DesktopVirtualization/applicationgroups/*
    • Microsoft.DesktopVirtualization/hostpools/read
    • Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Support/*

Desktop Virtualization Host Pool Contributor

  • Actions:
    • Microsoft.DesktopVirtualization/hostpools/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Support/*

Desktop Virtualization Session Host Operator

  • Actions:
    • Microsoft.DesktopVirtualization/hostpools/read
    • Microsoft.DesktopVirtualization/hostpools/sessionhosts/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Support/*

Desktop Virtualization Host Pool Reader

  • Actions:
    • Microsoft.DesktopVirtualization/hostpools/*/read
    • Microsoft.DesktopVirtualization/hostpools/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/deployments/read
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/read
    • Microsoft.Support/*

Key Vault Crypto User

  • DataActions:
    • Microsoft.KeyVault/vaults/keys/read
    • Microsoft.KeyVault/vaults/keys/update/action
    • Microsoft.KeyVault/vaults/keys/backup/action
    • Microsoft.KeyVault/vaults/keys/encrypt/action
    • Microsoft.KeyVault/vaults/keys/decrypt/action
    • Microsoft.KeyVault/vaults/keys/wrap/action
    • Microsoft.KeyVault/vaults/keys/unwrap/action
    • Microsoft.KeyVault/vaults/keys/sign/action
    • Microsoft.KeyVault/vaults/keys/verify/action

Key Vault Secrets Officer

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • Microsoft.KeyVault/checkNameAvailability/read
    • Microsoft.KeyVault/deletedVaults/read
    • Microsoft.KeyVault/locations/*/read
    • Microsoft.KeyVault/vaults/*/read
    • Microsoft.KeyVault/operations/read
  • DataActions:

    • Microsoft.KeyVault/vaults/secrets/*

Key Vault Crypto Officer

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • Microsoft.KeyVault/checkNameAvailability/read
    • Microsoft.KeyVault/deletedVaults/read
    • Microsoft.KeyVault/locations/*/read
    • Microsoft.KeyVault/vaults/*/read
    • Microsoft.KeyVault/operations/read
  • DataActions:

    • Microsoft.KeyVault/vaults/keys/*
    • Microsoft.KeyVault/vaults/keyrotationpolicies/*

Cognitive Services Custom Vision Trainer

  • Actions:

    • Microsoft.CognitiveServices/*/read
  • DataActions:

    • Microsoft.CognitiveServices/accounts/CustomVision/*
  • NotDataActions:

    • Microsoft.CognitiveServices/accounts/CustomVision/projects/action
    • Microsoft.CognitiveServices/accounts/CustomVision/projects/delete
    • Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action
    • Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read

Key Vault Administrator

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • Microsoft.KeyVault/checkNameAvailability/read
    • Microsoft.KeyVault/deletedVaults/read
    • Microsoft.KeyVault/locations/*/read
    • Microsoft.KeyVault/vaults/*/read
    • Microsoft.KeyVault/operations/read
  • DataActions:

    • Microsoft.KeyVault/vaults/*

Key Vault Crypto Service Encryption User

  • Actions:

    • Microsoft.EventGrid/eventSubscriptions/write
    • Microsoft.EventGrid/eventSubscriptions/read
    • Microsoft.EventGrid/eventSubscriptions/delete
  • DataActions:

    • Microsoft.KeyVault/vaults/keys/read
    • Microsoft.KeyVault/vaults/keys/wrap/action
    • Microsoft.KeyVault/vaults/keys/unwrap/action

Azure Arc Kubernetes Viewer

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/write
    • Microsoft.Resources/subscriptions/operationresults/read
    • Microsoft.Resources/subscriptions/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
  • DataActions:

    • Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read
    • Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read
    • Microsoft.Kubernetes/connectedClusters/apps/deployments/read
    • Microsoft.Kubernetes/connectedClusters/apps/replicasets/read
    • Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read
    • Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read
    • Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read
    • Microsoft.Kubernetes/connectedClusters/batch/jobs/read
    • Microsoft.Kubernetes/connectedClusters/configmaps/read
    • Microsoft.Kubernetes/connectedClusters/endpoints/read
    • Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read
    • Microsoft.Kubernetes/connectedClusters/events/read
    • Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read
    • Microsoft.Kubernetes/connectedClusters/extensions/deployments/read
    • Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read
    • Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read
    • Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read
    • Microsoft.Kubernetes/connectedClusters/limitranges/read
    • Microsoft.Kubernetes/connectedClusters/namespaces/read
    • Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read
    • Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read
    • Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read
    • Microsoft.Kubernetes/connectedClusters/pods/read
    • Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read
    • Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read
    • Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read
    • Microsoft.Kubernetes/connectedClusters/resourcequotas/read
    • Microsoft.Kubernetes/connectedClusters/serviceaccounts/read
    • Microsoft.Kubernetes/connectedClusters/services/read

Key Vault Reader

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • Microsoft.KeyVault/checkNameAvailability/read
    • Microsoft.KeyVault/deletedVaults/read
    • Microsoft.KeyVault/locations/*/read
    • Microsoft.KeyVault/vaults/*/read
    • Microsoft.KeyVault/operations/read
  • DataActions:

    • Microsoft.KeyVault/vaults/*/read
    • Microsoft.KeyVault/vaults/secrets/readMetadata/action

Key Vault Secrets User

  • DataActions:
    • Microsoft.KeyVault/vaults/secrets/getSecret/action
    • Microsoft.KeyVault/vaults/secrets/readMetadata/action

Key Vault Certificates Officer

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • Microsoft.KeyVault/checkNameAvailability/read
    • Microsoft.KeyVault/deletedVaults/read
    • Microsoft.KeyVault/locations/*/read
    • Microsoft.KeyVault/vaults/*/read
    • Microsoft.KeyVault/operations/read
  • DataActions:

    • Microsoft.KeyVault/vaults/certificatecas/*
    • Microsoft.KeyVault/vaults/certificates/*

Experimentation Reader

  • Actions:

    • Microsoft.Experimentation/experimentWorkspaces/read
  • DataActions:

    • Microsoft.Experimentation/experimentWorkspaces/read
    • Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read

Object Understanding Account Owner

  • DataActions:
    • Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/action
    • Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/read

FHIR Data Writer

  • DataActions:

    • Microsoft.HealthcareApis/services/fhir/resources/*
    • Microsoft.HealthcareApis/workspaces/fhirservices/resources/*
  • NotDataActions:

    • Microsoft.HealthcareApis/services/fhir/resources/hardDelete/action
    • Microsoft.HealthcareApis/workspaces/fhirservices/resources/hardDelete/action

FHIR Data Exporter

  • DataActions:
    • Microsoft.HealthcareApis/services/fhir/resources/read
    • Microsoft.HealthcareApis/services/fhir/resources/export/action
    • Microsoft.HealthcareApis/workspaces/fhirservices/resources/read
    • Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action

FHIR Data Reader

  • DataActions:
    • Microsoft.HealthcareApis/services/fhir/resources/read
    • Microsoft.HealthcareApis/workspaces/fhirservices/resources/read

Cognitive Services Custom Vision Labeler

  • Actions:

    • Microsoft.CognitiveServices/*/read
  • DataActions:

    • Microsoft.CognitiveServices/accounts/CustomVision/*/read
    • Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action
    • Microsoft.CognitiveServices/accounts/CustomVision/projects/images/*
    • Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/*
    • Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/*
    • Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action
  • NotDataActions:

    • Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read

Cognitive Services Custom Vision Reader

  • Actions:

    • Microsoft.CognitiveServices/*/read
  • DataActions:

    • Microsoft.CognitiveServices/accounts/CustomVision/*/read
    • Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action
  • NotDataActions:

    • Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read

Cognitive Services Custom Vision Deployment

  • Actions:

    • Microsoft.CognitiveServices/*/read
  • DataActions:

    • Microsoft.CognitiveServices/accounts/CustomVision/*/read
    • Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/*
    • Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/*
    • Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/*
    • Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/*
    • Microsoft.CognitiveServices/accounts/CustomVision/classify/*
    • Microsoft.CognitiveServices/accounts/CustomVision/detect/*
  • NotDataActions:

    • Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read

Azure Maps Data Contributor

  • DataActions:
    • Microsoft.Maps/accounts/*/read
    • Microsoft.Maps/accounts/*/write
    • Microsoft.Maps/accounts/*/delete
    • Microsoft.Maps/accounts/*/action

Cognitive Services Custom Vision Contributor

  • Actions:

    • Microsoft.CognitiveServices/*/read
  • DataActions:

    • Microsoft.CognitiveServices/accounts/CustomVision/*

Device Update Reader

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • Microsoft.Insights/alertRules/*
  • DataActions:

    • Microsoft.DeviceUpdate/accounts/instances/updates/read
    • Microsoft.DeviceUpdate/accounts/instances/management/read

Device Update Administrator

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • Microsoft.Insights/alertRules/*
  • DataActions:

    • Microsoft.DeviceUpdate/accounts/instances/updates/read
    • Microsoft.DeviceUpdate/accounts/instances/updates/write
    • Microsoft.DeviceUpdate/accounts/instances/updates/delete
    • Microsoft.DeviceUpdate/accounts/instances/management/read
    • Microsoft.DeviceUpdate/accounts/instances/management/write
    • Microsoft.DeviceUpdate/accounts/instances/management/delete

Collaborative Data Contributor

  • Actions:
    • Microsoft.IndustryDataLifecycle/custodianCollaboratives/*/read
    • Microsoft.IndustryDataLifecycle/memberCollaboratives/*/read
    • Microsoft.IndustryDataLifecycle/locations/dataPackages/*
    • Microsoft.IndustryDataLifecycle/custodianCollaboratives/receivedDataPackages/*
    • Microsoft.IndustryDataLifecycle/custodianCollaboratives/rejectDataPackage/action
    • Microsoft.IndustryDataLifecycle/memberCollaboratives/sharedDataPackages/*
    • Microsoft.IndustryDataLifecycle/custodianCollaboratives/dataModels/*
    • Microsoft.IndustryDataLifecycle/custodianCollaboratives/auditLogs/action
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

SignalR App Server

  • DataActions:
    • Microsoft.SignalRService/SignalR/auth/accessKey/action
    • Microsoft.SignalRService/SignalR/serverConnection/write
    • Microsoft.SignalRService/SignalR/clientConnection/write

SignalR REST API Owner

  • DataActions:
    • Microsoft.SignalRService/SignalR/auth/clientToken/action
    • Microsoft.SignalRService/SignalR/hub/send/action
    • Microsoft.SignalRService/SignalR/group/send/action
    • Microsoft.SignalRService/SignalR/group/read
    • Microsoft.SignalRService/SignalR/group/write
    • Microsoft.SignalRService/SignalR/clientConnection/send/action
    • Microsoft.SignalRService/SignalR/clientConnection/read
    • Microsoft.SignalRService/SignalR/clientConnection/write
    • Microsoft.SignalRService/SignalR/user/send/action
    • Microsoft.SignalRService/SignalR/user/read
    • Microsoft.SignalRService/SignalR/user/write

Device Update Content Reader

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • Microsoft.Insights/alertRules/*
  • DataActions:

    • Microsoft.DeviceUpdate/accounts/instances/updates/read

Cognitive Services Metrics Advisor Administrator

  • Actions:

    • Microsoft.CognitiveServices/*/read
  • DataActions:

    • Microsoft.CognitiveServices/accounts/MetricsAdvisor/*

Device Update Deployments Reader

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • Microsoft.Insights/alertRules/*
  • DataActions:

    • Microsoft.DeviceUpdate/accounts/instances/management/read
    • Microsoft.DeviceUpdate/accounts/instances/updates/read

Device Update Content Administrator

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • Microsoft.Insights/alertRules/*
  • DataActions:

    • Microsoft.DeviceUpdate/accounts/instances/updates/read
    • Microsoft.DeviceUpdate/accounts/instances/updates/write
    • Microsoft.DeviceUpdate/accounts/instances/updates/delete

Device Update Deployments Administrator

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • Microsoft.Insights/alertRules/*
  • DataActions:

    • Microsoft.DeviceUpdate/accounts/instances/management/read
    • Microsoft.DeviceUpdate/accounts/instances/management/write
    • Microsoft.DeviceUpdate/accounts/instances/management/delete
    • Microsoft.DeviceUpdate/accounts/instances/updates/read

Azure Kubernetes Service RBAC Cluster Admin

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/write
    • Microsoft.Resources/subscriptions/operationresults/read
    • Microsoft.Resources/subscriptions/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
  • DataActions:

    • Microsoft.ContainerService/managedClusters/*

Azure Kubernetes Service RBAC Admin

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/write
    • Microsoft.Resources/subscriptions/operationresults/read
    • Microsoft.Resources/subscriptions/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
  • DataActions:

    • Microsoft.ContainerService/managedClusters/*
  • NotDataActions:

    • Microsoft.ContainerService/managedClusters/resourcequotas/write
    • Microsoft.ContainerService/managedClusters/resourcequotas/delete
    • Microsoft.ContainerService/managedClusters/namespaces/write
    • Microsoft.ContainerService/managedClusters/namespaces/delete

Azure Arc Kubernetes Admin

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/write
    • Microsoft.Resources/subscriptions/operationresults/read
    • Microsoft.Resources/subscriptions/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
  • DataActions:

    • Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read
    • Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*
    • Microsoft.Kubernetes/connectedClusters/apps/deployments/*
    • Microsoft.Kubernetes/connectedClusters/apps/replicasets/*
    • Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*
    • Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write
    • Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*
    • Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*
    • Microsoft.Kubernetes/connectedClusters/batch/jobs/*
    • Microsoft.Kubernetes/connectedClusters/configmaps/*
    • Microsoft.Kubernetes/connectedClusters/endpoints/*
    • Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read
    • Microsoft.Kubernetes/connectedClusters/events/read
    • Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*
    • Microsoft.Kubernetes/connectedClusters/extensions/deployments/*
    • Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*
    • Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*
    • Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*
    • Microsoft.Kubernetes/connectedClusters/limitranges/read
    • Microsoft.Kubernetes/connectedClusters/namespaces/read
    • Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*
    • Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*
    • Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*
    • Microsoft.Kubernetes/connectedClusters/pods/*
    • Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*
    • Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*
    • Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*
    • Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
    • Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
    • Microsoft.Kubernetes/connectedClusters/resourcequotas/read
    • Microsoft.Kubernetes/connectedClusters/secrets/*
    • Microsoft.Kubernetes/connectedClusters/serviceaccounts/*
    • Microsoft.Kubernetes/connectedClusters/services/*

Azure Arc Kubernetes Writer

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/write
    • Microsoft.Resources/subscriptions/operationresults/read
    • Microsoft.Resources/subscriptions/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
  • DataActions:

    • Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read
    • Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*
    • Microsoft.Kubernetes/connectedClusters/apps/deployments/*
    • Microsoft.Kubernetes/connectedClusters/apps/replicasets/*
    • Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*
    • Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*
    • Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*
    • Microsoft.Kubernetes/connectedClusters/batch/jobs/*
    • Microsoft.Kubernetes/connectedClusters/configmaps/*
    • Microsoft.Kubernetes/connectedClusters/endpoints/*
    • Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read
    • Microsoft.Kubernetes/connectedClusters/events/read
    • Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*
    • Microsoft.Kubernetes/connectedClusters/extensions/deployments/*
    • Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*
    • Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*
    • Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*
    • Microsoft.Kubernetes/connectedClusters/limitranges/read
    • Microsoft.Kubernetes/connectedClusters/namespaces/read
    • Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*
    • Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*
    • Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*
    • Microsoft.Kubernetes/connectedClusters/pods/*
    • Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*
    • Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
    • Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
    • Microsoft.Kubernetes/connectedClusters/resourcequotas/read
    • Microsoft.Kubernetes/connectedClusters/secrets/*
    • Microsoft.Kubernetes/connectedClusters/serviceaccounts/*
    • Microsoft.Kubernetes/connectedClusters/services/*

Azure Arc Kubernetes Cluster Admin

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/write
    • Microsoft.Resources/subscriptions/operationresults/read
    • Microsoft.Resources/subscriptions/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
  • DataActions:

    • Microsoft.Kubernetes/connectedClusters/*

Object Understanding Account Reader

  • DataActions:
    • Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/read

Azure Arc Enabled Kubernetes Cluster User Role

  • Actions:
    • Microsoft.Resources/deployments/write
    • Microsoft.Resources/subscriptions/operationresults/read
    • Microsoft.Resources/subscriptions/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Support/*

Services Hub Operator

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/deployments/*
    • Microsoft.ServicesHub/connectors/write
    • Microsoft.ServicesHub/connectors/read
    • Microsoft.ServicesHub/connectors/delete
    • Microsoft.ServicesHub/connectors/checkAssessmentEntitlement/action
    • Microsoft.ServicesHub/supportOfferingEntitlement/read
    • Microsoft.ServicesHub/workspaces/read

Azure Kubernetes Service RBAC Reader

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/write
    • Microsoft.Resources/subscriptions/operationresults/read
    • Microsoft.Resources/subscriptions/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
  • DataActions:

    • Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read
    • Microsoft.ContainerService/managedClusters/apps/daemonsets/read
    • Microsoft.ContainerService/managedClusters/apps/deployments/read
    • Microsoft.ContainerService/managedClusters/apps/replicasets/read
    • Microsoft.ContainerService/managedClusters/apps/statefulsets/read
    • Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read
    • Microsoft.ContainerService/managedClusters/batch/cronjobs/read
    • Microsoft.ContainerService/managedClusters/batch/jobs/read
    • Microsoft.ContainerService/managedClusters/configmaps/read
    • Microsoft.ContainerService/managedClusters/endpoints/read
    • Microsoft.ContainerService/managedClusters/events.k8s.io/events/read
    • Microsoft.ContainerService/managedClusters/events/read
    • Microsoft.ContainerService/managedClusters/extensions/daemonsets/read
    • Microsoft.ContainerService/managedClusters/extensions/deployments/read
    • Microsoft.ContainerService/managedClusters/extensions/ingresses/read
    • Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read
    • Microsoft.ContainerService/managedClusters/extensions/replicasets/read
    • Microsoft.ContainerService/managedClusters/limitranges/read
    • Microsoft.ContainerService/managedClusters/namespaces/read
    • Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read
    • Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read
    • Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read
    • Microsoft.ContainerService/managedClusters/pods/read
    • Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read
    • Microsoft.ContainerService/managedClusters/replicationcontrollers/read
    • Microsoft.ContainerService/managedClusters/replicationcontrollers/read
    • Microsoft.ContainerService/managedClusters/resourcequotas/read
    • Microsoft.ContainerService/managedClusters/serviceaccounts/read
    • Microsoft.ContainerService/managedClusters/services/read

Azure Kubernetes Service RBAC Writer

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/write
    • Microsoft.Resources/subscriptions/operationresults/read
    • Microsoft.Resources/subscriptions/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
  • DataActions:

    • Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read
    • Microsoft.ContainerService/managedClusters/apps/daemonsets/*
    • Microsoft.ContainerService/managedClusters/apps/deployments/*
    • Microsoft.ContainerService/managedClusters/apps/replicasets/*
    • Microsoft.ContainerService/managedClusters/apps/statefulsets/*
    • Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*
    • Microsoft.ContainerService/managedClusters/batch/cronjobs/*
    • Microsoft.ContainerService/managedClusters/batch/jobs/*
    • Microsoft.ContainerService/managedClusters/configmaps/*
    • Microsoft.ContainerService/managedClusters/endpoints/*
    • Microsoft.ContainerService/managedClusters/events.k8s.io/events/read
    • Microsoft.ContainerService/managedClusters/events/read
    • Microsoft.ContainerService/managedClusters/extensions/daemonsets/*
    • Microsoft.ContainerService/managedClusters/extensions/deployments/*
    • Microsoft.ContainerService/managedClusters/extensions/ingresses/*
    • Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*
    • Microsoft.ContainerService/managedClusters/extensions/replicasets/*
    • Microsoft.ContainerService/managedClusters/limitranges/read
    • Microsoft.ContainerService/managedClusters/namespaces/read
    • Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*
    • Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*
    • Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*
    • Microsoft.ContainerService/managedClusters/pods/*
    • Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*
    • Microsoft.ContainerService/managedClusters/replicationcontrollers/*
    • Microsoft.ContainerService/managedClusters/replicationcontrollers/*
    • Microsoft.ContainerService/managedClusters/resourcequotas/read
    • Microsoft.ContainerService/managedClusters/secrets/*
    • Microsoft.ContainerService/managedClusters/serviceaccounts/*
    • Microsoft.ContainerService/managedClusters/services/*

Azure VM Managed identities restore Contributor

  • Actions:
    • Microsoft.Authorization/*/read

Azure Maps Search and Render Data Reader

  • DataActions:
    • Microsoft.Maps/accounts/services/render/read
    • Microsoft.Maps/accounts/services/search/read

Azure Spring Cloud Config Server Contributor

  • DataActions:
    • Microsoft.AppPlatform/Spring/configService/read
    • Microsoft.AppPlatform/Spring/configService/write
    • Microsoft.AppPlatform/Spring/configService/delete

Azure Spring Cloud Service Registry Contributor

  • DataActions:
    • Microsoft.AppPlatform/Spring/eurekaService/read
    • Microsoft.AppPlatform/Spring/eurekaService/write
    • Microsoft.AppPlatform/Spring/eurekaService/delete

Azure Spring Cloud Config Server Reader

  • DataActions:
    • Microsoft.AppPlatform/Spring/configService/read

Azure Arc VMware Administrator role

  • Actions:
    • Microsoft.ConnectedVMwarevSphere/*
    • Microsoft.Insights/AlertRules/Write
    • Microsoft.Insights/AlertRules/Delete
    • Microsoft.Insights/AlertRules/Read
    • Microsoft.Insights/AlertRules/Activated/Action
    • Microsoft.Insights/AlertRules/Resolved/Action
    • Microsoft.Insights/AlertRules/Throttled/Action
    • Microsoft.Insights/AlertRules/Incidents/Read
    • Microsoft.Resources/deployments/read
    • Microsoft.Resources/deployments/write
    • Microsoft.Resources/deployments/delete
    • Microsoft.Resources/deployments/cancel/action
    • Microsoft.Resources/deployments/validate/action
    • Microsoft.Resources/deployments/whatIf/action
    • Microsoft.Resources/deployments/exportTemplate/action
    • Microsoft.Resources/deployments/operations/read
    • Microsoft.Resources/deployments/operationstatuses/read
    • Microsoft.Resources/subscriptions/resourcegroups/deployments/read
    • Microsoft.Resources/subscriptions/resourcegroups/deployments/write
    • Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
    • Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Authorization/*/read
    • Microsoft.Resources/subscriptions/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/subscriptions/operationresults/read

Azure Arc VMware Private Clouds Onboarding

  • Actions:
    • Microsoft.ConnectedVMwarevSphere/vcenters/Write
    • Microsoft.ConnectedVMwarevSphere/vcenters/Read
    • Microsoft.ConnectedVMwarevSphere/vcenters/Delete
    • Microsoft.Insights/AlertRules/Write
    • Microsoft.Insights/AlertRules/Delete
    • Microsoft.Insights/AlertRules/Read
    • Microsoft.Insights/AlertRules/Activated/Action
    • Microsoft.Insights/AlertRules/Resolved/Action
    • Microsoft.Insights/AlertRules/Throttled/Action
    • Microsoft.Insights/AlertRules/Incidents/Read
    • Microsoft.Resources/deployments/read
    • Microsoft.Resources/deployments/write
    • Microsoft.Resources/deployments/delete
    • Microsoft.Resources/deployments/cancel/action
    • Microsoft.Resources/deployments/validate/action
    • Microsoft.Resources/deployments/whatIf/action
    • Microsoft.Resources/deployments/exportTemplate/action
    • Microsoft.Resources/deployments/operations/read
    • Microsoft.Resources/deployments/operationstatuses/read
    • Microsoft.Resources/subscriptions/resourcegroups/deployments/read
    • Microsoft.Resources/subscriptions/resourcegroups/deployments/write
    • Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
    • Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Authorization/*/read
    • Microsoft.Resources/subscriptions/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/subscriptions/operationresults/read
    • Microsoft.KubernetesConfiguration/extensions/Write
    • Microsoft.KubernetesConfiguration/extensions/Read
    • Microsoft.KubernetesConfiguration/extensions/Delete
    • Microsoft.KubernetesConfiguration/operations/read
    • Microsoft.ExtendedLocation/customLocations/Read
    • Microsoft.ExtendedLocation/customLocations/Write
    • Microsoft.ExtendedLocation/customLocations/Delete
    • Microsoft.ExtendedLocation/customLocations/deploy/action
    • Microsoft.ResourceConnector/appliances/Read
    • Microsoft.ResourceConnector/appliances/Write
    • Microsoft.ResourceConnector/appliances/Delete

Azure Arc VMware Private Cloud User

  • Actions:
    • Microsoft.Insights/AlertRules/Write
    • Microsoft.Insights/AlertRules/Delete
    • Microsoft.Insights/AlertRules/Read
    • Microsoft.Insights/AlertRules/Activated/Action
    • Microsoft.Insights/AlertRules/Resolved/Action
    • Microsoft.Insights/AlertRules/Throttled/Action
    • Microsoft.Insights/AlertRules/Incidents/Read
    • Microsoft.Resources/deployments/read
    • Microsoft.Resources/deployments/write
    • Microsoft.Resources/deployments/delete
    • Microsoft.Resources/deployments/cancel/action
    • Microsoft.Resources/deployments/validate/action
    • Microsoft.Resources/deployments/whatIf/action
    • Microsoft.Resources/deployments/exportTemplate/action
    • Microsoft.Resources/deployments/operations/read
    • Microsoft.Resources/deployments/operationstatuses/read
    • Microsoft.Resources/subscriptions/resourcegroups/deployments/read
    • Microsoft.Resources/subscriptions/resourcegroups/deployments/write
    • Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
    • Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Authorization/*/read
    • Microsoft.Resources/subscriptions/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/subscriptions/operationresults/read
    • Microsoft.ConnectedVMwarevSphere/virtualnetworks/join/action
    • Microsoft.ConnectedVMwarevSphere/virtualnetworks/Read
    • Microsoft.ConnectedVMwarevSphere/virtualmachinetemplates/clone/action
    • Microsoft.ConnectedVMwarevSphere/virtualmachinetemplates/Read
    • Microsoft.ConnectedVMwarevSphere/resourcepools/deploy/action
    • Microsoft.ConnectedVMwarevSphere/resourcepools/Read
    • Microsoft.ConnectedVMwarevSphere/hosts/deploy/action
    • Microsoft.ConnectedVMwarevSphere/hosts/Read
    • Microsoft.ConnectedVMwarevSphere/clusters/deploy/action
    • Microsoft.ConnectedVMwarevSphere/clusters/Read
    • Microsoft.ConnectedVMwarevSphere/datastores/allocateSpace/action
    • Microsoft.ConnectedVMwarevSphere/datastores/Read

Azure Maps Contributor

  • Actions:
    • Microsoft.Maps/*
    • Microsoft.Authorization/*/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read

Azure Arc VMware VM Contributor

  • Actions:
    • Microsoft.ConnectedVMwarevSphere/virtualmachines/*
    • Microsoft.Insights/AlertRules/Write
    • Microsoft.Insights/AlertRules/Delete
    • Microsoft.Insights/AlertRules/Read
    • Microsoft.Insights/AlertRules/Activated/Action
    • Microsoft.Insights/AlertRules/Resolved/Action
    • Microsoft.Insights/AlertRules/Throttled/Action
    • Microsoft.Insights/AlertRules/Incidents/Read
    • Microsoft.Resources/deployments/read
    • Microsoft.Resources/deployments/write
    • Microsoft.Resources/deployments/delete
    • Microsoft.Resources/deployments/cancel/action
    • Microsoft.Resources/deployments/validate/action
    • Microsoft.Resources/deployments/whatIf/action
    • Microsoft.Resources/deployments/exportTemplate/action
    • Microsoft.Resources/deployments/operations/read
    • Microsoft.Resources/deployments/operationstatuses/read
    • Microsoft.Resources/subscriptions/resourcegroups/deployments/read
    • Microsoft.Resources/subscriptions/resourcegroups/deployments/write
    • Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
    • Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Authorization/*/read
    • Microsoft.Resources/subscriptions/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/subscriptions/operationresults/read

Grafana Editor

  • DataActions:
    • Microsoft.Dashboard/grafana/ActAsGrafanaEditor/action

Automation Contributor

  • Actions:
    • Microsoft.Automation/automationAccounts/*
    • Microsoft.Authorization/*/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • Microsoft.Insights/ActionGroups/*
    • Microsoft.Insights/ActivityLogAlerts/*
    • Microsoft.Insights/MetricAlerts/*
    • Microsoft.Insights/ScheduledQueryRules/*
    • Microsoft.Insights/diagnosticSettings/*
    • Microsoft.OperationalInsights/workspaces/sharedKeys/action

Grafana Viewer

  • DataActions:
    • Microsoft.Dashboard/grafana/ActAsGrafanaViewer/action

Azure Relay Owner

  • Actions:

    • Microsoft.Relay/*
  • DataActions:

    • Microsoft.Relay/*

Azure Relay Listener

  • Actions:

    • Microsoft.Relay/*/wcfRelays/read
    • Microsoft.Relay/*/hybridConnections/read
  • DataActions:

    • Microsoft.Relay/*/listen/action

CodeSigning Certificate Profile Signer

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
  • DataActions:

    • Microsoft.CodeSigning/certificateProfiles/Sign/action

Azure Spring Cloud Service Registry Reader

  • DataActions:
    • Microsoft.AppPlatform/Spring/eurekaService/read

Device Provisioning Service Data Contributor

  • DataActions:
    • Microsoft.Devices/provisioningServices/*

Kubernetes Extension Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.KubernetesConfiguration/extensions/write
    • Microsoft.KubernetesConfiguration/extensions/read
    • Microsoft.KubernetesConfiguration/extensions/delete
    • Microsoft.KubernetesConfiguration/extensions/operations/read

Device Provisioning Service Data Reader

  • DataActions:
    • Microsoft.Devices/provisioningServices/*/read

Lab Services Reader

  • Actions:
    • Microsoft.LabServices/*/read
    • Microsoft.Authorization/*/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read

Lab Assistant

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.LabServices/labPlans/images/read
    • Microsoft.LabServices/labPlans/read
    • Microsoft.LabServices/labs/read
    • Microsoft.LabServices/labs/schedules/read
    • Microsoft.LabServices/labs/users/read
    • Microsoft.LabServices/labs/users/invite/action
    • Microsoft.LabServices/labs/virtualMachines/read
    • Microsoft.LabServices/labs/virtualMachines/start/action
    • Microsoft.LabServices/labs/virtualMachines/stop/action
    • Microsoft.LabServices/labs/virtualMachines/reimage/action
    • Microsoft.LabServices/labs/virtualMachines/redeploy/action
    • Microsoft.LabServices/locations/usages/read
    • Microsoft.LabServices/skus/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read

Lab Services Contributor

  • Actions:

    • Microsoft.LabServices/*
    • Microsoft.Insights/alertRules/*
    • Microsoft.Authorization/*/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
  • DataActions:

    • Microsoft.LabServices/labPlans/createLab/action

Load Test Reader

  • Actions:

    • Microsoft.LoadTestService/*/read
    • Microsoft.Authorization/*/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Insights/alertRules/*
  • DataActions:

    • Microsoft.LoadTestService/loadtests/readTest/action

Cognitive Services Immersive Reader User

  • DataActions:
    • Microsoft.CognitiveServices/accounts/ImmersiveReader/getcontentmodelforreader/action

Chamber Admin

  • Actions:
    • Microsoft.HpcWorkbench/*/read
    • Microsoft.HpcWorkbench/instances/chambers/*
    • Microsoft.HpcWorkbench/instances/consortiums/*/read
    • Microsoft.Authorization/*/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read

Guest Configuration Resource Contributor

  • Actions:
    • Microsoft.GuestConfiguration/guestConfigurationAssignments/write
    • Microsoft.GuestConfiguration/guestConfigurationAssignments/read
    • Microsoft.GuestConfiguration/guestConfigurationAssignments/*/read

Chamber User

  • Actions:
    • Microsoft.HpcWorkbench/instances/chambers/*/read
    • Microsoft.HpcWorkbench/instances/consortiums/*/read
    • Microsoft.Authorization/*/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read

Lab Operator

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.LabServices/labPlans/images/read
    • Microsoft.LabServices/labPlans/read
    • Microsoft.LabServices/labPlans/saveImage/action
    • Microsoft.LabServices/labs/publish/action
    • Microsoft.LabServices/labs/read
    • Microsoft.LabServices/labs/schedules/read
    • Microsoft.LabServices/labs/schedules/write
    • Microsoft.LabServices/labs/schedules/delete
    • Microsoft.LabServices/labs/users/read
    • Microsoft.LabServices/labs/users/write
    • Microsoft.LabServices/labs/users/delete
    • Microsoft.LabServices/labs/users/invite/action
    • Microsoft.LabServices/labs/virtualMachines/read
    • Microsoft.LabServices/labs/virtualMachines/start/action
    • Microsoft.LabServices/labs/virtualMachines/stop/action
    • Microsoft.LabServices/labs/virtualMachines/reimage/action
    • Microsoft.LabServices/labs/virtualMachines/redeploy/action
    • Microsoft.LabServices/labs/virtualMachines/resetPassword/action
    • Microsoft.LabServices/locations/usages/read
    • Microsoft.LabServices/skus/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read

Lab Contributor

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.LabServices/labPlans/images/read
    • Microsoft.LabServices/labPlans/read
    • Microsoft.LabServices/labPlans/saveImage/action
    • Microsoft.LabServices/labs/read
    • Microsoft.LabServices/labs/write
    • Microsoft.LabServices/labs/delete
    • Microsoft.LabServices/labs/publish/action
    • Microsoft.LabServices/labs/syncGroup/action
    • Microsoft.LabServices/labs/schedules/read
    • Microsoft.LabServices/labs/schedules/write
    • Microsoft.LabServices/labs/schedules/delete
    • Microsoft.LabServices/labs/users/read
    • Microsoft.LabServices/labs/users/write
    • Microsoft.LabServices/labs/users/delete
    • Microsoft.LabServices/labs/users/invite/action
    • Microsoft.LabServices/labs/virtualMachines/read
    • Microsoft.LabServices/labs/virtualMachines/start/action
    • Microsoft.LabServices/labs/virtualMachines/stop/action
    • Microsoft.LabServices/labs/virtualMachines/reimage/action
    • Microsoft.LabServices/labs/virtualMachines/redeploy/action
    • Microsoft.LabServices/labs/virtualMachines/resetPassword/action
    • Microsoft.LabServices/locations/usages/read
    • Microsoft.LabServices/skus/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
  • DataActions:

    • Microsoft.LabServices/labPlans/createLab/action

Cognitive Services Language Owner

  • Actions:

    • Microsoft.CognitiveServices/*/read
    • Microsoft.CognitiveServices/accounts/listkeys/action
    • Microsoft.Authorization/roleAssignments/read
    • Microsoft.Authorization/roleDefinitions/read
  • DataActions:

    • Microsoft.CognitiveServices/accounts/LanguageAuthoring/*
    • Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/*

Cognitive Services LUIS Reader

  • Actions:

    • Microsoft.CognitiveServices/*/read
    • Microsoft.Authorization/roleAssignments/read
    • Microsoft.Authorization/roleDefinitions/read
  • DataActions:

    • Microsoft.CognitiveServices/accounts/LUIS/*/read
    • Microsoft.CognitiveServices/accounts/LUIS/apps/testdatasets/write

Cognitive Services Language Writer

  • Actions:

    • Microsoft.CognitiveServices/*/read
    • Microsoft.Authorization/roleAssignments/read
    • Microsoft.Authorization/roleDefinitions/read
  • DataActions:

    • Microsoft.CognitiveServices/accounts/LanguageAuthoring/*
    • Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/*
  • NotDataActions:

    • Microsoft.CognitiveServices/accounts/LanguageAuthoring/projects/publish/action
    • Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/deployments/write

Cognitive Services LUIS Owner

  • Actions:

    • Microsoft.CognitiveServices/*/read
    • Microsoft.CognitiveServices/accounts/listkeys/action
    • Microsoft.Authorization/roleAssignments/read
    • Microsoft.Authorization/roleDefinitions/read
  • DataActions:

    • Microsoft.CognitiveServices/accounts/LUIS/*

Cognitive Services Language Reader

  • Actions:

    • Microsoft.CognitiveServices/*/read
    • Microsoft.Authorization/roleAssignments/read
    • Microsoft.Authorization/roleDefinitions/read
  • DataActions:

    • Microsoft.CognitiveServices/accounts/LanguageAuthoring/*/read
    • Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/*/read
    • Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/export/action

Load Test Owner

  • Actions:

    • Microsoft.LoadTestService/*
    • Microsoft.Authorization/*/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Insights/alertRules/*
  • DataActions:

    • Microsoft.LoadTestService/*

PlayFab Contributor

  • Actions:
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Authorization/*/read
    • Microsoft.Resources/deployments/*
    • Microsoft.PlayFab/*/read
    • Microsoft.PlayFab/*/write
    • Microsoft.PlayFab/*/delete

Load Test Contributor

  • Actions:

    • Microsoft.LoadTestService/*/read
    • Microsoft.Authorization/*/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Insights/alertRules/*
  • DataActions:

    • Microsoft.LoadTestService/loadtests/*

Cognitive Services LUIS Writer

  • Actions:

    • Microsoft.CognitiveServices/*/read
    • Microsoft.Authorization/roleAssignments/read
    • Microsoft.Authorization/roleDefinitions/read
  • DataActions:

    • Microsoft.CognitiveServices/accounts/LUIS/*
  • NotDataActions:

    • Microsoft.CognitiveServices/accounts/LUIS/apps/delete
    • Microsoft.CognitiveServices/accounts/LUIS/apps/move/action
    • Microsoft.CognitiveServices/accounts/LUIS/apps/publish/action
    • Microsoft.CognitiveServices/accounts/LUIS/apps/settings/write
    • Microsoft.CognitiveServices/accounts/LUIS/apps/azureaccounts/action
    • Microsoft.CognitiveServices/accounts/LUIS/apps/azureaccounts/delete

PlayFab Reader

  • Actions:
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Authorization/*/read
    • Microsoft.PlayFab/*/read

Cognitive Services Speech User

  • Actions:

    • Microsoft.CognitiveServices/*/read
  • DataActions:

    • Microsoft.CognitiveServices/accounts/SpeechServices/*/read
    • Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/write
    • Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/delete
    • Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/read
    • Microsoft.CognitiveServices/accounts/SpeechServices/*/frontend/action
    • Microsoft.CognitiveServices/accounts/SpeechServices/text-dependent/*/action
    • Microsoft.CognitiveServices/accounts/SpeechServices/text-independent/*/action
    • Microsoft.CognitiveServices/accounts/CustomVoice/*/read
    • Microsoft.CognitiveServices/accounts/CustomVoice/evaluations/*
    • Microsoft.CognitiveServices/accounts/CustomVoice/longaudiosynthesis/*
  • NotDataActions:

    • Microsoft.CognitiveServices/accounts/CustomVoice/trainingsets/files/read
    • Microsoft.CognitiveServices/accounts/CustomVoice/datasets/files/read
    • Microsoft.CognitiveServices/accounts/CustomVoice/trainingsets/utterances/read

Cognitive Services Speech Contributor

  • Actions:

    • Microsoft.CognitiveServices/*/read
  • DataActions:

    • Microsoft.CognitiveServices/accounts/SpeechServices/*
    • Microsoft.CognitiveServices/accounts/CustomVoice/*

Azure Spring Cloud Data Reader

  • DataActions:
    • Microsoft.AppPlatform/Spring/*/read

Web PubSub Service Owner (Preview)

  • DataActions:
    • Microsoft.SignalRService/WebPubSub/*

Web PubSub Service Reader (Preview)

  • DataActions:
    • Microsoft.SignalRService/WebPubSub/*/read

Media Services Media Operator

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Insights/metrics/read
    • Microsoft.Insights/metricDefinitions/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Media/mediaservices/*/read
    • Microsoft.Media/mediaservices/assets/*
    • Microsoft.Media/mediaservices/assets/assetfilters/*
    • Microsoft.Media/mediaservices/streamingLocators/*
    • Microsoft.Media/mediaservices/transforms/jobs/*
  • NotActions:

    • Microsoft.Media/mediaservices/assets/getEncryptionKey/action
    • Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action

Media Services Policy Administrator

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Insights/metrics/read
    • Microsoft.Insights/metricDefinitions/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Media/mediaservices/*/read
    • Microsoft.Media/mediaservices/assets/listStreamingLocators/action
    • Microsoft.Media/mediaservices/streamingLocators/listPaths/action
    • Microsoft.Media/mediaservices/accountFilters/*
    • Microsoft.Media/mediaservices/streamingPolicies/*
    • Microsoft.Media/mediaservices/contentKeyPolicies/*
    • Microsoft.Media/mediaservices/transforms/*
  • NotActions:

    • Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action

Media Services Live Events Administrator

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Insights/metrics/read
    • Microsoft.Insights/metricDefinitions/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Media/mediaservices/*/read
    • Microsoft.Media/mediaservices/assets/*
    • Microsoft.Media/mediaservices/assets/assetfilters/*
    • Microsoft.Media/mediaservices/streamingLocators/*
    • Microsoft.Media/mediaservices/liveEvents/*
  • NotActions:

    • Microsoft.Media/mediaservices/assets/getEncryptionKey/action
    • Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action

Cognitive Services Face Recognizer

  • DataActions:
    • Microsoft.CognitiveServices/accounts/Face/detect/action
    • Microsoft.CognitiveServices/accounts/Face/verify/action
    • Microsoft.CognitiveServices/accounts/Face/identify/action
    • Microsoft.CognitiveServices/accounts/Face/group/action
    • Microsoft.CognitiveServices/accounts/Face/findsimilars/action

Media Services Account Administrator

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Insights/metrics/read
    • Microsoft.Insights/metricDefinitions/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Media/mediaservices/*/read
    • Microsoft.Media/mediaservices/assets/listStreamingLocators/action
    • Microsoft.Media/mediaservices/streamingLocators/listPaths/action
    • Microsoft.Media/mediaservices/write
    • Microsoft.Media/mediaservices/delete
    • Microsoft.Media/mediaservices/privateEndpointConnectionsApproval/action
    • Microsoft.Media/mediaservices/privateEndpointConnections/*

Microsoft Sentinel Automation Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Logic/workflows/triggers/read
    • Microsoft.Logic/workflows/triggers/listCallbackUrl/action
    • Microsoft.Logic/workflows/runs/read

Quota Request Operator

  • Actions:
    • Microsoft.Capacity/resourceProviders/locations/serviceLimits/read
    • Microsoft.Capacity/resourceProviders/locations/serviceLimits/write
    • Microsoft.Capacity/resourceProviders/locations/serviceLimitsRequests/read
    • Microsoft.Capacity/register/action
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

FHIR Data Converter

  • DataActions:
    • Microsoft.HealthcareApis/services/fhir/resources/convertData/action
    • Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action

Collaborative Runtime Operator

  • Actions:
    • Microsoft.IndustryDataLifecycle/derivedModels/*
    • Microsoft.IndustryDataLifecycle/pipelineSets/*
    • Microsoft.IndustryDataLifecycle/modelMappings/*
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

CosmosRestoreOperator

  • Actions:
    • Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action
    • Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read
    • Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read

Object Anchors Account Owner

  • DataActions:
    • Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/action
    • Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/read

WorkloadBuilder Migration Agent Role

  • Actions:
    • Microsoft.WorkloadBuilder/migrationAgents/Read
    • Microsoft.WorkloadBuilder/migrationAgents/Write

Object Anchors Account Reader

  • DataActions:
    • Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/read

EventGrid Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.EventGrid/*
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

Security Detonation Chamber Reader

  • DataActions:
    • Microsoft.SecurityDetonation/chambers/submissions/read
    • Microsoft.SecurityDetonation/chambers/submissions/files/read

DICOM Data Owner

  • DataActions:
    • Microsoft.HealthcareApis/workspaces/dicomservices/resources/*

EventGrid Data Sender

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.EventGrid/topics/read
    • Microsoft.EventGrid/domains/read
    • Microsoft.EventGrid/partnerNamespaces/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
  • DataActions:

    • Microsoft.EventGrid/events/send/action

DICOM Data Reader

  • DataActions:
    • Microsoft.HealthcareApis/workspaces/dicomservices/resources/read

Storage Table Data Reader

  • Actions:

    • Microsoft.Storage/storageAccounts/tableServices/tables/read
  • DataActions:

    • Microsoft.Storage/storageAccounts/tableServices/tables/entities/read

Storage Table Data Contributor

  • Actions:

    • Microsoft.Storage/storageAccounts/tableServices/tables/read
    • Microsoft.Storage/storageAccounts/tableServices/tables/write
    • Microsoft.Storage/storageAccounts/tableServices/tables/delete
  • DataActions:

    • Microsoft.Storage/storageAccounts/tableServices/tables/entities/read
    • Microsoft.Storage/storageAccounts/tableServices/tables/entities/write
    • Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete
    • Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action
    • Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action

Azure Connected SQL Server Onboarding

  • Actions:
    • Microsoft.AzureArcData/sqlServerInstances/read
    • Microsoft.AzureArcData/sqlServerInstances/write

Azure Relay Sender

  • Actions:

    • Microsoft.Relay/*/wcfRelays/read
    • Microsoft.Relay/*/hybridConnections/read
  • DataActions:

    • Microsoft.Relay/*/send/action

Grafana Admin

  • DataActions:
    • Microsoft.Dashboard/grafana/ActAsGrafanaAdmin/action

Disk Pool Operator

  • Actions:
    • Microsoft.Compute/disks/write
    • Microsoft.Compute/disks/read
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read

AzureML Data Scientist

  • Actions:

    • Microsoft.MachineLearningServices/workspaces/*/read
    • Microsoft.MachineLearningServices/workspaces/*/action
    • Microsoft.MachineLearningServices/workspaces/*/delete
    • Microsoft.MachineLearningServices/workspaces/*/write
  • NotActions:

    • Microsoft.MachineLearningServices/workspaces/delete
    • Microsoft.MachineLearningServices/workspaces/write
    • Microsoft.MachineLearningServices/workspaces/computes/*/write
    • Microsoft.MachineLearningServices/workspaces/computes/*/delete
    • Microsoft.MachineLearningServices/workspaces/computes/listKeys/action
    • Microsoft.MachineLearningServices/workspaces/listKeys/action

IoT Hub Data Reader

  • DataActions:
    • Microsoft.Devices/IotHubs/*/read
    • Microsoft.Devices/IotHubs/fileUpload/notifications/action

IoT Hub Twin Contributor

  • DataActions:
    • Microsoft.Devices/IotHubs/twins/*

AnyBuild Builder

  • DataActions:
    • Microsoft.AnyBuild/clusters/build/write
    • Microsoft.AnyBuild/clusters/build/read

Media Services Streaming Endpoints Administrator

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Insights/metrics/read
    • Microsoft.Insights/metricDefinitions/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Media/mediaservices/*/read
    • Microsoft.Media/mediaservices/assets/listStreamingLocators/action
    • Microsoft.Media/mediaservices/streamingLocators/listPaths/action
    • Microsoft.Media/mediaservices/streamingEndpoints/*

Stream Analytics Query Tester

  • Actions:
    • Microsoft.StreamAnalytics/locations/TestQuery/action
    • Microsoft.StreamAnalytics/locations/OperationResults/read
    • Microsoft.StreamAnalytics/locations/SampleInput/action
    • Microsoft.StreamAnalytics/locations/CompileQuery/action

Search Index Data Reader

  • DataActions:
    • Microsoft.Search/searchServices/indexes/documents/read

Search Index Data Contributor

  • DataActions:
    • Microsoft.Search/searchServices/indexes/documents/*

Test Base Reader

  • Actions:
    • Microsoft.TestBase/testBaseAccounts/packages/testResults/getDownloadUrl/action
    • Microsoft.TestBase/testBaseAccounts/packages/testResults/getVideoDownloadUrl/action
    • Microsoft.TestBase/testBaseAccounts/packages/getDownloadUrl/action
    • Microsoft.TestBase/*/read
    • Microsoft.TestBase/testBaseAccounts/customerEvents/write
    • Microsoft.TestBase/testBaseAccounts/customerEvents/delete

IoT Hub Registry Contributor

  • DataActions:
    • Microsoft.Devices/IotHubs/devices/*

IoT Hub Data Contributor

  • DataActions:
    • Microsoft.Devices/IotHubs/*

FHIR Data Contributor

  • DataActions:
    • Microsoft.HealthcareApis/services/fhir/resources/*
    • Microsoft.HealthcareApis/workspaces/fhirservices/resources/*

EventGrid EventSubscription Reader

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.EventGrid/eventSubscriptions/read
    • Microsoft.EventGrid/topicTypes/eventSubscriptions/read
    • Microsoft.EventGrid/locations/eventSubscriptions/read
    • Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read
    • Microsoft.Resources/subscriptions/resourceGroups/read

Graph Owner

  • Actions:
    • Microsoft.EnterpriseKnowledgeGraph/services/conflation/read
    • Microsoft.EnterpriseKnowledgeGraph/services/conflation/write
    • Microsoft.EnterpriseKnowledgeGraph/services/sourceschema/read
    • Microsoft.EnterpriseKnowledgeGraph/services/sourceschema/write
    • Microsoft.EnterpriseKnowledgeGraph/services/knowledge/read
    • Microsoft.EnterpriseKnowledgeGraph/services/knowledge/write
    • Microsoft.EnterpriseKnowledgeGraph/services/intentclassification/read
    • Microsoft.EnterpriseKnowledgeGraph/services/intentclassification/write
    • Microsoft.EnterpriseKnowledgeGraph/services/ingestion/read
    • Microsoft.EnterpriseKnowledgeGraph/services/ingestion/write
    • Microsoft.EnterpriseKnowledgeGraph/services/ontology/read
    • Microsoft.EnterpriseKnowledgeGraph/services/ontology/write
    • Microsoft.EnterpriseKnowledgeGraph/services/delete
    • Microsoft.EnterpriseKnowledgeGraph/operations/read

EventGrid EventSubscription Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.EventGrid/eventSubscriptions/*
    • Microsoft.EventGrid/topicTypes/eventSubscriptions/read
    • Microsoft.EventGrid/locations/eventSubscriptions/read
    • Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

DocumentDB Account Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.DocumentDb/databaseAccounts/*
    • Microsoft.Insights/alertRules/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action

DNS Zone Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Network/dnsZones/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

Knowledge Consumer

  • Actions:
    • Microsoft.EnterpriseKnowledgeGraph/services/knowledge/read

Lab Creator

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.LabServices/labAccounts/*/read
    • Microsoft.LabServices/labAccounts/createLab/action
    • Microsoft.LabServices/labAccounts/getPricingAndAvailability/action
    • Microsoft.LabServices/labAccounts/getRestrictionsAndUsage/action
    • Microsoft.Insights/alertRules/*
    • Microsoft.LabServices/labPlans/images/read
    • Microsoft.LabServices/labPlans/read
    • Microsoft.LabServices/labPlans/saveImage/action
    • Microsoft.LabServices/labs/read
    • Microsoft.LabServices/labs/schedules/read
    • Microsoft.LabServices/labs/users/read
    • Microsoft.LabServices/labs/virtualMachines/read
    • Microsoft.LabServices/locations/usages/read
    • Microsoft.LabServices/skus/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
  • DataActions:

    • Microsoft.LabServices/labPlans/createLab/action

Key Vault Contributor

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.KeyVault/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
  • NotActions:

    • Microsoft.KeyVault/locations/deletedVaults/purge/action
    • Microsoft.KeyVault/hsmPools/*
    • Microsoft.KeyVault/managedHsms/*

HDInsight Domain Services Contributor

  • Actions:
    • Microsoft.AAD/*/read
    • Microsoft.AAD/domainServices/*/read
    • Microsoft.AAD/domainServices/oucontainer/*

Intelligent Systems Account Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.IntelligentSystems/accounts/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

Cost Management Reader

  • Actions:
    • Microsoft.Consumption/*/read
    • Microsoft.CostManagement/*/read
    • Microsoft.Billing/billingPeriods/read
    • Microsoft.Resources/subscriptions/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • Microsoft.Advisor/configurations/read
    • Microsoft.Advisor/recommendations/read
    • Microsoft.Management/managementGroups/read
    • Microsoft.Billing/billingProperty/read

Data Box Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • Microsoft.Databox/*

Cost Management Contributor

  • Actions:
    • Microsoft.Consumption/*
    • Microsoft.CostManagement/*
    • Microsoft.Billing/billingPeriods/read
    • Microsoft.Resources/subscriptions/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • Microsoft.Advisor/configurations/read
    • Microsoft.Advisor/recommendations/read
    • Microsoft.Management/managementGroups/read
    • Microsoft.Billing/billingProperty/read

Contributor

  • Actions:

    • *
  • NotActions:

    • Microsoft.Authorization/*/Delete
    • Microsoft.Authorization/*/Write
    • Microsoft.Authorization/elevateAccess/Action
    • Microsoft.Blueprint/blueprintAssignments/write
    • Microsoft.Blueprint/blueprintAssignments/delete
    • Microsoft.Compute/galleries/share/action

Cosmos DB Account Reader Role

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.DocumentDB/*/read
    • Microsoft.DocumentDB/databaseAccounts/readonlykeys/action
    • Microsoft.Insights/MetricDefinitions/read
    • Microsoft.Insights/Metrics/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

Data Lake Analytics Developer

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.BigAnalytics/accounts/*
    • Microsoft.DataLakeAnalytics/accounts/*
    • Microsoft.Insights/alertRules/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
  • NotActions:

    • Microsoft.BigAnalytics/accounts/Delete
    • Microsoft.BigAnalytics/accounts/TakeOwnership/action
    • Microsoft.BigAnalytics/accounts/Write
    • Microsoft.DataLakeAnalytics/accounts/Delete
    • Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action
    • Microsoft.DataLakeAnalytics/accounts/Write
    • Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write
    • Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete
    • Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write
    • Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete
    • Microsoft.DataLakeAnalytics/accounts/firewallRules/Write
    • Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete
    • Microsoft.DataLakeAnalytics/accounts/computePolicies/Write
    • Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete

DevTest Labs User

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Compute/availabilitySets/read
    • Microsoft.Compute/virtualMachines/*/read
    • Microsoft.Compute/virtualMachines/deallocate/action
    • Microsoft.Compute/virtualMachines/read
    • Microsoft.Compute/virtualMachines/restart/action
    • Microsoft.Compute/virtualMachines/start/action
    • Microsoft.DevTestLab/*/read
    • Microsoft.DevTestLab/labs/claimAnyVm/action
    • Microsoft.DevTestLab/labs/createEnvironment/action
    • Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action
    • Microsoft.DevTestLab/labs/formulas/delete
    • Microsoft.DevTestLab/labs/formulas/read
    • Microsoft.DevTestLab/labs/formulas/write
    • Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action
    • Microsoft.DevTestLab/labs/virtualMachines/claim/action
    • Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action
    • Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action
    • Microsoft.Network/loadBalancers/backendAddressPools/join/action
    • Microsoft.Network/loadBalancers/inboundNatRules/join/action
    • Microsoft.Network/networkInterfaces/*/read
    • Microsoft.Network/networkInterfaces/join/action
    • Microsoft.Network/networkInterfaces/read
    • Microsoft.Network/networkInterfaces/write
    • Microsoft.Network/publicIPAddresses/*/read
    • Microsoft.Network/publicIPAddresses/join/action
    • Microsoft.Network/publicIPAddresses/read
    • Microsoft.Network/virtualNetworks/subnets/join/action
    • Microsoft.Resources/deployments/operations/read
    • Microsoft.Resources/deployments/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Storage/storageAccounts/listKeys/action
  • NotActions:

    • Microsoft.Compute/virtualMachines/vmSizes/read

Data Purger

  • Actions:
    • Microsoft.Insights/components/*/read
    • Microsoft.Insights/components/purge/action
    • Microsoft.OperationalInsights/workspaces/*/read
    • Microsoft.OperationalInsights/workspaces/purge/action

Data Box Reader

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Databox/*/read
    • Microsoft.Databox/jobs/listsecrets/action
    • Microsoft.Databox/jobs/listcredentials/action
    • Microsoft.Databox/locations/availableSkus/action
    • Microsoft.Databox/locations/validateInputs/action
    • Microsoft.Databox/locations/regionConfiguration/action
    • Microsoft.Databox/locations/validateAddress/action
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Support/*

Data Factory Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.DataFactory/dataFactories/*
    • Microsoft.DataFactory/factories/*
    • Microsoft.Insights/alertRules/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • Microsoft.EventGrid/eventSubscriptions/write

Monitoring Contributor

  • Actions:
    • */read
    • Microsoft.AlertsManagement/alerts/*
    • Microsoft.AlertsManagement/alertsSummary/*
    • Microsoft.Insights/actiongroups/*
    • Microsoft.Insights/activityLogAlerts/*
    • Microsoft.Insights/AlertRules/*
    • Microsoft.Insights/components/*
    • Microsoft.Insights/dataCollectionEndpoints/*
    • Microsoft.Insights/dataCollectionRules/*
    • Microsoft.Insights/dataCollectionRuleAssociations/*
    • Microsoft.Insights/DiagnosticSettings/*
    • Microsoft.Insights/eventtypes/*
    • Microsoft.Insights/LogDefinitions/*
    • Microsoft.Insights/metricalerts/*
    • Microsoft.Insights/MetricDefinitions/*
    • Microsoft.Insights/Metrics/*
    • Microsoft.Insights/Register/Action
    • Microsoft.Insights/scheduledqueryrules/*
    • Microsoft.Insights/webtests/*
    • Microsoft.Insights/workbooks/*
    • Microsoft.Insights/workbooktemplates/*
    • Microsoft.Insights/privateLinkScopes/*
    • Microsoft.Insights/privateLinkScopeOperationStatuses/*
    • Microsoft.OperationalInsights/workspaces/write
    • Microsoft.OperationalInsights/workspaces/intelligencepacks/*
    • Microsoft.OperationalInsights/workspaces/savedSearches/*
    • Microsoft.OperationalInsights/workspaces/search/action
    • Microsoft.OperationalInsights/workspaces/sharedKeys/action
    • Microsoft.OperationalInsights/workspaces/storageinsightconfigs/*
    • Microsoft.Support/*
    • Microsoft.WorkloadMonitor/monitors/*
    • Microsoft.AlertsManagement/smartDetectorAlertRules/*
    • Microsoft.AlertsManagement/actionRules/*
    • Microsoft.AlertsManagement/smartGroups/*

New Relic APM Account Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • NewRelic.APM/accounts/*

Network Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Network/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

Monitoring Metrics Publisher

  • Actions:

    • Microsoft.Insights/Register/Action
    • Microsoft.Support/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
  • DataActions:

    • Microsoft.Insights/Metrics/Write
    • Microsoft.Insights/Telemetry/Write

Monitoring Reader

  • Actions:
    • */read
    • Microsoft.OperationalInsights/workspaces/search/action
    • Microsoft.Support/*

Reader and Data Access

  • Actions:
    • Microsoft.Storage/storageAccounts/listKeys/action
    • Microsoft.Storage/storageAccounts/ListAccountSas/action
    • Microsoft.Storage/storageAccounts/read

Resource Policy Contributor

  • Actions:
    • */read
    • Microsoft.Authorization/policyassignments/*
    • Microsoft.Authorization/policydefinitions/*
    • Microsoft.Authorization/policyexemptions/*
    • Microsoft.Authorization/policysetdefinitions/*
    • Microsoft.PolicyInsights/*
    • Microsoft.Support/*

Redis Cache Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Cache/register/action
    • Microsoft.Cache/redis/*
    • Microsoft.Insights/alertRules/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

Owner

  • Actions:
    • *

Reader

  • Actions:
    • */read

Logic App Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.ClassicStorage/storageAccounts/listKeys/action
    • Microsoft.ClassicStorage/storageAccounts/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Insights/metricAlerts/*
    • Microsoft.Insights/diagnosticSettings/*
    • Microsoft.Insights/logdefinitions/*
    • Microsoft.Insights/metricDefinitions/*
    • Microsoft.Logic/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/operationresults/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Storage/storageAccounts/listkeys/action
    • Microsoft.Storage/storageAccounts/read
    • Microsoft.Support/*
    • Microsoft.Web/connectionGateways/*
    • Microsoft.Web/connections/*
    • Microsoft.Web/customApis/*
    • Microsoft.Web/serverFarms/join/action
    • Microsoft.Web/serverFarms/read
    • Microsoft.Web/sites/functions/listSecrets/action

Managed Application Operator Role

  • Actions:
    • */read
    • Microsoft.Solutions/applications/read
    • Microsoft.Solutions/*/action

Logic App Operator

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*/read
    • Microsoft.Insights/metricAlerts/*/read
    • Microsoft.Insights/diagnosticSettings/*/read
    • Microsoft.Insights/metricDefinitions/*/read
    • Microsoft.Logic/*/read
    • Microsoft.Logic/workflows/disable/action
    • Microsoft.Logic/workflows/enable/action
    • Microsoft.Logic/workflows/validate/action
    • Microsoft.Resources/deployments/operations/read
    • Microsoft.Resources/subscriptions/operationresults/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • Microsoft.Web/connectionGateways/*/read
    • Microsoft.Web/connections/*/read
    • Microsoft.Web/customApis/*/read
    • Microsoft.Web/serverFarms/read

Log Analytics Reader

  • Actions:

    • */read
    • Microsoft.OperationalInsights/workspaces/analytics/query/action
    • Microsoft.OperationalInsights/workspaces/search/action
    • Microsoft.Support/*
  • NotActions:

    • Microsoft.OperationalInsights/workspaces/sharedKeys/read

Log Analytics Contributor

  • Actions:
    • */read
    • Microsoft.ClassicCompute/virtualMachines/extensions/*
    • Microsoft.ClassicStorage/storageAccounts/listKeys/action
    • Microsoft.Compute/virtualMachines/extensions/*
    • Microsoft.HybridCompute/machines/extensions/write
    • Microsoft.Insights/alertRules/*
    • Microsoft.Insights/diagnosticSettings/*
    • Microsoft.OperationalInsights/*
    • Microsoft.OperationsManagement/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourcegroups/deployments/*
    • Microsoft.Storage/storageAccounts/listKeys/action
    • Microsoft.Support/*

Management Group Contributor

  • Actions:
    • Microsoft.Management/managementGroups/delete
    • Microsoft.Management/managementGroups/read
    • Microsoft.Management/managementGroups/subscriptions/delete
    • Microsoft.Management/managementGroups/subscriptions/write
    • Microsoft.Management/managementGroups/write
    • Microsoft.Management/managementGroups/subscriptions/read

Management Group Reader

  • Actions:
    • Microsoft.Management/managementGroups/read
    • Microsoft.Management/managementGroups/subscriptions/read

Managed Identity Contributor

  • Actions:
    • Microsoft.ManagedIdentity/userAssignedIdentities/read
    • Microsoft.ManagedIdentity/userAssignedIdentities/write
    • Microsoft.ManagedIdentity/userAssignedIdentities/delete
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Support/*

Managed Applications Reader

  • Actions:
    • */read
    • Microsoft.Resources/deployments/*
    • Microsoft.Solutions/jitRequests/*

Managed Identity Operator

  • Actions:
    • Microsoft.ManagedIdentity/userAssignedIdentities/*/read
    • Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Support/*

Automation Runbook Operator

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Automation/automationAccounts/runbooks/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

Automation Operator

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read
    • Microsoft.Automation/automationAccounts/jobs/read
    • Microsoft.Automation/automationAccounts/jobs/resume/action
    • Microsoft.Automation/automationAccounts/jobs/stop/action
    • Microsoft.Automation/automationAccounts/jobs/streams/read
    • Microsoft.Automation/automationAccounts/jobs/suspend/action
    • Microsoft.Automation/automationAccounts/jobs/write
    • Microsoft.Automation/automationAccounts/jobSchedules/read
    • Microsoft.Automation/automationAccounts/jobSchedules/write
    • Microsoft.Automation/automationAccounts/linkedWorkspace/read
    • Microsoft.Automation/automationAccounts/read
    • Microsoft.Automation/automationAccounts/runbooks/read
    • Microsoft.Automation/automationAccounts/schedules/read
    • Microsoft.Automation/automationAccounts/schedules/write
    • Microsoft.Insights/alertRules/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Automation/automationAccounts/jobs/output/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

Automation Job Operator

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read
    • Microsoft.Automation/automationAccounts/jobs/read
    • Microsoft.Automation/automationAccounts/jobs/resume/action
    • Microsoft.Automation/automationAccounts/jobs/stop/action
    • Microsoft.Automation/automationAccounts/jobs/streams/read
    • Microsoft.Automation/automationAccounts/jobs/suspend/action
    • Microsoft.Automation/automationAccounts/jobs/write
    • Microsoft.Automation/automationAccounts/jobs/output/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

Application Insights Snapshot Debugger

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Insights/components/*/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

Attestation Reader

  • Actions:
    • Microsoft.Attestation/attestationProviders/attestation/read

Azure Kubernetes Service Cluster User Role

  • Actions:
    • Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
    • Microsoft.ContainerService/managedClusters/read

Azure Maps Data Reader

  • DataActions:
    • Microsoft.Maps/accounts/*/read

Azure Kubernetes Service Cluster Admin Role

  • Actions:
    • Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action
    • Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action
    • Microsoft.ContainerService/managedClusters/read

Avere Contributor

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Compute/*/read
    • Microsoft.Compute/availabilitySets/*
    • Microsoft.Compute/proximityPlacementGroups/*
    • Microsoft.Compute/virtualMachines/*
    • Microsoft.Compute/disks/*
    • Microsoft.Network/*/read
    • Microsoft.Network/networkInterfaces/*
    • Microsoft.Network/virtualNetworks/read
    • Microsoft.Network/virtualNetworks/subnets/read
    • Microsoft.Network/virtualNetworks/subnets/join/action
    • Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action
    • Microsoft.Network/networkSecurityGroups/join/action
    • Microsoft.Resources/deployments/*
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Storage/*/read
    • Microsoft.Storage/storageAccounts/*
    • Microsoft.Support/*
    • Microsoft.Resources/subscriptions/resourceGroups/resources/read
  • DataActions:

    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write

Avere Operator

  • Actions:

    • Microsoft.Compute/virtualMachines/read
    • Microsoft.Network/networkInterfaces/read
    • Microsoft.Network/networkInterfaces/write
    • Microsoft.Network/virtualNetworks/read
    • Microsoft.Network/virtualNetworks/subnets/read
    • Microsoft.Network/virtualNetworks/subnets/join/action
    • Microsoft.Network/networkSecurityGroups/join/action
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Storage/storageAccounts/blobServices/containers/delete
    • Microsoft.Storage/storageAccounts/blobServices/containers/read
    • Microsoft.Storage/storageAccounts/blobServices/containers/write
  • DataActions:

    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write

AcrImageSigner

  • Actions:

    • Microsoft.ContainerRegistry/registries/sign/write
  • DataActions:

    • Microsoft.ContainerRegistry/registries/trustedCollections/write

AcrDelete

  • Actions:
    • Microsoft.ContainerRegistry/registries/artifacts/delete

AcrPull

  • Actions:
    • Microsoft.ContainerRegistry/registries/pull/read

AcrPush

  • Actions:
    • Microsoft.ContainerRegistry/registries/pull/read
    • Microsoft.ContainerRegistry/registries/push/write

API Management Service Contributor

  • Actions:
    • Microsoft.ApiManagement/service/*
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

API Management Service Reader Role

  • Actions:

    • Microsoft.ApiManagement/service/*/read
    • Microsoft.ApiManagement/service/read
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
  • NotActions:

    • Microsoft.ApiManagement/service/users/keys/read

Application Insights Component Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Insights/generateLiveToken/read
    • Microsoft.Insights/metricAlerts/*
    • Microsoft.Insights/components/*
    • Microsoft.Insights/scheduledqueryrules/*
    • Microsoft.Insights/topology/read
    • Microsoft.Insights/transactions/read
    • Microsoft.Insights/webtests/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

API Management Service Operator Role

  • Actions:

    • Microsoft.ApiManagement/service/*/read
    • Microsoft.ApiManagement/service/backup/action
    • Microsoft.ApiManagement/service/delete
    • Microsoft.ApiManagement/service/managedeployments/action
    • Microsoft.ApiManagement/service/read
    • Microsoft.ApiManagement/service/restore/action
    • Microsoft.ApiManagement/service/updatecertificate/action
    • Microsoft.ApiManagement/service/updatehostname/action
    • Microsoft.ApiManagement/service/write
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
  • NotActions:

    • Microsoft.ApiManagement/service/users/keys/read

AcrQuarantineReader

  • Actions:

    • Microsoft.ContainerRegistry/registries/quarantine/read
  • DataActions:

    • Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read

AcrQuarantineWriter

  • Actions:

    • Microsoft.ContainerRegistry/registries/quarantine/read
    • Microsoft.ContainerRegistry/registries/quarantine/write
  • DataActions:

    • Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read
    • Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write

Classic Storage Account Key Operator Service Role

  • Actions:
    • Microsoft.ClassicStorage/storageAccounts/listkeys/action
    • Microsoft.ClassicStorage/storageAccounts/regeneratekey/action

ClearDB MySQL DB Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • successbricks.cleardb/databases/*

Classic Storage Account Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.ClassicStorage/storageAccounts/*
    • Microsoft.Insights/alertRules/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

CDN Profile Reader

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Cdn/edgenodes/read
    • Microsoft.Cdn/operationresults/*
    • Microsoft.Cdn/profiles/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

Classic Network Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.ClassicNetwork/*
    • Microsoft.Insights/alertRules/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

Cognitive Services Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.CognitiveServices/*
    • Microsoft.Features/features/read
    • Microsoft.Features/providers/features/read
    • Microsoft.Features/providers/features/register/action
    • Microsoft.Insights/alertRules/*
    • Microsoft.Insights/diagnosticSettings/*
    • Microsoft.Insights/logDefinitions/read
    • Microsoft.Insights/metricdefinitions/read
    • Microsoft.Insights/metrics/read
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/deployments/operations/read
    • Microsoft.Resources/subscriptions/operationresults/read
    • Microsoft.Resources/subscriptions/read
    • Microsoft.Resources/subscriptions/resourcegroups/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

CosmosBackupOperator

  • Actions:
    • Microsoft.DocumentDB/databaseAccounts/backup/action
    • Microsoft.DocumentDB/databaseAccounts/restore/action

Cognitive Services Data Reader (Preview)

  • DataActions:
    • Microsoft.CognitiveServices/*/read

Classic Virtual Machine Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.ClassicCompute/domainNames/*
    • Microsoft.ClassicCompute/virtualMachines/*
    • Microsoft.ClassicNetwork/networkSecurityGroups/join/action
    • Microsoft.ClassicNetwork/reservedIps/link/action
    • Microsoft.ClassicNetwork/reservedIps/read
    • Microsoft.ClassicNetwork/virtualNetworks/join/action
    • Microsoft.ClassicNetwork/virtualNetworks/read
    • Microsoft.ClassicStorage/storageAccounts/disks/read
    • Microsoft.ClassicStorage/storageAccounts/images/read
    • Microsoft.ClassicStorage/storageAccounts/listKeys/action
    • Microsoft.ClassicStorage/storageAccounts/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

Cognitive Services User

  • Actions:

    • Microsoft.CognitiveServices/*/read
    • Microsoft.CognitiveServices/accounts/listkeys/action
    • Microsoft.Insights/alertRules/read
    • Microsoft.Insights/diagnosticSettings/read
    • Microsoft.Insights/logDefinitions/read
    • Microsoft.Insights/metricdefinitions/read
    • Microsoft.Insights/metrics/read
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/operations/read
    • Microsoft.Resources/subscriptions/operationresults/read
    • Microsoft.Resources/subscriptions/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
  • DataActions:

    • Microsoft.CognitiveServices/*

Backup Operator

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Network/virtualNetworks/read
    • Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action
    • Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read
    • Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action
    • Microsoft.RecoveryServices/Vaults/backupJobs/*
    • Microsoft.RecoveryServices/Vaults/backupJobsExport/action
    • Microsoft.RecoveryServices/Vaults/backupOperationResults/*
    • Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read
    • Microsoft.RecoveryServices/Vaults/backupPolicies/read
    • Microsoft.RecoveryServices/Vaults/backupProtectableItems/*
    • Microsoft.RecoveryServices/Vaults/backupProtectedItems/read
    • Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read
    • Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read
    • Microsoft.RecoveryServices/Vaults/certificates/write
    • Microsoft.RecoveryServices/Vaults/extendedInformation/read
    • Microsoft.RecoveryServices/Vaults/extendedInformation/write
    • Microsoft.RecoveryServices/Vaults/monitoringAlerts/read
    • Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*
    • Microsoft.RecoveryServices/Vaults/read
    • Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read
    • Microsoft.RecoveryServices/Vaults/registeredIdentities/read
    • Microsoft.RecoveryServices/Vaults/registeredIdentities/write
    • Microsoft.RecoveryServices/Vaults/usages/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Storage/storageAccounts/read
    • Microsoft.RecoveryServices/Vaults/backupstorageconfig/*
    • Microsoft.RecoveryServices/Vaults/backupValidateOperation/action
    • Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action
    • Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read
    • Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read
    • Microsoft.RecoveryServices/Vaults/backupOperations/read
    • Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action
    • Microsoft.RecoveryServices/Vaults/backupEngines/read
    • Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write
    • Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read
    • Microsoft.RecoveryServices/locations/backupStatus/action
    • Microsoft.RecoveryServices/locations/backupPreValidateProtection/action
    • Microsoft.RecoveryServices/locations/backupValidateFeatures/action
    • Microsoft.RecoveryServices/locations/backupAadProperties/read
    • Microsoft.RecoveryServices/locations/backupCrrJobs/action
    • Microsoft.RecoveryServices/locations/backupCrrJob/action
    • Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action
    • Microsoft.RecoveryServices/locations/backupCrrOperationResults/read
    • Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read
    • Microsoft.RecoveryServices/Vaults/monitoringAlerts/write
    • Microsoft.RecoveryServices/operations/read
    • Microsoft.RecoveryServices/locations/operationStatus/read
    • Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read
    • Microsoft.Support/*
    • Microsoft.DataProtection/backupVaults/backupInstances/read
    • Microsoft.DataProtection/backupVaults/backupInstances/read
    • Microsoft.DataProtection/backupVaults/backupPolicies/read
    • Microsoft.DataProtection/backupVaults/backupPolicies/read
    • Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read
    • Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read
    • Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action
    • Microsoft.DataProtection/backupVaults/read
    • Microsoft.DataProtection/backupVaults/operationResults/read
    • Microsoft.DataProtection/backupVaults/read
    • Microsoft.DataProtection/backupVaults/read
    • Microsoft.DataProtection/locations/operationStatus/read
    • Microsoft.DataProtection/locations/operationResults/read
    • Microsoft.DataProtection/providers/operations/read

Backup Reader

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.RecoveryServices/locations/allocatedStamp/read
    • Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read
    • Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read
    • Microsoft.RecoveryServices/Vaults/backupJobs/read
    • Microsoft.RecoveryServices/Vaults/backupJobsExport/action
    • Microsoft.RecoveryServices/Vaults/backupOperationResults/read
    • Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read
    • Microsoft.RecoveryServices/Vaults/backupPolicies/read
    • Microsoft.RecoveryServices/Vaults/backupProtectedItems/read
    • Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read
    • Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read
    • Microsoft.RecoveryServices/Vaults/extendedInformation/read
    • Microsoft.RecoveryServices/Vaults/monitoringAlerts/read
    • Microsoft.RecoveryServices/Vaults/read
    • Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read
    • Microsoft.RecoveryServices/Vaults/registeredIdentities/read
    • Microsoft.RecoveryServices/Vaults/backupstorageconfig/read
    • Microsoft.RecoveryServices/Vaults/backupconfig/read
    • Microsoft.RecoveryServices/Vaults/backupOperations/read
    • Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read
    • Microsoft.RecoveryServices/Vaults/backupEngines/read
    • Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read
    • Microsoft.RecoveryServices/locations/backupStatus/action
    • Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*
    • Microsoft.RecoveryServices/Vaults/monitoringAlerts/write
    • Microsoft.RecoveryServices/operations/read
    • Microsoft.RecoveryServices/locations/operationStatus/read
    • Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read
    • Microsoft.RecoveryServices/Vaults/usages/read
    • Microsoft.RecoveryServices/locations/backupValidateFeatures/action
    • Microsoft.RecoveryServices/locations/backupCrrJobs/action
    • Microsoft.RecoveryServices/locations/backupCrrJob/action
    • Microsoft.RecoveryServices/locations/backupCrrOperationResults/read
    • Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read
    • Microsoft.DataProtection/locations/getBackupStatus/action
    • Microsoft.DataProtection/backupVaults/backupInstances/write
    • Microsoft.DataProtection/backupVaults/backupInstances/read
    • Microsoft.DataProtection/backupVaults/backupInstances/read
    • Microsoft.DataProtection/backupVaults/backupInstances/backup/action
    • Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action
    • Microsoft.DataProtection/backupVaults/backupInstances/restore/action
    • Microsoft.DataProtection/backupVaults/backupPolicies/read
    • Microsoft.DataProtection/backupVaults/backupPolicies/read
    • Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read
    • Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read
    • Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action
    • Microsoft.DataProtection/backupVaults/read
    • Microsoft.DataProtection/backupVaults/operationResults/read
    • Microsoft.DataProtection/backupVaults/read
    • Microsoft.DataProtection/backupVaults/read
    • Microsoft.DataProtection/locations/operationStatus/read
    • Microsoft.DataProtection/locations/operationResults/read
    • Microsoft.DataProtection/backupVaults/validateForBackup/action
    • Microsoft.DataProtection/providers/operations/read

Billing Reader

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Billing/*/read
    • Microsoft.Commerce/*/read
    • Microsoft.Consumption/*/read
    • Microsoft.Management/managementGroups/read
    • Microsoft.CostManagement/*/read
    • Microsoft.Support/*

Azure Stack Registration Owner

  • Actions:
    • Microsoft.AzureStack/edgeSubscriptions/read
    • Microsoft.AzureStack/registrations/products/*/action
    • Microsoft.AzureStack/registrations/products/read
    • Microsoft.AzureStack/registrations/read

Backup Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Network/virtualNetworks/read
    • Microsoft.RecoveryServices/locations/*
    • Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/*
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/*
    • Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action
    • Microsoft.RecoveryServices/Vaults/backupJobs/*
    • Microsoft.RecoveryServices/Vaults/backupJobsExport/action
    • Microsoft.RecoveryServices/Vaults/backupOperationResults/*
    • Microsoft.RecoveryServices/Vaults/backupPolicies/*
    • Microsoft.RecoveryServices/Vaults/backupProtectableItems/*
    • Microsoft.RecoveryServices/Vaults/backupProtectedItems/*
    • Microsoft.RecoveryServices/Vaults/backupProtectionContainers/*
    • Microsoft.RecoveryServices/Vaults/backupSecurityPIN/*
    • Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read
    • Microsoft.RecoveryServices/Vaults/certificates/*
    • Microsoft.RecoveryServices/Vaults/extendedInformation/*
    • Microsoft.RecoveryServices/Vaults/monitoringAlerts/read
    • Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*
    • Microsoft.RecoveryServices/Vaults/read
    • Microsoft.RecoveryServices/Vaults/registeredIdentities/*
    • Microsoft.RecoveryServices/Vaults/usages/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Storage/storageAccounts/read
    • Microsoft.RecoveryServices/Vaults/backupstorageconfig/*
    • Microsoft.RecoveryServices/Vaults/backupconfig/*
    • Microsoft.RecoveryServices/Vaults/backupValidateOperation/action
    • Microsoft.RecoveryServices/Vaults/write
    • Microsoft.RecoveryServices/Vaults/backupOperations/read
    • Microsoft.RecoveryServices/Vaults/backupEngines/read
    • Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read
    • Microsoft.RecoveryServices/locations/backupStatus/action
    • Microsoft.RecoveryServices/locations/backupPreValidateProtection/action
    • Microsoft.RecoveryServices/locations/backupValidateFeatures/action
    • Microsoft.RecoveryServices/Vaults/monitoringAlerts/write
    • Microsoft.RecoveryServices/operations/read
    • Microsoft.RecoveryServices/locations/operationStatus/read
    • Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read
    • Microsoft.Support/*
    • Microsoft.DataProtection/locations/getBackupStatus/action
    • Microsoft.DataProtection/backupVaults/backupInstances/write
    • Microsoft.DataProtection/backupVaults/backupInstances/delete
    • Microsoft.DataProtection/backupVaults/backupInstances/read
    • Microsoft.DataProtection/backupVaults/backupInstances/read
    • Microsoft.DataProtection/backupVaults/backupInstances/backup/action
    • Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action
    • Microsoft.DataProtection/backupVaults/backupInstances/restore/action
    • Microsoft.DataProtection/backupVaults/backupPolicies/write
    • Microsoft.DataProtection/backupVaults/backupPolicies/delete
    • Microsoft.DataProtection/backupVaults/backupPolicies/read
    • Microsoft.DataProtection/backupVaults/backupPolicies/read
    • Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read
    • Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read
    • Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action
    • Microsoft.DataProtection/backupVaults/write
    • Microsoft.DataProtection/backupVaults/read
    • Microsoft.DataProtection/backupVaults/operationResults/read
    • Microsoft.DataProtection/locations/checkNameAvailability/action
    • Microsoft.DataProtection/backupVaults/read
    • Microsoft.DataProtection/backupVaults/read
    • Microsoft.DataProtection/locations/operationStatus/read
    • Microsoft.DataProtection/locations/operationResults/read
    • Microsoft.DataProtection/backupVaults/validateForBackup/action
    • Microsoft.DataProtection/providers/operations/read

CDN Endpoint Reader

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Cdn/edgenodes/read
    • Microsoft.Cdn/operationresults/*
    • Microsoft.Cdn/profiles/endpoints/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

CDN Profile Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Cdn/edgenodes/read
    • Microsoft.Cdn/operationresults/*
    • Microsoft.Cdn/profiles/*
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

CDN Endpoint Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Cdn/edgenodes/read
    • Microsoft.Cdn/operationresults/*
    • Microsoft.Cdn/profiles/endpoints/*
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

Blockchain Member Node Access (Preview)

  • Actions:

    • Microsoft.Blockchain/blockchainMembers/transactionNodes/read
  • DataActions:

    • Microsoft.Blockchain/blockchainMembers/transactionNodes/connect/action

BizTalk Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.BizTalkServices/BizTalk/*
    • Microsoft.Insights/alertRules/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

Microsoft Sentinel Reader

  • Actions:
    • Microsoft.SecurityInsights/*/read
    • Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action
    • Microsoft.SecurityInsights/threatIntelligence/indicators/query/action
    • Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action
    • Microsoft.OperationalInsights/workspaces/analytics/query/action
    • Microsoft.OperationalInsights/workspaces/*/read
    • Microsoft.OperationalInsights/workspaces/LinkedServices/read
    • Microsoft.OperationalInsights/workspaces/savedSearches/read
    • Microsoft.OperationsManagement/solutions/read
    • Microsoft.OperationalInsights/workspaces/query/read
    • Microsoft.OperationalInsights/workspaces/query/*/read
    • Microsoft.OperationalInsights/querypacks/*/read
    • Microsoft.OperationalInsights/workspaces/dataSources/read
    • Microsoft.Insights/workbooks/read
    • Microsoft.Insights/myworkbooks/read
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

Workbook Reader

  • Actions:
    • microsoft.insights/workbooks/read
    • microsoft.insights/workbooktemplates/read

Microsoft Sentinel Responder

  • Actions:

    • Microsoft.SecurityInsights/*/read
    • Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action
    • Microsoft.SecurityInsights/automationRules/*
    • Microsoft.SecurityInsights/cases/*
    • Microsoft.SecurityInsights/incidents/*
    • Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action
    • Microsoft.SecurityInsights/threatIntelligence/indicators/query/action
    • Microsoft.SecurityInsights/threatIntelligence/bulkTag/action
    • Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action
    • Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action
    • Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action
    • Microsoft.OperationalInsights/workspaces/analytics/query/action
    • Microsoft.OperationalInsights/workspaces/*/read
    • Microsoft.OperationalInsights/workspaces/dataSources/read
    • Microsoft.OperationalInsights/workspaces/savedSearches/read
    • Microsoft.OperationsManagement/solutions/read
    • Microsoft.OperationalInsights/workspaces/query/read
    • Microsoft.OperationalInsights/workspaces/query/*/read
    • Microsoft.OperationalInsights/workspaces/dataSources/read
    • Microsoft.OperationalInsights/querypacks/*/read
    • Microsoft.Insights/workbooks/read
    • Microsoft.Insights/myworkbooks/read
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
  • NotActions:

    • Microsoft.SecurityInsights/cases/*/Delete
    • Microsoft.SecurityInsights/incidents/*/Delete

Blueprint Operator

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Blueprint/blueprintAssignments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Support/*

Microsoft Sentinel Contributor

  • Actions:
    • Microsoft.SecurityInsights/*
    • Microsoft.OperationalInsights/workspaces/analytics/query/action
    • Microsoft.OperationalInsights/workspaces/*/read
    • Microsoft.OperationalInsights/workspaces/savedSearches/*
    • Microsoft.OperationsManagement/solutions/read
    • Microsoft.OperationalInsights/workspaces/query/read
    • Microsoft.OperationalInsights/workspaces/query/*/read
    • Microsoft.OperationalInsights/workspaces/dataSources/read
    • Microsoft.OperationalInsights/querypacks/*/read
    • Microsoft.Insights/workbooks/*
    • Microsoft.Insights/myworkbooks/read
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

SignalR/Web PubSub Contributor

  • Actions:
    • Microsoft.SignalRService/*
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Support/*

Azure Connected Machine Onboarding

  • Actions:
    • Microsoft.HybridCompute/machines/read
    • Microsoft.HybridCompute/machines/write
    • Microsoft.HybridCompute/privateLinkScopes/read
    • Microsoft.GuestConfiguration/guestConfigurationAssignments/read

SignalR AccessKey Reader

  • Actions:
    • Microsoft.SignalRService/*/read
    • Microsoft.SignalRService/SignalR/listkeys/action
    • Microsoft.Authorization/*/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

Workbook Contributor

  • Actions:
    • Microsoft.Insights/workbooks/write
    • Microsoft.Insights/workbooks/delete
    • Microsoft.Insights/workbooks/read
    • Microsoft.Insights/workbooktemplates/write
    • Microsoft.Insights/workbooktemplates/delete
    • Microsoft.Insights/workbooktemplates/read

Policy Insights Data Writer (Preview)

  • Actions:

    • Microsoft.Authorization/policyassignments/read
    • Microsoft.Authorization/policydefinitions/read
    • Microsoft.Authorization/policyexemptions/read
    • Microsoft.Authorization/policysetdefinitions/read
  • DataActions:

    • Microsoft.PolicyInsights/checkDataPolicyCompliance/action
    • Microsoft.PolicyInsights/policyEvents/logDataEvents/action

Storage File Data SMB Share Reader

  • DataActions:
    • Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read

Storage File Data SMB Share Contributor

  • DataActions:
    • Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read
    • Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write
    • Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete

Azure Service Bus Data Sender

  • Actions:

    • Microsoft.ServiceBus/*/queues/read
    • Microsoft.ServiceBus/*/topics/read
    • Microsoft.ServiceBus/*/topics/subscriptions/read
  • DataActions:

    • Microsoft.ServiceBus/*/send/action

Azure Event Hubs Data Sender

  • Actions:

    • Microsoft.EventHub/*/eventhubs/read
  • DataActions:

    • Microsoft.EventHub/*/send/action

Azure Service Bus Data Receiver

  • Actions:

    • Microsoft.ServiceBus/*/queues/read
    • Microsoft.ServiceBus/*/topics/read
    • Microsoft.ServiceBus/*/topics/subscriptions/read
  • DataActions:

    • Microsoft.ServiceBus/*/receive/action

Storage File Data SMB Share Elevated Contributor

  • DataActions:
    • Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read
    • Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write
    • Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete
    • Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action

Blueprint Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Blueprint/blueprints/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Support/*

Desktop Virtualization User

  • DataActions:
    • Microsoft.DesktopVirtualization/applicationGroups/useApplications/action

Private DNS Zone Contributor

  • Actions:
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • Microsoft.Network/privateDnsZones/*
    • Microsoft.Network/privateDnsOperationResults/*
    • Microsoft.Network/privateDnsOperationStatuses/*
    • Microsoft.Network/virtualNetworks/read
    • Microsoft.Network/virtualNetworks/join/action
    • Microsoft.Authorization/*/read

Storage Blob Delegator

  • Actions:
    • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action

Tag Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/subscriptions/resourceGroups/resources/read
    • Microsoft.Resources/subscriptions/resources/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Insights/alertRules/*
    • Microsoft.Support/*
    • Microsoft.Resources/tags/*

Integration Service Environment Developer

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Support/*
    • Microsoft.Logic/integrationServiceEnvironments/read
    • Microsoft.Logic/integrationServiceEnvironments/*/join/action

Security Assessment Contributor

  • Actions:
    • Microsoft.Security/assessments/write

Remote Rendering Client

  • DataActions:
    • Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read
    • Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action
    • Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete
    • Microsoft.MixedReality/RemoteRenderingAccounts/render/read
    • Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read

Managed Application Contributor Role

  • Actions:
    • */read
    • Microsoft.Solutions/applications/*
    • Microsoft.Solutions/register/action
    • Microsoft.Resources/subscriptions/resourceGroups/*
    • Microsoft.Resources/deployments/*

Azure Digital Twins Data Owner

  • DataActions:
    • Microsoft.DigitalTwins/eventroutes/*
    • Microsoft.DigitalTwins/digitaltwins/*
    • Microsoft.DigitalTwins/digitaltwins/commands/*
    • Microsoft.DigitalTwins/digitaltwins/relationships/*
    • Microsoft.DigitalTwins/models/*
    • Microsoft.DigitalTwins/query/*

Hierarchy Settings Administrator

  • Actions:
    • Microsoft.Management/managementGroups/settings/write
    • Microsoft.Management/managementGroups/settings/delete

Azure Digital Twins Data Reader

  • DataActions:
    • Microsoft.DigitalTwins/digitaltwins/read
    • Microsoft.DigitalTwins/digitaltwins/relationships/read
    • Microsoft.DigitalTwins/eventroutes/read
    • Microsoft.DigitalTwins/models/read
    • Microsoft.DigitalTwins/query/action

Integration Service Environment Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Support/*
    • Microsoft.Logic/integrationServiceEnvironments/*

Azure Kubernetes Service Contributor Role

  • Actions:
    • Microsoft.ContainerService/managedClusters/read
    • Microsoft.ContainerService/managedClusters/write
    • Microsoft.Resources/deployments/*

App Configuration Data Reader

  • DataActions:
    • Microsoft.AppConfiguration/configurationStores/*/read

Kubernetes Cluster - Azure Arc Onboarding

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Resources/deployments/write
    • Microsoft.Resources/subscriptions/operationresults/read
    • Microsoft.Resources/subscriptions/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Kubernetes/connectedClusters/Write
    • Microsoft.Kubernetes/connectedClusters/read
    • Microsoft.Support/*

App Configuration Data Owner

  • DataActions:
    • Microsoft.AppConfiguration/configurationStores/*/read
    • Microsoft.AppConfiguration/configurationStores/*/write
    • Microsoft.AppConfiguration/configurationStores/*/delete

Azure Connected Machine Resource Administrator

  • Actions:
    • Microsoft.HybridCompute/machines/read
    • Microsoft.HybridCompute/machines/write
    • Microsoft.HybridCompute/machines/delete
    • Microsoft.HybridCompute/machines/UpgradeExtensions/action
    • Microsoft.HybridCompute/machines/extensions/read
    • Microsoft.HybridCompute/machines/extensions/write
    • Microsoft.HybridCompute/machines/extensions/delete
    • Microsoft.HybridCompute/privateLinkScopes/*
    • Microsoft.HybridCompute/*/read
    • Microsoft.Resources/deployments/*

Managed Services Registration assignment Delete Role

  • Actions:
    • Microsoft.ManagedServices/registrationAssignments/read
    • Microsoft.ManagedServices/registrationAssignments/delete
    • Microsoft.ManagedServices/operationStatuses/read

Experimentation Administrator

  • Actions:

    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Experimentation/experimentWorkspaces/read
  • DataActions:

    • Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/admin/action
    • Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read
    • Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/write
    • Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/delete
    • Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experimentadmin/action
    • Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experiment/action
    • Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/emergencystop/action
    • Microsoft.Experimentation/experimentWorkspaces/read
    • Microsoft.Experimentation/experimentWorkspaces/write
    • Microsoft.Experimentation/experimentWorkspaces/delete
    • Microsoft.Experimentation/experimentWorkspaces/admin/action
    • Microsoft.Experimentation/experimentWorkspaces/metricwrite/action
    • Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/metricwrite/action

Remote Rendering Administrator

  • DataActions:
    • Microsoft.MixedReality/RemoteRenderingAccounts/convert/action
    • Microsoft.MixedReality/RemoteRenderingAccounts/convert/read
    • Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete
    • Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read
    • Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action
    • Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete
    • Microsoft.MixedReality/RemoteRenderingAccounts/render/read
    • Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read

Cognitive Services QnA Maker Editor

  • Actions:

    • Microsoft.CognitiveServices/*/read
    • Microsoft.Authorization/roleAssignments/read
    • Microsoft.Authorization/roleDefinitions/read
  • DataActions:

    • Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read
    • Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read
    • Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write
    • Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write
    • Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action
    • Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action
    • Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read
    • Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write
    • Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read
    • Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action
    • Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read
    • Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write
    • Microsoft.CognitiveServices/accounts/QnAMaker/operations/read
    • Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read
    • Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read
    • Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write
    • Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write
    • Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action
    • Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action
    • Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read
    • Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write
    • Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read
    • Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action
    • Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read
    • Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write
    • Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read
    • Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read
    • Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read
    • Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write
    • Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/write
    • Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action
    • Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action
    • Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read
    • Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/write
    • Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read
    • Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action
    • Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read
    • Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/write
    • Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read

Experimentation Contributor

  • Actions:

    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Experimentation/experimentWorkspaces/read
  • DataActions:

    • Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read
    • Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/write
    • Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/delete
    • Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experiment/action
    • Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/emergencystop/action
    • Microsoft.Experimentation/experimentWorkspaces/read
    • Microsoft.Experimentation/experimentWorkspaces/write
    • Microsoft.Experimentation/experimentWorkspaces/delete

Cognitive Services QnA Maker Reader

  • Actions:

    • Microsoft.CognitiveServices/*/read
    • Microsoft.Authorization/roleAssignments/read
    • Microsoft.Authorization/roleDefinitions/read
  • DataActions:

    • Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read
    • Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read
    • Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action
    • Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read
    • Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read
    • Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read
    • Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read
    • Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read
    • Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action
    • Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read
    • Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read
    • Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read
    • Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read
    • Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read
    • Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action
    • Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read
    • Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read
    • Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read

SQL Security Manager

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Sql/locations/administratorAzureAsyncOperation/read
    • Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*
    • Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*
    • Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*
    • Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*
    • Microsoft.Sql/managedInstances/databases/sensitivityLabels/*
    • Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*
    • Microsoft.Sql/managedInstances/securityAlertPolicies/*
    • Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*
    • Microsoft.Sql/managedInstances/vulnerabilityAssessments/*
    • Microsoft.Sql/servers/auditingSettings/*
    • Microsoft.Sql/servers/extendedAuditingSettings/read
    • Microsoft.Sql/servers/databases/auditingSettings/*
    • Microsoft.Sql/servers/databases/auditRecords/read
    • Microsoft.Sql/servers/databases/currentSensitivityLabels/*
    • Microsoft.Sql/servers/databases/dataMaskingPolicies/*
    • Microsoft.Sql/servers/databases/extendedAuditingSettings/read
    • Microsoft.Sql/servers/databases/read
    • Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*
    • Microsoft.Sql/servers/databases/schemas/read
    • Microsoft.Sql/servers/databases/schemas/tables/columns/read
    • Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*
    • Microsoft.Sql/servers/databases/schemas/tables/read
    • Microsoft.Sql/servers/databases/securityAlertPolicies/*
    • Microsoft.Sql/servers/databases/securityMetrics/*
    • Microsoft.Sql/servers/databases/sensitivityLabels/*
    • Microsoft.Sql/servers/databases/transparentDataEncryption/*
    • Microsoft.Sql/servers/databases/vulnerabilityAssessments/*
    • Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*
    • Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*
    • Microsoft.Sql/servers/devOpsAuditingSettings/*
    • Microsoft.Sql/servers/firewallRules/*
    • Microsoft.Sql/servers/read
    • Microsoft.Sql/servers/securityAlertPolicies/*
    • Microsoft.Sql/servers/vulnerabilityAssessments/*
    • Microsoft.Support/*
    • Microsoft.Sql/servers/azureADOnlyAuthentications/*
    • Microsoft.Sql/managedInstances/read
    • Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*
    • Microsoft.Security/sqlVulnerabilityAssessments/*
    • Microsoft.Sql/managedInstances/administrators/read
    • Microsoft.Sql/servers/administrators/read

Storage Account Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Insights/diagnosticSettings/*
    • Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Storage/storageAccounts/*
    • Microsoft.Support/*

SQL DB Contributor

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Sql/locations/*/read
    • Microsoft.Sql/servers/databases/*
    • Microsoft.Sql/servers/read
    • Microsoft.Support/*
    • Microsoft.Insights/metrics/read
    • Microsoft.Insights/metricDefinitions/read
  • NotActions:

    • Microsoft.Sql/servers/databases/ledgerDigestUploads/write
    • Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action
    • Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*
    • Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*
    • Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*
    • Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*
    • Microsoft.Sql/managedInstances/databases/sensitivityLabels/*
    • Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*
    • Microsoft.Sql/managedInstances/securityAlertPolicies/*
    • Microsoft.Sql/managedInstances/vulnerabilityAssessments/*
    • Microsoft.Sql/servers/databases/auditingSettings/*
    • Microsoft.Sql/servers/databases/auditRecords/read
    • Microsoft.Sql/servers/databases/currentSensitivityLabels/*
    • Microsoft.Sql/servers/databases/dataMaskingPolicies/*
    • Microsoft.Sql/servers/databases/extendedAuditingSettings/*
    • Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*
    • Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*
    • Microsoft.Sql/servers/databases/securityAlertPolicies/*
    • Microsoft.Sql/servers/databases/securityMetrics/*
    • Microsoft.Sql/servers/databases/sensitivityLabels/*
    • Microsoft.Sql/servers/databases/vulnerabilityAssessments/*
    • Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*
    • Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*
    • Microsoft.Sql/servers/vulnerabilityAssessments/*

Spatial Anchors Account Owner

  • DataActions:
    • Microsoft.MixedReality/SpatialAnchorsAccounts/create/action
    • Microsoft.MixedReality/SpatialAnchorsAccounts/delete
    • Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read
    • Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read
    • Microsoft.MixedReality/SpatialAnchorsAccounts/query/read
    • Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read
    • Microsoft.MixedReality/SpatialAnchorsAccounts/write

SQL Managed Instance Contributor

  • Actions:

    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Network/networkSecurityGroups/*
    • Microsoft.Network/routeTables/*
    • Microsoft.Sql/locations/*/read
    • Microsoft.Sql/locations/instanceFailoverGroups/*
    • Microsoft.Sql/managedInstances/*
    • Microsoft.Support/*
    • Microsoft.Network/virtualNetworks/subnets/*
    • Microsoft.Network/virtualNetworks/*
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Insights/metrics/read
    • Microsoft.Insights/metricDefinitions/read
  • NotActions:

    • Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete
    • Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write

Storage Blob Data Owner

  • Actions:

    • Microsoft.Storage/storageAccounts/blobServices/containers/*
    • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
  • DataActions:

    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*

Storage Blob Data Reader

  • Actions:

    • Microsoft.Storage/storageAccounts/blobServices/containers/read
    • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
  • DataActions:

    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read

Storage Blob Data Contributor

  • Actions:

    • Microsoft.Storage/storageAccounts/blobServices/containers/delete
    • Microsoft.Storage/storageAccounts/blobServices/containers/read
    • Microsoft.Storage/storageAccounts/blobServices/containers/write
    • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
  • DataActions:

    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action
    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action

SQL Server Contributor

  • Actions:

    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Sql/locations/*/read
    • Microsoft.Sql/servers/*
    • Microsoft.Support/*
    • Microsoft.Insights/metrics/read
    • Microsoft.Insights/metricDefinitions/read
  • NotActions:

    • Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*
    • Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*
    • Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*
    • Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*
    • Microsoft.Sql/managedInstances/databases/sensitivityLabels/*
    • Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*
    • Microsoft.Sql/managedInstances/securityAlertPolicies/*
    • Microsoft.Sql/managedInstances/vulnerabilityAssessments/*
    • Microsoft.Sql/servers/auditingSettings/*
    • Microsoft.Sql/servers/databases/auditingSettings/*
    • Microsoft.Sql/servers/databases/auditRecords/read
    • Microsoft.Sql/servers/databases/currentSensitivityLabels/*
    • Microsoft.Sql/servers/databases/dataMaskingPolicies/*
    • Microsoft.Sql/servers/databases/extendedAuditingSettings/*
    • Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*
    • Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*
    • Microsoft.Sql/servers/databases/securityAlertPolicies/*
    • Microsoft.Sql/servers/databases/securityMetrics/*
    • Microsoft.Sql/servers/databases/sensitivityLabels/*
    • Microsoft.Sql/servers/databases/vulnerabilityAssessments/*
    • Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*
    • Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*
    • Microsoft.Sql/servers/devOpsAuditingSettings/*
    • Microsoft.Sql/servers/extendedAuditingSettings/*
    • Microsoft.Sql/servers/securityAlertPolicies/*
    • Microsoft.Sql/servers/vulnerabilityAssessments/*
    • Microsoft.Sql/servers/azureADOnlyAuthentications/delete
    • Microsoft.Sql/servers/azureADOnlyAuthentications/write

Storage Account Key Operator Service Role

  • Actions:
    • Microsoft.Storage/storageAccounts/listkeys/action
    • Microsoft.Storage/storageAccounts/regeneratekey/action

Security Manager (Legacy)

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.ClassicCompute/*/read
    • Microsoft.ClassicCompute/virtualMachines/*/write
    • Microsoft.ClassicNetwork/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Security/*
    • Microsoft.Support/*

Security Reader

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/read
    • Microsoft.operationalInsights/workspaces/*/read
    • Microsoft.Resources/deployments/*/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Security/*/read
    • Microsoft.IoTSecurity/*/read
    • Microsoft.Support/*/read
    • Microsoft.Security/iotDefenderSettings/packageDownloads/action
    • Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action
    • Microsoft.Security/iotSensors/downloadResetPassword/action
    • Microsoft.IoTSecurity/defenderSettings/packageDownloads/action
    • Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action
    • Microsoft.Management/managementGroups/read

Security Admin

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Authorization/policyAssignments/*
    • Microsoft.Authorization/policyDefinitions/*
    • Microsoft.Authorization/policyExemptions/*
    • Microsoft.Authorization/policySetDefinitions/*
    • Microsoft.Insights/alertRules/*
    • Microsoft.Management/managementGroups/read
    • Microsoft.operationalInsights/workspaces/*/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Security/*
    • Microsoft.IoTSecurity/*
    • Microsoft.Support/*

Scheduler Job Collections Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Scheduler/jobcollections/*
    • Microsoft.Support/*

Search Service Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Search/searchServices/*
    • Microsoft.Support/*

Spatial Anchors Account Reader

  • DataActions:
    • Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read
    • Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read
    • Microsoft.MixedReality/SpatialAnchorsAccounts/query/read
    • Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read

Site Recovery Reader

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.RecoveryServices/locations/allocatedStamp/read
    • Microsoft.RecoveryServices/Vaults/extendedInformation/read
    • Microsoft.RecoveryServices/Vaults/monitoringAlerts/read
    • Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read
    • Microsoft.RecoveryServices/Vaults/read
    • Microsoft.RecoveryServices/Vaults/refreshContainers/read
    • Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read
    • Microsoft.RecoveryServices/Vaults/registeredIdentities/read
    • Microsoft.RecoveryServices/vaults/replicationAlertSettings/read
    • Microsoft.RecoveryServices/vaults/replicationEvents/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read
    • Microsoft.RecoveryServices/vaults/replicationJobs/read
    • Microsoft.RecoveryServices/vaults/replicationPolicies/read
    • Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read
    • Microsoft.RecoveryServices/vaults/replicationVaultSettings/read
    • Microsoft.RecoveryServices/Vaults/storageConfig/read
    • Microsoft.RecoveryServices/Vaults/tokenInfo/read
    • Microsoft.RecoveryServices/Vaults/usages/read
    • Microsoft.RecoveryServices/Vaults/vaultTokens/read
    • Microsoft.Support/*

Site Recovery Operator

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Network/virtualNetworks/read
    • Microsoft.RecoveryServices/locations/allocatedStamp/read
    • Microsoft.RecoveryServices/locations/allocateStamp/action
    • Microsoft.RecoveryServices/Vaults/extendedInformation/read
    • Microsoft.RecoveryServices/Vaults/read
    • Microsoft.RecoveryServices/Vaults/refreshContainers/read
    • Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read
    • Microsoft.RecoveryServices/Vaults/registeredIdentities/read
    • Microsoft.RecoveryServices/vaults/replicationAlertSettings/read
    • Microsoft.RecoveryServices/vaults/replicationEvents/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/checkConsistency/action
    • Microsoft.RecoveryServices/vaults/replicationFabrics/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/reassociateGateway/action
    • Microsoft.RecoveryServices/vaults/replicationFabrics/renewcertificate/action
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/applyRecoveryPoint/action
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCommit/action
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/repairReplication/action
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/reProtect/action
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/switchprotection/action
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailoverCleanup/action
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateMobilityService/action
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/refreshProvider/action
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read
    • Microsoft.RecoveryServices/vaults/replicationJobs/*
    • Microsoft.RecoveryServices/vaults/replicationPolicies/read
    • Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/failoverCommit/action
    • Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/plannedFailover/action
    • Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read
    • Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/reProtect/action
    • Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailover/action
    • Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailoverCleanup/action
    • Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/unplannedFailover/action
    • Microsoft.RecoveryServices/vaults/replicationVaultSettings/read
    • Microsoft.RecoveryServices/Vaults/monitoringAlerts/*
    • Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read
    • Microsoft.RecoveryServices/Vaults/storageConfig/read
    • Microsoft.RecoveryServices/Vaults/tokenInfo/read
    • Microsoft.RecoveryServices/Vaults/usages/read
    • Microsoft.RecoveryServices/Vaults/vaultTokens/read
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Storage/storageAccounts/read
    • Microsoft.Support/*

Spatial Anchors Account Contributor

  • DataActions:
    • Microsoft.MixedReality/SpatialAnchorsAccounts/create/action
    • Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read
    • Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read
    • Microsoft.MixedReality/SpatialAnchorsAccounts/query/read
    • Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read
    • Microsoft.MixedReality/SpatialAnchorsAccounts/write

Site Recovery Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Network/virtualNetworks/read
    • Microsoft.RecoveryServices/locations/allocatedStamp/read
    • Microsoft.RecoveryServices/locations/allocateStamp/action
    • Microsoft.RecoveryServices/Vaults/certificates/write
    • Microsoft.RecoveryServices/Vaults/extendedInformation/*
    • Microsoft.RecoveryServices/Vaults/read
    • Microsoft.RecoveryServices/Vaults/refreshContainers/read
    • Microsoft.RecoveryServices/Vaults/registeredIdentities/*
    • Microsoft.RecoveryServices/vaults/replicationAlertSettings/*
    • Microsoft.RecoveryServices/vaults/replicationEvents/read
    • Microsoft.RecoveryServices/vaults/replicationFabrics/*
    • Microsoft.RecoveryServices/vaults/replicationJobs/*
    • Microsoft.RecoveryServices/vaults/replicationPolicies/*
    • Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/*
    • Microsoft.RecoveryServices/vaults/replicationVaultSettings/*
    • Microsoft.RecoveryServices/Vaults/storageConfig/*
    • Microsoft.RecoveryServices/Vaults/tokenInfo/read
    • Microsoft.RecoveryServices/Vaults/usages/read
    • Microsoft.RecoveryServices/Vaults/vaultTokens/read
    • Microsoft.RecoveryServices/Vaults/monitoringAlerts/*
    • Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Storage/storageAccounts/read
    • Microsoft.RecoveryServices/vaults/replicationOperationStatus/read
    • Microsoft.Support/*

Azure Event Hubs Data Owner

  • Actions:

    • Microsoft.EventHub/*
  • DataActions:

    • Microsoft.EventHub/*

Attestation Contributor

  • Actions:
    • Microsoft.Attestation/attestationProviders/attestation/read
    • Microsoft.Attestation/attestationProviders/attestation/write
    • Microsoft.Attestation/attestationProviders/attestation/delete

Azure Service Bus Data Owner

  • Actions:

    • Microsoft.ServiceBus/*
  • DataActions:

    • Microsoft.ServiceBus/*

Web Plan Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • Microsoft.Web/serverFarms/*
    • Microsoft.Web/hostingEnvironments/Join/Action

Website Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Insights/components/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • Microsoft.Web/certificates/*
    • Microsoft.Web/listSitesAssignedToHostName/read
    • Microsoft.Web/serverFarms/join/action
    • Microsoft.Web/serverFarms/read
    • Microsoft.Web/sites/*

Hybrid Server Onboarding

  • Actions:
    • Microsoft.HybridCompute/machines/read
    • Microsoft.HybridCompute/machines/write

Azure Event Hubs Data Receiver

  • Actions:

    • Microsoft.EventHub/*/eventhubs/consumergroups/read
  • DataActions:

    • Microsoft.EventHub/*/receive/action

Hybrid Server Resource Administrator

  • Actions:
    • Microsoft.HybridCompute/machines/*
    • Microsoft.HybridCompute/*/read

HDInsight Cluster Operator

  • Actions:
    • Microsoft.HDInsight/*/read
    • Microsoft.HDInsight/clusters/getGatewaySettings/action
    • Microsoft.HDInsight/clusters/updateGatewaySettings/action
    • Microsoft.HDInsight/clusters/configurations/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Resources/deployments/operations/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Authorization/*/read
    • Microsoft.Support/*

Cosmos DB Operator

  • Actions:

    • Microsoft.DocumentDb/databaseAccounts/*
    • Microsoft.Insights/alertRules/*
    • Microsoft.Authorization/*/read
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*
    • Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action
  • NotActions:

    • Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*
    • Microsoft.DocumentDB/databaseAccounts/regenerateKey/*
    • Microsoft.DocumentDB/databaseAccounts/listKeys/*
    • Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*
    • Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write
    • Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete
    • Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write
    • Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete

Storage Queue Data Reader

  • Actions:

    • Microsoft.Storage/storageAccounts/queueServices/queues/read
  • DataActions:

    • Microsoft.Storage/storageAccounts/queueServices/queues/messages/read

Support Request Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

Storage Queue Data Message Sender

  • DataActions:
    • Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action

Storage Queue Data Contributor

  • Actions:

    • Microsoft.Storage/storageAccounts/queueServices/queues/delete
    • Microsoft.Storage/storageAccounts/queueServices/queues/read
    • Microsoft.Storage/storageAccounts/queueServices/queues/write
  • DataActions:

    • Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete
    • Microsoft.Storage/storageAccounts/queueServices/queues/messages/read
    • Microsoft.Storage/storageAccounts/queueServices/queues/messages/write
    • Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action

Storage Queue Data Message Processor

  • DataActions:
    • Microsoft.Storage/storageAccounts/queueServices/queues/messages/read
    • Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action

Virtual Machine User Login

  • Actions:

    • Microsoft.Network/publicIPAddresses/read
    • Microsoft.Network/virtualNetworks/read
    • Microsoft.Network/loadBalancers/read
    • Microsoft.Network/networkInterfaces/read
    • Microsoft.Compute/virtualMachines/*/read
    • Microsoft.HybridCompute/machines/*/read
    • Microsoft.HybridConnectivity/endpoints/listCredentials/action
  • DataActions:

    • Microsoft.Compute/virtualMachines/login/action
    • Microsoft.HybridCompute/machines/login/action

Virtual Machine Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Compute/availabilitySets/*
    • Microsoft.Compute/locations/*
    • Microsoft.Compute/virtualMachines/*
    • Microsoft.Compute/virtualMachineScaleSets/*
    • Microsoft.Compute/cloudServices/*
    • Microsoft.Compute/disks/write
    • Microsoft.Compute/disks/read
    • Microsoft.Compute/disks/delete
    • Microsoft.DevTestLab/schedules/*
    • Microsoft.Insights/alertRules/*
    • Microsoft.Network/applicationGateways/backendAddressPools/join/action
    • Microsoft.Network/loadBalancers/backendAddressPools/join/action
    • Microsoft.Network/loadBalancers/inboundNatPools/join/action
    • Microsoft.Network/loadBalancers/inboundNatRules/join/action
    • Microsoft.Network/loadBalancers/probes/join/action
    • Microsoft.Network/loadBalancers/read
    • Microsoft.Network/locations/*
    • Microsoft.Network/networkInterfaces/*
    • Microsoft.Network/networkSecurityGroups/join/action
    • Microsoft.Network/networkSecurityGroups/read
    • Microsoft.Network/publicIPAddresses/join/action
    • Microsoft.Network/publicIPAddresses/read
    • Microsoft.Network/virtualNetworks/read
    • Microsoft.Network/virtualNetworks/subnets/join/action
    • Microsoft.RecoveryServices/locations/*
    • Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read
    • Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write
    • Microsoft.RecoveryServices/Vaults/backupPolicies/read
    • Microsoft.RecoveryServices/Vaults/backupPolicies/write
    • Microsoft.RecoveryServices/Vaults/read
    • Microsoft.RecoveryServices/Vaults/usages/read
    • Microsoft.RecoveryServices/Vaults/write
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.SerialConsole/serialPorts/connect/action
    • Microsoft.SqlVirtualMachine/*
    • Microsoft.Storage/storageAccounts/listKeys/action
    • Microsoft.Storage/storageAccounts/read
    • Microsoft.Support/*

User Access Administrator

  • Actions:
    • */read
    • Microsoft.Authorization/*
    • Microsoft.Support/*

Traffic Manager Contributor

  • Actions:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Network/trafficManagerProfiles/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • Microsoft.Support/*

Virtual Machine Administrator Login

  • Actions:

    • Microsoft.Network/publicIPAddresses/read
    • Microsoft.Network/virtualNetworks/read
    • Microsoft.Network/loadBalancers/read
    • Microsoft.Network/networkInterfaces/read
    • Microsoft.Compute/virtualMachines/*/read
    • Microsoft.HybridCompute/machines/*/read
    • Microsoft.HybridConnectivity/endpoints/listCredentials/action
  • DataActions:

    • Microsoft.Compute/virtualMachines/login/action
    • Microsoft.Compute/virtualMachines/loginAsAdmin/action
    • Microsoft.HybridCompute/machines/login/action
    • Microsoft.HybridCompute/machines/loginAsAdmin/action

Azure AD Role Definitions


Application Administrator

  • microsoft.directory/applications/create
  • microsoft.directory/applications/delete
  • microsoft.directory/applications/applicationProxy/read
  • microsoft.directory/applications/applicationProxy/update
  • microsoft.directory/applications/applicationProxyAuthentication/update
  • microsoft.directory/applications/applicationProxySslCertificate/update
  • microsoft.directory/applications/applicationProxyUrlSettings/update
  • microsoft.directory/applications/appRoles/update
  • microsoft.directory/applications/audience/update
  • microsoft.directory/applications/authentication/update
  • microsoft.directory/applications/basic/update
  • microsoft.directory/applications/credentials/update
  • microsoft.directory/applications/extensionProperties/update
  • microsoft.directory/applications/notes/update
  • microsoft.directory/applications/owners/update
  • microsoft.directory/applications/permissions/update
  • microsoft.directory/applications/policies/update
  • microsoft.directory/applications/tag/update
  • microsoft.directory/applications/verification/update
  • microsoft.directory/applications/synchronization/standard/read
  • microsoft.directory/applicationTemplates/instantiate
  • microsoft.directory/auditLogs/allProperties/read
  • microsoft.directory/connectors/create
  • microsoft.directory/connectors/allProperties/read
  • microsoft.directory/connectorGroups/create
  • microsoft.directory/connectorGroups/delete
  • microsoft.directory/connectorGroups/allProperties/read
  • microsoft.directory/connectorGroups/allProperties/update
  • microsoft.directory/customAuthenticationExtensions/allProperties/allTasks
  • microsoft.directory/deletedItems.applications/delete
  • microsoft.directory/deletedItems.applications/restore
  • microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks
  • microsoft.directory/applicationPolicies/create
  • microsoft.directory/applicationPolicies/delete
  • microsoft.directory/applicationPolicies/standard/read
  • microsoft.directory/applicationPolicies/owners/read
  • microsoft.directory/applicationPolicies/policyAppliedTo/read
  • microsoft.directory/applicationPolicies/basic/update
  • microsoft.directory/applicationPolicies/owners/update
  • microsoft.directory/provisioningLogs/allProperties/read
  • microsoft.directory/servicePrincipals/create
  • microsoft.directory/servicePrincipals/delete
  • microsoft.directory/servicePrincipals/disable
  • microsoft.directory/servicePrincipals/enable
  • microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials
  • microsoft.directory/servicePrincipals/synchronizationCredentials/manage
  • microsoft.directory/servicePrincipals/synchronizationJobs/manage
  • microsoft.directory/servicePrincipals/synchronizationSchema/manage
  • microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials
  • microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-application-admin
  • microsoft.directory/servicePrincipals/appRoleAssignedTo/update
  • microsoft.directory/servicePrincipals/audience/update
  • microsoft.directory/servicePrincipals/authentication/update
  • microsoft.directory/servicePrincipals/basic/update
  • microsoft.directory/servicePrincipals/credentials/update
  • microsoft.directory/servicePrincipals/notes/update
  • microsoft.directory/servicePrincipals/owners/update
  • microsoft.directory/servicePrincipals/permissions/update
  • microsoft.directory/servicePrincipals/policies/update
  • microsoft.directory/servicePrincipals/tag/update
  • microsoft.directory/servicePrincipals/synchronization/standard/read
  • microsoft.directory/signInReports/allProperties/read
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Application Developer

  • microsoft.directory/applications/createAsOwner
  • microsoft.directory/oAuth2PermissionGrants/createAsOwner
  • microsoft.directory/servicePrincipals/createAsOwner

Attack Payload Author

  • microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/allTasks
  • microsoft.office365.protectionCenter/attackSimulator/reports/allProperties/read

Attack Simulation Administrator

  • microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/allTasks
  • microsoft.office365.protectionCenter/attackSimulator/reports/allProperties/read
  • microsoft.office365.protectionCenter/attackSimulator/simulation/allProperties/allTasks

Attribute Assignment Administrator

  • microsoft.directory/attributeSets/allProperties/read
  • microsoft.directory/customSecurityAttributeDefinitions/allProperties/read
  • microsoft.directory/devices/customSecurityAttributes/read
  • microsoft.directory/devices/customSecurityAttributes/update
  • microsoft.directory/servicePrincipals/customSecurityAttributes/read
  • microsoft.directory/servicePrincipals/customSecurityAttributes/update
  • microsoft.directory/users/customSecurityAttributes/read
  • microsoft.directory/users/customSecurityAttributes/update

Attribute Assignment Reader

  • microsoft.directory/attributeSets/allProperties/read
  • microsoft.directory/customSecurityAttributeDefinitions/allProperties/read
  • microsoft.directory/devices/customSecurityAttributes/read
  • microsoft.directory/servicePrincipals/customSecurityAttributes/read
  • microsoft.directory/users/customSecurityAttributes/read

Attribute Definition Administrator

  • microsoft.directory/attributeSets/allProperties/allTasks
  • microsoft.directory/customSecurityAttributeDefinitions/allProperties/allTasks

Attribute Definition Reader

  • microsoft.directory/attributeSets/allProperties/read
  • microsoft.directory/customSecurityAttributeDefinitions/allProperties/read

Authentication Administrator

  • microsoft.directory/users/authenticationMethods/create
  • microsoft.directory/users/authenticationMethods/delete
  • microsoft.directory/users/authenticationMethods/standard/restrictedRead
  • microsoft.directory/users/authenticationMethods/basic/update
  • microsoft.directory/users/invalidateAllRefreshTokens
  • microsoft.directory/users/password/update
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Authentication Policy Administrator

  • microsoft.directory/organization/strongAuthentication/allTasks
  • microsoft.directory/userCredentialPolicies/create
  • microsoft.directory/userCredentialPolicies/delete
  • microsoft.directory/userCredentialPolicies/standard/read
  • microsoft.directory/userCredentialPolicies/owners/read
  • microsoft.directory/userCredentialPolicies/policyAppliedTo/read
  • microsoft.directory/userCredentialPolicies/basic/update
  • microsoft.directory/userCredentialPolicies/owners/update
  • microsoft.directory/userCredentialPolicies/tenantDefault/update
  • microsoft.directory/verifiableCredentials/configuration/contracts/cards/allProperties/read
  • microsoft.directory/verifiableCredentials/configuration/contracts/cards/revoke
  • microsoft.directory/verifiableCredentials/configuration/contracts/create
  • microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/read
  • microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/update
  • microsoft.directory/verifiableCredentials/configuration/create
  • microsoft.directory/verifiableCredentials/configuration/delete
  • microsoft.directory/verifiableCredentials/configuration/allProperties/read
  • microsoft.directory/verifiableCredentials/configuration/allProperties/update
  • microsoft.azure.supportTickets/allEntities/allTasks

Azure AD Joined Device Local Administrator

  • microsoft.directory/groupSettings/standard/read
  • microsoft.directory/groupSettingTemplates/standard/read

Azure DevOps Administrator

  • microsoft.azure.devOps/allEntities/allTasks

Azure Information Protection Administrator

  • microsoft.directory/authorizationPolicy/standard/read
  • microsoft.azure.informationProtection/allEntities/allTasks
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

B2C IEF Keyset Administrator

  • microsoft.directory/b2cTrustFrameworkKeySet/allProperties/allTasks

B2C IEF Policy Administrator

  • microsoft.directory/b2cTrustFrameworkPolicy/allProperties/allTasks

Billing Administrator

  • microsoft.directory/organization/basic/update
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.commerce.billing/allEntities/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Cloud App Security Administrator

  • microsoft.directory/cloudAppSecurity/allProperties/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Cloud Application Administrator

  • microsoft.directory/applications/create
  • microsoft.directory/applications/delete
  • microsoft.directory/applications/appRoles/update
  • microsoft.directory/applications/audience/update
  • microsoft.directory/applications/authentication/update
  • microsoft.directory/applications/basic/update
  • microsoft.directory/applications/credentials/update
  • microsoft.directory/applications/extensionProperties/update
  • microsoft.directory/applications/notes/update
  • microsoft.directory/applications/owners/update
  • microsoft.directory/applications/permissions/update
  • microsoft.directory/applications/policies/update
  • microsoft.directory/applications/tag/update
  • microsoft.directory/applications/verification/update
  • microsoft.directory/applications/synchronization/standard/read
  • microsoft.directory/applicationTemplates/instantiate
  • microsoft.directory/auditLogs/allProperties/read
  • microsoft.directory/deletedItems.applications/delete
  • microsoft.directory/deletedItems.applications/restore
  • microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks
  • microsoft.directory/applicationPolicies/create
  • microsoft.directory/applicationPolicies/delete
  • microsoft.directory/applicationPolicies/standard/read
  • microsoft.directory/applicationPolicies/owners/read
  • microsoft.directory/applicationPolicies/policyAppliedTo/read
  • microsoft.directory/applicationPolicies/basic/update
  • microsoft.directory/applicationPolicies/owners/update
  • microsoft.directory/provisioningLogs/allProperties/read
  • microsoft.directory/servicePrincipals/create
  • microsoft.directory/servicePrincipals/delete
  • microsoft.directory/servicePrincipals/disable
  • microsoft.directory/servicePrincipals/enable
  • microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials
  • microsoft.directory/servicePrincipals/synchronizationCredentials/manage
  • microsoft.directory/servicePrincipals/synchronizationJobs/manage
  • microsoft.directory/servicePrincipals/synchronizationSchema/manage
  • microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials
  • microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-application-admin
  • microsoft.directory/servicePrincipals/appRoleAssignedTo/update
  • microsoft.directory/servicePrincipals/audience/update
  • microsoft.directory/servicePrincipals/authentication/update
  • microsoft.directory/servicePrincipals/basic/update
  • microsoft.directory/servicePrincipals/credentials/update
  • microsoft.directory/servicePrincipals/notes/update
  • microsoft.directory/servicePrincipals/owners/update
  • microsoft.directory/servicePrincipals/permissions/update
  • microsoft.directory/servicePrincipals/policies/update
  • microsoft.directory/servicePrincipals/tag/update
  • microsoft.directory/servicePrincipals/synchronization/standard/read
  • microsoft.directory/signInReports/allProperties/read
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Cloud Device Administrator

  • microsoft.directory/auditLogs/allProperties/read
  • microsoft.directory/authorizationPolicy/standard/read
  • microsoft.directory/bitlockerKeys/key/read
  • microsoft.directory/devices/delete
  • microsoft.directory/devices/disable
  • microsoft.directory/devices/enable
  • microsoft.directory/deviceManagementPolicies/standard/read
  • microsoft.directory/deviceManagementPolicies/basic/update
  • microsoft.directory/deviceRegistrationPolicy/standard/read
  • microsoft.directory/deviceRegistrationPolicy/basic/update
  • microsoft.directory/signInReports/allProperties/read
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks

Compliance Administrator

  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.directory/entitlementManagement/allProperties/read
  • microsoft.office365.complianceManager/allEntities/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Compliance Data Administrator

  • microsoft.directory/authorizationPolicy/standard/read
  • microsoft.directory/cloudAppSecurity/allProperties/allTasks
  • microsoft.azure.informationProtection/allEntities/allTasks
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.office365.complianceManager/allEntities/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Conditional Access Administrator

  • microsoft.directory/conditionalAccessPolicies/create
  • microsoft.directory/conditionalAccessPolicies/delete
  • microsoft.directory/conditionalAccessPolicies/standard/read
  • microsoft.directory/conditionalAccessPolicies/owners/read
  • microsoft.directory/conditionalAccessPolicies/policyAppliedTo/read
  • microsoft.directory/conditionalAccessPolicies/basic/update
  • microsoft.directory/conditionalAccessPolicies/owners/update
  • microsoft.directory/conditionalAccessPolicies/tenantDefault/update
  • microsoft.directory/crossTenantAccessPolicies/create
  • microsoft.directory/crossTenantAccessPolicies/delete
  • microsoft.directory/crossTenantAccessPolicies/standard/read
  • microsoft.directory/crossTenantAccessPolicies/owners/read
  • microsoft.directory/crossTenantAccessPolicies/policyAppliedTo/read
  • microsoft.directory/crossTenantAccessPolicies/basic/update
  • microsoft.directory/crossTenantAccessPolicies/owners/update
  • microsoft.directory/crossTenantAccessPolicies/tenantDefault/update

Customer LockBox Access Approver

  • microsoft.office365.lockbox/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Desktop Analytics Administrator

  • microsoft.directory/authorizationPolicy/standard/read
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.office365.desktopAnalytics/allEntities/allTasks

Device Join


Device Managers

  • microsoft.directory/devices/standard/read
  • microsoft.directory/devices/memberOf/read
  • microsoft.directory/devices/registeredOwners/read
  • microsoft.directory/devices/registeredUsers/read
  • microsoft.directory/devices/basic/update
  • microsoft.directory/devices/extensionAttributeSet1/update
  • microsoft.directory/devices/extensionAttributeSet2/update
  • microsoft.directory/devices/extensionAttributeSet3/update
  • microsoft.directory/devices/registeredOwners/update
  • microsoft.directory/devices/registeredUsers/update

Device Users


Directory Readers

  • microsoft.directory/administrativeUnits/standard/read
  • microsoft.directory/administrativeUnits/members/read
  • microsoft.directory/applications/standard/read
  • microsoft.directory/applications/owners/read
  • microsoft.directory/applications/policies/read
  • microsoft.directory/contacts/standard/read
  • microsoft.directory/contacts/memberOf/read
  • microsoft.directory/contracts/standard/read
  • microsoft.directory/devices/standard/read
  • microsoft.directory/devices/memberOf/read
  • microsoft.directory/devices/registeredOwners/read
  • microsoft.directory/devices/registeredUsers/read
  • microsoft.directory/directoryRoles/standard/read
  • microsoft.directory/directoryRoles/eligibleMembers/read
  • microsoft.directory/directoryRoles/members/read
  • microsoft.directory/domains/standard/read
  • microsoft.directory/groups/standard/read
  • microsoft.directory/groups/appRoleAssignments/read
  • microsoft.directory/groups/memberOf/read
  • microsoft.directory/groups/members/read
  • microsoft.directory/groups/owners/read
  • microsoft.directory/groups/settings/read
  • microsoft.directory/groupSettings/standard/read
  • microsoft.directory/groupSettingTemplates/standard/read
  • microsoft.directory/oAuth2PermissionGrants/standard/read
  • microsoft.directory/organization/standard/read
  • microsoft.directory/organization/trustedCAsForPasswordlessAuth/read
  • microsoft.directory/applicationPolicies/standard/read
  • microsoft.directory/roleAssignments/standard/read
  • microsoft.directory/roleDefinitions/standard/read
  • microsoft.directory/servicePrincipals/appRoleAssignedTo/read
  • microsoft.directory/servicePrincipals/appRoleAssignments/read
  • microsoft.directory/servicePrincipals/standard/read
  • microsoft.directory/servicePrincipals/memberOf/read
  • microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read
  • microsoft.directory/servicePrincipals/owners/read
  • microsoft.directory/servicePrincipals/ownedObjects/read
  • microsoft.directory/servicePrincipals/policies/read
  • microsoft.directory/subscribedSkus/standard/read
  • microsoft.directory/users/standard/read
  • microsoft.directory/users/appRoleAssignments/read
  • microsoft.directory/users/deviceForResourceAccount/read
  • microsoft.directory/users/directReports/read
  • microsoft.directory/users/licenseDetails/read
  • microsoft.directory/users/manager/read
  • microsoft.directory/users/memberOf/read
  • microsoft.directory/users/oAuth2PermissionGrants/read
  • microsoft.directory/users/ownedDevices/read
  • microsoft.directory/users/ownedObjects/read
  • microsoft.directory/users/photo/read
  • microsoft.directory/users/registeredDevices/read
  • microsoft.directory/users/scopedRoleMemberOf/read

Directory Synchronization Accounts

  • microsoft.directory/applications/create
  • microsoft.directory/applications/delete
  • microsoft.directory/applications/appRoles/update
  • microsoft.directory/applications/audience/update
  • microsoft.directory/applications/authentication/update
  • microsoft.directory/applications/basic/update
  • microsoft.directory/applications/credentials/update
  • microsoft.directory/applications/notes/update
  • microsoft.directory/applications/owners/update
  • microsoft.directory/applications/permissions/update
  • microsoft.directory/applications/policies/update
  • microsoft.directory/applications/tag/update
  • microsoft.directory/authorizationPolicy/standard/read
  • microsoft.directory/hybridAuthenticationPolicy/allProperties/allTasks
  • microsoft.directory/organization/dirSync/update
  • microsoft.directory/passwordHashSync/allProperties/allTasks
  • microsoft.directory/policies/create
  • microsoft.directory/policies/delete
  • microsoft.directory/policies/standard/read
  • microsoft.directory/policies/owners/read
  • microsoft.directory/policies/policyAppliedTo/read
  • microsoft.directory/policies/basic/update
  • microsoft.directory/policies/owners/update
  • microsoft.directory/policies/tenantDefault/update
  • microsoft.directory/servicePrincipals/create
  • microsoft.directory/servicePrincipals/delete
  • microsoft.directory/servicePrincipals/enable
  • microsoft.directory/servicePrincipals/disable
  • microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials
  • microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials
  • microsoft.directory/servicePrincipals/appRoleAssignedTo/read
  • microsoft.directory/servicePrincipals/appRoleAssignments/read
  • microsoft.directory/servicePrincipals/standard/read
  • microsoft.directory/servicePrincipals/memberOf/read
  • microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read
  • microsoft.directory/servicePrincipals/owners/read
  • microsoft.directory/servicePrincipals/ownedObjects/read
  • microsoft.directory/servicePrincipals/policies/read
  • microsoft.directory/servicePrincipals/appRoleAssignedTo/update
  • microsoft.directory/servicePrincipals/audience/update
  • microsoft.directory/servicePrincipals/authentication/update
  • microsoft.directory/servicePrincipals/basic/update
  • microsoft.directory/servicePrincipals/credentials/update
  • microsoft.directory/servicePrincipals/notes/update
  • microsoft.directory/servicePrincipals/owners/update
  • microsoft.directory/servicePrincipals/permissions/update
  • microsoft.directory/servicePrincipals/policies/update
  • microsoft.directory/servicePrincipals/tag/update

Directory Writers

  • microsoft.directory/applications/extensionProperties/update
  • microsoft.directory/groups/assignLicense
  • microsoft.directory/groups/create
  • microsoft.directory/groups/reprocessLicenseAssignment
  • microsoft.directory/groups/basic/update
  • microsoft.directory/groups/classification/update
  • microsoft.directory/groups/dynamicMembershipRule/update
  • microsoft.directory/groups/groupType/update
  • microsoft.directory/groups/members/update
  • microsoft.directory/groups/onPremWriteBack/update
  • microsoft.directory/groups/owners/update
  • microsoft.directory/groups/settings/update
  • microsoft.directory/groups/visibility/update
  • microsoft.directory/groupSettings/create
  • microsoft.directory/groupSettings/delete
  • microsoft.directory/groupSettings/basic/update
  • microsoft.directory/oAuth2PermissionGrants/create
  • microsoft.directory/oAuth2PermissionGrants/basic/update
  • microsoft.directory/servicePrincipals/synchronizationCredentials/manage
  • microsoft.directory/servicePrincipals/synchronizationJobs/manage
  • microsoft.directory/servicePrincipals/synchronizationSchema/manage
  • microsoft.directory/servicePrincipals/managePermissionGrantsForGroup.microsoft-all-application-permissions
  • microsoft.directory/servicePrincipals/appRoleAssignedTo/update
  • microsoft.directory/users/assignLicense
  • microsoft.directory/users/create
  • microsoft.directory/users/disable
  • microsoft.directory/users/enable
  • microsoft.directory/users/invalidateAllRefreshTokens
  • microsoft.directory/users/inviteGuest
  • microsoft.directory/users/reprocessLicenseAssignment
  • microsoft.directory/users/basic/update
  • microsoft.directory/users/manager/update
  • microsoft.directory/users/photo/update
  • microsoft.directory/users/userPrincipalName/update

Domain Name Administrator

  • microsoft.directory/domains/allProperties/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Dynamics 365 Administrator

  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.dynamics365/allEntities/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Edge Administrator

  • microsoft.edge/allEntities/allProperties/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Exchange Administrator

  • microsoft.directory/groups/hiddenMembers/read
  • microsoft.directory/groups.unified/create
  • microsoft.directory/groups.unified/delete
  • microsoft.directory/groups.unified/restore
  • microsoft.directory/groups.unified/basic/update
  • microsoft.directory/groups.unified/members/update
  • microsoft.directory/groups.unified/owners/update
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.office365.exchange/allEntities/basic/allTasks
  • microsoft.office365.network/performance/allProperties/read
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.usageReports/allEntities/allProperties/read
  • microsoft.office365.webPortal/allEntities/standard/read

Exchange Recipient Administrator

  • microsoft.office365.exchange/allRecipients/allProperties/allTasks
  • microsoft.office365.exchange/messageTracking/allProperties/allTasks
  • microsoft.office365.exchange/migration/allProperties/allTasks

External ID User Flow Administrator

  • microsoft.directory/b2cUserFlow/allProperties/allTasks

External ID User Flow Attribute Administrator

  • microsoft.directory/b2cUserAttribute/allProperties/allTasks

External Identity Provider Administrator

  • microsoft.directory/identityProviders/allProperties/allTasks

Global Administrator

  • microsoft.directory/accessReviews/allProperties/allTasks
  • microsoft.directory/administrativeUnits/allProperties/allTasks
  • microsoft.directory/applications/allProperties/allTasks
  • microsoft.directory/applications/synchronization/standard/read
  • microsoft.directory/applicationTemplates/instantiate
  • microsoft.directory/auditLogs/allProperties/read
  • microsoft.directory/users/authenticationMethods/create
  • microsoft.directory/users/authenticationMethods/delete
  • microsoft.directory/users/authenticationMethods/standard/read
  • microsoft.directory/users/authenticationMethods/basic/update
  • microsoft.directory/authorizationPolicy/allProperties/allTasks
  • microsoft.directory/bitlockerKeys/key/read
  • microsoft.directory/cloudAppSecurity/allProperties/allTasks
  • microsoft.directory/connectors/create
  • microsoft.directory/connectors/allProperties/read
  • microsoft.directory/connectorGroups/create
  • microsoft.directory/connectorGroups/delete
  • microsoft.directory/connectorGroups/allProperties/read
  • microsoft.directory/connectorGroups/allProperties/update
  • microsoft.directory/contacts/allProperties/allTasks
  • microsoft.directory/contracts/allProperties/allTasks
  • microsoft.directory/customAuthenticationExtensions/allProperties/allTasks
  • microsoft.directory/deletedItems/delete
  • microsoft.directory/deletedItems/restore
  • microsoft.directory/devices/allProperties/allTasks
  • microsoft.directory/deviceManagementPolicies/standard/read
  • microsoft.directory/deviceManagementPolicies/basic/update
  • microsoft.directory/deviceRegistrationPolicy/standard/read
  • microsoft.directory/deviceRegistrationPolicy/basic/update
  • microsoft.directory/directoryRoles/allProperties/allTasks
  • microsoft.directory/directoryRoleTemplates/allProperties/allTasks
  • microsoft.directory/domains/allProperties/allTasks
  • microsoft.directory/entitlementManagement/allProperties/allTasks
  • microsoft.directory/groups/allProperties/allTasks
  • microsoft.directory/groupsAssignableToRoles/create
  • microsoft.directory/groupsAssignableToRoles/delete
  • microsoft.directory/groupsAssignableToRoles/restore
  • microsoft.directory/groupsAssignableToRoles/allProperties/update
  • microsoft.directory/groupSettings/allProperties/allTasks
  • microsoft.directory/groupSettingTemplates/allProperties/allTasks
  • microsoft.directory/hybridAuthenticationPolicy/allProperties/allTasks
  • microsoft.directory/identityProtection/allProperties/allTasks
  • microsoft.directory/loginOrganizationBranding/allProperties/allTasks
  • microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks
  • microsoft.directory/organization/allProperties/allTasks
  • microsoft.directory/passwordHashSync/allProperties/allTasks
  • microsoft.directory/policies/allProperties/allTasks
  • microsoft.directory/conditionalAccessPolicies/allProperties/allTasks
  • microsoft.directory/crossTenantAccessPolicies/allProperties/allTasks
  • microsoft.directory/privilegedIdentityManagement/allProperties/read
  • microsoft.directory/provisioningLogs/allProperties/read
  • microsoft.directory/roleAssignments/allProperties/allTasks
  • microsoft.directory/roleDefinitions/allProperties/allTasks
  • microsoft.directory/scopedRoleMemberships/allProperties/allTasks
  • microsoft.directory/serviceAction/activateService
  • microsoft.directory/serviceAction/disableDirectoryFeature
  • microsoft.directory/serviceAction/enableDirectoryFeature
  • microsoft.directory/serviceAction/getAvailableExtentionProperties
  • microsoft.directory/servicePrincipals/allProperties/allTasks
  • microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-admin
  • microsoft.directory/servicePrincipals/managePermissionGrantsForGroup.microsoft-all-application-permissions
  • microsoft.directory/servicePrincipals/synchronization/standard/read
  • microsoft.directory/signInReports/allProperties/read
  • microsoft.directory/subscribedSkus/allProperties/allTasks
  • microsoft.directory/users/allProperties/allTasks
  • microsoft.directory/permissionGrantPolicies/create
  • microsoft.directory/permissionGrantPolicies/delete
  • microsoft.directory/permissionGrantPolicies/standard/read
  • microsoft.directory/permissionGrantPolicies/basic/update
  • microsoft.directory/servicePrincipalCreationPolicies/create
  • microsoft.directory/servicePrincipalCreationPolicies/delete
  • microsoft.directory/servicePrincipalCreationPolicies/standard/read
  • microsoft.directory/servicePrincipalCreationPolicies/basic/update
  • microsoft.directory/verifiableCredentials/configuration/contracts/cards/allProperties/read
  • microsoft.directory/verifiableCredentials/configuration/contracts/cards/revoke
  • microsoft.directory/verifiableCredentials/configuration/contracts/create
  • microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/read
  • microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/update
  • microsoft.directory/verifiableCredentials/configuration/create
  • microsoft.directory/verifiableCredentials/configuration/delete
  • microsoft.directory/verifiableCredentials/configuration/allProperties/read
  • microsoft.directory/verifiableCredentials/configuration/allProperties/update
  • microsoft.azure.advancedThreatProtection/allEntities/allTasks
  • microsoft.azure.informationProtection/allEntities/allTasks
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.cloudPC/allEntities/allProperties/allTasks
  • microsoft.commerce.billing/allEntities/allTasks
  • microsoft.dynamics365/allEntities/allTasks
  • microsoft.edge/allEntities/allProperties/allTasks
  • microsoft.flow/allEntities/allTasks
  • microsoft.intune/allEntities/allTasks
  • microsoft.office365.complianceManager/allEntities/allTasks
  • microsoft.office365.desktopAnalytics/allEntities/allTasks
  • microsoft.office365.exchange/allEntities/basic/allTasks
  • microsoft.office365.knowledge/contentUnderstanding/allProperties/allTasks
  • microsoft.office365.knowledge/contentUnderstanding/analytics/allProperties/read
  • microsoft.office365.knowledge/knowledgeNetwork/allProperties/allTasks
  • microsoft.office365.knowledge/knowledgeNetwork/topicVisibility/allProperties/allTasks
  • microsoft.office365.knowledge/learningSources/allProperties/allTasks
  • microsoft.office365.lockbox/allEntities/allTasks
  • microsoft.office365.messageCenter/messages/read
  • microsoft.office365.messageCenter/securityMessages/read
  • microsoft.office365.network/performance/allProperties/read
  • microsoft.office365.protectionCenter/allEntities/allProperties/allTasks
  • microsoft.office365.search/content/manage
  • microsoft.office365.securityComplianceCenter/allEntities/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.sharePoint/allEntities/allTasks
  • microsoft.office365.skypeForBusiness/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.usageReports/allEntities/allProperties/read
  • microsoft.office365.userCommunication/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read
  • microsoft.office365.yammer/allEntities/allProperties/allTasks
  • microsoft.powerApps/allEntities/allTasks
  • microsoft.powerApps.powerBI/allEntities/allTasks
  • microsoft.teams/allEntities/allProperties/allTasks
  • microsoft.windows.defenderAdvancedThreatProtection/allEntities/allTasks
  • microsoft.windows.updatesDeployments/allEntities/allProperties/allTasks

Global Reader

  • microsoft.directory/accessReviews/allProperties/read
  • microsoft.directory/administrativeUnits/allProperties/read
  • microsoft.directory/applications/allProperties/read
  • microsoft.directory/applications/synchronization/standard/read
  • microsoft.directory/auditLogs/allProperties/read
  • microsoft.directory/users/authenticationMethods/standard/restrictedRead
  • microsoft.directory/authorizationPolicy/standard/read
  • microsoft.directory/bitlockerKeys/key/read
  • microsoft.directory/cloudAppSecurity/allProperties/read
  • microsoft.directory/connectors/allProperties/read
  • microsoft.directory/connectorGroups/allProperties/read
  • microsoft.directory/contacts/allProperties/read
  • microsoft.directory/customAuthenticationExtensions/allProperties/read
  • microsoft.directory/devices/allProperties/read
  • microsoft.directory/directoryRoles/allProperties/read
  • microsoft.directory/directoryRoleTemplates/allProperties/read
  • microsoft.directory/domains/allProperties/read
  • microsoft.directory/entitlementManagement/allProperties/read
  • microsoft.directory/groups/allProperties/read
  • microsoft.directory/groupSettings/allProperties/read
  • microsoft.directory/groupSettingTemplates/allProperties/read
  • microsoft.directory/identityProtection/allProperties/read
  • microsoft.directory/loginOrganizationBranding/allProperties/read
  • microsoft.directory/oAuth2PermissionGrants/allProperties/read
  • microsoft.directory/organization/allProperties/read
  • microsoft.directory/permissionGrantPolicies/standard/read
  • microsoft.directory/policies/allProperties/read
  • microsoft.directory/conditionalAccessPolicies/allProperties/read
  • microsoft.directory/crossTenantAccessPolicies/allProperties/read
  • microsoft.directory/deviceManagementPolicies/standard/read
  • microsoft.directory/deviceRegistrationPolicy/standard/read
  • microsoft.directory/privilegedIdentityManagement/allProperties/read
  • microsoft.directory/provisioningLogs/allProperties/read
  • microsoft.directory/roleAssignments/allProperties/read
  • microsoft.directory/roleDefinitions/allProperties/read
  • microsoft.directory/scopedRoleMemberships/allProperties/read
  • microsoft.directory/serviceAction/getAvailableExtentionProperties
  • microsoft.directory/servicePrincipals/allProperties/read
  • microsoft.directory/servicePrincipalCreationPolicies/standard/read
  • microsoft.directory/servicePrincipals/synchronization/standard/read
  • microsoft.directory/signInReports/allProperties/read
  • microsoft.directory/subscribedSkus/allProperties/read
  • microsoft.directory/users/allProperties/read
  • microsoft.directory/verifiableCredentials/configuration/contracts/cards/allProperties/read
  • microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/read
  • microsoft.directory/verifiableCredentials/configuration/allProperties/read
  • microsoft.cloudPC/allEntities/allProperties/read
  • microsoft.commerce.billing/allEntities/read
  • microsoft.edge/allEntities/allProperties/read
  • microsoft.office365.exchange/allEntities/standard/read
  • microsoft.office365.messageCenter/messages/read
  • microsoft.office365.messageCenter/securityMessages/read
  • microsoft.office365.network/performance/allProperties/read
  • microsoft.office365.protectionCenter/allEntities/allProperties/read
  • microsoft.office365.securityComplianceCenter/allEntities/read
  • microsoft.office365.usageReports/allEntities/allProperties/read
  • microsoft.office365.webPortal/allEntities/standard/read
  • microsoft.office365.yammer/allEntities/allProperties/read
  • microsoft.teams/allEntities/allProperties/read
  • microsoft.windows.updatesDeployments/allEntities/allProperties/read

Groups Administrator

  • microsoft.directory/deletedItems.groups/delete
  • microsoft.directory/deletedItems.groups/restore
  • microsoft.directory/groups/assignLicense
  • microsoft.directory/groups/create
  • microsoft.directory/groups/delete
  • microsoft.directory/groups/hiddenMembers/read
  • microsoft.directory/groups/reprocessLicenseAssignment
  • microsoft.directory/groups/restore
  • microsoft.directory/groups/basic/update
  • microsoft.directory/groups/classification/update
  • microsoft.directory/groups/dynamicMembershipRule/update
  • microsoft.directory/groups/groupType/update
  • microsoft.directory/groups/members/update
  • microsoft.directory/groups/onPremWriteBack/update
  • microsoft.directory/groups/owners/update
  • microsoft.directory/groups/settings/update
  • microsoft.directory/groups/visibility/update
  • microsoft.directory/servicePrincipals/managePermissionGrantsForGroup.microsoft-all-application-permissions
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Guest Inviter

  • microsoft.directory/users/inviteGuest
  • microsoft.directory/users/standard/read
  • microsoft.directory/users/appRoleAssignments/read
  • microsoft.directory/users/deviceForResourceAccount/read
  • microsoft.directory/users/directReports/read
  • microsoft.directory/users/licenseDetails/read
  • microsoft.directory/users/manager/read
  • microsoft.directory/users/memberOf/read
  • microsoft.directory/users/oAuth2PermissionGrants/read
  • microsoft.directory/users/ownedDevices/read
  • microsoft.directory/users/ownedObjects/read
  • microsoft.directory/users/photo/read
  • microsoft.directory/users/registeredDevices/read
  • microsoft.directory/users/scopedRoleMemberOf/read

Guest User

  • microsoft.directory/applications/standard/limitedRead
  • microsoft.directory/applications/owners/limitedRead
  • microsoft.directory/applications/policies/limitedRead
  • microsoft.directory/domains/standard/read
  • microsoft.directory/groups/standard/limitedRead
  • microsoft.directory/groups/appRoleAssignments/limitedRead
  • microsoft.directory/groups/memberOf/limitedRead
  • microsoft.directory/groups/members/limitedRead
  • microsoft.directory/groups/owners/limitedRead
  • microsoft.directory/groups/settings/limitedRead
  • microsoft.directory/organization/basicProfile/read
  • microsoft.directory/servicePrincipals/appRoleAssignedTo/limitedRead
  • microsoft.directory/servicePrincipals/appRoleAssignments/limitedRead
  • microsoft.directory/servicePrincipals/standard/limitedRead
  • microsoft.directory/servicePrincipals/memberOf/limitedRead
  • microsoft.directory/servicePrincipals/oAuth2PermissionGrants/limitedRead
  • microsoft.directory/servicePrincipals/owners/limitedRead
  • microsoft.directory/servicePrincipals/ownedObjects/limitedRead
  • microsoft.directory/servicePrincipals/policies/limitedRead
  • microsoft.directory/users/inviteGuest
  • microsoft.directory/users/guestBasicProfile/limitedRead
  • microsoft.directory/users/standard/read
  • microsoft.directory/users/appRoleAssignments/read
  • microsoft.directory/users/deviceForResourceAccount/read
  • microsoft.directory/users/directReports/read
  • microsoft.directory/users/eligibleMemberOf/read
  • microsoft.directory/users/licenseDetails/read
  • microsoft.directory/users/manager/read
  • microsoft.directory/users/memberOf/read
  • microsoft.directory/users/oAuth2PermissionGrants/read
  • microsoft.directory/users/ownedDevices/read
  • microsoft.directory/users/ownedObjects/read
  • microsoft.directory/users/pendingMemberOf/read
  • microsoft.directory/users/photo/read
  • microsoft.directory/users/registeredDevices/read
  • microsoft.directory/users/scopedRoleMemberOf/read
  • microsoft.directory/users/password/update

Helpdesk Administrator

  • microsoft.directory/bitlockerKeys/key/read
  • microsoft.directory/users/invalidateAllRefreshTokens
  • microsoft.directory/users/password/update
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Hybrid Identity Administrator

  • microsoft.directory/applications/create
  • microsoft.directory/applications/delete
  • microsoft.directory/applications/appRoles/update
  • microsoft.directory/applications/audience/update
  • microsoft.directory/applications/authentication/update
  • microsoft.directory/applications/basic/update
  • microsoft.directory/applications/notes/update
  • microsoft.directory/applications/owners/update
  • microsoft.directory/applications/permissions/update
  • microsoft.directory/applications/policies/update
  • microsoft.directory/applications/tag/update
  • microsoft.directory/applications/synchronization/standard/read
  • microsoft.directory/applicationTemplates/instantiate
  • microsoft.directory/auditLogs/allProperties/read
  • microsoft.directory/cloudProvisioning/allProperties/allTasks
  • microsoft.directory/deletedItems.applications/delete
  • microsoft.directory/deletedItems.applications/restore
  • microsoft.directory/domains/allProperties/read
  • microsoft.directory/domains/federation/update
  • microsoft.directory/hybridAuthenticationPolicy/allProperties/allTasks
  • microsoft.directory/organization/dirSync/update
  • microsoft.directory/passwordHashSync/allProperties/allTasks
  • microsoft.directory/provisioningLogs/allProperties/read
  • microsoft.directory/servicePrincipals/create
  • microsoft.directory/servicePrincipals/delete
  • microsoft.directory/servicePrincipals/disable
  • microsoft.directory/servicePrincipals/enable
  • microsoft.directory/servicePrincipals/synchronizationCredentials/manage
  • microsoft.directory/servicePrincipals/synchronizationJobs/manage
  • microsoft.directory/servicePrincipals/synchronizationSchema/manage
  • microsoft.directory/servicePrincipals/audience/update
  • microsoft.directory/servicePrincipals/authentication/update
  • microsoft.directory/servicePrincipals/basic/update
  • microsoft.directory/servicePrincipals/notes/update
  • microsoft.directory/servicePrincipals/owners/update
  • microsoft.directory/servicePrincipals/permissions/update
  • microsoft.directory/servicePrincipals/policies/update
  • microsoft.directory/servicePrincipals/tag/update
  • microsoft.directory/servicePrincipals/synchronization/standard/read
  • microsoft.directory/signInReports/allProperties/read
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.office365.messageCenter/messages/read
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Identity Governance Administrator

  • microsoft.directory/accessReviews/allProperties/allTasks
  • microsoft.directory/entitlementManagement/allProperties/allTasks
  • microsoft.directory/groups/members/update
  • microsoft.directory/servicePrincipals/appRoleAssignedTo/update

Insights Administrator

  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.insights/allEntities/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Insights Business Leader

  • microsoft.insights/reports/read
  • microsoft.insights/programs/update

Intune Administrator

  • microsoft.directory/bitlockerKeys/key/read
  • microsoft.directory/contacts/create
  • microsoft.directory/contacts/delete
  • microsoft.directory/contacts/basic/update
  • microsoft.directory/devices/create
  • microsoft.directory/devices/delete
  • microsoft.directory/devices/disable
  • microsoft.directory/devices/enable
  • microsoft.directory/devices/basic/update
  • microsoft.directory/devices/extensionAttributeSet1/update
  • microsoft.directory/devices/extensionAttributeSet2/update
  • microsoft.directory/devices/extensionAttributeSet3/update
  • microsoft.directory/devices/registeredOwners/update
  • microsoft.directory/devices/registeredUsers/update
  • microsoft.directory/deviceManagementPolicies/standard/read
  • microsoft.directory/deviceRegistrationPolicy/standard/read
  • microsoft.directory/groups/hiddenMembers/read
  • microsoft.directory/groups.security/create
  • microsoft.directory/groups.security/delete
  • microsoft.directory/groups.security/basic/update
  • microsoft.directory/groups.security/classification/update
  • microsoft.directory/groups.security/dynamicMembershipRule/update
  • microsoft.directory/groups.security/members/update
  • microsoft.directory/groups.security/owners/update
  • microsoft.directory/groups.security/visibility/update
  • microsoft.directory/users/basic/update
  • microsoft.directory/users/manager/update
  • microsoft.directory/users/photo/update
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.cloudPC/allEntities/allProperties/allTasks
  • microsoft.intune/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Kaizala Administrator

  • microsoft.directory/authorizationPolicy/standard/read
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Knowledge Administrator

  • microsoft.directory/groups.security/create
  • microsoft.directory/groups.security/createAsOwner
  • microsoft.directory/groups.security/delete
  • microsoft.directory/groups.security/basic/update
  • microsoft.directory/groups.security/members/update
  • microsoft.directory/groups.security/owners/update
  • microsoft.office365.knowledge/contentUnderstanding/allProperties/allTasks
  • microsoft.office365.knowledge/knowledgeNetwork/allProperties/allTasks
  • microsoft.office365.knowledge/learningSources/allProperties/allTasks
  • microsoft.office365.protectionCenter/sensitivityLabels/allProperties/read
  • microsoft.office365.sharePoint/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Knowledge Manager

  • microsoft.directory/groups.security/create
  • microsoft.directory/groups.security/createAsOwner
  • microsoft.directory/groups.security/delete
  • microsoft.directory/groups.security/basic/update
  • microsoft.directory/groups.security/members/update
  • microsoft.directory/groups.security/owners/update
  • microsoft.office365.knowledge/contentUnderstanding/analytics/allProperties/read
  • microsoft.office365.knowledge/knowledgeNetwork/topicVisibility/allProperties/allTasks
  • microsoft.office365.sharePoint/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

License Administrator

  • microsoft.directory/authorizationPolicy/standard/read
  • microsoft.directory/groups/assignLicense
  • microsoft.directory/groups/reprocessLicenseAssignment
  • microsoft.directory/users/assignLicense
  • microsoft.directory/users/reprocessLicenseAssignment
  • microsoft.directory/users/usageLocation/update
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Message Center Privacy Reader

  • microsoft.office365.messageCenter/messages/read
  • microsoft.office365.messageCenter/securityMessages/read
  • microsoft.office365.webPortal/allEntities/standard/read

Message Center Reader

  • microsoft.office365.messageCenter/messages/read
  • microsoft.office365.webPortal/allEntities/standard/read

Network Administrator

  • microsoft.office365.network/locations/allProperties/allTasks
  • microsoft.office365.network/performance/allProperties/read
  • microsoft.office365.webPortal/allEntities/standard/read

Office Apps Administrator

  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.office365.messageCenter/messages/read
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.userCommunication/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Partner Tier1 Support

  • microsoft.directory/applications/appRoles/update
  • microsoft.directory/applications/audience/update
  • microsoft.directory/applications/authentication/update
  • microsoft.directory/applications/basic/update
  • microsoft.directory/applications/credentials/update
  • microsoft.directory/applications/notes/update
  • microsoft.directory/applications/owners/update
  • microsoft.directory/applications/permissions/update
  • microsoft.directory/applications/policies/update
  • microsoft.directory/applications/tag/update
  • microsoft.directory/contacts/create
  • microsoft.directory/contacts/delete
  • microsoft.directory/contacts/basic/update
  • microsoft.directory/deletedItems.groups/restore
  • microsoft.directory/groups/create
  • microsoft.directory/groups/delete
  • microsoft.directory/groups/restore
  • microsoft.directory/groups/members/update
  • microsoft.directory/groups/owners/update
  • microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks
  • microsoft.directory/servicePrincipals/appRoleAssignedTo/update
  • microsoft.directory/users/assignLicense
  • microsoft.directory/users/create
  • microsoft.directory/users/delete
  • microsoft.directory/users/disable
  • microsoft.directory/users/enable
  • microsoft.directory/users/invalidateAllRefreshTokens
  • microsoft.directory/users/restore
  • microsoft.directory/users/basic/update
  • microsoft.directory/users/manager/update
  • microsoft.directory/users/password/update
  • microsoft.directory/users/photo/update
  • microsoft.directory/users/userPrincipalName/update
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Partner Tier2 Support

  • microsoft.directory/applications/appRoles/update
  • microsoft.directory/applications/audience/update
  • microsoft.directory/applications/authentication/update
  • microsoft.directory/applications/basic/update
  • microsoft.directory/applications/credentials/update
  • microsoft.directory/applications/notes/update
  • microsoft.directory/applications/owners/update
  • microsoft.directory/applications/permissions/update
  • microsoft.directory/applications/policies/update
  • microsoft.directory/applications/tag/update
  • microsoft.directory/contacts/create
  • microsoft.directory/contacts/delete
  • microsoft.directory/contacts/basic/update
  • microsoft.directory/deletedItems.groups/restore
  • microsoft.directory/domains/allProperties/allTasks
  • microsoft.directory/groups/create
  • microsoft.directory/groups/delete
  • microsoft.directory/groups/restore
  • microsoft.directory/groups/members/update
  • microsoft.directory/groups/owners/update
  • microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks
  • microsoft.directory/organization/basic/update
  • microsoft.directory/roleAssignments/allProperties/allTasks
  • microsoft.directory/roleDefinitions/allProperties/allTasks
  • microsoft.directory/scopedRoleMemberships/allProperties/allTasks
  • microsoft.directory/servicePrincipals/appRoleAssignedTo/update
  • microsoft.directory/subscribedSkus/standard/read
  • microsoft.directory/users/assignLicense
  • microsoft.directory/users/create
  • microsoft.directory/users/delete
  • microsoft.directory/users/disable
  • microsoft.directory/users/enable
  • microsoft.directory/users/invalidateAllRefreshTokens
  • microsoft.directory/users/restore
  • microsoft.directory/users/basic/update
  • microsoft.directory/users/manager/update
  • microsoft.directory/users/password/update
  • microsoft.directory/users/photo/update
  • microsoft.directory/users/userPrincipalName/update
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Password Administrator

  • microsoft.directory/users/password/update
  • microsoft.office365.webPortal/allEntities/standard/read

Power BI Administrator

  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read
  • microsoft.powerApps.powerBI/allEntities/allTasks

Power Platform Administrator

  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.dynamics365/allEntities/allTasks
  • microsoft.flow/allEntities/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read
  • microsoft.powerApps/allEntities/allTasks

Printer Administrator

  • microsoft.azure.print/allEntities/allProperties/allTasks

Printer Technician

  • microsoft.azure.print/connectors/allProperties/read
  • microsoft.azure.print/printers/allProperties/read
  • microsoft.azure.print/printers/register
  • microsoft.azure.print/printers/unregister
  • microsoft.azure.print/printers/basic/update

Privileged Authentication Administrator

  • microsoft.directory/users/authenticationMethods/create
  • microsoft.directory/users/authenticationMethods/delete
  • microsoft.directory/users/authenticationMethods/standard/read
  • microsoft.directory/users/authenticationMethods/basic/update
  • microsoft.directory/users/invalidateAllRefreshTokens
  • microsoft.directory/users/password/update
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Privileged Role Administrator

  • microsoft.directory/administrativeUnits/allProperties/allTasks
  • microsoft.directory/authorizationPolicy/allProperties/allTasks
  • microsoft.directory/directoryRoles/allProperties/allTasks
  • microsoft.directory/groupsAssignableToRoles/create
  • microsoft.directory/groupsAssignableToRoles/delete
  • microsoft.directory/groupsAssignableToRoles/restore
  • microsoft.directory/groupsAssignableToRoles/allProperties/update
  • microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks
  • microsoft.directory/privilegedIdentityManagement/allProperties/allTasks
  • microsoft.directory/roleAssignments/allProperties/allTasks
  • microsoft.directory/roleDefinitions/allProperties/allTasks
  • microsoft.directory/scopedRoleMemberships/allProperties/allTasks
  • microsoft.directory/servicePrincipals/appRoleAssignedTo/update
  • microsoft.directory/servicePrincipals/permissions/update
  • microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-admin
  • microsoft.office365.webPortal/allEntities/standard/read

Reports Reader

  • microsoft.directory/auditLogs/allProperties/read
  • microsoft.directory/provisioningLogs/allProperties/read
  • microsoft.directory/signInReports/allProperties/read
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.office365.network/performance/allProperties/read
  • microsoft.office365.usageReports/allEntities/allProperties/read
  • microsoft.office365.webPortal/allEntities/standard/read

Restricted Guest User

  • microsoft.directory/applications/standard/limitedRead
  • microsoft.directory/applications/owners/limitedRead
  • microsoft.directory/applications/policies/limitedRead
  • microsoft.directory/domains/standard/read
  • microsoft.directory/organization/basicProfile/read
  • microsoft.directory/servicePrincipals/appRoleAssignedTo/limitedRead
  • microsoft.directory/servicePrincipals/appRoleAssignments/limitedRead
  • microsoft.directory/servicePrincipals/standard/limitedRead
  • microsoft.directory/servicePrincipals/memberOf/limitedRead
  • microsoft.directory/servicePrincipals/oAuth2PermissionGrants/limitedRead
  • microsoft.directory/servicePrincipals/owners/limitedRead
  • microsoft.directory/servicePrincipals/ownedObjects/limitedRead
  • microsoft.directory/servicePrincipals/policies/limitedRead
  • microsoft.directory/users/standard/read
  • microsoft.directory/users/appRoleAssignments/read
  • microsoft.directory/users/deviceForResourceAccount/read
  • microsoft.directory/users/directReports/read
  • microsoft.directory/users/eligibleMemberOf/read
  • microsoft.directory/users/licenseDetails/read
  • microsoft.directory/users/manager/read
  • microsoft.directory/users/memberOf/read
  • microsoft.directory/users/oAuth2PermissionGrants/read
  • microsoft.directory/users/ownedDevices/read
  • microsoft.directory/users/ownedObjects/read
  • microsoft.directory/users/pendingMemberOf/read
  • microsoft.directory/users/photo/read
  • microsoft.directory/users/registeredDevices/read
  • microsoft.directory/users/scopedRoleMemberOf/read
  • microsoft.directory/users/password/update

Search Administrator

  • microsoft.office365.messageCenter/messages/read
  • microsoft.office365.search/content/manage
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Search Editor

  • microsoft.office365.messageCenter/messages/read
  • microsoft.office365.search/content/manage
  • microsoft.office365.webPortal/allEntities/standard/read

Security Administrator

  • microsoft.directory/applications/policies/update
  • microsoft.directory/auditLogs/allProperties/read
  • microsoft.directory/authorizationPolicy/standard/read
  • microsoft.directory/bitlockerKeys/key/read
  • microsoft.directory/entitlementManagement/allProperties/read
  • microsoft.directory/hybridAuthenticationPolicy/allProperties/allTasks
  • microsoft.directory/identityProtection/allProperties/read
  • microsoft.directory/identityProtection/allProperties/update
  • microsoft.directory/passwordHashSync/allProperties/allTasks
  • microsoft.directory/policies/create
  • microsoft.directory/policies/delete
  • microsoft.directory/policies/basic/update
  • microsoft.directory/policies/owners/update
  • microsoft.directory/policies/tenantDefault/update
  • microsoft.directory/conditionalAccessPolicies/create
  • microsoft.directory/conditionalAccessPolicies/delete
  • microsoft.directory/conditionalAccessPolicies/standard/read
  • microsoft.directory/conditionalAccessPolicies/owners/read
  • microsoft.directory/conditionalAccessPolicies/policyAppliedTo/read
  • microsoft.directory/conditionalAccessPolicies/basic/update
  • microsoft.directory/conditionalAccessPolicies/owners/update
  • microsoft.directory/conditionalAccessPolicies/tenantDefault/update
  • microsoft.directory/crossTenantAccessPolicies/create
  • microsoft.directory/crossTenantAccessPolicies/delete
  • microsoft.directory/crossTenantAccessPolicies/standard/read
  • microsoft.directory/crossTenantAccessPolicies/owners/read
  • microsoft.directory/crossTenantAccessPolicies/policyAppliedTo/read
  • microsoft.directory/crossTenantAccessPolicies/basic/update
  • microsoft.directory/crossTenantAccessPolicies/owners/update
  • microsoft.directory/crossTenantAccessPolicies/tenantDefault/update
  • microsoft.directory/privilegedIdentityManagement/allProperties/read
  • microsoft.directory/provisioningLogs/allProperties/read
  • microsoft.directory/servicePrincipals/policies/update
  • microsoft.directory/signInReports/allProperties/read
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.office365.protectionCenter/allEntities/standard/read
  • microsoft.office365.protectionCenter/allEntities/basic/update
  • microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/allTasks
  • microsoft.office365.protectionCenter/attackSimulator/reports/allProperties/read
  • microsoft.office365.protectionCenter/attackSimulator/simulation/allProperties/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Security Operator

  • microsoft.directory/auditLogs/allProperties/read
  • microsoft.directory/authorizationPolicy/standard/read
  • microsoft.directory/cloudAppSecurity/allProperties/allTasks
  • microsoft.directory/identityProtection/allProperties/allTasks
  • microsoft.directory/privilegedIdentityManagement/allProperties/read
  • microsoft.directory/provisioningLogs/allProperties/read
  • microsoft.directory/signInReports/allProperties/read
  • microsoft.azure.advancedThreatProtection/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.intune/allEntities/read
  • microsoft.office365.securityComplianceCenter/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.windows.defenderAdvancedThreatProtection/allEntities/allTasks

Security Reader

  • microsoft.directory/auditLogs/allProperties/read
  • microsoft.directory/authorizationPolicy/standard/read
  • microsoft.directory/bitlockerKeys/key/read
  • microsoft.directory/entitlementManagement/allProperties/read
  • microsoft.directory/identityProtection/allProperties/read
  • microsoft.directory/policies/standard/read
  • microsoft.directory/policies/owners/read
  • microsoft.directory/policies/policyAppliedTo/read
  • microsoft.directory/conditionalAccessPolicies/standard/read
  • microsoft.directory/conditionalAccessPolicies/owners/read
  • microsoft.directory/conditionalAccessPolicies/policyAppliedTo/read
  • microsoft.directory/privilegedIdentityManagement/allProperties/read
  • microsoft.directory/provisioningLogs/allProperties/read
  • microsoft.directory/signInReports/allProperties/read
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.office365.protectionCenter/allEntities/standard/read
  • microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/read
  • microsoft.office365.protectionCenter/attackSimulator/reports/allProperties/read
  • microsoft.office365.protectionCenter/attackSimulator/simulation/allProperties/read
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Service Support Administrator

  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.office365.network/performance/allProperties/read
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

SharePoint Administrator

  • microsoft.directory/groups.unified/create
  • microsoft.directory/groups.unified/delete
  • microsoft.directory/groups.unified/restore
  • microsoft.directory/groups.unified/basic/update
  • microsoft.directory/groups.unified/members/update
  • microsoft.directory/groups.unified/owners/update
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.office365.network/performance/allProperties/read
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.sharePoint/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.usageReports/allEntities/allProperties/read
  • microsoft.office365.webPortal/allEntities/standard/read

Skype for Business Administrator

  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.skypeForBusiness/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.usageReports/allEntities/allProperties/read
  • microsoft.office365.webPortal/allEntities/standard/read

Teams Administrator

  • microsoft.directory/authorizationPolicy/standard/read
  • microsoft.directory/groups/hiddenMembers/read
  • microsoft.directory/groups.unified/create
  • microsoft.directory/groups.unified/delete
  • microsoft.directory/groups.unified/restore
  • microsoft.directory/groups.unified/basic/update
  • microsoft.directory/groups.unified/members/update
  • microsoft.directory/groups.unified/owners/update
  • microsoft.directory/servicePrincipals/managePermissionGrantsForGroup.microsoft-all-application-permissions
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.office365.network/performance/allProperties/read
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.skypeForBusiness/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.usageReports/allEntities/allProperties/read
  • microsoft.office365.webPortal/allEntities/standard/read
  • microsoft.teams/allEntities/allProperties/allTasks

Teams Communications Administrator

  • microsoft.directory/authorizationPolicy/standard/read
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.skypeForBusiness/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.usageReports/allEntities/allProperties/read
  • microsoft.office365.webPortal/allEntities/standard/read
  • microsoft.teams/callQuality/allProperties/read
  • microsoft.teams/meetings/allProperties/allTasks
  • microsoft.teams/voice/allProperties/allTasks

Teams Communications Support Engineer

  • microsoft.directory/authorizationPolicy/standard/read
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.skypeForBusiness/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read
  • microsoft.teams/callQuality/allProperties/read

Teams Communications Support Specialist

  • microsoft.directory/authorizationPolicy/standard/read
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.skypeForBusiness/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read
  • microsoft.teams/callQuality/standard/read

Teams Devices Administrator

  • microsoft.office365.webPortal/allEntities/standard/read
  • microsoft.teams/devices/standard/read

Usage Summary Reports Reader

  • microsoft.office365.network/performance/allProperties/read
  • microsoft.office365.usageReports/allEntities/standard/read
  • microsoft.office365.webPortal/allEntities/standard/read

User

  • microsoft.directory/applications/createAsOwner
  • microsoft.directory/authorizationPolicy/standard/read
  • microsoft.directory/groups/createAsOwner
  • microsoft.directory/policies/standard/read
  • microsoft.directory/policies/owners/read
  • microsoft.directory/policies/policyAppliedTo/read
  • microsoft.directory/applicationPolicies/createAsOwner
  • microsoft.directory/servicePrincipals/createAsOwner
  • microsoft.directory/servicePrincipals/authentication/read
  • microsoft.directory/users/activateServicePlan
  • microsoft.directory/users/inviteGuest
  • microsoft.directory/applications/delete
  • microsoft.directory/applications/appRoles/update
  • microsoft.directory/applications/audience/update
  • microsoft.directory/applications/authentication/update
  • microsoft.directory/applications/basic/update
  • microsoft.directory/applications/credentials/update
  • microsoft.directory/applications/extensionProperties/update
  • microsoft.directory/applications/notes/update
  • microsoft.directory/applications/owners/update
  • microsoft.directory/applications/permissions/update
  • microsoft.directory/applications/policies/update
  • microsoft.directory/applications/tag/update
  • microsoft.directory/applications/verification/update
  • microsoft.directory/auditLogs/allProperties/read
  • microsoft.directory/deletedItems.applications/delete
  • microsoft.directory/deletedItems.applications/restore
  • microsoft.directory/deletedItems.groups/restore
  • microsoft.directory/devices/disable
  • microsoft.directory/groups/delete
  • microsoft.directory/groups/restore
  • microsoft.directory/groups/basic/update
  • microsoft.directory/groups/classification/update
  • microsoft.directory/groups/groupType/update
  • microsoft.directory/groups/members/update
  • microsoft.directory/groups/owners/update
  • microsoft.directory/groups/settings/update
  • microsoft.directory/groups/visibility/update
  • microsoft.directory/groupsAssignableToRoles/delete
  • microsoft.directory/groupsAssignableToRoles/restore
  • microsoft.directory/groupsAssignableToRoles/allProperties/update
  • microsoft.directory/policies/delete
  • microsoft.directory/policies/basic/update
  • microsoft.directory/policies/owners/update
  • microsoft.directory/provisioningLogs/allProperties/read
  • microsoft.directory/servicePrincipals/delete
  • microsoft.directory/servicePrincipals/disable
  • microsoft.directory/servicePrincipals/enable
  • microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials
  • microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials
  • microsoft.directory/servicePrincipals/appRoleAssignedTo/update
  • microsoft.directory/servicePrincipals/audience/update
  • microsoft.directory/servicePrincipals/authentication/update
  • microsoft.directory/servicePrincipals/basic/update
  • microsoft.directory/servicePrincipals/credentials/update
  • microsoft.directory/servicePrincipals/notes/update
  • microsoft.directory/servicePrincipals/owners/update
  • microsoft.directory/servicePrincipals/permissions/update
  • microsoft.directory/servicePrincipals/policies/update
  • microsoft.directory/servicePrincipals/tag/update
  • microsoft.directory/signInReports/allProperties/read
  • microsoft.directory/users/changePassword
  • microsoft.directory/users/invalidateAllRefreshTokens
  • microsoft.directory/users/basicProfile/update
  • microsoft.directory/users/identities/update
  • microsoft.directory/users/mobile/update
  • microsoft.directory/users/searchableDeviceKey/update
  • microsoft.directory/userInfos/address/read
  • microsoft.directory/userInfos/email/read
  • microsoft.directory/userInfos/openId/read
  • microsoft.directory/userInfos/phone/read
  • microsoft.directory/userInfos/profile/read

User Administrator

  • microsoft.directory/contacts/create
  • microsoft.directory/contacts/delete
  • microsoft.directory/contacts/basic/update
  • microsoft.directory/deletedItems.groups/restore
  • microsoft.directory/entitlementManagement/allProperties/allTasks
  • microsoft.directory/groups/assignLicense
  • microsoft.directory/groups/create
  • microsoft.directory/groups/delete
  • microsoft.directory/groups/hiddenMembers/read
  • microsoft.directory/groups/reprocessLicenseAssignment
  • microsoft.directory/groups/restore
  • microsoft.directory/groups/basic/update
  • microsoft.directory/groups/classification/update
  • microsoft.directory/groups/dynamicMembershipRule/update
  • microsoft.directory/groups/groupType/update
  • microsoft.directory/groups/members/update
  • microsoft.directory/groups/onPremWriteBack/update
  • microsoft.directory/groups/owners/update
  • microsoft.directory/groups/settings/update
  • microsoft.directory/groups/visibility/update
  • microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks
  • microsoft.directory/policies/standard/read
  • microsoft.directory/servicePrincipals/appRoleAssignedTo/update
  • microsoft.directory/users/assignLicense
  • microsoft.directory/users/create
  • microsoft.directory/users/delete
  • microsoft.directory/users/disable
  • microsoft.directory/users/enable
  • microsoft.directory/users/inviteGuest
  • microsoft.directory/users/invalidateAllRefreshTokens
  • microsoft.directory/users/reprocessLicenseAssignment
  • microsoft.directory/users/restore
  • microsoft.directory/users/basic/update
  • microsoft.directory/users/manager/update
  • microsoft.directory/users/password/update
  • microsoft.directory/users/photo/update
  • microsoft.directory/users/userPrincipalName/update
  • microsoft.azure.serviceHealth/allEntities/allTasks
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.office365.serviceHealth/allEntities/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.webPortal/allEntities/standard/read

Windows 365 Administrator

  • microsoft.directory/devices/create
  • microsoft.directory/devices/delete
  • microsoft.directory/devices/disable
  • microsoft.directory/devices/enable
  • microsoft.directory/devices/basic/update
  • microsoft.directory/devices/extensionAttributeSet1/update
  • microsoft.directory/devices/extensionAttributeSet2/update
  • microsoft.directory/devices/extensionAttributeSet3/update
  • microsoft.directory/devices/registeredOwners/update
  • microsoft.directory/devices/registeredUsers/update
  • microsoft.directory/groups.security/create
  • microsoft.directory/groups.security/delete
  • microsoft.directory/groups.security/basic/update
  • microsoft.directory/groups.security/classification/update
  • microsoft.directory/groups.security/dynamicMembershipRule/update
  • microsoft.directory/groups.security/members/update
  • microsoft.directory/groups.security/owners/update
  • microsoft.directory/groups.security/visibility/update
  • microsoft.directory/deviceManagementPolicies/standard/read
  • microsoft.directory/deviceRegistrationPolicy/standard/read
  • microsoft.azure.supportTickets/allEntities/allTasks
  • microsoft.cloudPC/allEntities/allProperties/allTasks
  • microsoft.office365.supportTickets/allEntities/allTasks
  • microsoft.office365.usageReports/allEntities/allProperties/read
  • microsoft.office365.webPortal/allEntities/standard/read

Windows Update Deployment Administrator

  • microsoft.windows.updatesDeployments/allEntities/allProperties/allTasks

Workplace Device Join