314 KiB
314 KiB
Synopsis
First part of this gist contains list of Azure RBAC and Azure AD roles sorted by their names.
Second part contains full definitions of each role along with their permissions assigned.
Role Definitions
Azure RBAC Roles
| # | RoleName | RoleDescription | RoleId |
|---|
| 1 | Experimentation Metric Contributor | Allows for creation, writes and reads to the metric set via the metrics service APIs. | 6188b7c9-7d01-4f99-a59f-c88b630326c0 |
| 2 | Project Babylon Data Curator | The Microsoft.ProjectBabylon data curator can create, read, modify and delete catalog data objects and establish relationships between objects. This role is in preview and subject to change. | 9ef4ef9c-a049-46b0-82ab-dd8ac094c889 |
| 3 | Storage Account Backup Contributor Role | Storage Account Backup Contributors are allowed to perform backup and restore of Storage Account. | e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1 |
| 4 | Reservation Purchaser | Lets you purchase reservations | f7b75c60-3036-4b75-91c3-6b41c27c1689 |
| 5 | AzureML Metrics Writer (preview) | Lets you write metrics to AzureML workspace | 635dd51f-9968-44d3-b7fb-6d9a6bd613ae |
| 6 | Purview role 3 (Deprecated) | Deprecated role. | ff100721-1b9d-43d8-af52-42b69c1272db |
| 7 | Purview role 2 (Deprecated) | Deprecated role. | 200bba9e-f0c8-430f-892b-6f0794863803 |
| 8 | Purview role 1 (Deprecated) | Deprecated role. | 8a3c2885-9b38-4fd2-9d99-91af537c1347 |
| 9 | Project Babylon Data Reader | The Microsoft.ProjectBabylon data reader can read catalog data objects. This role is in preview and subject to change. | c8d896ba-346d-4f50-bc1d-7d1c84130446 |
| 10 | Project Babylon Data Source Administrator | The Microsoft.ProjectBabylon data source administrator can manage data sources and data scans. This role is in preview and subject to change. | 05b7651b-dc44-475e-b74d-df3db49fae0f |
| 11 | AgFood Platform Service Reader | Provides read access to AgFood Platform Service | 7ec7ccdc-f61e-41fe-9aaf-980df0a44eba |
| 12 | AgFood Platform Service Contributor | Provides contribute access to AgFood Platform Service | 8508508a-4469-4e45-963b-2518ee0bb728 |
| 13 | Schema Registry Contributor (Preview) | Read, write, and delete Schema Registry groups and schemas. | 5dffeca3-4936-4216-b2bc-10343a5abb25 |
| 14 | Cognitive Services Metrics Advisor User | Access to the project. | 3b20f47b-3825-43cb-8114-4bd2201156a8 |
| 15 | Schema Registry Reader (Preview) | Read and list Schema Registry groups and schemas. | 2c56ea50-c6b3-40a6-83c0-9d98858bc7d2 |
| 16 | SignalR REST API Reader | Read-only access to Azure SignalR Service REST APIs | ddde6b66-c0df-4114-a159-3618637b3035 |
| 17 | SignalR Service Owner | Full access to Azure SignalR Service REST APIs | 7e4f1700-ea5a-4f59-8f37-079cfe29dce3 |
| 18 | Security Detonation Chamber Submitter | Allowed to create submissions to Security Detonation Chamber | 0b555d9b-b4a7-4f43-b330-627f0e5be8f0 |
| 19 | AgFood Platform Service Admin | Provides admin access to AgFood Platform Service | f8da80de-1ff9-4747-ad80-a19b7f6079e3 |
| 20 | Managed HSM contributor | Lets you manage managed HSM pools, but not access to them. | 18500a29-7fe2-46b2-a342-b16a415e101d |
| 21 | Autonomous Development Platform Data Reader (Preview) | Grants read access to Autonomous Development Platform data. | d63b75f7-47ea-4f27-92ac-e0d173aaf093 |
| 22 | Autonomous Development Platform Data Owner (Preview) | Grants full access to Autonomous Development Platform data. | 27f8b550-c507-4db9-86f2-f4b8e816d59d |
| 23 | Autonomous Development Platform Data Contributor (Preview) | Grants permissions to upload and manage new Autonomous Development Platform measurements. | b8b15564-4fa6-4a59-ab12-03e1d9594795 |
| 24 | Desktop Virtualization Workspace Reader | Reader of the Desktop Virtualization Workspace. | 0fa44ee9-7a7d-466b-9bb2-2bf446b1204d |
| 25 | Disk Backup Reader | Provides permission to backup vault to perform disk backup. | 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 |
| 26 | Security Detonation Chamber Submission Manager | Allowed to create and manage submissions to Security Detonation Chamber | a37b566d-3efa-4beb-a2f2-698963fa42ce |
| 27 | Security Detonation Chamber Publisher | Allowed to publish and modify platforms, workflows and toolsets to Security Detonation Chamber | 352470b3-6a9c-4686-b503-35deb827e500 |
| 28 | Microsoft.Kubernetes connected cluster role | Microsoft.Kubernetes connected cluster role. | 5548b2cf-c94c-4228-90ba-30851930a12f |
| 29 | Disk Restore Operator | Provides permission to backup vault to perform disk restore. | b50d9833-a0cb-478e-945f-707fcc997c13 |
| 30 | Disk Snapshot Contributor | Provides permission to backup vault to manage disk snapshots. | 7efff54f-a5b4-42b5-a1c5-5411624893ce |
| 31 | Desktop Virtualization Workspace Contributor | Contributor of the Desktop Virtualization Workspace. | 21efdde3-836f-432b-bf3d-3e8e734d4b2b |
| 32 | Desktop Virtualization User Session Operator | Operator of the Desktop Virtualization Uesr Session. | ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6 |
| 33 | Desktop Virtualization Contributor | Contributor of Desktop Virtualization. | 082f0a83-3be5-4ba1-904c-961cca79b387 |
| 34 | Application Group Contributor | Contributor of the Application Group. | ca6382a4-1721-4bcf-a114-ff0c70227b6b |
| 35 | Desktop Virtualization Reader | Reader of Desktop Virtualization. | 49a72310-ab8d-41df-bbb0-79b649203868 |
| 36 | Desktop Virtualization Application Group Reader | Reader of the Desktop Virtualization Application Group. | aebf23d0-b568-4e86-b8f9-fe83a2c6ab55 |
| 37 | Desktop Virtualization Application Group Contributor | Contributor of the Desktop Virtualization Application Group. | 86240b0e-9422-4c43-887b-b61143f32ba8 |
| 38 | Desktop Virtualization Host Pool Contributor | Contributor of the Desktop Virtualization Host Pool. | e307426c-f9b6-4e81-87de-d99efb3c32bc |
| 39 | Desktop Virtualization Session Host Operator | Operator of the Desktop Virtualization Session Host. | 2ad6aaab-ead9-4eaa-8ac5-da422f562408 |
| 40 | Desktop Virtualization Host Pool Reader | Reader of the Desktop Virtualization Host Pool. | ceadfde2-b300-400a-ab7b-6143895aa822 |
| 41 | Key Vault Crypto User | Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. | 12338af0-0e69-4776-bea7-57ae8d297424 |
| 42 | Key Vault Secrets Officer | Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | b86a8fe4-44ce-4948-aee5-eccb2c155cd7 |
| 43 | Key Vault Crypto Officer | Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | 14b46e9e-c2b7-41b4-b07b-48a6ebf60603 |
| 44 | Cognitive Services Custom Vision Trainer | View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project. | 0a5ae4ab-0d65-4eeb-be61-29fc9b54394b |
| 45 | Key Vault Administrator | Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. | 00482a5a-887f-4fb3-b363-3b7fe8e74483 |
| 46 | Key Vault Crypto Service Encryption User | Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. | e147488a-f6f5-4113-8e2d-b22465e65bf6 |
| 47 | Azure Arc Kubernetes Viewer | Lets you view all resources in cluster/namespace, except secrets. | 63f0a09d-1495-4db4-a681-037d84835eb4 |
| 48 | Key Vault Reader | Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. | 21090545-7ca7-4776-b22c-e363652d74d2 |
| 49 | Key Vault Secrets User | Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | 4633458b-17de-408a-b874-0445c86b69e6 |
| 50 | Key Vault Certificates Officer | Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | a4417e6f-fecd-4de8-b567-7b0420556985 |
| 51 | Experimentation Reader | Experimentation Reader | 49632ef5-d9ac-41f4-b8e7-bbe587fa74a1 |
| 52 | Object Understanding Account Owner | Provides user with ingestion capabilities for Azure Object Understanding. | 4dd61c23-6743-42fe-a388-d8bdd41cb745 |
| 53 | FHIR Data Writer | Role allows user or principal to read and write FHIR Data | 3f88fce4-5892-4214-ae73-ba5294559913 |
| 54 | FHIR Data Exporter | Role allows user or principal to read and export FHIR Data | 3db33094-8700-4567-8da5-1501d4e7e843 |
| 55 | FHIR Data Reader | Role allows user or principal to read FHIR Data | 4c8d0bbc-75d3-4935-991f-5f3c56d81508 |
| 56 | Cognitive Services Custom Vision Labeler | View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags. | 88424f51-ebe7-446f-bc41-7fa16989e96c |
| 57 | Cognitive Services Custom Vision Reader | Read-only actions in the project. Readers can't create or update the project. | 93586559-c37d-4a6b-ba08-b9f0940c2d73 |
| 58 | Cognitive Services Custom Vision Deployment | Publish, unpublish or export models. Deployment can view the project but can't update. | 5c4089e1-6d96-4d2f-b296-c1bc7137275f |
| 59 | Azure Maps Data Contributor | Grants access to read, write, and delete access to map related data from an Azure maps account. | 8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204 |
| 60 | Cognitive Services Custom Vision Contributor | Full access to the project, including the ability to view, create, edit, or delete projects. | c1ff6cc2-c111-46fe-8896-e0ef812ad9f3 |
| 61 | Device Update Reader | Gives you read access to management and content operations, but does not allow making changes | e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f |
| 62 | Device Update Administrator | Gives you full access to management and content operations | 02ca0879-e8e4-47a5-a61e-5c618b76e64a |
| 63 | Collaborative Data Contributor | Can manage data packages of a collaborative. | daa9e50b-21df-454c-94a6-a8050adab352 |
| 64 | SignalR App Server | Lets your app server access SignalR Service with AAD auth options. | 420fcaa2-552c-430f-98ca-3264be4806c7 |
| 65 | SignalR REST API Owner | Full access to Azure SignalR Service REST APIs | fd53cd77-2268-407a-8f46-7e7863d0f521 |
| 66 | Device Update Content Reader | Gives you read access to content operations, but does not allow making changes | d1ee9a80-8b14-47f0-bdc2-f4a351625a7b |
| 67 | Cognitive Services Metrics Advisor Administrator | Full access to the project, including the system level configuration. | cb43c632-a144-4ec5-977c-e80c4affc34a |
| 68 | Device Update Deployments Reader | Gives you read access to management operations, but does not allow making changes | 49e2f5d2-7741-4835-8efa-19e1fe35e47f |
| 69 | Device Update Content Administrator | Gives you full access to content operations | 0378884a-3af5-44ab-8323-f5b22f9f3c98 |
| 70 | Device Update Deployments Administrator | Gives you full access to management operations | e4237640-0e3d-4a46-8fda-70bc94856432 |
| 71 | Azure Kubernetes Service RBAC Cluster Admin | Lets you manage all resources in the cluster. | b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b |
| 72 | Azure Kubernetes Service RBAC Admin | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. | 3498e952-d568-435e-9b2c-8d77e338d7f7 |
| 73 | Azure Arc Kubernetes Admin | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. | dffb1e0c-446f-4dde-a09f-99eb5cc68b96 |
| 74 | Azure Arc Kubernetes Writer | Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings. | 5b999177-9696-4545-85c7-50de3797e5a1 |
| 75 | Azure Arc Kubernetes Cluster Admin | Lets you manage all resources in the cluster. | 8393591c-06b9-48a2-a542-1bd6b377f6a2 |
| 76 | Object Understanding Account Reader | Lets you read ingestion jobs for an object understanding account. | d18777c0-1514-4662-8490-608db7d334b6 |
| 77 | Azure Arc Enabled Kubernetes Cluster User Role | List cluster user credentials action. | 00493d72-78f6-4148-b6c5-d3ce8e4799dd |
| 78 | Services Hub Operator | Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors. | 82200a5b-e217-47a5-b665-6d8765ee745b |
| 79 | Azure Kubernetes Service RBAC Reader | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. | 7f6c6a51-bcf8-42ba-9220-52d62157d7db |
| 80 | Azure Kubernetes Service RBAC Writer | Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. | a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb |
| 81 | Azure VM Managed identities restore Contributor | Azure VM Managed identities restore Contributors are allowed to perform Azure VM Restores with managed identities both user and system | 6ae96244-5829-4925-a7d3-5975537d91dd |
| 82 | Azure Maps Search and Render Data Reader | Grants access to very limited set of data APIs for common visual web SDK scenarios. Specifically, render and search data APIs. | 6be48352-4f82-47c9-ad5e-0acacefdb005 |
| 83 | Azure Spring Cloud Config Server Contributor | Allow read, write and delete access to Azure Spring Cloud Config Server | a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b |
| 84 | Azure Spring Cloud Service Registry Contributor | Allow read, write and delete access to Azure Spring Cloud Service Registry | f5880b48-c26d-48be-b172-7927bfa1c8f1 |
| 85 | Azure Spring Cloud Config Server Reader | Allow read access to Azure Spring Cloud Config Server | d04c6db6-4947-4782-9e91-30a88feb7be7 |
| 86 | Azure Arc VMware Administrator role | Arc VMware VM Contributor has permissions to perform all connected VMwarevSphere actions. | ddc140ed-e463-4246-9145-7c664192013f |
| 87 | Azure Arc VMware Private Clouds Onboarding | Azure Arc VMware Private Clouds Onboarding role has permissions to provision all the required resources for onboard and deboard vCenter instances to Azure. | 67d33e57-3129-45e6-bb0b-7cc522f762fa |
| 88 | Azure Arc VMware Private Cloud User | Azure Arc VMware Private Cloud User has permissions to use the VMware cloud resources to deploy VMs. | ce551c02-7c42-47e0-9deb-e3b6fc3a9a83 |
| 89 | Azure Maps Contributor | Grants access all Azure Maps resource management. | dba33070-676a-4fb0-87fa-064dc56ff7fb |
| 90 | Azure Arc VMware VM Contributor | Arc VMware VM Contributor has permissions to perform all VM actions. | b748a06d-6150-4f8a-aaa9-ce3940cd96cb |
| 91 | Grafana Editor | Built-in Grafana Editor role | a79a5197-3a5c-4973-a920-486035ffd60f |
| 92 | Automation Contributor | Manage azure automation resources and other resources using azure automation. | f353d9bd-d4a6-484e-a77a-8050b599b867 |
| 93 | Grafana Viewer | Built-in Grafana Viewer role | 60921a7e-fef1-4a43-9b16-a26c52ad4769 |
| 94 | Azure Relay Owner | Allows for full access to Azure Relay resources. | 2787bf04-f1f5-4bfe-8383-c8a24483ee38 |
| 95 | Azure Relay Listener | Allows for listen access to Azure Relay resources. | 26e0b698-aa6d-4085-9386-aadae190014d |
| 96 | CodeSigning Certificate Profile Signer | Sign files with a certificate profile. This role is in preview and subject to change. | 2837e146-70d7-4cfd-ad55-7efa6464f958 |
| 97 | Azure Spring Cloud Service Registry Reader | Allow read access to Azure Spring Cloud Service Registry | cff1b556-2399-4e7e-856d-a8f754be7b65 |
| 98 | Device Provisioning Service Data Contributor | Allows for full access to Device Provisioning Service data-plane operations. | dfce44e4-17b7-4bd1-a6d1-04996ec95633 |
| 99 | Kubernetes Extension Contributor | Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations | 85cb6faf-e071-4c9b-8136-154b5a04f717 |
| 100 | Device Provisioning Service Data Reader | Allows for full read access to Device Provisioning Service data-plane properties. | 10745317-c249-44a1-a5ce-3a4353c0bbd8 |
| 101 | Lab Services Reader | The lab services reader role | 2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc |
| 102 | Lab Assistant | The lab assistant role | ce40b423-cede-4313-a93f-9b28290b72e1 |
| 103 | Lab Services Contributor | The lab services contributor role | f69b8690-cc87-41d6-b77a-a4bc3c0a966f |
| 104 | Load Test Reader | View and list all load tests and load test resources but can not make any changes | 3ae3fb29-0000-4ccd-bf80-542e7b26e081 |
| 105 | Cognitive Services Immersive Reader User | Provides access to create Immersive Reader sessions and call APIs | b2de6794-95db-4659-8781-7e080d3f2b9d |
| 106 | Chamber Admin | Lets you manage everything under your HPC Workbench chamber. | 4e9b8407-af2e-495b-ae54-bb60a55b1b5a |
| 107 | Guest Configuration Resource Contributor | Grants access to read or write to Guest Configuration resources. | 088ab73d-1256-47ae-bea9-9de8e7131f31 |
| 108 | Chamber User | Lets you view everything under your HPC Workbench chamber, but not make any changes. | 4447db05-44ed-4da3-ae60-6cbece780e32 |
| 109 | Lab Operator | The lab operator role | a36e6959-b6be-4b12-8e9f-ef4b474d304d |
| 110 | Lab Contributor | The lab contributor role | 5daaa2af-1fe8-407c-9122-bba179798270 |
| 111 | Cognitive Services Language Owner | Has access to all Read, Test, Write, Deploy and Delete functions under Language portal | f07febfe-79bc-46b1-8b37-790e26e6e498 |
| 112 | Cognitive Services LUIS Reader | Has access to Read and Test functions under LUIS. | 18e81cdc-4e98-4e29-a639-e7d10c5a6226 |
| 113 | Cognitive Services Language Writer | _ Has access to all Read, Test, and Write functions under Language Portal_ | f2310ca1-dc64-4889-bb49-c8e0fa3d47a8 |
| 114 | Cognitive Services LUIS Owner | _ Has access to all Read, Test, Write, Deploy and Delete functions under LUIS_ | f72c8140-2111-481c-87ff-72b910f6e3f8 |
| 115 | Cognitive Services Language Reader | Has access to Read and Test functions under Language portal | 7628b7b8-a8b2-4cdc-b46f-e9b35248918e |
| 116 | Load Test Owner | Execute all operations on load test resources and load tests | 45bb0b16-2f0c-4e78-afaa-a07599b003f6 |
| 117 | PlayFab Contributor | Provides contributor access to PlayFab resources | 0c8b84dc-067c-4039-9615-fa1a4b77c726 |
| 118 | Load Test Contributor | View, create, update, delete and execute load tests. View and list load test resources but can not make any changes. | 749a398d-560b-491b-bb21-08924219302e |
| 119 | Cognitive Services LUIS Writer | Has access to all Read, Test, and Write functions under LUIS | 6322a993-d5c9-4bed-b113-e49bbea25b27 |
| 120 | PlayFab Reader | Provides read access to PlayFab resources | a9a19cc5-31f4-447c-901f-56c0bb18fcaf |
| 121 | Cognitive Services Speech User | Access to the real-time speech recognition and batch transcription APIs, real-time speech synthesis and long audio APIs, as well as to read the data/test/model/endpoint for custom models, but can't create, delete or modify the data/test/model/endpoint for custom models. | f2dc8367-1007-4938-bd23-fe263f013447 |
| 122 | Cognitive Services Speech Contributor | Full access to Speech projects, including read, write and delete all entities, for real-time speech recognition and batch transcription tasks, real-time speech synthesis and long audio tasks, custom speech and custom voice. | 0e75ca1e-0464-4b4d-8b93-68208a576181 |
| 123 | Azure Spring Cloud Data Reader | Allow read access to Azure Spring Cloud Data | b5537268-8956-4941-a8f0-646150406f0c |
| 124 | Web PubSub Service Owner (Preview) | Full access to Azure Web PubSub Service REST APIs | 12cf5a90-567b-43ae-8102-96cf46c7d9b4 |
| 125 | Web PubSub Service Reader (Preview) | Read-only access to Azure Web PubSub Service REST APIs | bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf |
| 126 | Media Services Media Operator | Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources. | e4395492-1534-4db2-bedf-88c14621589c |
| 127 | Media Services Policy Administrator | Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets or Streaming resources. | c4bba371-dacd-4a26-b320-7250bca963ae |
| 128 | Media Services Live Events Administrator | Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources. | 532bc159-b25e-42c0-969e-a1d439f60d77 |
| 129 | Cognitive Services Face Recognizer | Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices. | 9894cab4-e18a-44aa-828b-cb588cd6f2d7 |
| 130 | Media Services Account Administrator | Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources. | 054126f8-9a2b-4f1c-a9ad-eca461f08466 |
| 131 | Microsoft Sentinel Automation Contributor | Microsoft Sentinel Automation Contributor | f4c81013-99ee-4d62-a7ee-b3f1f648599a |
| 132 | Quota Request Operator | Read and create quota requests, get quota request status, and create support tickets. | 0e5f05e5-9ab9-446b-b98d-1e2157c94125 |
| 133 | FHIR Data Converter | Role allows user or principal to convert data from legacy format to FHIR | a1705bd2-3a8f-45a5-8683-466fcfd5cc24 |
| 134 | Collaborative Runtime Operator | Can manage resources created by AICS at runtime | 7a6f0e70-c033-4fb1-828c-08514e5f4102 |
| 135 | CosmosRestoreOperator | Can perform restore action for Cosmos DB database account with continuous backup mode | 5432c526-bc82-444a-b7ba-57c5b0b5b34f |
| 136 | Object Anchors Account Owner | Provides user with ingestion capabilities for an object anchors account. | ca0835dd-bacc-42dd-8ed2-ed5e7230d15b |
| 137 | WorkloadBuilder Migration Agent Role | WorkloadBuilder Migration Agent Role. | d17ce0a2-0697-43bc-aac5-9113337ab61c |
| 138 | Object Anchors Account Reader | Lets you read ingestion jobs for an object anchors account. | 4a167cdf-cb95-4554-9203-2347fe489bd9 |
| 139 | EventGrid Contributor | Lets you manage EventGrid operations. | 1e241071-0855-49ea-94dc-649edcd759de |
| 140 | Security Detonation Chamber Reader | Allowed to query submission info and files from Security Detonation Chamber | 28241645-39f8-410b-ad48-87863e2951d5 |
| 141 | DICOM Data Owner | Full access to DICOM data. | 58a3b984-7adf-4c20-983a-32417c86fbc8 |
| 142 | EventGrid Data Sender | Allows send access to event grid events. | d5a91429-5739-47e2-a06b-3470a27159e7 |
| 143 | DICOM Data Reader | Read and search DICOM data. | e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a |
| 144 | Storage Table Data Reader | Allows for read access to Azure Storage tables and entities | 76199698-9eea-4c19-bc75-cec21354c6b6 |
| 145 | Storage Table Data Contributor | Allows for read, write and delete access to Azure Storage tables and entities | 0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3 |
| 146 | Azure Connected SQL Server Onboarding | Microsoft.AzureArcData service role to access the resources of Microsoft.AzureArcData stored with RPSAAS. | e8113dce-c529-4d33-91fa-e9b972617508 |
| 147 | Azure Relay Sender | Allows for send access to Azure Relay resources. | 26baccc8-eea7-41f1-98f4-1762cc7f685d |
| 148 | Grafana Admin | Built-in Grafana admin role | 22926164-76b3-42b3-bc55-97df8dab3e41 |
| 149 | Disk Pool Operator | Used by the StoragePool Resource Provider to manage Disks added to a Disk Pool. | 60fc6e62-5479-42d4-8bf4-67625fcc2840 |
| 150 | AzureML Data Scientist | Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself. | f6c7c914-8db3-469d-8ca1-694a8f32e121 |
| 151 | IoT Hub Data Reader | Allows for full read access to IoT Hub data-plane properties | b447c946-2db7-41ec-983d-d8bf3b1c77e3 |
| 152 | IoT Hub Twin Contributor | Allows for read and write access to all IoT Hub device and module twins. | 494bdba2-168f-4f31-a0a1-191d2f7c028c |
| 153 | AnyBuild Builder | Basic user role for AnyBuild. This role allows listing of agent information and execution of remote build capabilities. | a2138dac-4907-4679-a376-736901ed8ad8 |
| 154 | Media Services Streaming Endpoints Administrator | Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources. | 99dba123-b5fe-44d5-874c-ced7199a5804 |
| 155 | Stream Analytics Query Tester | Lets you perform query testing without creating a stream analytics job first | 1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf |
| 156 | Search Index Data Reader | Grants read access to Azure Cognitive Search index data. | 1407120a-92aa-4202-b7e9-c0e197c71c8f |
| 157 | Search Index Data Contributor | Grants full access to Azure Cognitive Search index data. | 8ebe5a00-799e-43f5-93ac-243d3dce84a7 |
| 158 | Test Base Reader | Let you view and download packages and test results. | 15e0f5a1-3450-4248-8e25-e2afe88a9e85 |
| 159 | IoT Hub Registry Contributor | Allows for full access to IoT Hub device registry. | 4ea46cd5-c1b2-4a8e-910b-273211f9ce47 |
| 160 | IoT Hub Data Contributor | Allows for full access to IoT Hub data plane operations. | 4fc6c259-987e-4a07-842e-c321cc9d413f |
| 161 | FHIR Data Contributor | Role allows user or principal full access to FHIR Data | 5a1fc7df-4bf1-4951-a576-89034ee01acd |
| 162 | EventGrid EventSubscription Reader | Lets you read EventGrid event subscriptions. | 2414bbcf-6497-4faf-8c65-045460748405 |
| 163 | Graph Owner | Create and manage all aspects of the Enterprise Graph - Ontology, Schema mapping, Conflation and Conversational AI and Ingestions | b60367af-1334-4454-b71e-769d9a4f83d9 |
| 164 | EventGrid EventSubscription Contributor | Lets you manage EventGrid event subscription operations. | 428e0ff0-5e57-4d9c-a221-2c70d0e0a443 |
| 165 | DocumentDB Account Contributor | Lets you manage DocumentDB accounts, but not access to them. | 5bd9cd88-fe45-4216-938b-f97437e15450 |
| 166 | DNS Zone Contributor | Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. | befefa01-2a29-4197-83a8-272ff33ce314 |
| 167 | Knowledge Consumer | Knowledge Read permission to consume Enterprise Graph Knowledge using entity search and graph query | ee361c5d-f7b5-4119-b4b6-892157c8f64c |
| 168 | Lab Creator | Lets you create new labs under your Azure Lab Accounts. | b97fb8bc-a8b2-4522-a38b-dd33c7e65ead |
| 169 | Key Vault Contributor | Lets you manage key vaults, but not access to them. | f25e0fa2-a7c8-4377-a976-54943a77a395 |
| 170 | HDInsight Domain Services Contributor | Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package | 8d8d5a11-05d3-4bda-a417-a08778121c7c |
| 171 | Intelligent Systems Account Contributor | Lets you manage Intelligent Systems accounts, but not access to them. | 03a6d094-3444-4b3d-88af-7477090a9e5e |
| 172 | Cost Management Reader | Can view cost data and configuration (e.g. budgets, exports) | 72fafb9e-0641-4937-9268-a91bfd8191a3 |
| 173 | Data Box Contributor | Lets you manage everything under Data Box Service except giving access to others. | add466c9-e687-43fc-8d98-dfcf8d720be5 |
| 174 | Cost Management Contributor | Can view costs and manage cost configuration (e.g. budgets, exports) | 434105ed-43f6-45c7-a02f-909b2ba83430 |
| 175 | Contributor | Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. | b24988ac-6180-42a0-ab88-20f7382dd24c |
| 176 | Cosmos DB Account Reader Role | Can read Azure Cosmos DB Accounts data | fbdf93bf-df7d-467e-a4d2-9458aa1360c8 |
| 177 | Data Lake Analytics Developer | Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. | 47b7735b-770e-4598-a7da-8b91488b4c88 |
| 178 | DevTest Labs User | Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. | 76283e04-6283-4c54-8f91-bcf1374a3c64 |
| 179 | Data Purger | Can purge analytics data | 150f5e0c-0603-4f03-8c7f-cf70034c4e90 |
| 180 | Data Box Reader | Lets you manage Data Box Service except creating order or editing order details and giving access to others. | 028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027 |
| 181 | Data Factory Contributor | Create and manage data factories, as well as child resources within them. | 673868aa-7521-48a0-acc6-0f60742d39f5 |
| 182 | Monitoring Contributor | Can read all monitoring data and update monitoring settings. | 749f88d5-cbae-40b8-bcfc-e573ddc772fa |
| 183 | New Relic APM Account Contributor | Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. | 5d28c62d-5b37-4476-8438-e587778df237 |
| 184 | Network Contributor | Lets you manage networks, but not access to them. | 4d97b98b-1d4f-4787-a291-c67834d212e7 |
| 185 | Monitoring Metrics Publisher | Enables publishing metrics against Azure resources | 3913510d-42f4-4e42-8a64-420c390055eb |
| 186 | Monitoring Reader | Can read all monitoring data. | 43d0d8ad-25c7-4714-9337-8ba259a9fe05 |
| 187 | Reader and Data Access | Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. | c12c1c16-33a1-487b-954d-41c89c60f349 |
| 188 | Resource Policy Contributor | Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy. | 36243c78-bf99-498c-9df9-86d9f8d28608 |
| 189 | Redis Cache Contributor | Lets you manage Redis caches, but not access to them. | e0f68234-74aa-48ed-b826-c38b57376e17 |
| 190 | Owner | Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. | 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 |
| 191 | Reader | View all resources, but does not allow you to make any changes. | acdd72a7-3385-48ef-bd42-f606fba81ae7 |
| 192 | Logic App Contributor | Lets you manage logic app, but not access to them. | 87a39d53-fc1b-424a-814c-f7e04687dc9e |
| 193 | Managed Application Operator Role | Lets you read and perform actions on Managed Application resources | c7393b34-138c-406f-901b-d8cf2b17e6ae |
| 194 | Logic App Operator | Lets you read, enable and disable logic app. | 515c2055-d9d4-4321-b1b9-bd0c9a0f79fe |
| 195 | Log Analytics Reader | Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. | 73c42c96-874c-492b-b04d-ab87d138a893 |
| 196 | Log Analytics Contributor | Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources. | 92aaf0da-9dab-42b6-94a3-d43ce8d16293 |
| 197 | Management Group Contributor | Management Group Contributor Role | 5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c |
| 198 | Management Group Reader | Management Group Reader Role | ac63b705-f282-497d-ac71-919bf39d939d |
| 199 | Managed Identity Contributor | Create, Read, Update, and Delete User Assigned Identity | e40ec5ca-96e0-45a2-b4ff-59039f2c2b59 |
| 200 | Managed Applications Reader | Lets you read resources in a managed app and request JIT access. | b9331d33-8a36-4f8c-b097-4f54124fdb44 |
| 201 | Managed Identity Operator | Read and Assign User Assigned Identity | f1a07417-d97a-45cb-824c-7a7467783830 |
| 202 | Automation Runbook Operator | Read Runbook properties - to be able to create Jobs of the runbook. | 5fb5aef8-1081-4b8e-bb16-9d5d0385bab5 |
| 203 | Automation Operator | Automation Operators are able to start, stop, suspend, and resume jobs | d3881f73-407a-4167-8283-e981cbba0404 |
| 204 | Automation Job Operator | Create and Manage Jobs using Automation Runbooks. | 4fe576fe-1146-4730-92eb-48519fa6bf9f |
| 205 | Application Insights Snapshot Debugger | Gives user permission to use Application Insights Snapshot Debugger features | 08954f03-6346-4c2e-81c0-ec3a5cfae23b |
| 206 | Attestation Reader | Can read the attestation provider properties | fd1bd22b-8476-40bc-a0bc-69b95687b9f3 |
| 207 | Azure Kubernetes Service Cluster User Role | List cluster user credential action. | 4abbcc35-e782-43d8-92c5-2d3f1bd2253f |
| 208 | Azure Maps Data Reader | Grants access to read map related data from an Azure maps account. | 423170ca-a8f6-4b0f-8487-9e4eb8f49bfa |
| 209 | Azure Kubernetes Service Cluster Admin Role | List cluster admin credential action. | 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8 |
| 210 | Avere Contributor | Can create and manage an Avere vFXT cluster. | 4f8fab4f-1852-4a58-a46a-8eaf358af14a |
| 211 | Avere Operator | Used by the Avere vFXT cluster to manage the cluster | c025889f-8102-4ebf-b32c-fc0c6f0c6bd9 |
| 212 | AcrImageSigner | acr image signer | 6cef56e8-d556-48e5-a04f-b8e64114680f |
| 213 | AcrDelete | acr delete | c2f4ef07-c644-48eb-af81-4b1b4947fb11 |
| 214 | AcrPull | acr pull | 7f951dda-4ed3-4680-a7ca-43fe172d538d |
| 215 | AcrPush | acr push | 8311e382-0749-4cb8-b61a-304f252e45ec |
| 216 | API Management Service Contributor | Can manage service and the APIs | 312a565d-c81f-4fd8-895a-4e21e48d571c |
| 217 | API Management Service Reader Role | Read-only access to service and APIs | 71522526-b88f-4d52-b57f-d31fc3546d0d |
| 218 | Application Insights Component Contributor | Can manage Application Insights components | ae349356-3a1b-4a5e-921d-050484c6347e |
| 219 | API Management Service Operator Role | Can manage service but not the APIs | e022efe7-f5ba-4159-bbe4-b44f577e9b61 |
| 220 | AcrQuarantineReader | acr quarantine data reader | cdda3590-29a3-44f6-95f2-9f980659eb04 |
| 221 | AcrQuarantineWriter | acr quarantine data writer | c8d4ff99-41c3-41a8-9f60-21dfdad59608 |
| 222 | Classic Storage Account Key Operator Service Role | Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts | 985d6b00-f706-48f5-a6fe-d0ca12fb668d |
| 223 | ClearDB MySQL DB Contributor | Lets you manage ClearDB MySQL databases, but not access to them. | 9106cda0-8a86-4e81-b686-29a22c54effe |
| 224 | Classic Storage Account Contributor | Lets you manage classic storage accounts, but not access to them. | 86e8f5dc-a6e9-4c67-9d15-de283e8eac25 |
| 225 | CDN Profile Reader | Can view CDN profiles and their endpoints, but can't make changes. | 8f96442b-4075-438f-813d-ad51ab4019af |
| 226 | Classic Network Contributor | Lets you manage classic networks, but not access to them. | b34d265f-36f7-4a0d-a4d4-e158ca92e90f |
| 227 | Cognitive Services Contributor | Lets you create, read, update, delete and manage keys of Cognitive Services. | 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68 |
| 228 | CosmosBackupOperator | Can submit restore request for a Cosmos DB database or a container for an account | db7b14f2-5adf-42da-9f96-f2ee17bab5cb |
| 229 | Cognitive Services Data Reader (Preview) | Lets you read Cognitive Services data. | b59867f0-fa02-499b-be73-45a86b5b3e1c |
| 230 | Classic Virtual Machine Contributor | Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. | d73bb868-a0df-4d4d-bd69-98a00b01fccb |
| 231 | Cognitive Services User | Lets you read and list keys of Cognitive Services. | a97b65f3-24c7-4388-baec-2e87135dc908 |
| 232 | Backup Operator | Lets you manage backup services, except removal of backup, vault creation and giving access to others | 00c29273-979b-4161-815c-10b084fb9324 |
| 233 | Backup Reader | Can view backup services, but can't make changes | a795c7a0-d4a2-40c1-ae25-d81f01202912 |
| 234 | Billing Reader | Allows read access to billing data | fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64 |
| 235 | Azure Stack Registration Owner | Lets you manage Azure Stack registrations. | 6f12a6df-dd06-4f3e-bcb1-ce8be600526a |
| 236 | Backup Contributor | Lets you manage backup service,but can't create vaults and give access to others | 5e467623-bb1f-42f4-a55d-6e525e11384b |
| 237 | CDN Endpoint Reader | Can view CDN endpoints, but can't make changes. | 871e35f6-b5c1-49cc-a043-bde969a0f2cd |
| 238 | CDN Profile Contributor | Can manage CDN profiles and their endpoints, but can't grant access to other users. | ec156ff8-a8d1-4d15-830c-5b80698ca432 |
| 239 | CDN Endpoint Contributor | Can manage CDN endpoints, but can't grant access to other users. | 426e0c7f-0c7e-4658-b36f-ff54d6c29b45 |
| 240 | Blockchain Member Node Access (Preview) | Allows for access to Blockchain Member nodes | 31a002a1-acaf-453e-8a5b-297c9ca1ea24 |
| 241 | BizTalk Contributor | Lets you manage BizTalk services, but not access to them. | 5e3c6656-6cfa-4708-81fe-0de47ac73342 |
| 242 | Microsoft Sentinel Reader | Microsoft Sentinel Reader | 8d289c81-5878-46d4-8554-54e1e3d8b5cb |
| 243 | Workbook Reader | Can read workbooks. | b279062a-9be3-42a0-92ae-8b3cf002ec4d |
| 244 | Microsoft Sentinel Responder | Microsoft Sentinel Responder | 3e150937-b8fe-4cfb-8069-0eaf05ecd056 |
| 245 | Blueprint Operator | Can assign existing published blueprints, but cannot create new blueprints. NOTE: this only works if the assignment is done with a user-assigned managed identity. | 437d2ced-4a38-4302-8479-ed2bcb43d090 |
| 246 | Microsoft Sentinel Contributor | Microsoft Sentinel Contributor | ab8e14d6-4a74-4a29-9ba8-549422addade |
| 247 | SignalR/Web PubSub Contributor | Create, Read, Update, and Delete SignalR service resources | 8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761 |
| 248 | Azure Connected Machine Onboarding | Can onboard Azure Connected Machines. | b64e21ea-ac4e-4cdf-9dc9-5b892992bee7 |
| 249 | SignalR AccessKey Reader | Read SignalR Service Access Keys | 04165923-9d83-45d5-8227-78b77b0a687e |
| 250 | Workbook Contributor | Can save shared workbooks. | e8ddcd69-c73f-4f9f-9844-4100522f16ad |
| 251 | Policy Insights Data Writer (Preview) | Allows read access to resource policies and write access to resource component policy events. | 66bb4e9e-b016-4a94-8249-4c0511c2be84 |
| 252 | Storage File Data SMB Share Reader | Allows for read access to Azure File Share over SMB | aba4ae5f-2193-4029-9191-0cb91df5e314 |
| 253 | Storage File Data SMB Share Contributor | Allows for read, write, and delete access in Azure Storage file shares over SMB | 0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb |
| 254 | Azure Service Bus Data Sender | Allows for send access to Azure Service Bus resources. | 69a216fc-b8fb-44d8-bc22-1f3c2cd27a39 |
| 255 | Azure Event Hubs Data Sender | Allows send access to Azure Event Hubs resources. | 2b629674-e913-4c01-ae53-ef4638d8f975 |
| 256 | Azure Service Bus Data Receiver | Allows for receive access to Azure Service Bus resources. | 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0 |
| 257 | Storage File Data SMB Share Elevated Contributor | Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB | a7264617-510b-434b-a828-9731dc254ea7 |
| 258 | Blueprint Contributor | Can manage blueprint definitions, but not assign them. | 41077137-e803-4205-871c-5a86e6a753b4 |
| 259 | Desktop Virtualization User | Allows user to use the applications in an application group. | 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63 |
| 260 | Private DNS Zone Contributor | Lets you manage private DNS zone resources, but not the virtual networks they are linked to. | b12aa53e-6015-4669-85d0-8515ebb3ae7f |
| 261 | Storage Blob Delegator | Allows for generation of a user delegation key which can be used to sign SAS tokens | db58b8e5-c6ad-4a2a-8342-4190687cbf4a |
| 262 | Tag Contributor | Lets you manage tags on entities, without providing access to the entities themselves. | 4a9ae827-6dc8-4573-8ac7-8239d42aa03f |
| 263 | Integration Service Environment Developer | Allows developers to create and update workflows, integration accounts and API connections in integration service environments. | c7aa55d3-1abb-444a-a5ca-5e51e485d6ec |
| 264 | Security Assessment Contributor | Lets you push assessments to Security Center | 612c2aa1-cb24-443b-ac28-3ab7272de6f5 |
| 265 | Remote Rendering Client | Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering. | d39065c4-c120-43c9-ab0a-63eed9795f0a |
| 266 | Managed Application Contributor Role | Allows for creating managed application resources. | 641177b8-a67a-45b9-a033-47bc880bb21e |
| 267 | Azure Digital Twins Data Owner | Full access role for Digital Twins data-plane | bcd981a7-7f74-457b-83e1-cceb9e632ffe |
| 268 | Hierarchy Settings Administrator | Allows users to edit and delete Hierarchy Settings | 350f8d15-c687-4448-8ae1-157740a3936d |
| 269 | Azure Digital Twins Data Reader | Read-only role for Digital Twins data-plane properties | d57506d4-4c8d-48b1-8587-93c323f6a5a3 |
| 270 | Integration Service Environment Contributor | Lets you manage integration service environments, but not access to them. | a41e2c5b-bd99-4a07-88f4-9bf657a760b8 |
| 271 | Azure Kubernetes Service Contributor Role | Grants access to read and write Azure Kubernetes Service clusters | ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8 |
| 272 | App Configuration Data Reader | Allows read access to App Configuration data. | 516239f1-63e1-4d78-a4de-a74fb236a071 |
| 273 | Kubernetes Cluster - Azure Arc Onboarding | Role definition to authorize any user/service to create connectedClusters resource | 34e09817-6cbe-4d01-b1a2-e0eac5743d41 |
| 274 | App Configuration Data Owner | Allows full access to App Configuration data. | 5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b |
| 275 | Azure Connected Machine Resource Administrator | Can read, write, delete and re-onboard Azure Connected Machines. | cd570a14-e51a-42ad-bac8-bafd67325302 |
| 276 | Managed Services Registration assignment Delete Role | Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant. | 91c1777a-f3dc-4fae-b103-61d183457e46 |
| 277 | Experimentation Administrator | Experimentation Administrator | 7f646f1b-fa08-80eb-a33b-edd6ce5c915c |
| 278 | Remote Rendering Administrator | Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering | 3df8b902-2a6f-47c7-8cc5-360e9b272a7e |
| 279 | Cognitive Services QnA Maker Editor | Let's you create, edit, import and export a KB. You cannot publish or delete a KB. | f4cc2bf9-21be-47a1-bdf1-5c5804381025 |
| 280 | Experimentation Contributor | Experimentation Contributor | 7f646f1b-fa08-80eb-a22b-edd6ce5c915c |
| 281 | Cognitive Services QnA Maker Reader | Let's you read and test a KB only. | 466ccd10-b268-4a11-b098-b4849f024126 |
| 282 | SQL Security Manager | Lets you manage the security-related policies of SQL servers and databases, but not access to them. | 056cd41c-7e88-42e1-933e-88ba6a50c9c3 |
| 283 | Storage Account Contributor | Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data. | 17d1049b-9a84-46fb-8f53-869881c3d3ab |
| 284 | SQL DB Contributor | Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. | 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec |
| 285 | Spatial Anchors Account Owner | Lets you manage spatial anchors in your account, including deleting them | 70bbe301-9835-447d-afdd-19eb3167307c |
| 286 | SQL Managed Instance Contributor | Lets you manage SQL Managed Instances and required network configuration, but can't give access to others. | 4939a1f6-9ae0-4e48-a1e0-f2cbe897382d |
| 287 | Storage Blob Data Owner | Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control. | b7e6dc6d-f1e8-4753-8033-0f276bb0955b |
| 288 | Storage Blob Data Reader | Allows for read access to Azure Storage blob containers and data | 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1 |
| 289 | Storage Blob Data Contributor | Allows for read, write and delete access to Azure Storage blob containers and data | ba92f5b4-2d11-453d-a403-e96b0029c9fe |
| 290 | SQL Server Contributor | Lets you manage SQL servers and databases, but not access to them, and not their security -related policies. | 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437 |
| 291 | Storage Account Key Operator Service Role | Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts | 81a9662b-bebf-436f-a333-f67b29880f12 |
| 292 | Security Manager (Legacy) | This is a legacy role. Please use Security Administrator instead | e3d13bf0-dd5a-482e-ba6b-9b8433878d10 |
| 293 | Security Reader | Security Reader Role | 39bc4728-0917-49c7-9d2c-d95423bc2eb4 |
| 294 | Security Admin | Security Admin Role | fb1c8493-542b-48eb-b624-b4c8fea62acd |
| 295 | Scheduler Job Collections Contributor | Lets you manage Scheduler job collections, but not access to them. | 188a0f2f-5c9e-469b-ae67-2aa5ce574b94 |
| 296 | Search Service Contributor | Lets you manage Search services, but not access to them. | 7ca78c08-252a-4471-8644-bb5ff32d4ba0 |
| 297 | Spatial Anchors Account Reader | Lets you locate and read properties of spatial anchors in your account | 5d51204f-eb77-4b1c-b86a-2ec626c49413 |
| 298 | Site Recovery Reader | Lets you view Site Recovery status but not perform other management operations | dbaa88c4-0c30-4179-9fb3-46319faa6149 |
| 299 | Site Recovery Operator | Lets you failover and failback but not perform other Site Recovery management operations | 494ae006-db33-4328-bf46-533a6560a3ca |
| 300 | Spatial Anchors Account Contributor | Lets you manage spatial anchors in your account, but not delete them | 8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827 |
| 301 | Site Recovery Contributor | Lets you manage Site Recovery service except vault creation and role assignment | 6670b86e-a3f7-4917-ac9b-5d6ab1be4567 |
| 302 | Azure Event Hubs Data Owner | Allows for full access to Azure Event Hubs resources. | f526a384-b230-433a-b45c-95f59c4a2dec |
| 303 | Attestation Contributor | Can read write or delete the attestation provider instance | bbf86eb8-f7b4-4cce-96e4-18cddf81d86e |
| 304 | Azure Service Bus Data Owner | Allows for full access to Azure Service Bus resources. | 090c5cfd-751d-490a-894a-3ce6f1109419 |
| 305 | Web Plan Contributor | Lets you manage the web plans for websites, but not access to them. | 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b |
| 306 | Website Contributor | Lets you manage websites (not web plans), but not access to them. | de139f84-1756-47ae-9be6-808fbbe84772 |
| 307 | Hybrid Server Onboarding | Can onboard new Hybrid servers to the Hybrid Resource Provider. | 5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb |
| 308 | Azure Event Hubs Data Receiver | Allows receive access to Azure Event Hubs resources. | a638d3c7-ab3a-418d-83e6-5f17a39d4fde |
| 309 | Hybrid Server Resource Administrator | Can read, write, delete, and re-onboard Hybrid servers to the Hybrid Resource Provider. | 48b40c6e-82e0-4eb3-90d5-19e40f49b624 |
| 310 | HDInsight Cluster Operator | Lets you read and modify HDInsight cluster configurations. | 61ed4efc-fab3-44fd-b111-e24485cc132a |
| 311 | Cosmos DB Operator | Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. | 230815da-be43-4aae-9cb4-875f7bd000aa |
| 312 | Storage Queue Data Reader | Allows for read access to Azure Storage queues and queue messages | 19e7f393-937e-4f77-808e-94535e297925 |
| 313 | Support Request Contributor | Lets you create and manage Support requests | cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e |
| 314 | Storage Queue Data Message Sender | Allows for sending of Azure Storage queue messages | c6a89b2d-59bc-44d0-9896-0f6e12d7b80a |
| 315 | Storage Queue Data Contributor | Allows for read, write, and delete access to Azure Storage queues and queue messages | 974c5e8b-45b9-4653-ba55-5f855dd0fb88 |
| 316 | Storage Queue Data Message Processor | Allows for peek, receive, and delete access to Azure Storage queue messages | 8a0f0c08-91a1-4084-bc3d-661d67233fed |
| 317 | Virtual Machine User Login | View Virtual Machines in the portal and login as a regular user. | fb879df8-f326-4884-b1cf-06f3ad86be52 |
| 318 | Virtual Machine Contributor | Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to. | 9980e02c-c2be-4d73-94e8-173b1dc7cf3c |
| 319 | User Access Administrator | Lets you manage user access to Azure resources. | 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 |
| 320 | Traffic Manager Contributor | Lets you manage Traffic Manager profiles, but does not let you control who has access to them. | a4b10055-b0c7-44c2-b00f-c7b5b3550cf7 |
| 321 | Virtual Machine Administrator Login | View Virtual Machines in the portal and login as administrator | 1c0163c0-47e6-4577-8991-ea5c82e286e4 |
Azure AD Roles
| # | RoleName | RoleDescription | RoleId |
|---|---|---|---|
| 1 | Application Administrator |
Can create and manage all aspects of app registrations and enterprise apps. | 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3 |
| 2 | Application Developer |
Can create application registrations independent of the 'Users can register applications' setting. | cf1c38e5-3621-4004-a7cb-879624dced7c |
| 3 | Attack Payload Author |
Can create attack payloads that an administrator can initiate later. | 9c6df0f2-1e7c-4dc3-b195-66dfbd24aa8f |
| 4 | Attack Simulation Administrator |
Can create and manage all aspects of attack simulation campaigns. | c430b396-e693-46cc-96f3-db01bf8bb62a |
| 5 | Attribute Assignment Administrator |
Assign custom security attribute keys and values to supported Azure AD objects. | 58a13ea3-c632-46ae-9ee0-9c0d43cd7f3d |
| 6 | Attribute Assignment Reader |
Read custom security attribute keys and values for supported Azure AD objects. | ffd52fa5-98dc-465c-991d-fc073eb59f8f |
| 7 | Attribute Definition Administrator |
Define and manage the definition of custom security attributes. | 8424c6f0-a189-499e-bbd0-26c1753c96d4 |
| 8 | Attribute Definition Reader |
Read the definition of custom security attributes. | 1d336d2c-4ae8-42ef-9711-b3604ce3fc2c |
| 9 | Authentication Administrator |
Allowed to view, set and reset authentication method information for any non-admin user. | c4e39bd9-1100-46d3-8c65-fb160da0071f |
| 10 | Authentication Policy Administrator |
Can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials. | 0526716b-113d-4c15-b2c8-68e3c22b9f80 |
| 11 | Azure AD Joined Device Local Administrator |
Users assigned to this role are added to the local administrators group on Azure AD-joined devices. | 9f06204d-73c1-4d4c-880a-6edb90606fd8 |
| 12 | Azure DevOps Administrator |
Can manage Azure DevOps organization policy and settings. | e3973bdf-4987-49ae-837a-ba8e231c7286 |
| 13 | Azure Information Protection Administrator |
Can manage all aspects of the Azure Information Protection product. | 7495fdc4-34c4-4d15-a289-98788ce399fd |
| 14 | B2C IEF Keyset Administrator |
Can manage secrets for federation and encryption in the Identity Experience Framework (IEF). | aaf43236-0c0d-4d5f-883a-6955382ac081 |
| 15 | B2C IEF Policy Administrator |
Can create and manage trust framework policies in the Identity Experience Framework (IEF). | 3edaf663-341e-4475-9f94-5c398ef6c070 |
| 16 | Billing Administrator |
Can perform common billing related tasks like updating payment information. | b0f54661-2d74-4c50-afa3-1ec803f12efe |
| 17 | Cloud App Security Administrator |
Can manage all aspects of the Cloud App Security product. | 892c5842-a9a6-463a-8041-72aa08ca3cf6 |
| 18 | Cloud Application Administrator |
Can create and manage all aspects of app registrations and enterprise apps except App Proxy. | 158c047a-c907-4556-b7ef-446551a6b5f7 |
| 19 | Cloud Device Administrator |
Full access to manage devices in Azure AD. | 7698a772-787b-4ac8-901f-60d6b08affd2 |
| 20 | Compliance Administrator |
Can read and manage compliance configuration and reports in Azure AD and Microsoft 365. | 17315797-102d-40b4-93e0-432062caca18 |
| 21 | Compliance Data Administrator |
Creates and manages compliance content. | e6d1a23a-da11-4be4-9570-befc86d067a7 |
| 22 | Conditional Access Administrator |
Can manage Conditional Access capabilities. | b1be1c3e-b65d-4f19-8427-f6fa0d97feb9 |
| 23 | Customer LockBox Access Approver |
Can approve Microsoft support requests to access customer organizational data. | 5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91 |
| 24 | Desktop Analytics Administrator |
Can access and manage Desktop management tools and services. | 38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4 |
| 25 | Device Join |
Device Join | 9c094953-4995-41c8-84c8-3ebb9b32c93f |
| 26 | Device Managers |
Deprecated - Do Not Use. | 2b499bcd-da44-4968-8aec-78e1674fa64d |
| 27 | Device Users |
Device Users | d405c6df-0af8-4e3b-95e4-4d06e542189e |
| 28 | Directory Readers |
Can read basic directory information. Commonly used to grant directory read access to applications and guests. | 88d8e3e3-8f55-4a1e-953a-9b9898b8876b |
| 29 | Directory Synchronization Accounts |
Only used by Azure AD Connect service. | d29b2b05-8046-44ba-8758-1e26182fcf32 |
| 30 | Directory Writers |
Can read and write basic directory information. For granting access to applications, not intended for users. | 9360feb5-f418-4baa-8175-e2a00bac4301 |
| 31 | Domain Name Administrator |
Can manage domain names in cloud and on-premises. | 8329153b-31d0-4727-b945-745eb3bc5f31 |
| 32 | Dynamics 365 Administrator |
Can manage all aspects of the Dynamics 365 product. | 44367163-eba1-44c3-98af-f5787879f96a |
| 33 | Edge Administrator |
Manage all aspects of Microsoft Edge. | 3f1acade-1e04-4fbc-9b69-f0302cd84aef |
| 34 | Exchange Administrator |
Can manage all aspects of the Exchange product. | 29232cdf-9323-42fd-ade2-1d097af3e4de |
| 35 | Exchange Recipient Administrator |
Can create or update Exchange Online recipients within the Exchange Online organization. | 31392ffb-586c-42d1-9346-e59415a2cc4e |
| 36 | External ID User Flow Administrator |
Can create and manage all aspects of user flows. | 6e591065-9bad-43ed-90f3-e9424366d2f0 |
| 37 | External ID User Flow Attribute Administrator |
Can create and manage the attribute schema available to all user flows. | 0f971eea-41eb-4569-a71e-57bb8a3eff1e |
| 38 | External Identity Provider Administrator |
Can configure identity providers for use in direct federation. | be2f45a1-457d-42af-a067-6ec1fa63bc45 |
| 39 | Global Administrator |
Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. | 62e90394-69f5-4237-9190-012177145e10 |
| 40 | Global Reader |
Can read everything that a Global Administrator can, but not update anything. | f2ef992c-3afb-46b9-b7cf-a126ee74c451 |
| 41 | Groups Administrator |
Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports. | fdd7a751-b60b-444a-984c-02652fe8fa1c |
| 42 | Guest Inviter |
Can invite guest users independent of the 'members can invite guests' setting. | 95e79109-95c0-4d8e-aee3-d01accf2d47b |
| 43 | Guest User |
Default role for guest users. Can read a limited set of directory information. | 10dae51f-b6af-4016-8d66-8c2a99b929b3 |
| 44 | Helpdesk Administrator |
Can reset passwords for non-administrators and Helpdesk Administrators. | 729827e3-9c14-49f7-bb1b-9608f156bbb8 |
| 45 | Hybrid Identity Administrator |
Can manage AD to Azure AD cloud provisioning, Azure AD Connect, and federation settings. | 8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2 |
| 46 | Identity Governance Administrator |
Manage access using Azure AD for identity governance scenarios. | 45d8d3c5-c802-45c6-b32a-1d70b5e1e86e |
| 47 | Insights Administrator |
Has administrative access in the Microsoft 365 Insights app. | eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c |
| 48 | Insights Business Leader |
Can view and share dashboards and insights via the M365 Insights app. | 31e939ad-9672-4796-9c2e-873181342d2d |
| 49 | Intune Administrator |
Can manage all aspects of the Intune product. | 3a2c62db-5318-420d-8d74-23affee5d9d5 |
| 50 | Kaizala Administrator |
Can manage settings for Microsoft Kaizala. | 74ef975b-6605-40af-a5d2-b9539d836353 |
| 51 | Knowledge Administrator |
Can configure knowledge, learning, and other intelligent features. | b5a8dcf3-09d5-43a9-a639-8e29ef291470 |
| 52 | Knowledge Manager |
Has access to topic management dashboard and can manage content. | 744ec460-397e-42ad-a462-8b3f9747a02c |
| 53 | License Administrator |
Can manage product licenses on users and groups. | 4d6ac14f-3453-41d0-bef9-a3e0c569773a |
| 54 | Message Center Privacy Reader |
Can read security messages and updates in Office 365 Message Center only. | ac16e43d-7b2d-40e0-ac05-243ff356ab5b |
| 55 | Message Center Reader |
Can read messages and updates for their organization in Office 365 Message Center only. | 790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b |
| 56 | Network Administrator |
Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications. | d37c8bed-0711-4417-ba38-b4abe66ce4c2 |
| 57 | Office Apps Administrator |
Can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect and publish 'what's new' feature content to end-user's devices. | 2b745bdf-0803-4d80-aa65-822c4493daac |
| 58 | Partner Tier1 Support |
Do not use - not intended for general use. | 4ba39ca4-527c-499a-b93d-d9b492c50246 |
| 59 | Partner Tier2 Support |
Do not use - not intended for general use. | e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8 |
| 60 | Password Administrator |
Can reset passwords for non-administrators and Password Administrators. | 966707d0-3269-4727-9be2-8c3a10f19b9d |
| 61 | Power BI Administrator |
Can manage all aspects of the Power BI product. | a9ea8996-122f-4c74-9520-8edcd192826c |
| 62 | Power Platform Administrator |
Can create and manage all aspects of Microsoft Dynamics 365, PowerApps and Microsoft Flow. | 11648597-926c-4cf3-9c36-bcebb0ba8dcc |
| 63 | Printer Administrator |
Can manage all aspects of printers and printer connectors. | 644ef478-e28f-4e28-b9dc-3fdde9aa0b1f |
| 64 | Printer Technician |
Can manage all aspects of printers and printer connectors. | e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477 |
| 65 | Privileged Authentication Administrator |
Allowed to view, set and reset authentication method information for any user (admin or non-admin). | 7be44c8a-adaf-4e2a-84d6-ab2649e08a13 |
| 66 | Privileged Role Administrator |
Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management. | e8611ab8-c189-46e8-94e1-60213ab1f814 |
| 67 | Reports Reader |
Can read sign-in and audit reports. | 4a5d8f65-41da-4de4-8968-e035b65339cf |
| 68 | Restricted Guest User |
Default role for guest users with restricted access. Can read a limited set of directory information. | 2af84b1e-32c8-42b7-82bc-daa82404023b |
| 69 | Search Administrator |
Can create and manage all aspects of Microsoft Search settings. | 0964bb5e-9bdb-4d7b-ac29-58e794862a40 |
| 70 | Search Editor |
Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan. | 8835291a-918c-4fd7-a9ce-faa49f0cf7d9 |
| 71 | Security Administrator |
Security Administrator allows ability to read and manage security configuration and reports. | 194ae4cb-b126-40b2-bd5b-6091b380977d |
| 72 | Security Operator |
Creates and manages security events. | 5f2222b1-57c3-48ba-8ad5-d4759f1fde6f |
| 73 | Security Reader |
Can read security information and reports in Azure AD and Office 365. | 5d6b6bb7-de71-4623-b4af-96380a352509 |
| 74 | Service Support Administrator |
Can read service health information and manage support tickets. | f023fd81-a637-4b56-95fd-791ac0226033 |
| 75 | SharePoint Administrator |
Can manage all aspects of the SharePoint service. | f28a1f50-f6e7-4571-818b-6a12f2af6b6c |
| 76 | Skype for Business Administrator |
Can manage all aspects of the Skype for Business product. | 75941009-915a-4869-abe7-691bff18279e |
| 77 | Teams Administrator |
Can manage the Microsoft Teams service. | 69091246-20e8-4a56-aa4d-066075b2a7a8 |
| 78 | Teams Communications Administrator |
Can manage calling and meetings features within the Microsoft Teams service. | baf37b3a-610e-45da-9e62-d9d1e5e8914b |
| 79 | Teams Communications Support Engineer |
Can troubleshoot communications issues within Teams using advanced tools. | f70938a0-fc10-4177-9e90-2178f8765737 |
| 80 | Teams Communications Support Specialist |
Can troubleshoot communications issues within Teams using basic tools. | fcf91098-03e3-41a9-b5ba-6f0ec8188a12 |
| 81 | Teams Devices Administrator |
Can perform management related tasks on Teams certified devices. | 3d762c5a-1b6c-493f-843e-55a3b42923d4 |
| 82 | Usage Summary Reports Reader |
Can see only tenant level aggregates in Microsoft 365 Usage Analytics and Productivity Score. | 75934031-6c7e-415a-99d7-48dbd49e875e |
| 83 | User |
Default role for member users. Can read all and write a limited set of directory information. | a0b1b346-4d3e-4e8b-98f8-753987be4970 |
| 84 | User Administrator |
Can manage all aspects of users and groups, including resetting passwords for limited admins. | fe930be7-5e62-47db-91af-98c3a49a38b1 |
| 85 | Windows 365 Administrator |
Can provision and manage all aspects of Cloud PCs. | 11451d60-acb2-45eb-a7d6-43d0f0125c13 |
| 86 | Windows Update Deployment Administrator |
Can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. | 32696413-001a-46ae-978c-ce0f6b3620d2 |
| 87 | Workplace Device Join |
Workplace Device Join | c34f683f-4d5a-4403-affd-6615e00e3a7f |
Role Definitions
This section contains detailed definitions of each role along with their assigned permissions sets.
Azure RBAC Role Definitions
Experimentation Metric Contributor
-
Actions:
Microsoft.Experimentation/experimentWorkspaces/read
-
DataActions:
Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/readMicrosoft.Experimentation/experimentWorkspaces/experimentationGroups/metricwrite/actionMicrosoft.Experimentation/experimentWorkspaces/metricwrite/actionMicrosoft.Experimentation/experimentWorkspaces/read
Project Babylon Data Curator
-
Actions:
Microsoft.ProjectBabylon/accounts/read
-
DataActions:
Microsoft.ProjectBabylon/accounts/data/readMicrosoft.ProjectBabylon/accounts/data/write
Storage Account Backup Contributor Role
- Actions:
Microsoft.Authorization/*/readMicrosoft.Authorization/locks/readMicrosoft.Authorization/locks/writeMicrosoft.Authorization/locks/deleteMicrosoft.Features/features/readMicrosoft.Features/providers/features/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Storage/operations/readMicrosoft.Storage/storageAccounts/blobServices/containers/readMicrosoft.Storage/storageAccounts/blobServices/readMicrosoft.Storage/storageAccounts/blobServices/writeMicrosoft.Storage/storageAccounts/readMicrosoft.Storage/storageAccounts/restoreBlobRanges/action
Reservation Purchaser
- Actions:
Microsoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Capacity/register/actionMicrosoft.Compute/register/actionMicrosoft.SQL/register/actionMicrosoft.Consumption/register/actionMicrosoft.Capacity/catalogs/readMicrosoft.Authorization/roleAssignments/readMicrosoft.Consumption/reservationRecommendations/readMicrosoft.Support/supporttickets/write
AzureML Metrics Writer (preview)
- Actions:
Microsoft.MachineLearningServices/workspaces/metrics/*/write
Purview role 3 (Deprecated)
-
Actions:
Microsoft.Purview/accounts/read
-
DataActions:
Microsoft.Purview/accounts/data/read
Purview role 2 (Deprecated)
-
Actions:
Microsoft.Purview/accounts/read
-
DataActions:
Microsoft.Purview/accounts/scan/readMicrosoft.Purview/accounts/scan/write
Purview role 1 (Deprecated)
-
Actions:
Microsoft.Purview/accounts/read
-
DataActions:
Microsoft.Purview/accounts/data/readMicrosoft.Purview/accounts/data/write
Project Babylon Data Reader
-
Actions:
Microsoft.ProjectBabylon/accounts/read
-
DataActions:
Microsoft.ProjectBabylon/accounts/data/read
Project Babylon Data Source Administrator
-
Actions:
Microsoft.ProjectBabylon/accounts/read
-
DataActions:
Microsoft.ProjectBabylon/accounts/scan/readMicrosoft.ProjectBabylon/accounts/scan/write
AgFood Platform Service Reader
- DataActions:
Microsoft.AgFoodPlatform/*/read
AgFood Platform Service Contributor
-
DataActions:
Microsoft.AgFoodPlatform/*/actionMicrosoft.AgFoodPlatform/*/readMicrosoft.AgFoodPlatform/*/write
-
NotDataActions:
Microsoft.AgFoodPlatform/farmers/writeMicrosoft.AgFoodPlatform/deletionJobs/*/write
Schema Registry Contributor (Preview)
-
Actions:
Microsoft.EventHub/namespaces/schemagroups/*
-
DataActions:
Microsoft.EventHub/namespaces/schemas/*
Cognitive Services Metrics Advisor User
-
Actions:
Microsoft.CognitiveServices/*/read
-
DataActions:
Microsoft.CognitiveServices/accounts/MetricsAdvisor/*
-
NotDataActions:
Microsoft.CognitiveServices/accounts/MetricsAdvisor/stats/*
Schema Registry Reader (Preview)
-
Actions:
Microsoft.EventHub/namespaces/schemagroups/read
-
DataActions:
Microsoft.EventHub/namespaces/schemas/read
SignalR REST API Reader
- DataActions:
Microsoft.SignalRService/SignalR/group/readMicrosoft.SignalRService/SignalR/clientConnection/readMicrosoft.SignalRService/SignalR/user/read
SignalR Service Owner
- DataActions:
Microsoft.SignalRService/SignalR/auth/accessKey/actionMicrosoft.SignalRService/SignalR/auth/clientToken/actionMicrosoft.SignalRService/SignalR/hub/send/actionMicrosoft.SignalRService/SignalR/group/send/actionMicrosoft.SignalRService/SignalR/group/readMicrosoft.SignalRService/SignalR/group/writeMicrosoft.SignalRService/SignalR/clientConnection/send/actionMicrosoft.SignalRService/SignalR/clientConnection/readMicrosoft.SignalRService/SignalR/clientConnection/writeMicrosoft.SignalRService/SignalR/serverConnection/writeMicrosoft.SignalRService/SignalR/user/send/actionMicrosoft.SignalRService/SignalR/user/readMicrosoft.SignalRService/SignalR/user/write
Security Detonation Chamber Submitter
- DataActions:
Microsoft.SecurityDetonation/chambers/submissions/deleteMicrosoft.SecurityDetonation/chambers/submissions/writeMicrosoft.SecurityDetonation/chambers/submissions/readMicrosoft.SecurityDetonation/chambers/submissions/files/readMicrosoft.SecurityDetonation/chambers/submissions/accesskeyview/readMicrosoft.SecurityDetonation/chambers/platforms/metadata/readMicrosoft.SecurityDetonation/chambers/workflows/metadata/readMicrosoft.SecurityDetonation/chambers/toolsets/metadata/read
AgFood Platform Service Admin
- DataActions:
Microsoft.AgFoodPlatform/*
Managed HSM contributor
- Actions:
Microsoft.KeyVault/managedHSMs/*
Autonomous Development Platform Data Reader (Preview)
-
Actions:
Microsoft.AutonomousDevelopmentPlatform/*/readMicrosoft.Authorization/*/readMicrosoft.Resources/subscriptions/resourceGroups/read
-
DataActions:
Microsoft.AutonomousDevelopmentPlatform/*/read
Autonomous Development Platform Data Owner (Preview)
-
Actions:
Microsoft.AutonomousDevelopmentPlatform/*/readMicrosoft.Authorization/*/readMicrosoft.Resources/subscriptions/resourceGroups/read
-
DataActions:
Microsoft.AutonomousDevelopmentPlatform/*
Autonomous Development Platform Data Contributor (Preview)
-
Actions:
Microsoft.AutonomousDevelopmentPlatform/*/readMicrosoft.Authorization/*/readMicrosoft.Resources/subscriptions/resourceGroups/read
-
DataActions:
Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/discoveries/*Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/uploads/*Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurements/states/new/*Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurementCollections/*Microsoft.AutonomousDevelopmentPlatform/accounts/measurementCollections/*Microsoft.AutonomousDevelopmentPlatform/workspaces/discoveries/*Microsoft.AutonomousDevelopmentPlatform/workspaces/uploads/*Microsoft.AutonomousDevelopmentPlatform/workspaces/measurements/states/new/*Microsoft.AutonomousDevelopmentPlatform/workspaces/measurementCollections/*
-
NotDataActions:
Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurements/states/new/changeState/actionMicrosoft.AutonomousDevelopmentPlatform/workspaces/measurements/states/new/changeState/action
Desktop Virtualization Workspace Reader
- Actions:
Microsoft.DesktopVirtualization/workspaces/readMicrosoft.DesktopVirtualization/applicationgroups/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/deployments/readMicrosoft.Authorization/*/readMicrosoft.Insights/alertRules/readMicrosoft.Support/*
Disk Backup Reader
- Actions:
Microsoft.Authorization/*/readMicrosoft.Compute/disks/readMicrosoft.Compute/disks/beginGetAccess/action
Security Detonation Chamber Submission Manager
- DataActions:
Microsoft.SecurityDetonation/chambers/submissions/deleteMicrosoft.SecurityDetonation/chambers/submissions/writeMicrosoft.SecurityDetonation/chambers/submissions/readMicrosoft.SecurityDetonation/chambers/submissions/files/readMicrosoft.SecurityDetonation/chambers/submissions/accesskeyview/readMicrosoft.SecurityDetonation/chambers/submissions/adminview/readMicrosoft.SecurityDetonation/chambers/submissions/analystview/readMicrosoft.SecurityDetonation/chambers/submissions/publicview/readMicrosoft.SecurityDetonation/chambers/platforms/metadata/readMicrosoft.SecurityDetonation/chambers/workflows/metadata/readMicrosoft.SecurityDetonation/chambers/toolsets/metadata/read
Security Detonation Chamber Publisher
- DataActions:
Microsoft.SecurityDetonation/chambers/platforms/readMicrosoft.SecurityDetonation/chambers/platforms/writeMicrosoft.SecurityDetonation/chambers/platforms/deleteMicrosoft.SecurityDetonation/chambers/platforms/metadata/readMicrosoft.SecurityDetonation/chambers/workflows/readMicrosoft.SecurityDetonation/chambers/workflows/writeMicrosoft.SecurityDetonation/chambers/workflows/deleteMicrosoft.SecurityDetonation/chambers/workflows/metadata/readMicrosoft.SecurityDetonation/chambers/toolsets/readMicrosoft.SecurityDetonation/chambers/toolsets/writeMicrosoft.SecurityDetonation/chambers/toolsets/deleteMicrosoft.SecurityDetonation/chambers/toolsets/metadata/readMicrosoft.SecurityDetonation/chambers/publishRequests/readMicrosoft.SecurityDetonation/chambers/publishRequests/cancel/action
Microsoft.Kubernetes connected cluster role
- Actions:
Microsoft.Kubernetes/connectedClusters/readMicrosoft.Kubernetes/connectedClusters/writeMicrosoft.Kubernetes/connectedClusters/deleteMicrosoft.Kubernetes/registeredSubscriptions/read
Disk Restore Operator
- Actions:
Microsoft.Authorization/*/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Compute/disks/writeMicrosoft.Compute/disks/read
Disk Snapshot Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Compute/snapshots/deleteMicrosoft.Compute/snapshots/writeMicrosoft.Compute/snapshots/readMicrosoft.Compute/snapshots/beginGetAccess/actionMicrosoft.Compute/snapshots/endGetAccess/actionMicrosoft.Compute/disks/beginGetAccess/actionMicrosoft.Storage/storageAccounts/listkeys/actionMicrosoft.Storage/storageAccounts/writeMicrosoft.Storage/storageAccounts/readMicrosoft.Storage/storageAccounts/delete
Desktop Virtualization Workspace Contributor
- Actions:
Microsoft.DesktopVirtualization/workspaces/*Microsoft.DesktopVirtualization/applicationgroups/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/deployments/*Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Support/*
Desktop Virtualization User Session Operator
- Actions:
Microsoft.DesktopVirtualization/hostpools/readMicrosoft.DesktopVirtualization/hostpools/sessionhosts/readMicrosoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/deployments/*Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Support/*
Desktop Virtualization Contributor
- Actions:
Microsoft.DesktopVirtualization/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/deployments/*Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Support/*
Application Group Contributor
- Actions:
Microsoft.DesktopVirtualization/applicationgroups/*Microsoft.DesktopVirtualization/hostpools/readMicrosoft.DesktopVirtualization/hostpools/sessionhosts/readMicrosoft.DesktopVirtualization/workspaces/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/deployments/*Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Support/*
Desktop Virtualization Reader
- Actions:
Microsoft.DesktopVirtualization/*/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/deployments/readMicrosoft.Authorization/*/readMicrosoft.Insights/alertRules/readMicrosoft.Support/*
Desktop Virtualization Application Group Reader
- Actions:
Microsoft.DesktopVirtualization/applicationgroups/*/readMicrosoft.DesktopVirtualization/applicationgroups/readMicrosoft.DesktopVirtualization/hostpools/readMicrosoft.DesktopVirtualization/hostpools/sessionhosts/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/deployments/readMicrosoft.Authorization/*/readMicrosoft.Insights/alertRules/readMicrosoft.Support/*
Desktop Virtualization Application Group Contributor
- Actions:
Microsoft.DesktopVirtualization/applicationgroups/*Microsoft.DesktopVirtualization/hostpools/readMicrosoft.DesktopVirtualization/hostpools/sessionhosts/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/deployments/*Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Support/*
Desktop Virtualization Host Pool Contributor
- Actions:
Microsoft.DesktopVirtualization/hostpools/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/deployments/*Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Support/*
Desktop Virtualization Session Host Operator
- Actions:
Microsoft.DesktopVirtualization/hostpools/readMicrosoft.DesktopVirtualization/hostpools/sessionhosts/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/deployments/*Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Support/*
Desktop Virtualization Host Pool Reader
- Actions:
Microsoft.DesktopVirtualization/hostpools/*/readMicrosoft.DesktopVirtualization/hostpools/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/deployments/readMicrosoft.Authorization/*/readMicrosoft.Insights/alertRules/readMicrosoft.Support/*
Key Vault Crypto User
- DataActions:
Microsoft.KeyVault/vaults/keys/readMicrosoft.KeyVault/vaults/keys/update/actionMicrosoft.KeyVault/vaults/keys/backup/actionMicrosoft.KeyVault/vaults/keys/encrypt/actionMicrosoft.KeyVault/vaults/keys/decrypt/actionMicrosoft.KeyVault/vaults/keys/wrap/actionMicrosoft.KeyVault/vaults/keys/unwrap/actionMicrosoft.KeyVault/vaults/keys/sign/actionMicrosoft.KeyVault/vaults/keys/verify/action
Key Vault Secrets Officer
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*Microsoft.KeyVault/checkNameAvailability/readMicrosoft.KeyVault/deletedVaults/readMicrosoft.KeyVault/locations/*/readMicrosoft.KeyVault/vaults/*/readMicrosoft.KeyVault/operations/read
-
DataActions:
Microsoft.KeyVault/vaults/secrets/*
Key Vault Crypto Officer
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*Microsoft.KeyVault/checkNameAvailability/readMicrosoft.KeyVault/deletedVaults/readMicrosoft.KeyVault/locations/*/readMicrosoft.KeyVault/vaults/*/readMicrosoft.KeyVault/operations/read
-
DataActions:
Microsoft.KeyVault/vaults/keys/*Microsoft.KeyVault/vaults/keyrotationpolicies/*
Cognitive Services Custom Vision Trainer
-
Actions:
Microsoft.CognitiveServices/*/read
-
DataActions:
Microsoft.CognitiveServices/accounts/CustomVision/*
-
NotDataActions:
Microsoft.CognitiveServices/accounts/CustomVision/projects/actionMicrosoft.CognitiveServices/accounts/CustomVision/projects/deleteMicrosoft.CognitiveServices/accounts/CustomVision/projects/import/actionMicrosoft.CognitiveServices/accounts/CustomVision/projects/export/read
Key Vault Administrator
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*Microsoft.KeyVault/checkNameAvailability/readMicrosoft.KeyVault/deletedVaults/readMicrosoft.KeyVault/locations/*/readMicrosoft.KeyVault/vaults/*/readMicrosoft.KeyVault/operations/read
-
DataActions:
Microsoft.KeyVault/vaults/*
Key Vault Crypto Service Encryption User
-
Actions:
Microsoft.EventGrid/eventSubscriptions/writeMicrosoft.EventGrid/eventSubscriptions/readMicrosoft.EventGrid/eventSubscriptions/delete
-
DataActions:
Microsoft.KeyVault/vaults/keys/readMicrosoft.KeyVault/vaults/keys/wrap/actionMicrosoft.KeyVault/vaults/keys/unwrap/action
Azure Arc Kubernetes Viewer
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/writeMicrosoft.Resources/subscriptions/operationresults/readMicrosoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
-
DataActions:
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/readMicrosoft.Kubernetes/connectedClusters/apps/daemonsets/readMicrosoft.Kubernetes/connectedClusters/apps/deployments/readMicrosoft.Kubernetes/connectedClusters/apps/replicasets/readMicrosoft.Kubernetes/connectedClusters/apps/statefulsets/readMicrosoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/readMicrosoft.Kubernetes/connectedClusters/batch/cronjobs/readMicrosoft.Kubernetes/connectedClusters/batch/jobs/readMicrosoft.Kubernetes/connectedClusters/configmaps/readMicrosoft.Kubernetes/connectedClusters/endpoints/readMicrosoft.Kubernetes/connectedClusters/events.k8s.io/events/readMicrosoft.Kubernetes/connectedClusters/events/readMicrosoft.Kubernetes/connectedClusters/extensions/daemonsets/readMicrosoft.Kubernetes/connectedClusters/extensions/deployments/readMicrosoft.Kubernetes/connectedClusters/extensions/ingresses/readMicrosoft.Kubernetes/connectedClusters/extensions/networkpolicies/readMicrosoft.Kubernetes/connectedClusters/extensions/replicasets/readMicrosoft.Kubernetes/connectedClusters/limitranges/readMicrosoft.Kubernetes/connectedClusters/namespaces/readMicrosoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/readMicrosoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/readMicrosoft.Kubernetes/connectedClusters/persistentvolumeclaims/readMicrosoft.Kubernetes/connectedClusters/pods/readMicrosoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/readMicrosoft.Kubernetes/connectedClusters/replicationcontrollers/readMicrosoft.Kubernetes/connectedClusters/replicationcontrollers/readMicrosoft.Kubernetes/connectedClusters/resourcequotas/readMicrosoft.Kubernetes/connectedClusters/serviceaccounts/readMicrosoft.Kubernetes/connectedClusters/services/read
Key Vault Reader
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*Microsoft.KeyVault/checkNameAvailability/readMicrosoft.KeyVault/deletedVaults/readMicrosoft.KeyVault/locations/*/readMicrosoft.KeyVault/vaults/*/readMicrosoft.KeyVault/operations/read
-
DataActions:
Microsoft.KeyVault/vaults/*/readMicrosoft.KeyVault/vaults/secrets/readMetadata/action
Key Vault Secrets User
- DataActions:
Microsoft.KeyVault/vaults/secrets/getSecret/actionMicrosoft.KeyVault/vaults/secrets/readMetadata/action
Key Vault Certificates Officer
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*Microsoft.KeyVault/checkNameAvailability/readMicrosoft.KeyVault/deletedVaults/readMicrosoft.KeyVault/locations/*/readMicrosoft.KeyVault/vaults/*/readMicrosoft.KeyVault/operations/read
-
DataActions:
Microsoft.KeyVault/vaults/certificatecas/*Microsoft.KeyVault/vaults/certificates/*
Experimentation Reader
-
Actions:
Microsoft.Experimentation/experimentWorkspaces/read
-
DataActions:
Microsoft.Experimentation/experimentWorkspaces/readMicrosoft.Experimentation/experimentWorkspaces/experimentationGroups/read
Object Understanding Account Owner
- DataActions:
Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/actionMicrosoft.MixedReality/ObjectUnderstandingAccounts/ingest/read
FHIR Data Writer
-
DataActions:
Microsoft.HealthcareApis/services/fhir/resources/*Microsoft.HealthcareApis/workspaces/fhirservices/resources/*
-
NotDataActions:
Microsoft.HealthcareApis/services/fhir/resources/hardDelete/actionMicrosoft.HealthcareApis/workspaces/fhirservices/resources/hardDelete/action
FHIR Data Exporter
- DataActions:
Microsoft.HealthcareApis/services/fhir/resources/readMicrosoft.HealthcareApis/services/fhir/resources/export/actionMicrosoft.HealthcareApis/workspaces/fhirservices/resources/readMicrosoft.HealthcareApis/workspaces/fhirservices/resources/export/action
FHIR Data Reader
- DataActions:
Microsoft.HealthcareApis/services/fhir/resources/readMicrosoft.HealthcareApis/workspaces/fhirservices/resources/read
Cognitive Services Custom Vision Labeler
-
Actions:
Microsoft.CognitiveServices/*/read
-
DataActions:
Microsoft.CognitiveServices/accounts/CustomVision/*/readMicrosoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/actionMicrosoft.CognitiveServices/accounts/CustomVision/projects/images/*Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/*Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/*Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action
-
NotDataActions:
Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read
Cognitive Services Custom Vision Reader
-
Actions:
Microsoft.CognitiveServices/*/read
-
DataActions:
Microsoft.CognitiveServices/accounts/CustomVision/*/readMicrosoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action
-
NotDataActions:
Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read
Cognitive Services Custom Vision Deployment
-
Actions:
Microsoft.CognitiveServices/*/read
-
DataActions:
Microsoft.CognitiveServices/accounts/CustomVision/*/readMicrosoft.CognitiveServices/accounts/CustomVision/projects/predictions/*Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/*Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/*Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/*Microsoft.CognitiveServices/accounts/CustomVision/classify/*Microsoft.CognitiveServices/accounts/CustomVision/detect/*
-
NotDataActions:
Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read
Azure Maps Data Contributor
- DataActions:
Microsoft.Maps/accounts/*/readMicrosoft.Maps/accounts/*/writeMicrosoft.Maps/accounts/*/deleteMicrosoft.Maps/accounts/*/action
Cognitive Services Custom Vision Contributor
-
Actions:
Microsoft.CognitiveServices/*/read
-
DataActions:
Microsoft.CognitiveServices/accounts/CustomVision/*
Device Update Reader
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*Microsoft.Insights/alertRules/*
-
DataActions:
Microsoft.DeviceUpdate/accounts/instances/updates/readMicrosoft.DeviceUpdate/accounts/instances/management/read
Device Update Administrator
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*Microsoft.Insights/alertRules/*
-
DataActions:
Microsoft.DeviceUpdate/accounts/instances/updates/readMicrosoft.DeviceUpdate/accounts/instances/updates/writeMicrosoft.DeviceUpdate/accounts/instances/updates/deleteMicrosoft.DeviceUpdate/accounts/instances/management/readMicrosoft.DeviceUpdate/accounts/instances/management/writeMicrosoft.DeviceUpdate/accounts/instances/management/delete
Collaborative Data Contributor
- Actions:
Microsoft.IndustryDataLifecycle/custodianCollaboratives/*/readMicrosoft.IndustryDataLifecycle/memberCollaboratives/*/readMicrosoft.IndustryDataLifecycle/locations/dataPackages/*Microsoft.IndustryDataLifecycle/custodianCollaboratives/receivedDataPackages/*Microsoft.IndustryDataLifecycle/custodianCollaboratives/rejectDataPackage/actionMicrosoft.IndustryDataLifecycle/memberCollaboratives/sharedDataPackages/*Microsoft.IndustryDataLifecycle/custodianCollaboratives/dataModels/*Microsoft.IndustryDataLifecycle/custodianCollaboratives/auditLogs/actionMicrosoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
SignalR App Server
- DataActions:
Microsoft.SignalRService/SignalR/auth/accessKey/actionMicrosoft.SignalRService/SignalR/serverConnection/writeMicrosoft.SignalRService/SignalR/clientConnection/write
SignalR REST API Owner
- DataActions:
Microsoft.SignalRService/SignalR/auth/clientToken/actionMicrosoft.SignalRService/SignalR/hub/send/actionMicrosoft.SignalRService/SignalR/group/send/actionMicrosoft.SignalRService/SignalR/group/readMicrosoft.SignalRService/SignalR/group/writeMicrosoft.SignalRService/SignalR/clientConnection/send/actionMicrosoft.SignalRService/SignalR/clientConnection/readMicrosoft.SignalRService/SignalR/clientConnection/writeMicrosoft.SignalRService/SignalR/user/send/actionMicrosoft.SignalRService/SignalR/user/readMicrosoft.SignalRService/SignalR/user/write
Device Update Content Reader
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*Microsoft.Insights/alertRules/*
-
DataActions:
Microsoft.DeviceUpdate/accounts/instances/updates/read
Cognitive Services Metrics Advisor Administrator
-
Actions:
Microsoft.CognitiveServices/*/read
-
DataActions:
Microsoft.CognitiveServices/accounts/MetricsAdvisor/*
Device Update Deployments Reader
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*Microsoft.Insights/alertRules/*
-
DataActions:
Microsoft.DeviceUpdate/accounts/instances/management/readMicrosoft.DeviceUpdate/accounts/instances/updates/read
Device Update Content Administrator
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*Microsoft.Insights/alertRules/*
-
DataActions:
Microsoft.DeviceUpdate/accounts/instances/updates/readMicrosoft.DeviceUpdate/accounts/instances/updates/writeMicrosoft.DeviceUpdate/accounts/instances/updates/delete
Device Update Deployments Administrator
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*Microsoft.Insights/alertRules/*
-
DataActions:
Microsoft.DeviceUpdate/accounts/instances/management/readMicrosoft.DeviceUpdate/accounts/instances/management/writeMicrosoft.DeviceUpdate/accounts/instances/management/deleteMicrosoft.DeviceUpdate/accounts/instances/updates/read
Azure Kubernetes Service RBAC Cluster Admin
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/writeMicrosoft.Resources/subscriptions/operationresults/readMicrosoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
-
DataActions:
Microsoft.ContainerService/managedClusters/*
Azure Kubernetes Service RBAC Admin
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/writeMicrosoft.Resources/subscriptions/operationresults/readMicrosoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
-
DataActions:
Microsoft.ContainerService/managedClusters/*
-
NotDataActions:
Microsoft.ContainerService/managedClusters/resourcequotas/writeMicrosoft.ContainerService/managedClusters/resourcequotas/deleteMicrosoft.ContainerService/managedClusters/namespaces/writeMicrosoft.ContainerService/managedClusters/namespaces/delete
Azure Arc Kubernetes Admin
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/writeMicrosoft.Resources/subscriptions/operationresults/readMicrosoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
-
DataActions:
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/readMicrosoft.Kubernetes/connectedClusters/apps/daemonsets/*Microsoft.Kubernetes/connectedClusters/apps/deployments/*Microsoft.Kubernetes/connectedClusters/apps/replicasets/*Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/writeMicrosoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*Microsoft.Kubernetes/connectedClusters/batch/jobs/*Microsoft.Kubernetes/connectedClusters/configmaps/*Microsoft.Kubernetes/connectedClusters/endpoints/*Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/readMicrosoft.Kubernetes/connectedClusters/events/readMicrosoft.Kubernetes/connectedClusters/extensions/daemonsets/*Microsoft.Kubernetes/connectedClusters/extensions/deployments/*Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*Microsoft.Kubernetes/connectedClusters/limitranges/readMicrosoft.Kubernetes/connectedClusters/namespaces/readMicrosoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*Microsoft.Kubernetes/connectedClusters/pods/*Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*Microsoft.Kubernetes/connectedClusters/resourcequotas/readMicrosoft.Kubernetes/connectedClusters/secrets/*Microsoft.Kubernetes/connectedClusters/serviceaccounts/*Microsoft.Kubernetes/connectedClusters/services/*
Azure Arc Kubernetes Writer
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/writeMicrosoft.Resources/subscriptions/operationresults/readMicrosoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
-
DataActions:
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/readMicrosoft.Kubernetes/connectedClusters/apps/daemonsets/*Microsoft.Kubernetes/connectedClusters/apps/deployments/*Microsoft.Kubernetes/connectedClusters/apps/replicasets/*Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*Microsoft.Kubernetes/connectedClusters/batch/jobs/*Microsoft.Kubernetes/connectedClusters/configmaps/*Microsoft.Kubernetes/connectedClusters/endpoints/*Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/readMicrosoft.Kubernetes/connectedClusters/events/readMicrosoft.Kubernetes/connectedClusters/extensions/daemonsets/*Microsoft.Kubernetes/connectedClusters/extensions/deployments/*Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*Microsoft.Kubernetes/connectedClusters/limitranges/readMicrosoft.Kubernetes/connectedClusters/namespaces/readMicrosoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*Microsoft.Kubernetes/connectedClusters/pods/*Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*Microsoft.Kubernetes/connectedClusters/resourcequotas/readMicrosoft.Kubernetes/connectedClusters/secrets/*Microsoft.Kubernetes/connectedClusters/serviceaccounts/*Microsoft.Kubernetes/connectedClusters/services/*
Azure Arc Kubernetes Cluster Admin
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/writeMicrosoft.Resources/subscriptions/operationresults/readMicrosoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
-
DataActions:
Microsoft.Kubernetes/connectedClusters/*
Object Understanding Account Reader
- DataActions:
Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/read
Azure Arc Enabled Kubernetes Cluster User Role
- Actions:
Microsoft.Resources/deployments/writeMicrosoft.Resources/subscriptions/operationresults/readMicrosoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Kubernetes/connectedClusters/listClusterUserCredentials/actionMicrosoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Support/*
Services Hub Operator
- Actions:
Microsoft.Authorization/*/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/deployments/*Microsoft.ServicesHub/connectors/writeMicrosoft.ServicesHub/connectors/readMicrosoft.ServicesHub/connectors/deleteMicrosoft.ServicesHub/connectors/checkAssessmentEntitlement/actionMicrosoft.ServicesHub/supportOfferingEntitlement/readMicrosoft.ServicesHub/workspaces/read
Azure Kubernetes Service RBAC Reader
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/writeMicrosoft.Resources/subscriptions/operationresults/readMicrosoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
-
DataActions:
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/readMicrosoft.ContainerService/managedClusters/apps/daemonsets/readMicrosoft.ContainerService/managedClusters/apps/deployments/readMicrosoft.ContainerService/managedClusters/apps/replicasets/readMicrosoft.ContainerService/managedClusters/apps/statefulsets/readMicrosoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/readMicrosoft.ContainerService/managedClusters/batch/cronjobs/readMicrosoft.ContainerService/managedClusters/batch/jobs/readMicrosoft.ContainerService/managedClusters/configmaps/readMicrosoft.ContainerService/managedClusters/endpoints/readMicrosoft.ContainerService/managedClusters/events.k8s.io/events/readMicrosoft.ContainerService/managedClusters/events/readMicrosoft.ContainerService/managedClusters/extensions/daemonsets/readMicrosoft.ContainerService/managedClusters/extensions/deployments/readMicrosoft.ContainerService/managedClusters/extensions/ingresses/readMicrosoft.ContainerService/managedClusters/extensions/networkpolicies/readMicrosoft.ContainerService/managedClusters/extensions/replicasets/readMicrosoft.ContainerService/managedClusters/limitranges/readMicrosoft.ContainerService/managedClusters/namespaces/readMicrosoft.ContainerService/managedClusters/networking.k8s.io/ingresses/readMicrosoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/readMicrosoft.ContainerService/managedClusters/persistentvolumeclaims/readMicrosoft.ContainerService/managedClusters/pods/readMicrosoft.ContainerService/managedClusters/policy/poddisruptionbudgets/readMicrosoft.ContainerService/managedClusters/replicationcontrollers/readMicrosoft.ContainerService/managedClusters/replicationcontrollers/readMicrosoft.ContainerService/managedClusters/resourcequotas/readMicrosoft.ContainerService/managedClusters/serviceaccounts/readMicrosoft.ContainerService/managedClusters/services/read
Azure Kubernetes Service RBAC Writer
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/writeMicrosoft.Resources/subscriptions/operationresults/readMicrosoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
-
DataActions:
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/readMicrosoft.ContainerService/managedClusters/apps/daemonsets/*Microsoft.ContainerService/managedClusters/apps/deployments/*Microsoft.ContainerService/managedClusters/apps/replicasets/*Microsoft.ContainerService/managedClusters/apps/statefulsets/*Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*Microsoft.ContainerService/managedClusters/batch/cronjobs/*Microsoft.ContainerService/managedClusters/batch/jobs/*Microsoft.ContainerService/managedClusters/configmaps/*Microsoft.ContainerService/managedClusters/endpoints/*Microsoft.ContainerService/managedClusters/events.k8s.io/events/readMicrosoft.ContainerService/managedClusters/events/readMicrosoft.ContainerService/managedClusters/extensions/daemonsets/*Microsoft.ContainerService/managedClusters/extensions/deployments/*Microsoft.ContainerService/managedClusters/extensions/ingresses/*Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*Microsoft.ContainerService/managedClusters/extensions/replicasets/*Microsoft.ContainerService/managedClusters/limitranges/readMicrosoft.ContainerService/managedClusters/namespaces/readMicrosoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*Microsoft.ContainerService/managedClusters/pods/*Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*Microsoft.ContainerService/managedClusters/replicationcontrollers/*Microsoft.ContainerService/managedClusters/replicationcontrollers/*Microsoft.ContainerService/managedClusters/resourcequotas/readMicrosoft.ContainerService/managedClusters/secrets/*Microsoft.ContainerService/managedClusters/serviceaccounts/*Microsoft.ContainerService/managedClusters/services/*
Azure VM Managed identities restore Contributor
- Actions:
Microsoft.Authorization/*/read
Azure Maps Search and Render Data Reader
- DataActions:
Microsoft.Maps/accounts/services/render/readMicrosoft.Maps/accounts/services/search/read
Azure Spring Cloud Config Server Contributor
- DataActions:
Microsoft.AppPlatform/Spring/configService/readMicrosoft.AppPlatform/Spring/configService/writeMicrosoft.AppPlatform/Spring/configService/delete
Azure Spring Cloud Service Registry Contributor
- DataActions:
Microsoft.AppPlatform/Spring/eurekaService/readMicrosoft.AppPlatform/Spring/eurekaService/writeMicrosoft.AppPlatform/Spring/eurekaService/delete
Azure Spring Cloud Config Server Reader
- DataActions:
Microsoft.AppPlatform/Spring/configService/read
Azure Arc VMware Administrator role
- Actions:
Microsoft.ConnectedVMwarevSphere/*Microsoft.Insights/AlertRules/WriteMicrosoft.Insights/AlertRules/DeleteMicrosoft.Insights/AlertRules/ReadMicrosoft.Insights/AlertRules/Activated/ActionMicrosoft.Insights/AlertRules/Resolved/ActionMicrosoft.Insights/AlertRules/Throttled/ActionMicrosoft.Insights/AlertRules/Incidents/ReadMicrosoft.Resources/deployments/readMicrosoft.Resources/deployments/writeMicrosoft.Resources/deployments/deleteMicrosoft.Resources/deployments/cancel/actionMicrosoft.Resources/deployments/validate/actionMicrosoft.Resources/deployments/whatIf/actionMicrosoft.Resources/deployments/exportTemplate/actionMicrosoft.Resources/deployments/operations/readMicrosoft.Resources/deployments/operationstatuses/readMicrosoft.Resources/subscriptions/resourcegroups/deployments/readMicrosoft.Resources/subscriptions/resourcegroups/deployments/writeMicrosoft.Resources/subscriptions/resourcegroups/deployments/operations/readMicrosoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/readMicrosoft.ResourceHealth/availabilityStatuses/readMicrosoft.Authorization/*/readMicrosoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/operationresults/read
Azure Arc VMware Private Clouds Onboarding
- Actions:
Microsoft.ConnectedVMwarevSphere/vcenters/WriteMicrosoft.ConnectedVMwarevSphere/vcenters/ReadMicrosoft.ConnectedVMwarevSphere/vcenters/DeleteMicrosoft.Insights/AlertRules/WriteMicrosoft.Insights/AlertRules/DeleteMicrosoft.Insights/AlertRules/ReadMicrosoft.Insights/AlertRules/Activated/ActionMicrosoft.Insights/AlertRules/Resolved/ActionMicrosoft.Insights/AlertRules/Throttled/ActionMicrosoft.Insights/AlertRules/Incidents/ReadMicrosoft.Resources/deployments/readMicrosoft.Resources/deployments/writeMicrosoft.Resources/deployments/deleteMicrosoft.Resources/deployments/cancel/actionMicrosoft.Resources/deployments/validate/actionMicrosoft.Resources/deployments/whatIf/actionMicrosoft.Resources/deployments/exportTemplate/actionMicrosoft.Resources/deployments/operations/readMicrosoft.Resources/deployments/operationstatuses/readMicrosoft.Resources/subscriptions/resourcegroups/deployments/readMicrosoft.Resources/subscriptions/resourcegroups/deployments/writeMicrosoft.Resources/subscriptions/resourcegroups/deployments/operations/readMicrosoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/readMicrosoft.ResourceHealth/availabilityStatuses/readMicrosoft.Authorization/*/readMicrosoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/operationresults/readMicrosoft.KubernetesConfiguration/extensions/WriteMicrosoft.KubernetesConfiguration/extensions/ReadMicrosoft.KubernetesConfiguration/extensions/DeleteMicrosoft.KubernetesConfiguration/operations/readMicrosoft.ExtendedLocation/customLocations/ReadMicrosoft.ExtendedLocation/customLocations/WriteMicrosoft.ExtendedLocation/customLocations/DeleteMicrosoft.ExtendedLocation/customLocations/deploy/actionMicrosoft.ResourceConnector/appliances/ReadMicrosoft.ResourceConnector/appliances/WriteMicrosoft.ResourceConnector/appliances/Delete
Azure Arc VMware Private Cloud User
- Actions:
Microsoft.Insights/AlertRules/WriteMicrosoft.Insights/AlertRules/DeleteMicrosoft.Insights/AlertRules/ReadMicrosoft.Insights/AlertRules/Activated/ActionMicrosoft.Insights/AlertRules/Resolved/ActionMicrosoft.Insights/AlertRules/Throttled/ActionMicrosoft.Insights/AlertRules/Incidents/ReadMicrosoft.Resources/deployments/readMicrosoft.Resources/deployments/writeMicrosoft.Resources/deployments/deleteMicrosoft.Resources/deployments/cancel/actionMicrosoft.Resources/deployments/validate/actionMicrosoft.Resources/deployments/whatIf/actionMicrosoft.Resources/deployments/exportTemplate/actionMicrosoft.Resources/deployments/operations/readMicrosoft.Resources/deployments/operationstatuses/readMicrosoft.Resources/subscriptions/resourcegroups/deployments/readMicrosoft.Resources/subscriptions/resourcegroups/deployments/writeMicrosoft.Resources/subscriptions/resourcegroups/deployments/operations/readMicrosoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/readMicrosoft.ResourceHealth/availabilityStatuses/readMicrosoft.Authorization/*/readMicrosoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/operationresults/readMicrosoft.ConnectedVMwarevSphere/virtualnetworks/join/actionMicrosoft.ConnectedVMwarevSphere/virtualnetworks/ReadMicrosoft.ConnectedVMwarevSphere/virtualmachinetemplates/clone/actionMicrosoft.ConnectedVMwarevSphere/virtualmachinetemplates/ReadMicrosoft.ConnectedVMwarevSphere/resourcepools/deploy/actionMicrosoft.ConnectedVMwarevSphere/resourcepools/ReadMicrosoft.ConnectedVMwarevSphere/hosts/deploy/actionMicrosoft.ConnectedVMwarevSphere/hosts/ReadMicrosoft.ConnectedVMwarevSphere/clusters/deploy/actionMicrosoft.ConnectedVMwarevSphere/clusters/ReadMicrosoft.ConnectedVMwarevSphere/datastores/allocateSpace/actionMicrosoft.ConnectedVMwarevSphere/datastores/Read
Azure Maps Contributor
- Actions:
Microsoft.Maps/*Microsoft.Authorization/*/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/read
Azure Arc VMware VM Contributor
- Actions:
Microsoft.ConnectedVMwarevSphere/virtualmachines/*Microsoft.Insights/AlertRules/WriteMicrosoft.Insights/AlertRules/DeleteMicrosoft.Insights/AlertRules/ReadMicrosoft.Insights/AlertRules/Activated/ActionMicrosoft.Insights/AlertRules/Resolved/ActionMicrosoft.Insights/AlertRules/Throttled/ActionMicrosoft.Insights/AlertRules/Incidents/ReadMicrosoft.Resources/deployments/readMicrosoft.Resources/deployments/writeMicrosoft.Resources/deployments/deleteMicrosoft.Resources/deployments/cancel/actionMicrosoft.Resources/deployments/validate/actionMicrosoft.Resources/deployments/whatIf/actionMicrosoft.Resources/deployments/exportTemplate/actionMicrosoft.Resources/deployments/operations/readMicrosoft.Resources/deployments/operationstatuses/readMicrosoft.Resources/subscriptions/resourcegroups/deployments/readMicrosoft.Resources/subscriptions/resourcegroups/deployments/writeMicrosoft.Resources/subscriptions/resourcegroups/deployments/operations/readMicrosoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/readMicrosoft.ResourceHealth/availabilityStatuses/readMicrosoft.Authorization/*/readMicrosoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/operationresults/read
Grafana Editor
- DataActions:
Microsoft.Dashboard/grafana/ActAsGrafanaEditor/action
Automation Contributor
- Actions:
Microsoft.Automation/automationAccounts/*Microsoft.Authorization/*/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*Microsoft.Insights/ActionGroups/*Microsoft.Insights/ActivityLogAlerts/*Microsoft.Insights/MetricAlerts/*Microsoft.Insights/ScheduledQueryRules/*Microsoft.Insights/diagnosticSettings/*Microsoft.OperationalInsights/workspaces/sharedKeys/action
Grafana Viewer
- DataActions:
Microsoft.Dashboard/grafana/ActAsGrafanaViewer/action
Azure Relay Owner
-
Actions:
Microsoft.Relay/*
-
DataActions:
Microsoft.Relay/*
Azure Relay Listener
-
Actions:
Microsoft.Relay/*/wcfRelays/readMicrosoft.Relay/*/hybridConnections/read
-
DataActions:
Microsoft.Relay/*/listen/action
CodeSigning Certificate Profile Signer
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/read
-
DataActions:
Microsoft.CodeSigning/certificateProfiles/Sign/action
Azure Spring Cloud Service Registry Reader
- DataActions:
Microsoft.AppPlatform/Spring/eurekaService/read
Device Provisioning Service Data Contributor
- DataActions:
Microsoft.Devices/provisioningServices/*
Kubernetes Extension Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.KubernetesConfiguration/extensions/writeMicrosoft.KubernetesConfiguration/extensions/readMicrosoft.KubernetesConfiguration/extensions/deleteMicrosoft.KubernetesConfiguration/extensions/operations/read
Device Provisioning Service Data Reader
- DataActions:
Microsoft.Devices/provisioningServices/*/read
Lab Services Reader
- Actions:
Microsoft.LabServices/*/readMicrosoft.Authorization/*/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/read
Lab Assistant
- Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.LabServices/labPlans/images/readMicrosoft.LabServices/labPlans/readMicrosoft.LabServices/labs/readMicrosoft.LabServices/labs/schedules/readMicrosoft.LabServices/labs/users/readMicrosoft.LabServices/labs/users/invite/actionMicrosoft.LabServices/labs/virtualMachines/readMicrosoft.LabServices/labs/virtualMachines/start/actionMicrosoft.LabServices/labs/virtualMachines/stop/actionMicrosoft.LabServices/labs/virtualMachines/reimage/actionMicrosoft.LabServices/labs/virtualMachines/redeploy/actionMicrosoft.LabServices/locations/usages/readMicrosoft.LabServices/skus/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/read
Lab Services Contributor
-
Actions:
Microsoft.LabServices/*Microsoft.Insights/alertRules/*Microsoft.Authorization/*/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/read
-
DataActions:
Microsoft.LabServices/labPlans/createLab/action
Load Test Reader
-
Actions:
Microsoft.LoadTestService/*/readMicrosoft.Authorization/*/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Insights/alertRules/*
-
DataActions:
Microsoft.LoadTestService/loadtests/readTest/action
Cognitive Services Immersive Reader User
- DataActions:
Microsoft.CognitiveServices/accounts/ImmersiveReader/getcontentmodelforreader/action
Chamber Admin
- Actions:
Microsoft.HpcWorkbench/*/readMicrosoft.HpcWorkbench/instances/chambers/*Microsoft.HpcWorkbench/instances/consortiums/*/readMicrosoft.Authorization/*/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/read
Guest Configuration Resource Contributor
- Actions:
Microsoft.GuestConfiguration/guestConfigurationAssignments/writeMicrosoft.GuestConfiguration/guestConfigurationAssignments/readMicrosoft.GuestConfiguration/guestConfigurationAssignments/*/read
Chamber User
- Actions:
Microsoft.HpcWorkbench/instances/chambers/*/readMicrosoft.HpcWorkbench/instances/consortiums/*/readMicrosoft.Authorization/*/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/read
Lab Operator
- Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.LabServices/labPlans/images/readMicrosoft.LabServices/labPlans/readMicrosoft.LabServices/labPlans/saveImage/actionMicrosoft.LabServices/labs/publish/actionMicrosoft.LabServices/labs/readMicrosoft.LabServices/labs/schedules/readMicrosoft.LabServices/labs/schedules/writeMicrosoft.LabServices/labs/schedules/deleteMicrosoft.LabServices/labs/users/readMicrosoft.LabServices/labs/users/writeMicrosoft.LabServices/labs/users/deleteMicrosoft.LabServices/labs/users/invite/actionMicrosoft.LabServices/labs/virtualMachines/readMicrosoft.LabServices/labs/virtualMachines/start/actionMicrosoft.LabServices/labs/virtualMachines/stop/actionMicrosoft.LabServices/labs/virtualMachines/reimage/actionMicrosoft.LabServices/labs/virtualMachines/redeploy/actionMicrosoft.LabServices/labs/virtualMachines/resetPassword/actionMicrosoft.LabServices/locations/usages/readMicrosoft.LabServices/skus/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/read
Lab Contributor
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.LabServices/labPlans/images/readMicrosoft.LabServices/labPlans/readMicrosoft.LabServices/labPlans/saveImage/actionMicrosoft.LabServices/labs/readMicrosoft.LabServices/labs/writeMicrosoft.LabServices/labs/deleteMicrosoft.LabServices/labs/publish/actionMicrosoft.LabServices/labs/syncGroup/actionMicrosoft.LabServices/labs/schedules/readMicrosoft.LabServices/labs/schedules/writeMicrosoft.LabServices/labs/schedules/deleteMicrosoft.LabServices/labs/users/readMicrosoft.LabServices/labs/users/writeMicrosoft.LabServices/labs/users/deleteMicrosoft.LabServices/labs/users/invite/actionMicrosoft.LabServices/labs/virtualMachines/readMicrosoft.LabServices/labs/virtualMachines/start/actionMicrosoft.LabServices/labs/virtualMachines/stop/actionMicrosoft.LabServices/labs/virtualMachines/reimage/actionMicrosoft.LabServices/labs/virtualMachines/redeploy/actionMicrosoft.LabServices/labs/virtualMachines/resetPassword/actionMicrosoft.LabServices/locations/usages/readMicrosoft.LabServices/skus/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/read
-
DataActions:
Microsoft.LabServices/labPlans/createLab/action
Cognitive Services Language Owner
-
Actions:
Microsoft.CognitiveServices/*/readMicrosoft.CognitiveServices/accounts/listkeys/actionMicrosoft.Authorization/roleAssignments/readMicrosoft.Authorization/roleDefinitions/read
-
DataActions:
Microsoft.CognitiveServices/accounts/LanguageAuthoring/*Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/*
Cognitive Services LUIS Reader
-
Actions:
Microsoft.CognitiveServices/*/readMicrosoft.Authorization/roleAssignments/readMicrosoft.Authorization/roleDefinitions/read
-
DataActions:
Microsoft.CognitiveServices/accounts/LUIS/*/readMicrosoft.CognitiveServices/accounts/LUIS/apps/testdatasets/write
Cognitive Services Language Writer
-
Actions:
Microsoft.CognitiveServices/*/readMicrosoft.Authorization/roleAssignments/readMicrosoft.Authorization/roleDefinitions/read
-
DataActions:
Microsoft.CognitiveServices/accounts/LanguageAuthoring/*Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/*
-
NotDataActions:
Microsoft.CognitiveServices/accounts/LanguageAuthoring/projects/publish/actionMicrosoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/deployments/write
Cognitive Services LUIS Owner
-
Actions:
Microsoft.CognitiveServices/*/readMicrosoft.CognitiveServices/accounts/listkeys/actionMicrosoft.Authorization/roleAssignments/readMicrosoft.Authorization/roleDefinitions/read
-
DataActions:
Microsoft.CognitiveServices/accounts/LUIS/*
Cognitive Services Language Reader
-
Actions:
Microsoft.CognitiveServices/*/readMicrosoft.Authorization/roleAssignments/readMicrosoft.Authorization/roleDefinitions/read
-
DataActions:
Microsoft.CognitiveServices/accounts/LanguageAuthoring/*/readMicrosoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/*/readMicrosoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/export/action
Load Test Owner
-
Actions:
Microsoft.LoadTestService/*Microsoft.Authorization/*/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Insights/alertRules/*
-
DataActions:
Microsoft.LoadTestService/*
PlayFab Contributor
- Actions:
Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Authorization/*/readMicrosoft.Resources/deployments/*Microsoft.PlayFab/*/readMicrosoft.PlayFab/*/writeMicrosoft.PlayFab/*/delete
Load Test Contributor
-
Actions:
Microsoft.LoadTestService/*/readMicrosoft.Authorization/*/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Insights/alertRules/*
-
DataActions:
Microsoft.LoadTestService/loadtests/*
Cognitive Services LUIS Writer
-
Actions:
Microsoft.CognitiveServices/*/readMicrosoft.Authorization/roleAssignments/readMicrosoft.Authorization/roleDefinitions/read
-
DataActions:
Microsoft.CognitiveServices/accounts/LUIS/*
-
NotDataActions:
Microsoft.CognitiveServices/accounts/LUIS/apps/deleteMicrosoft.CognitiveServices/accounts/LUIS/apps/move/actionMicrosoft.CognitiveServices/accounts/LUIS/apps/publish/actionMicrosoft.CognitiveServices/accounts/LUIS/apps/settings/writeMicrosoft.CognitiveServices/accounts/LUIS/apps/azureaccounts/actionMicrosoft.CognitiveServices/accounts/LUIS/apps/azureaccounts/delete
PlayFab Reader
- Actions:
Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Authorization/*/readMicrosoft.PlayFab/*/read
Cognitive Services Speech User
-
Actions:
Microsoft.CognitiveServices/*/read
-
DataActions:
Microsoft.CognitiveServices/accounts/SpeechServices/*/readMicrosoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/writeMicrosoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/deleteMicrosoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/readMicrosoft.CognitiveServices/accounts/SpeechServices/*/frontend/actionMicrosoft.CognitiveServices/accounts/SpeechServices/text-dependent/*/actionMicrosoft.CognitiveServices/accounts/SpeechServices/text-independent/*/actionMicrosoft.CognitiveServices/accounts/CustomVoice/*/readMicrosoft.CognitiveServices/accounts/CustomVoice/evaluations/*Microsoft.CognitiveServices/accounts/CustomVoice/longaudiosynthesis/*
-
NotDataActions:
Microsoft.CognitiveServices/accounts/CustomVoice/trainingsets/files/readMicrosoft.CognitiveServices/accounts/CustomVoice/datasets/files/readMicrosoft.CognitiveServices/accounts/CustomVoice/trainingsets/utterances/read
Cognitive Services Speech Contributor
-
Actions:
Microsoft.CognitiveServices/*/read
-
DataActions:
Microsoft.CognitiveServices/accounts/SpeechServices/*Microsoft.CognitiveServices/accounts/CustomVoice/*
Azure Spring Cloud Data Reader
- DataActions:
Microsoft.AppPlatform/Spring/*/read
Web PubSub Service Owner (Preview)
- DataActions:
Microsoft.SignalRService/WebPubSub/*
Web PubSub Service Reader (Preview)
- DataActions:
Microsoft.SignalRService/WebPubSub/*/read
Media Services Media Operator
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Insights/metrics/readMicrosoft.Insights/metricDefinitions/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.ResourceHealth/availabilityStatuses/readMicrosoft.Media/mediaservices/*/readMicrosoft.Media/mediaservices/assets/*Microsoft.Media/mediaservices/assets/assetfilters/*Microsoft.Media/mediaservices/streamingLocators/*Microsoft.Media/mediaservices/transforms/jobs/*
-
NotActions:
Microsoft.Media/mediaservices/assets/getEncryptionKey/actionMicrosoft.Media/mediaservices/streamingLocators/listContentKeys/action
Media Services Policy Administrator
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Insights/metrics/readMicrosoft.Insights/metricDefinitions/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.ResourceHealth/availabilityStatuses/readMicrosoft.Media/mediaservices/*/readMicrosoft.Media/mediaservices/assets/listStreamingLocators/actionMicrosoft.Media/mediaservices/streamingLocators/listPaths/actionMicrosoft.Media/mediaservices/accountFilters/*Microsoft.Media/mediaservices/streamingPolicies/*Microsoft.Media/mediaservices/contentKeyPolicies/*Microsoft.Media/mediaservices/transforms/*
-
NotActions:
Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action
Media Services Live Events Administrator
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Insights/metrics/readMicrosoft.Insights/metricDefinitions/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.ResourceHealth/availabilityStatuses/readMicrosoft.Media/mediaservices/*/readMicrosoft.Media/mediaservices/assets/*Microsoft.Media/mediaservices/assets/assetfilters/*Microsoft.Media/mediaservices/streamingLocators/*Microsoft.Media/mediaservices/liveEvents/*
-
NotActions:
Microsoft.Media/mediaservices/assets/getEncryptionKey/actionMicrosoft.Media/mediaservices/streamingLocators/listContentKeys/action
Cognitive Services Face Recognizer
- DataActions:
Microsoft.CognitiveServices/accounts/Face/detect/actionMicrosoft.CognitiveServices/accounts/Face/verify/actionMicrosoft.CognitiveServices/accounts/Face/identify/actionMicrosoft.CognitiveServices/accounts/Face/group/actionMicrosoft.CognitiveServices/accounts/Face/findsimilars/action
Media Services Account Administrator
- Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Insights/metrics/readMicrosoft.Insights/metricDefinitions/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.ResourceHealth/availabilityStatuses/readMicrosoft.Media/mediaservices/*/readMicrosoft.Media/mediaservices/assets/listStreamingLocators/actionMicrosoft.Media/mediaservices/streamingLocators/listPaths/actionMicrosoft.Media/mediaservices/writeMicrosoft.Media/mediaservices/deleteMicrosoft.Media/mediaservices/privateEndpointConnectionsApproval/actionMicrosoft.Media/mediaservices/privateEndpointConnections/*
Microsoft Sentinel Automation Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Logic/workflows/triggers/readMicrosoft.Logic/workflows/triggers/listCallbackUrl/actionMicrosoft.Logic/workflows/runs/read
Quota Request Operator
- Actions:
Microsoft.Capacity/resourceProviders/locations/serviceLimits/readMicrosoft.Capacity/resourceProviders/locations/serviceLimits/writeMicrosoft.Capacity/resourceProviders/locations/serviceLimitsRequests/readMicrosoft.Capacity/register/actionMicrosoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
FHIR Data Converter
- DataActions:
Microsoft.HealthcareApis/services/fhir/resources/convertData/actionMicrosoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action
Collaborative Runtime Operator
- Actions:
Microsoft.IndustryDataLifecycle/derivedModels/*Microsoft.IndustryDataLifecycle/pipelineSets/*Microsoft.IndustryDataLifecycle/modelMappings/*Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
CosmosRestoreOperator
- Actions:
Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/actionMicrosoft.DocumentDB/locations/restorableDatabaseAccounts/*/readMicrosoft.DocumentDB/locations/restorableDatabaseAccounts/read
Object Anchors Account Owner
- DataActions:
Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/actionMicrosoft.MixedReality/ObjectAnchorsAccounts/ingest/read
WorkloadBuilder Migration Agent Role
- Actions:
Microsoft.WorkloadBuilder/migrationAgents/ReadMicrosoft.WorkloadBuilder/migrationAgents/Write
Object Anchors Account Reader
- DataActions:
Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/read
EventGrid Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.EventGrid/*Microsoft.Insights/alertRules/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
Security Detonation Chamber Reader
- DataActions:
Microsoft.SecurityDetonation/chambers/submissions/readMicrosoft.SecurityDetonation/chambers/submissions/files/read
DICOM Data Owner
- DataActions:
Microsoft.HealthcareApis/workspaces/dicomservices/resources/*
EventGrid Data Sender
-
Actions:
Microsoft.Authorization/*/readMicrosoft.EventGrid/topics/readMicrosoft.EventGrid/domains/readMicrosoft.EventGrid/partnerNamespaces/readMicrosoft.Resources/subscriptions/resourceGroups/read
-
DataActions:
Microsoft.EventGrid/events/send/action
DICOM Data Reader
- DataActions:
Microsoft.HealthcareApis/workspaces/dicomservices/resources/read
Storage Table Data Reader
-
Actions:
Microsoft.Storage/storageAccounts/tableServices/tables/read
-
DataActions:
Microsoft.Storage/storageAccounts/tableServices/tables/entities/read
Storage Table Data Contributor
-
Actions:
Microsoft.Storage/storageAccounts/tableServices/tables/readMicrosoft.Storage/storageAccounts/tableServices/tables/writeMicrosoft.Storage/storageAccounts/tableServices/tables/delete
-
DataActions:
Microsoft.Storage/storageAccounts/tableServices/tables/entities/readMicrosoft.Storage/storageAccounts/tableServices/tables/entities/writeMicrosoft.Storage/storageAccounts/tableServices/tables/entities/deleteMicrosoft.Storage/storageAccounts/tableServices/tables/entities/add/actionMicrosoft.Storage/storageAccounts/tableServices/tables/entities/update/action
Azure Connected SQL Server Onboarding
- Actions:
Microsoft.AzureArcData/sqlServerInstances/readMicrosoft.AzureArcData/sqlServerInstances/write
Azure Relay Sender
-
Actions:
Microsoft.Relay/*/wcfRelays/readMicrosoft.Relay/*/hybridConnections/read
-
DataActions:
Microsoft.Relay/*/send/action
Grafana Admin
- DataActions:
Microsoft.Dashboard/grafana/ActAsGrafanaAdmin/action
Disk Pool Operator
- Actions:
Microsoft.Compute/disks/writeMicrosoft.Compute/disks/readMicrosoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/read
AzureML Data Scientist
-
Actions:
Microsoft.MachineLearningServices/workspaces/*/readMicrosoft.MachineLearningServices/workspaces/*/actionMicrosoft.MachineLearningServices/workspaces/*/deleteMicrosoft.MachineLearningServices/workspaces/*/write
-
NotActions:
Microsoft.MachineLearningServices/workspaces/deleteMicrosoft.MachineLearningServices/workspaces/writeMicrosoft.MachineLearningServices/workspaces/computes/*/writeMicrosoft.MachineLearningServices/workspaces/computes/*/deleteMicrosoft.MachineLearningServices/workspaces/computes/listKeys/actionMicrosoft.MachineLearningServices/workspaces/listKeys/action
IoT Hub Data Reader
- DataActions:
Microsoft.Devices/IotHubs/*/readMicrosoft.Devices/IotHubs/fileUpload/notifications/action
IoT Hub Twin Contributor
- DataActions:
Microsoft.Devices/IotHubs/twins/*
AnyBuild Builder
- DataActions:
Microsoft.AnyBuild/clusters/build/writeMicrosoft.AnyBuild/clusters/build/read
Media Services Streaming Endpoints Administrator
- Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Insights/metrics/readMicrosoft.Insights/metricDefinitions/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.ResourceHealth/availabilityStatuses/readMicrosoft.Media/mediaservices/*/readMicrosoft.Media/mediaservices/assets/listStreamingLocators/actionMicrosoft.Media/mediaservices/streamingLocators/listPaths/actionMicrosoft.Media/mediaservices/streamingEndpoints/*
Stream Analytics Query Tester
- Actions:
Microsoft.StreamAnalytics/locations/TestQuery/actionMicrosoft.StreamAnalytics/locations/OperationResults/readMicrosoft.StreamAnalytics/locations/SampleInput/actionMicrosoft.StreamAnalytics/locations/CompileQuery/action
Search Index Data Reader
- DataActions:
Microsoft.Search/searchServices/indexes/documents/read
Search Index Data Contributor
- DataActions:
Microsoft.Search/searchServices/indexes/documents/*
Test Base Reader
- Actions:
Microsoft.TestBase/testBaseAccounts/packages/testResults/getDownloadUrl/actionMicrosoft.TestBase/testBaseAccounts/packages/testResults/getVideoDownloadUrl/actionMicrosoft.TestBase/testBaseAccounts/packages/getDownloadUrl/actionMicrosoft.TestBase/*/readMicrosoft.TestBase/testBaseAccounts/customerEvents/writeMicrosoft.TestBase/testBaseAccounts/customerEvents/delete
IoT Hub Registry Contributor
- DataActions:
Microsoft.Devices/IotHubs/devices/*
IoT Hub Data Contributor
- DataActions:
Microsoft.Devices/IotHubs/*
FHIR Data Contributor
- DataActions:
Microsoft.HealthcareApis/services/fhir/resources/*Microsoft.HealthcareApis/workspaces/fhirservices/resources/*
EventGrid EventSubscription Reader
- Actions:
Microsoft.Authorization/*/readMicrosoft.EventGrid/eventSubscriptions/readMicrosoft.EventGrid/topicTypes/eventSubscriptions/readMicrosoft.EventGrid/locations/eventSubscriptions/readMicrosoft.EventGrid/locations/topicTypes/eventSubscriptions/readMicrosoft.Resources/subscriptions/resourceGroups/read
Graph Owner
- Actions:
Microsoft.EnterpriseKnowledgeGraph/services/conflation/readMicrosoft.EnterpriseKnowledgeGraph/services/conflation/writeMicrosoft.EnterpriseKnowledgeGraph/services/sourceschema/readMicrosoft.EnterpriseKnowledgeGraph/services/sourceschema/writeMicrosoft.EnterpriseKnowledgeGraph/services/knowledge/readMicrosoft.EnterpriseKnowledgeGraph/services/knowledge/writeMicrosoft.EnterpriseKnowledgeGraph/services/intentclassification/readMicrosoft.EnterpriseKnowledgeGraph/services/intentclassification/writeMicrosoft.EnterpriseKnowledgeGraph/services/ingestion/readMicrosoft.EnterpriseKnowledgeGraph/services/ingestion/writeMicrosoft.EnterpriseKnowledgeGraph/services/ontology/readMicrosoft.EnterpriseKnowledgeGraph/services/ontology/writeMicrosoft.EnterpriseKnowledgeGraph/services/deleteMicrosoft.EnterpriseKnowledgeGraph/operations/read
EventGrid EventSubscription Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.EventGrid/eventSubscriptions/*Microsoft.EventGrid/topicTypes/eventSubscriptions/readMicrosoft.EventGrid/locations/eventSubscriptions/readMicrosoft.EventGrid/locations/topicTypes/eventSubscriptions/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
DocumentDB Account Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.DocumentDb/databaseAccounts/*Microsoft.Insights/alertRules/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action
DNS Zone Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Network/dnsZones/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
Knowledge Consumer
- Actions:
Microsoft.EnterpriseKnowledgeGraph/services/knowledge/read
Lab Creator
-
Actions:
Microsoft.Authorization/*/readMicrosoft.LabServices/labAccounts/*/readMicrosoft.LabServices/labAccounts/createLab/actionMicrosoft.LabServices/labAccounts/getPricingAndAvailability/actionMicrosoft.LabServices/labAccounts/getRestrictionsAndUsage/actionMicrosoft.Insights/alertRules/*Microsoft.LabServices/labPlans/images/readMicrosoft.LabServices/labPlans/readMicrosoft.LabServices/labPlans/saveImage/actionMicrosoft.LabServices/labs/readMicrosoft.LabServices/labs/schedules/readMicrosoft.LabServices/labs/users/readMicrosoft.LabServices/labs/virtualMachines/readMicrosoft.LabServices/locations/usages/readMicrosoft.LabServices/skus/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
-
DataActions:
Microsoft.LabServices/labPlans/createLab/action
Key Vault Contributor
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.KeyVault/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
-
NotActions:
Microsoft.KeyVault/locations/deletedVaults/purge/actionMicrosoft.KeyVault/hsmPools/*Microsoft.KeyVault/managedHsms/*
HDInsight Domain Services Contributor
- Actions:
Microsoft.AAD/*/readMicrosoft.AAD/domainServices/*/readMicrosoft.AAD/domainServices/oucontainer/*
Intelligent Systems Account Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.IntelligentSystems/accounts/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
Cost Management Reader
- Actions:
Microsoft.Consumption/*/readMicrosoft.CostManagement/*/readMicrosoft.Billing/billingPeriods/readMicrosoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*Microsoft.Advisor/configurations/readMicrosoft.Advisor/recommendations/readMicrosoft.Management/managementGroups/readMicrosoft.Billing/billingProperty/read
Data Box Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*Microsoft.Databox/*
Cost Management Contributor
- Actions:
Microsoft.Consumption/*Microsoft.CostManagement/*Microsoft.Billing/billingPeriods/readMicrosoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*Microsoft.Advisor/configurations/readMicrosoft.Advisor/recommendations/readMicrosoft.Management/managementGroups/readMicrosoft.Billing/billingProperty/read
Contributor
-
Actions:
*
-
NotActions:
Microsoft.Authorization/*/DeleteMicrosoft.Authorization/*/WriteMicrosoft.Authorization/elevateAccess/ActionMicrosoft.Blueprint/blueprintAssignments/writeMicrosoft.Blueprint/blueprintAssignments/deleteMicrosoft.Compute/galleries/share/action
Cosmos DB Account Reader Role
- Actions:
Microsoft.Authorization/*/readMicrosoft.DocumentDB/*/readMicrosoft.DocumentDB/databaseAccounts/readonlykeys/actionMicrosoft.Insights/MetricDefinitions/readMicrosoft.Insights/Metrics/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
Data Lake Analytics Developer
-
Actions:
Microsoft.Authorization/*/readMicrosoft.BigAnalytics/accounts/*Microsoft.DataLakeAnalytics/accounts/*Microsoft.Insights/alertRules/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
-
NotActions:
Microsoft.BigAnalytics/accounts/DeleteMicrosoft.BigAnalytics/accounts/TakeOwnership/actionMicrosoft.BigAnalytics/accounts/WriteMicrosoft.DataLakeAnalytics/accounts/DeleteMicrosoft.DataLakeAnalytics/accounts/TakeOwnership/actionMicrosoft.DataLakeAnalytics/accounts/WriteMicrosoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/WriteMicrosoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/DeleteMicrosoft.DataLakeAnalytics/accounts/storageAccounts/WriteMicrosoft.DataLakeAnalytics/accounts/storageAccounts/DeleteMicrosoft.DataLakeAnalytics/accounts/firewallRules/WriteMicrosoft.DataLakeAnalytics/accounts/firewallRules/DeleteMicrosoft.DataLakeAnalytics/accounts/computePolicies/WriteMicrosoft.DataLakeAnalytics/accounts/computePolicies/Delete
DevTest Labs User
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Compute/availabilitySets/readMicrosoft.Compute/virtualMachines/*/readMicrosoft.Compute/virtualMachines/deallocate/actionMicrosoft.Compute/virtualMachines/readMicrosoft.Compute/virtualMachines/restart/actionMicrosoft.Compute/virtualMachines/start/actionMicrosoft.DevTestLab/*/readMicrosoft.DevTestLab/labs/claimAnyVm/actionMicrosoft.DevTestLab/labs/createEnvironment/actionMicrosoft.DevTestLab/labs/ensureCurrentUserProfile/actionMicrosoft.DevTestLab/labs/formulas/deleteMicrosoft.DevTestLab/labs/formulas/readMicrosoft.DevTestLab/labs/formulas/writeMicrosoft.DevTestLab/labs/policySets/evaluatePolicies/actionMicrosoft.DevTestLab/labs/virtualMachines/claim/actionMicrosoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/actionMicrosoft.DevTestLab/labs/virtualMachines/getRdpFileContents/actionMicrosoft.Network/loadBalancers/backendAddressPools/join/actionMicrosoft.Network/loadBalancers/inboundNatRules/join/actionMicrosoft.Network/networkInterfaces/*/readMicrosoft.Network/networkInterfaces/join/actionMicrosoft.Network/networkInterfaces/readMicrosoft.Network/networkInterfaces/writeMicrosoft.Network/publicIPAddresses/*/readMicrosoft.Network/publicIPAddresses/join/actionMicrosoft.Network/publicIPAddresses/readMicrosoft.Network/virtualNetworks/subnets/join/actionMicrosoft.Resources/deployments/operations/readMicrosoft.Resources/deployments/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Storage/storageAccounts/listKeys/action
-
NotActions:
Microsoft.Compute/virtualMachines/vmSizes/read
Data Purger
- Actions:
Microsoft.Insights/components/*/readMicrosoft.Insights/components/purge/actionMicrosoft.OperationalInsights/workspaces/*/readMicrosoft.OperationalInsights/workspaces/purge/action
Data Box Reader
- Actions:
Microsoft.Authorization/*/readMicrosoft.Databox/*/readMicrosoft.Databox/jobs/listsecrets/actionMicrosoft.Databox/jobs/listcredentials/actionMicrosoft.Databox/locations/availableSkus/actionMicrosoft.Databox/locations/validateInputs/actionMicrosoft.Databox/locations/regionConfiguration/actionMicrosoft.Databox/locations/validateAddress/actionMicrosoft.ResourceHealth/availabilityStatuses/readMicrosoft.Support/*
Data Factory Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.DataFactory/dataFactories/*Microsoft.DataFactory/factories/*Microsoft.Insights/alertRules/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*Microsoft.EventGrid/eventSubscriptions/write
Monitoring Contributor
- Actions:
*/readMicrosoft.AlertsManagement/alerts/*Microsoft.AlertsManagement/alertsSummary/*Microsoft.Insights/actiongroups/*Microsoft.Insights/activityLogAlerts/*Microsoft.Insights/AlertRules/*Microsoft.Insights/components/*Microsoft.Insights/dataCollectionEndpoints/*Microsoft.Insights/dataCollectionRules/*Microsoft.Insights/dataCollectionRuleAssociations/*Microsoft.Insights/DiagnosticSettings/*Microsoft.Insights/eventtypes/*Microsoft.Insights/LogDefinitions/*Microsoft.Insights/metricalerts/*Microsoft.Insights/MetricDefinitions/*Microsoft.Insights/Metrics/*Microsoft.Insights/Register/ActionMicrosoft.Insights/scheduledqueryrules/*Microsoft.Insights/webtests/*Microsoft.Insights/workbooks/*Microsoft.Insights/workbooktemplates/*Microsoft.Insights/privateLinkScopes/*Microsoft.Insights/privateLinkScopeOperationStatuses/*Microsoft.OperationalInsights/workspaces/writeMicrosoft.OperationalInsights/workspaces/intelligencepacks/*Microsoft.OperationalInsights/workspaces/savedSearches/*Microsoft.OperationalInsights/workspaces/search/actionMicrosoft.OperationalInsights/workspaces/sharedKeys/actionMicrosoft.OperationalInsights/workspaces/storageinsightconfigs/*Microsoft.Support/*Microsoft.WorkloadMonitor/monitors/*Microsoft.AlertsManagement/smartDetectorAlertRules/*Microsoft.AlertsManagement/actionRules/*Microsoft.AlertsManagement/smartGroups/*
New Relic APM Account Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*NewRelic.APM/accounts/*
Network Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Network/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
Monitoring Metrics Publisher
-
Actions:
Microsoft.Insights/Register/ActionMicrosoft.Support/*Microsoft.Resources/subscriptions/resourceGroups/read
-
DataActions:
Microsoft.Insights/Metrics/WriteMicrosoft.Insights/Telemetry/Write
Monitoring Reader
- Actions:
*/readMicrosoft.OperationalInsights/workspaces/search/actionMicrosoft.Support/*
Reader and Data Access
- Actions:
Microsoft.Storage/storageAccounts/listKeys/actionMicrosoft.Storage/storageAccounts/ListAccountSas/actionMicrosoft.Storage/storageAccounts/read
Resource Policy Contributor
- Actions:
*/readMicrosoft.Authorization/policyassignments/*Microsoft.Authorization/policydefinitions/*Microsoft.Authorization/policyexemptions/*Microsoft.Authorization/policysetdefinitions/*Microsoft.PolicyInsights/*Microsoft.Support/*
Redis Cache Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Cache/register/actionMicrosoft.Cache/redis/*Microsoft.Insights/alertRules/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
Owner
- Actions:
*
Reader
- Actions:
*/read
Logic App Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.ClassicStorage/storageAccounts/listKeys/actionMicrosoft.ClassicStorage/storageAccounts/readMicrosoft.Insights/alertRules/*Microsoft.Insights/metricAlerts/*Microsoft.Insights/diagnosticSettings/*Microsoft.Insights/logdefinitions/*Microsoft.Insights/metricDefinitions/*Microsoft.Logic/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/operationresults/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Storage/storageAccounts/listkeys/actionMicrosoft.Storage/storageAccounts/readMicrosoft.Support/*Microsoft.Web/connectionGateways/*Microsoft.Web/connections/*Microsoft.Web/customApis/*Microsoft.Web/serverFarms/join/actionMicrosoft.Web/serverFarms/readMicrosoft.Web/sites/functions/listSecrets/action
Managed Application Operator Role
- Actions:
*/readMicrosoft.Solutions/applications/readMicrosoft.Solutions/*/action
Logic App Operator
- Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*/readMicrosoft.Insights/metricAlerts/*/readMicrosoft.Insights/diagnosticSettings/*/readMicrosoft.Insights/metricDefinitions/*/readMicrosoft.Logic/*/readMicrosoft.Logic/workflows/disable/actionMicrosoft.Logic/workflows/enable/actionMicrosoft.Logic/workflows/validate/actionMicrosoft.Resources/deployments/operations/readMicrosoft.Resources/subscriptions/operationresults/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*Microsoft.Web/connectionGateways/*/readMicrosoft.Web/connections/*/readMicrosoft.Web/customApis/*/readMicrosoft.Web/serverFarms/read
Log Analytics Reader
-
Actions:
*/readMicrosoft.OperationalInsights/workspaces/analytics/query/actionMicrosoft.OperationalInsights/workspaces/search/actionMicrosoft.Support/*
-
NotActions:
Microsoft.OperationalInsights/workspaces/sharedKeys/read
Log Analytics Contributor
- Actions:
*/readMicrosoft.ClassicCompute/virtualMachines/extensions/*Microsoft.ClassicStorage/storageAccounts/listKeys/actionMicrosoft.Compute/virtualMachines/extensions/*Microsoft.HybridCompute/machines/extensions/writeMicrosoft.Insights/alertRules/*Microsoft.Insights/diagnosticSettings/*Microsoft.OperationalInsights/*Microsoft.OperationsManagement/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourcegroups/deployments/*Microsoft.Storage/storageAccounts/listKeys/actionMicrosoft.Support/*
Management Group Contributor
- Actions:
Microsoft.Management/managementGroups/deleteMicrosoft.Management/managementGroups/readMicrosoft.Management/managementGroups/subscriptions/deleteMicrosoft.Management/managementGroups/subscriptions/writeMicrosoft.Management/managementGroups/writeMicrosoft.Management/managementGroups/subscriptions/read
Management Group Reader
- Actions:
Microsoft.Management/managementGroups/readMicrosoft.Management/managementGroups/subscriptions/read
Managed Identity Contributor
- Actions:
Microsoft.ManagedIdentity/userAssignedIdentities/readMicrosoft.ManagedIdentity/userAssignedIdentities/writeMicrosoft.ManagedIdentity/userAssignedIdentities/deleteMicrosoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/deployments/*Microsoft.Support/*
Managed Applications Reader
- Actions:
*/readMicrosoft.Resources/deployments/*Microsoft.Solutions/jitRequests/*
Managed Identity Operator
- Actions:
Microsoft.ManagedIdentity/userAssignedIdentities/*/readMicrosoft.ManagedIdentity/userAssignedIdentities/*/assign/actionMicrosoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/deployments/*Microsoft.Support/*
Automation Runbook Operator
- Actions:
Microsoft.Authorization/*/readMicrosoft.Automation/automationAccounts/runbooks/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
Automation Operator
- Actions:
Microsoft.Authorization/*/readMicrosoft.Automation/automationAccounts/hybridRunbookWorkerGroups/readMicrosoft.Automation/automationAccounts/jobs/readMicrosoft.Automation/automationAccounts/jobs/resume/actionMicrosoft.Automation/automationAccounts/jobs/stop/actionMicrosoft.Automation/automationAccounts/jobs/streams/readMicrosoft.Automation/automationAccounts/jobs/suspend/actionMicrosoft.Automation/automationAccounts/jobs/writeMicrosoft.Automation/automationAccounts/jobSchedules/readMicrosoft.Automation/automationAccounts/jobSchedules/writeMicrosoft.Automation/automationAccounts/linkedWorkspace/readMicrosoft.Automation/automationAccounts/readMicrosoft.Automation/automationAccounts/runbooks/readMicrosoft.Automation/automationAccounts/schedules/readMicrosoft.Automation/automationAccounts/schedules/writeMicrosoft.Insights/alertRules/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Automation/automationAccounts/jobs/output/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
Automation Job Operator
- Actions:
Microsoft.Authorization/*/readMicrosoft.Automation/automationAccounts/hybridRunbookWorkerGroups/readMicrosoft.Automation/automationAccounts/jobs/readMicrosoft.Automation/automationAccounts/jobs/resume/actionMicrosoft.Automation/automationAccounts/jobs/stop/actionMicrosoft.Automation/automationAccounts/jobs/streams/readMicrosoft.Automation/automationAccounts/jobs/suspend/actionMicrosoft.Automation/automationAccounts/jobs/writeMicrosoft.Automation/automationAccounts/jobs/output/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
Application Insights Snapshot Debugger
- Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Insights/components/*/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
Attestation Reader
- Actions:
Microsoft.Attestation/attestationProviders/attestation/read
Azure Kubernetes Service Cluster User Role
- Actions:
Microsoft.ContainerService/managedClusters/listClusterUserCredential/actionMicrosoft.ContainerService/managedClusters/read
Azure Maps Data Reader
- DataActions:
Microsoft.Maps/accounts/*/read
Azure Kubernetes Service Cluster Admin Role
- Actions:
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/actionMicrosoft.ContainerService/managedClusters/accessProfiles/listCredential/actionMicrosoft.ContainerService/managedClusters/read
Avere Contributor
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Compute/*/readMicrosoft.Compute/availabilitySets/*Microsoft.Compute/proximityPlacementGroups/*Microsoft.Compute/virtualMachines/*Microsoft.Compute/disks/*Microsoft.Network/*/readMicrosoft.Network/networkInterfaces/*Microsoft.Network/virtualNetworks/readMicrosoft.Network/virtualNetworks/subnets/readMicrosoft.Network/virtualNetworks/subnets/join/actionMicrosoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/actionMicrosoft.Network/networkSecurityGroups/join/actionMicrosoft.Resources/deployments/*Microsoft.Insights/alertRules/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Storage/*/readMicrosoft.Storage/storageAccounts/*Microsoft.Support/*Microsoft.Resources/subscriptions/resourceGroups/resources/read
-
DataActions:
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteMicrosoft.Storage/storageAccounts/blobServices/containers/blobs/readMicrosoft.Storage/storageAccounts/blobServices/containers/blobs/write
Avere Operator
-
Actions:
Microsoft.Compute/virtualMachines/readMicrosoft.Network/networkInterfaces/readMicrosoft.Network/networkInterfaces/writeMicrosoft.Network/virtualNetworks/readMicrosoft.Network/virtualNetworks/subnets/readMicrosoft.Network/virtualNetworks/subnets/join/actionMicrosoft.Network/networkSecurityGroups/join/actionMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Storage/storageAccounts/blobServices/containers/deleteMicrosoft.Storage/storageAccounts/blobServices/containers/readMicrosoft.Storage/storageAccounts/blobServices/containers/write
-
DataActions:
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteMicrosoft.Storage/storageAccounts/blobServices/containers/blobs/readMicrosoft.Storage/storageAccounts/blobServices/containers/blobs/write
AcrImageSigner
-
Actions:
Microsoft.ContainerRegistry/registries/sign/write
-
DataActions:
Microsoft.ContainerRegistry/registries/trustedCollections/write
AcrDelete
- Actions:
Microsoft.ContainerRegistry/registries/artifacts/delete
AcrPull
- Actions:
Microsoft.ContainerRegistry/registries/pull/read
AcrPush
- Actions:
Microsoft.ContainerRegistry/registries/pull/readMicrosoft.ContainerRegistry/registries/push/write
API Management Service Contributor
- Actions:
Microsoft.ApiManagement/service/*Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
API Management Service Reader Role
-
Actions:
Microsoft.ApiManagement/service/*/readMicrosoft.ApiManagement/service/readMicrosoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
-
NotActions:
Microsoft.ApiManagement/service/users/keys/read
Application Insights Component Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Insights/generateLiveToken/readMicrosoft.Insights/metricAlerts/*Microsoft.Insights/components/*Microsoft.Insights/scheduledqueryrules/*Microsoft.Insights/topology/readMicrosoft.Insights/transactions/readMicrosoft.Insights/webtests/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
API Management Service Operator Role
-
Actions:
Microsoft.ApiManagement/service/*/readMicrosoft.ApiManagement/service/backup/actionMicrosoft.ApiManagement/service/deleteMicrosoft.ApiManagement/service/managedeployments/actionMicrosoft.ApiManagement/service/readMicrosoft.ApiManagement/service/restore/actionMicrosoft.ApiManagement/service/updatecertificate/actionMicrosoft.ApiManagement/service/updatehostname/actionMicrosoft.ApiManagement/service/writeMicrosoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
-
NotActions:
Microsoft.ApiManagement/service/users/keys/read
AcrQuarantineReader
-
Actions:
Microsoft.ContainerRegistry/registries/quarantine/read
-
DataActions:
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read
AcrQuarantineWriter
-
Actions:
Microsoft.ContainerRegistry/registries/quarantine/readMicrosoft.ContainerRegistry/registries/quarantine/write
-
DataActions:
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/readMicrosoft.ContainerRegistry/registries/quarantinedArtifacts/write
Classic Storage Account Key Operator Service Role
- Actions:
Microsoft.ClassicStorage/storageAccounts/listkeys/actionMicrosoft.ClassicStorage/storageAccounts/regeneratekey/action
ClearDB MySQL DB Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*successbricks.cleardb/databases/*
Classic Storage Account Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.ClassicStorage/storageAccounts/*Microsoft.Insights/alertRules/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
CDN Profile Reader
- Actions:
Microsoft.Authorization/*/readMicrosoft.Cdn/edgenodes/readMicrosoft.Cdn/operationresults/*Microsoft.Cdn/profiles/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
Classic Network Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.ClassicNetwork/*Microsoft.Insights/alertRules/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
Cognitive Services Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.CognitiveServices/*Microsoft.Features/features/readMicrosoft.Features/providers/features/readMicrosoft.Features/providers/features/register/actionMicrosoft.Insights/alertRules/*Microsoft.Insights/diagnosticSettings/*Microsoft.Insights/logDefinitions/readMicrosoft.Insights/metricdefinitions/readMicrosoft.Insights/metrics/readMicrosoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/deployments/operations/readMicrosoft.Resources/subscriptions/operationresults/readMicrosoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/resourcegroups/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
CosmosBackupOperator
- Actions:
Microsoft.DocumentDB/databaseAccounts/backup/actionMicrosoft.DocumentDB/databaseAccounts/restore/action
Cognitive Services Data Reader (Preview)
- DataActions:
Microsoft.CognitiveServices/*/read
Classic Virtual Machine Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.ClassicCompute/domainNames/*Microsoft.ClassicCompute/virtualMachines/*Microsoft.ClassicNetwork/networkSecurityGroups/join/actionMicrosoft.ClassicNetwork/reservedIps/link/actionMicrosoft.ClassicNetwork/reservedIps/readMicrosoft.ClassicNetwork/virtualNetworks/join/actionMicrosoft.ClassicNetwork/virtualNetworks/readMicrosoft.ClassicStorage/storageAccounts/disks/readMicrosoft.ClassicStorage/storageAccounts/images/readMicrosoft.ClassicStorage/storageAccounts/listKeys/actionMicrosoft.ClassicStorage/storageAccounts/readMicrosoft.Insights/alertRules/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
Cognitive Services User
-
Actions:
Microsoft.CognitiveServices/*/readMicrosoft.CognitiveServices/accounts/listkeys/actionMicrosoft.Insights/alertRules/readMicrosoft.Insights/diagnosticSettings/readMicrosoft.Insights/logDefinitions/readMicrosoft.Insights/metricdefinitions/readMicrosoft.Insights/metrics/readMicrosoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/operations/readMicrosoft.Resources/subscriptions/operationresults/readMicrosoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
-
DataActions:
Microsoft.CognitiveServices/*
Backup Operator
- Actions:
Microsoft.Authorization/*/readMicrosoft.Network/virtualNetworks/readMicrosoft.RecoveryServices/Vaults/backupFabrics/operationResults/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/actionMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/actionMicrosoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/actionMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/actionMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/actionMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/writeMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/readMicrosoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/actionMicrosoft.RecoveryServices/Vaults/backupJobs/*Microsoft.RecoveryServices/Vaults/backupJobsExport/actionMicrosoft.RecoveryServices/Vaults/backupOperationResults/*Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/readMicrosoft.RecoveryServices/Vaults/backupPolicies/readMicrosoft.RecoveryServices/Vaults/backupProtectableItems/*Microsoft.RecoveryServices/Vaults/backupProtectedItems/readMicrosoft.RecoveryServices/Vaults/backupProtectionContainers/readMicrosoft.RecoveryServices/Vaults/backupUsageSummaries/readMicrosoft.RecoveryServices/Vaults/certificates/writeMicrosoft.RecoveryServices/Vaults/extendedInformation/readMicrosoft.RecoveryServices/Vaults/extendedInformation/writeMicrosoft.RecoveryServices/Vaults/monitoringAlerts/readMicrosoft.RecoveryServices/Vaults/monitoringConfigurations/*Microsoft.RecoveryServices/Vaults/readMicrosoft.RecoveryServices/Vaults/registeredIdentities/operationResults/readMicrosoft.RecoveryServices/Vaults/registeredIdentities/readMicrosoft.RecoveryServices/Vaults/registeredIdentities/writeMicrosoft.RecoveryServices/Vaults/usages/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Storage/storageAccounts/readMicrosoft.RecoveryServices/Vaults/backupstorageconfig/*Microsoft.RecoveryServices/Vaults/backupValidateOperation/actionMicrosoft.RecoveryServices/Vaults/backupTriggerValidateOperation/actionMicrosoft.RecoveryServices/Vaults/backupValidateOperationResults/readMicrosoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/readMicrosoft.RecoveryServices/Vaults/backupOperations/readMicrosoft.RecoveryServices/Vaults/backupPolicies/operations/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/writeMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/actionMicrosoft.RecoveryServices/Vaults/backupEngines/readMicrosoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/writeMicrosoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/readMicrosoft.RecoveryServices/locations/backupStatus/actionMicrosoft.RecoveryServices/locations/backupPreValidateProtection/actionMicrosoft.RecoveryServices/locations/backupValidateFeatures/actionMicrosoft.RecoveryServices/locations/backupAadProperties/readMicrosoft.RecoveryServices/locations/backupCrrJobs/actionMicrosoft.RecoveryServices/locations/backupCrrJob/actionMicrosoft.RecoveryServices/locations/backupCrossRegionRestore/actionMicrosoft.RecoveryServices/locations/backupCrrOperationResults/readMicrosoft.RecoveryServices/locations/backupCrrOperationsStatus/readMicrosoft.RecoveryServices/Vaults/monitoringAlerts/writeMicrosoft.RecoveryServices/operations/readMicrosoft.RecoveryServices/locations/operationStatus/readMicrosoft.RecoveryServices/Vaults/backupProtectionIntents/readMicrosoft.Support/*Microsoft.DataProtection/backupVaults/backupInstances/readMicrosoft.DataProtection/backupVaults/backupInstances/readMicrosoft.DataProtection/backupVaults/backupPolicies/readMicrosoft.DataProtection/backupVaults/backupPolicies/readMicrosoft.DataProtection/backupVaults/backupInstances/recoveryPoints/readMicrosoft.DataProtection/backupVaults/backupInstances/recoveryPoints/readMicrosoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/actionMicrosoft.DataProtection/backupVaults/readMicrosoft.DataProtection/backupVaults/operationResults/readMicrosoft.DataProtection/backupVaults/readMicrosoft.DataProtection/backupVaults/readMicrosoft.DataProtection/locations/operationStatus/readMicrosoft.DataProtection/locations/operationResults/readMicrosoft.DataProtection/providers/operations/read
Backup Reader
- Actions:
Microsoft.Authorization/*/readMicrosoft.RecoveryServices/locations/allocatedStamp/readMicrosoft.RecoveryServices/Vaults/backupFabrics/operationResults/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/readMicrosoft.RecoveryServices/Vaults/backupJobs/operationResults/readMicrosoft.RecoveryServices/Vaults/backupJobs/readMicrosoft.RecoveryServices/Vaults/backupJobsExport/actionMicrosoft.RecoveryServices/Vaults/backupOperationResults/readMicrosoft.RecoveryServices/Vaults/backupPolicies/operationResults/readMicrosoft.RecoveryServices/Vaults/backupPolicies/readMicrosoft.RecoveryServices/Vaults/backupProtectedItems/readMicrosoft.RecoveryServices/Vaults/backupProtectionContainers/readMicrosoft.RecoveryServices/Vaults/backupUsageSummaries/readMicrosoft.RecoveryServices/Vaults/extendedInformation/readMicrosoft.RecoveryServices/Vaults/monitoringAlerts/readMicrosoft.RecoveryServices/Vaults/readMicrosoft.RecoveryServices/Vaults/registeredIdentities/operationResults/readMicrosoft.RecoveryServices/Vaults/registeredIdentities/readMicrosoft.RecoveryServices/Vaults/backupstorageconfig/readMicrosoft.RecoveryServices/Vaults/backupconfig/readMicrosoft.RecoveryServices/Vaults/backupOperations/readMicrosoft.RecoveryServices/Vaults/backupPolicies/operations/readMicrosoft.RecoveryServices/Vaults/backupEngines/readMicrosoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/readMicrosoft.RecoveryServices/locations/backupStatus/actionMicrosoft.RecoveryServices/Vaults/monitoringConfigurations/*Microsoft.RecoveryServices/Vaults/monitoringAlerts/writeMicrosoft.RecoveryServices/operations/readMicrosoft.RecoveryServices/locations/operationStatus/readMicrosoft.RecoveryServices/Vaults/backupProtectionIntents/readMicrosoft.RecoveryServices/Vaults/usages/readMicrosoft.RecoveryServices/locations/backupValidateFeatures/actionMicrosoft.RecoveryServices/locations/backupCrrJobs/actionMicrosoft.RecoveryServices/locations/backupCrrJob/actionMicrosoft.RecoveryServices/locations/backupCrrOperationResults/readMicrosoft.RecoveryServices/locations/backupCrrOperationsStatus/readMicrosoft.DataProtection/locations/getBackupStatus/actionMicrosoft.DataProtection/backupVaults/backupInstances/writeMicrosoft.DataProtection/backupVaults/backupInstances/readMicrosoft.DataProtection/backupVaults/backupInstances/readMicrosoft.DataProtection/backupVaults/backupInstances/backup/actionMicrosoft.DataProtection/backupVaults/backupInstances/validateRestore/actionMicrosoft.DataProtection/backupVaults/backupInstances/restore/actionMicrosoft.DataProtection/backupVaults/backupPolicies/readMicrosoft.DataProtection/backupVaults/backupPolicies/readMicrosoft.DataProtection/backupVaults/backupInstances/recoveryPoints/readMicrosoft.DataProtection/backupVaults/backupInstances/recoveryPoints/readMicrosoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/actionMicrosoft.DataProtection/backupVaults/readMicrosoft.DataProtection/backupVaults/operationResults/readMicrosoft.DataProtection/backupVaults/readMicrosoft.DataProtection/backupVaults/readMicrosoft.DataProtection/locations/operationStatus/readMicrosoft.DataProtection/locations/operationResults/readMicrosoft.DataProtection/backupVaults/validateForBackup/actionMicrosoft.DataProtection/providers/operations/read
Billing Reader
- Actions:
Microsoft.Authorization/*/readMicrosoft.Billing/*/readMicrosoft.Commerce/*/readMicrosoft.Consumption/*/readMicrosoft.Management/managementGroups/readMicrosoft.CostManagement/*/readMicrosoft.Support/*
Azure Stack Registration Owner
- Actions:
Microsoft.AzureStack/edgeSubscriptions/readMicrosoft.AzureStack/registrations/products/*/actionMicrosoft.AzureStack/registrations/products/readMicrosoft.AzureStack/registrations/read
Backup Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Network/virtualNetworks/readMicrosoft.RecoveryServices/locations/*Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/*Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/*Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/actionMicrosoft.RecoveryServices/Vaults/backupJobs/*Microsoft.RecoveryServices/Vaults/backupJobsExport/actionMicrosoft.RecoveryServices/Vaults/backupOperationResults/*Microsoft.RecoveryServices/Vaults/backupPolicies/*Microsoft.RecoveryServices/Vaults/backupProtectableItems/*Microsoft.RecoveryServices/Vaults/backupProtectedItems/*Microsoft.RecoveryServices/Vaults/backupProtectionContainers/*Microsoft.RecoveryServices/Vaults/backupSecurityPIN/*Microsoft.RecoveryServices/Vaults/backupUsageSummaries/readMicrosoft.RecoveryServices/Vaults/certificates/*Microsoft.RecoveryServices/Vaults/extendedInformation/*Microsoft.RecoveryServices/Vaults/monitoringAlerts/readMicrosoft.RecoveryServices/Vaults/monitoringConfigurations/*Microsoft.RecoveryServices/Vaults/readMicrosoft.RecoveryServices/Vaults/registeredIdentities/*Microsoft.RecoveryServices/Vaults/usages/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Storage/storageAccounts/readMicrosoft.RecoveryServices/Vaults/backupstorageconfig/*Microsoft.RecoveryServices/Vaults/backupconfig/*Microsoft.RecoveryServices/Vaults/backupValidateOperation/actionMicrosoft.RecoveryServices/Vaults/writeMicrosoft.RecoveryServices/Vaults/backupOperations/readMicrosoft.RecoveryServices/Vaults/backupEngines/readMicrosoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/readMicrosoft.RecoveryServices/locations/backupStatus/actionMicrosoft.RecoveryServices/locations/backupPreValidateProtection/actionMicrosoft.RecoveryServices/locations/backupValidateFeatures/actionMicrosoft.RecoveryServices/Vaults/monitoringAlerts/writeMicrosoft.RecoveryServices/operations/readMicrosoft.RecoveryServices/locations/operationStatus/readMicrosoft.RecoveryServices/Vaults/backupProtectionIntents/readMicrosoft.Support/*Microsoft.DataProtection/locations/getBackupStatus/actionMicrosoft.DataProtection/backupVaults/backupInstances/writeMicrosoft.DataProtection/backupVaults/backupInstances/deleteMicrosoft.DataProtection/backupVaults/backupInstances/readMicrosoft.DataProtection/backupVaults/backupInstances/readMicrosoft.DataProtection/backupVaults/backupInstances/backup/actionMicrosoft.DataProtection/backupVaults/backupInstances/validateRestore/actionMicrosoft.DataProtection/backupVaults/backupInstances/restore/actionMicrosoft.DataProtection/backupVaults/backupPolicies/writeMicrosoft.DataProtection/backupVaults/backupPolicies/deleteMicrosoft.DataProtection/backupVaults/backupPolicies/readMicrosoft.DataProtection/backupVaults/backupPolicies/readMicrosoft.DataProtection/backupVaults/backupInstances/recoveryPoints/readMicrosoft.DataProtection/backupVaults/backupInstances/recoveryPoints/readMicrosoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/actionMicrosoft.DataProtection/backupVaults/writeMicrosoft.DataProtection/backupVaults/readMicrosoft.DataProtection/backupVaults/operationResults/readMicrosoft.DataProtection/locations/checkNameAvailability/actionMicrosoft.DataProtection/backupVaults/readMicrosoft.DataProtection/backupVaults/readMicrosoft.DataProtection/locations/operationStatus/readMicrosoft.DataProtection/locations/operationResults/readMicrosoft.DataProtection/backupVaults/validateForBackup/actionMicrosoft.DataProtection/providers/operations/read
CDN Endpoint Reader
- Actions:
Microsoft.Authorization/*/readMicrosoft.Cdn/edgenodes/readMicrosoft.Cdn/operationresults/*Microsoft.Cdn/profiles/endpoints/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
CDN Profile Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Cdn/edgenodes/readMicrosoft.Cdn/operationresults/*Microsoft.Cdn/profiles/*Microsoft.Insights/alertRules/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
CDN Endpoint Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Cdn/edgenodes/readMicrosoft.Cdn/operationresults/*Microsoft.Cdn/profiles/endpoints/*Microsoft.Insights/alertRules/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
Blockchain Member Node Access (Preview)
-
Actions:
Microsoft.Blockchain/blockchainMembers/transactionNodes/read
-
DataActions:
Microsoft.Blockchain/blockchainMembers/transactionNodes/connect/action
BizTalk Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.BizTalkServices/BizTalk/*Microsoft.Insights/alertRules/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
Microsoft Sentinel Reader
- Actions:
Microsoft.SecurityInsights/*/readMicrosoft.SecurityInsights/dataConnectorsCheckRequirements/actionMicrosoft.SecurityInsights/threatIntelligence/indicators/query/actionMicrosoft.SecurityInsights/threatIntelligence/queryIndicators/actionMicrosoft.OperationalInsights/workspaces/analytics/query/actionMicrosoft.OperationalInsights/workspaces/*/readMicrosoft.OperationalInsights/workspaces/LinkedServices/readMicrosoft.OperationalInsights/workspaces/savedSearches/readMicrosoft.OperationsManagement/solutions/readMicrosoft.OperationalInsights/workspaces/query/readMicrosoft.OperationalInsights/workspaces/query/*/readMicrosoft.OperationalInsights/querypacks/*/readMicrosoft.OperationalInsights/workspaces/dataSources/readMicrosoft.Insights/workbooks/readMicrosoft.Insights/myworkbooks/readMicrosoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
Workbook Reader
- Actions:
microsoft.insights/workbooks/readmicrosoft.insights/workbooktemplates/read
Microsoft Sentinel Responder
-
Actions:
Microsoft.SecurityInsights/*/readMicrosoft.SecurityInsights/dataConnectorsCheckRequirements/actionMicrosoft.SecurityInsights/automationRules/*Microsoft.SecurityInsights/cases/*Microsoft.SecurityInsights/incidents/*Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/actionMicrosoft.SecurityInsights/threatIntelligence/indicators/query/actionMicrosoft.SecurityInsights/threatIntelligence/bulkTag/actionMicrosoft.SecurityInsights/threatIntelligence/indicators/appendTags/actionMicrosoft.SecurityInsights/threatIntelligence/indicators/replaceTags/actionMicrosoft.SecurityInsights/threatIntelligence/queryIndicators/actionMicrosoft.OperationalInsights/workspaces/analytics/query/actionMicrosoft.OperationalInsights/workspaces/*/readMicrosoft.OperationalInsights/workspaces/dataSources/readMicrosoft.OperationalInsights/workspaces/savedSearches/readMicrosoft.OperationsManagement/solutions/readMicrosoft.OperationalInsights/workspaces/query/readMicrosoft.OperationalInsights/workspaces/query/*/readMicrosoft.OperationalInsights/workspaces/dataSources/readMicrosoft.OperationalInsights/querypacks/*/readMicrosoft.Insights/workbooks/readMicrosoft.Insights/myworkbooks/readMicrosoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
-
NotActions:
Microsoft.SecurityInsights/cases/*/DeleteMicrosoft.SecurityInsights/incidents/*/Delete
Blueprint Operator
- Actions:
Microsoft.Authorization/*/readMicrosoft.Blueprint/blueprintAssignments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/deployments/*Microsoft.Support/*
Microsoft Sentinel Contributor
- Actions:
Microsoft.SecurityInsights/*Microsoft.OperationalInsights/workspaces/analytics/query/actionMicrosoft.OperationalInsights/workspaces/*/readMicrosoft.OperationalInsights/workspaces/savedSearches/*Microsoft.OperationsManagement/solutions/readMicrosoft.OperationalInsights/workspaces/query/readMicrosoft.OperationalInsights/workspaces/query/*/readMicrosoft.OperationalInsights/workspaces/dataSources/readMicrosoft.OperationalInsights/querypacks/*/readMicrosoft.Insights/workbooks/*Microsoft.Insights/myworkbooks/readMicrosoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
SignalR/Web PubSub Contributor
- Actions:
Microsoft.SignalRService/*Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/deployments/*Microsoft.Support/*
Azure Connected Machine Onboarding
- Actions:
Microsoft.HybridCompute/machines/readMicrosoft.HybridCompute/machines/writeMicrosoft.HybridCompute/privateLinkScopes/readMicrosoft.GuestConfiguration/guestConfigurationAssignments/read
SignalR AccessKey Reader
- Actions:
Microsoft.SignalRService/*/readMicrosoft.SignalRService/SignalR/listkeys/actionMicrosoft.Authorization/*/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
Workbook Contributor
- Actions:
Microsoft.Insights/workbooks/writeMicrosoft.Insights/workbooks/deleteMicrosoft.Insights/workbooks/readMicrosoft.Insights/workbooktemplates/writeMicrosoft.Insights/workbooktemplates/deleteMicrosoft.Insights/workbooktemplates/read
Policy Insights Data Writer (Preview)
-
Actions:
Microsoft.Authorization/policyassignments/readMicrosoft.Authorization/policydefinitions/readMicrosoft.Authorization/policyexemptions/readMicrosoft.Authorization/policysetdefinitions/read
-
DataActions:
Microsoft.PolicyInsights/checkDataPolicyCompliance/actionMicrosoft.PolicyInsights/policyEvents/logDataEvents/action
Storage File Data SMB Share Reader
- DataActions:
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read
Storage File Data SMB Share Contributor
- DataActions:
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/readMicrosoft.Storage/storageAccounts/fileServices/fileshares/files/writeMicrosoft.Storage/storageAccounts/fileServices/fileshares/files/delete
Azure Service Bus Data Sender
-
Actions:
Microsoft.ServiceBus/*/queues/readMicrosoft.ServiceBus/*/topics/readMicrosoft.ServiceBus/*/topics/subscriptions/read
-
DataActions:
Microsoft.ServiceBus/*/send/action
Azure Event Hubs Data Sender
-
Actions:
Microsoft.EventHub/*/eventhubs/read
-
DataActions:
Microsoft.EventHub/*/send/action
Azure Service Bus Data Receiver
-
Actions:
Microsoft.ServiceBus/*/queues/readMicrosoft.ServiceBus/*/topics/readMicrosoft.ServiceBus/*/topics/subscriptions/read
-
DataActions:
Microsoft.ServiceBus/*/receive/action
Storage File Data SMB Share Elevated Contributor
- DataActions:
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/readMicrosoft.Storage/storageAccounts/fileServices/fileshares/files/writeMicrosoft.Storage/storageAccounts/fileServices/fileshares/files/deleteMicrosoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action
Blueprint Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Blueprint/blueprints/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/deployments/*Microsoft.Support/*
Desktop Virtualization User
- DataActions:
Microsoft.DesktopVirtualization/applicationGroups/useApplications/action
Private DNS Zone Contributor
- Actions:
Microsoft.Insights/alertRules/*Microsoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*Microsoft.Network/privateDnsZones/*Microsoft.Network/privateDnsOperationResults/*Microsoft.Network/privateDnsOperationStatuses/*Microsoft.Network/virtualNetworks/readMicrosoft.Network/virtualNetworks/join/actionMicrosoft.Authorization/*/read
Storage Blob Delegator
- Actions:
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
Tag Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/resources/readMicrosoft.Resources/subscriptions/resources/readMicrosoft.Resources/deployments/*Microsoft.Insights/alertRules/*Microsoft.Support/*Microsoft.Resources/tags/*
Integration Service Environment Developer
- Actions:
Microsoft.Authorization/*/readMicrosoft.Support/*Microsoft.Logic/integrationServiceEnvironments/readMicrosoft.Logic/integrationServiceEnvironments/*/join/action
Security Assessment Contributor
- Actions:
Microsoft.Security/assessments/write
Remote Rendering Client
- DataActions:
Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/readMicrosoft.MixedReality/RemoteRenderingAccounts/managesessions/actionMicrosoft.MixedReality/RemoteRenderingAccounts/managesessions/deleteMicrosoft.MixedReality/RemoteRenderingAccounts/render/readMicrosoft.MixedReality/RemoteRenderingAccounts/diagnostic/read
Managed Application Contributor Role
- Actions:
*/readMicrosoft.Solutions/applications/*Microsoft.Solutions/register/actionMicrosoft.Resources/subscriptions/resourceGroups/*Microsoft.Resources/deployments/*
Azure Digital Twins Data Owner
- DataActions:
Microsoft.DigitalTwins/eventroutes/*Microsoft.DigitalTwins/digitaltwins/*Microsoft.DigitalTwins/digitaltwins/commands/*Microsoft.DigitalTwins/digitaltwins/relationships/*Microsoft.DigitalTwins/models/*Microsoft.DigitalTwins/query/*
Hierarchy Settings Administrator
- Actions:
Microsoft.Management/managementGroups/settings/writeMicrosoft.Management/managementGroups/settings/delete
Azure Digital Twins Data Reader
- DataActions:
Microsoft.DigitalTwins/digitaltwins/readMicrosoft.DigitalTwins/digitaltwins/relationships/readMicrosoft.DigitalTwins/eventroutes/readMicrosoft.DigitalTwins/models/readMicrosoft.DigitalTwins/query/action
Integration Service Environment Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Support/*Microsoft.Logic/integrationServiceEnvironments/*
Azure Kubernetes Service Contributor Role
- Actions:
Microsoft.ContainerService/managedClusters/readMicrosoft.ContainerService/managedClusters/writeMicrosoft.Resources/deployments/*
App Configuration Data Reader
- DataActions:
Microsoft.AppConfiguration/configurationStores/*/read
Kubernetes Cluster - Azure Arc Onboarding
- Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Resources/deployments/writeMicrosoft.Resources/subscriptions/operationresults/readMicrosoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Kubernetes/connectedClusters/WriteMicrosoft.Kubernetes/connectedClusters/readMicrosoft.Support/*
App Configuration Data Owner
- DataActions:
Microsoft.AppConfiguration/configurationStores/*/readMicrosoft.AppConfiguration/configurationStores/*/writeMicrosoft.AppConfiguration/configurationStores/*/delete
Azure Connected Machine Resource Administrator
- Actions:
Microsoft.HybridCompute/machines/readMicrosoft.HybridCompute/machines/writeMicrosoft.HybridCompute/machines/deleteMicrosoft.HybridCompute/machines/UpgradeExtensions/actionMicrosoft.HybridCompute/machines/extensions/readMicrosoft.HybridCompute/machines/extensions/writeMicrosoft.HybridCompute/machines/extensions/deleteMicrosoft.HybridCompute/privateLinkScopes/*Microsoft.HybridCompute/*/readMicrosoft.Resources/deployments/*
Managed Services Registration assignment Delete Role
- Actions:
Microsoft.ManagedServices/registrationAssignments/readMicrosoft.ManagedServices/registrationAssignments/deleteMicrosoft.ManagedServices/operationStatuses/read
Experimentation Administrator
-
Actions:
Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Experimentation/experimentWorkspaces/read
-
DataActions:
Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/admin/actionMicrosoft.Experimentation/experimentWorkspaces/experimentationGroups/readMicrosoft.Experimentation/experimentWorkspaces/experimentationGroups/writeMicrosoft.Experimentation/experimentWorkspaces/experimentationGroups/deleteMicrosoft.Experimentation/experimentWorkspaces/experimentationGroups/experimentadmin/actionMicrosoft.Experimentation/experimentWorkspaces/experimentationGroups/experiment/actionMicrosoft.Experimentation/experimentWorkspaces/experimentationGroups/emergencystop/actionMicrosoft.Experimentation/experimentWorkspaces/readMicrosoft.Experimentation/experimentWorkspaces/writeMicrosoft.Experimentation/experimentWorkspaces/deleteMicrosoft.Experimentation/experimentWorkspaces/admin/actionMicrosoft.Experimentation/experimentWorkspaces/metricwrite/actionMicrosoft.Experimentation/experimentWorkspaces/experimentationGroups/metricwrite/action
Remote Rendering Administrator
- DataActions:
Microsoft.MixedReality/RemoteRenderingAccounts/convert/actionMicrosoft.MixedReality/RemoteRenderingAccounts/convert/readMicrosoft.MixedReality/RemoteRenderingAccounts/convert/deleteMicrosoft.MixedReality/RemoteRenderingAccounts/managesessions/readMicrosoft.MixedReality/RemoteRenderingAccounts/managesessions/actionMicrosoft.MixedReality/RemoteRenderingAccounts/managesessions/deleteMicrosoft.MixedReality/RemoteRenderingAccounts/render/readMicrosoft.MixedReality/RemoteRenderingAccounts/diagnostic/read
Cognitive Services QnA Maker Editor
-
Actions:
Microsoft.CognitiveServices/*/readMicrosoft.Authorization/roleAssignments/readMicrosoft.Authorization/roleDefinitions/read
-
DataActions:
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/readMicrosoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/readMicrosoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/writeMicrosoft.CognitiveServices/accounts/QnAMaker/knowledgebases/writeMicrosoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/actionMicrosoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/actionMicrosoft.CognitiveServices/accounts/QnAMaker/alterations/readMicrosoft.CognitiveServices/accounts/QnAMaker/alterations/writeMicrosoft.CognitiveServices/accounts/QnAMaker/endpointkeys/readMicrosoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/actionMicrosoft.CognitiveServices/accounts/QnAMaker/endpointsettings/readMicrosoft.CognitiveServices/accounts/QnAMaker/endpointsettings/writeMicrosoft.CognitiveServices/accounts/QnAMaker/operations/readMicrosoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/readMicrosoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/readMicrosoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/writeMicrosoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/writeMicrosoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/actionMicrosoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/actionMicrosoft.CognitiveServices/accounts/QnAMaker.v2/alterations/readMicrosoft.CognitiveServices/accounts/QnAMaker.v2/alterations/writeMicrosoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/readMicrosoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/actionMicrosoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/readMicrosoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/writeMicrosoft.CognitiveServices/accounts/QnAMaker.v2/operations/readMicrosoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/readMicrosoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/readMicrosoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/create/writeMicrosoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/writeMicrosoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/actionMicrosoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/train/actionMicrosoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/readMicrosoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/writeMicrosoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/readMicrosoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/actionMicrosoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/readMicrosoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/writeMicrosoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read
Experimentation Contributor
-
Actions:
Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Experimentation/experimentWorkspaces/read
-
DataActions:
Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/readMicrosoft.Experimentation/experimentWorkspaces/experimentationGroups/writeMicrosoft.Experimentation/experimentWorkspaces/experimentationGroups/deleteMicrosoft.Experimentation/experimentWorkspaces/experimentationGroups/experiment/actionMicrosoft.Experimentation/experimentWorkspaces/experimentationGroups/emergencystop/actionMicrosoft.Experimentation/experimentWorkspaces/readMicrosoft.Experimentation/experimentWorkspaces/writeMicrosoft.Experimentation/experimentWorkspaces/delete
Cognitive Services QnA Maker Reader
-
Actions:
Microsoft.CognitiveServices/*/readMicrosoft.Authorization/roleAssignments/readMicrosoft.Authorization/roleDefinitions/read
-
DataActions:
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/readMicrosoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/readMicrosoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/actionMicrosoft.CognitiveServices/accounts/QnAMaker/alterations/readMicrosoft.CognitiveServices/accounts/QnAMaker/endpointkeys/readMicrosoft.CognitiveServices/accounts/QnAMaker/endpointsettings/readMicrosoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/readMicrosoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/readMicrosoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/actionMicrosoft.CognitiveServices/accounts/QnAMaker.v2/alterations/readMicrosoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/readMicrosoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/readMicrosoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/readMicrosoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/readMicrosoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/actionMicrosoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/readMicrosoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/readMicrosoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read
SQL Security Manager
- Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/actionMicrosoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Sql/locations/administratorAzureAsyncOperation/readMicrosoft.Sql/managedInstances/databases/currentSensitivityLabels/*Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*Microsoft.Sql/managedInstances/databases/sensitivityLabels/*Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*Microsoft.Sql/managedInstances/securityAlertPolicies/*Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*Microsoft.Sql/managedInstances/vulnerabilityAssessments/*Microsoft.Sql/servers/auditingSettings/*Microsoft.Sql/servers/extendedAuditingSettings/readMicrosoft.Sql/servers/databases/auditingSettings/*Microsoft.Sql/servers/databases/auditRecords/readMicrosoft.Sql/servers/databases/currentSensitivityLabels/*Microsoft.Sql/servers/databases/dataMaskingPolicies/*Microsoft.Sql/servers/databases/extendedAuditingSettings/readMicrosoft.Sql/servers/databases/readMicrosoft.Sql/servers/databases/recommendedSensitivityLabels/*Microsoft.Sql/servers/databases/schemas/readMicrosoft.Sql/servers/databases/schemas/tables/columns/readMicrosoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*Microsoft.Sql/servers/databases/schemas/tables/readMicrosoft.Sql/servers/databases/securityAlertPolicies/*Microsoft.Sql/servers/databases/securityMetrics/*Microsoft.Sql/servers/databases/sensitivityLabels/*Microsoft.Sql/servers/databases/transparentDataEncryption/*Microsoft.Sql/servers/databases/vulnerabilityAssessments/*Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*Microsoft.Sql/servers/devOpsAuditingSettings/*Microsoft.Sql/servers/firewallRules/*Microsoft.Sql/servers/readMicrosoft.Sql/servers/securityAlertPolicies/*Microsoft.Sql/servers/vulnerabilityAssessments/*Microsoft.Support/*Microsoft.Sql/servers/azureADOnlyAuthentications/*Microsoft.Sql/managedInstances/readMicrosoft.Sql/managedInstances/azureADOnlyAuthentications/*Microsoft.Security/sqlVulnerabilityAssessments/*Microsoft.Sql/managedInstances/administrators/readMicrosoft.Sql/servers/administrators/read
Storage Account Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Insights/diagnosticSettings/*Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/actionMicrosoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Storage/storageAccounts/*Microsoft.Support/*
SQL DB Contributor
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Sql/locations/*/readMicrosoft.Sql/servers/databases/*Microsoft.Sql/servers/readMicrosoft.Support/*Microsoft.Insights/metrics/readMicrosoft.Insights/metricDefinitions/read
-
NotActions:
Microsoft.Sql/servers/databases/ledgerDigestUploads/writeMicrosoft.Sql/servers/databases/ledgerDigestUploads/disable/actionMicrosoft.Sql/managedInstances/databases/currentSensitivityLabels/*Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*Microsoft.Sql/managedInstances/databases/sensitivityLabels/*Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*Microsoft.Sql/managedInstances/securityAlertPolicies/*Microsoft.Sql/managedInstances/vulnerabilityAssessments/*Microsoft.Sql/servers/databases/auditingSettings/*Microsoft.Sql/servers/databases/auditRecords/readMicrosoft.Sql/servers/databases/currentSensitivityLabels/*Microsoft.Sql/servers/databases/dataMaskingPolicies/*Microsoft.Sql/servers/databases/extendedAuditingSettings/*Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*Microsoft.Sql/servers/databases/securityAlertPolicies/*Microsoft.Sql/servers/databases/securityMetrics/*Microsoft.Sql/servers/databases/sensitivityLabels/*Microsoft.Sql/servers/databases/vulnerabilityAssessments/*Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*Microsoft.Sql/servers/vulnerabilityAssessments/*
Spatial Anchors Account Owner
- DataActions:
Microsoft.MixedReality/SpatialAnchorsAccounts/create/actionMicrosoft.MixedReality/SpatialAnchorsAccounts/deleteMicrosoft.MixedReality/SpatialAnchorsAccounts/discovery/readMicrosoft.MixedReality/SpatialAnchorsAccounts/properties/readMicrosoft.MixedReality/SpatialAnchorsAccounts/query/readMicrosoft.MixedReality/SpatialAnchorsAccounts/submitdiag/readMicrosoft.MixedReality/SpatialAnchorsAccounts/write
SQL Managed Instance Contributor
-
Actions:
Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Network/networkSecurityGroups/*Microsoft.Network/routeTables/*Microsoft.Sql/locations/*/readMicrosoft.Sql/locations/instanceFailoverGroups/*Microsoft.Sql/managedInstances/*Microsoft.Support/*Microsoft.Network/virtualNetworks/subnets/*Microsoft.Network/virtualNetworks/*Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Insights/metrics/readMicrosoft.Insights/metricDefinitions/read
-
NotActions:
Microsoft.Sql/managedInstances/azureADOnlyAuthentications/deleteMicrosoft.Sql/managedInstances/azureADOnlyAuthentications/write
Storage Blob Data Owner
-
Actions:
Microsoft.Storage/storageAccounts/blobServices/containers/*Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
-
DataActions:
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*
Storage Blob Data Reader
-
Actions:
Microsoft.Storage/storageAccounts/blobServices/containers/readMicrosoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
-
DataActions:
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Storage Blob Data Contributor
-
Actions:
Microsoft.Storage/storageAccounts/blobServices/containers/deleteMicrosoft.Storage/storageAccounts/blobServices/containers/readMicrosoft.Storage/storageAccounts/blobServices/containers/writeMicrosoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
-
DataActions:
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteMicrosoft.Storage/storageAccounts/blobServices/containers/blobs/readMicrosoft.Storage/storageAccounts/blobServices/containers/blobs/writeMicrosoft.Storage/storageAccounts/blobServices/containers/blobs/move/actionMicrosoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
SQL Server Contributor
-
Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Sql/locations/*/readMicrosoft.Sql/servers/*Microsoft.Support/*Microsoft.Insights/metrics/readMicrosoft.Insights/metricDefinitions/read
-
NotActions:
Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*Microsoft.Sql/managedInstances/databases/sensitivityLabels/*Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*Microsoft.Sql/managedInstances/securityAlertPolicies/*Microsoft.Sql/managedInstances/vulnerabilityAssessments/*Microsoft.Sql/servers/auditingSettings/*Microsoft.Sql/servers/databases/auditingSettings/*Microsoft.Sql/servers/databases/auditRecords/readMicrosoft.Sql/servers/databases/currentSensitivityLabels/*Microsoft.Sql/servers/databases/dataMaskingPolicies/*Microsoft.Sql/servers/databases/extendedAuditingSettings/*Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*Microsoft.Sql/servers/databases/securityAlertPolicies/*Microsoft.Sql/servers/databases/securityMetrics/*Microsoft.Sql/servers/databases/sensitivityLabels/*Microsoft.Sql/servers/databases/vulnerabilityAssessments/*Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*Microsoft.Sql/servers/devOpsAuditingSettings/*Microsoft.Sql/servers/extendedAuditingSettings/*Microsoft.Sql/servers/securityAlertPolicies/*Microsoft.Sql/servers/vulnerabilityAssessments/*Microsoft.Sql/servers/azureADOnlyAuthentications/deleteMicrosoft.Sql/servers/azureADOnlyAuthentications/write
Storage Account Key Operator Service Role
- Actions:
Microsoft.Storage/storageAccounts/listkeys/actionMicrosoft.Storage/storageAccounts/regeneratekey/action
Security Manager (Legacy)
- Actions:
Microsoft.Authorization/*/readMicrosoft.ClassicCompute/*/readMicrosoft.ClassicCompute/virtualMachines/*/writeMicrosoft.ClassicNetwork/*/readMicrosoft.Insights/alertRules/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Security/*Microsoft.Support/*
Security Reader
- Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/readMicrosoft.operationalInsights/workspaces/*/readMicrosoft.Resources/deployments/*/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Security/*/readMicrosoft.IoTSecurity/*/readMicrosoft.Support/*/readMicrosoft.Security/iotDefenderSettings/packageDownloads/actionMicrosoft.Security/iotDefenderSettings/downloadManagerActivation/actionMicrosoft.Security/iotSensors/downloadResetPassword/actionMicrosoft.IoTSecurity/defenderSettings/packageDownloads/actionMicrosoft.IoTSecurity/defenderSettings/downloadManagerActivation/actionMicrosoft.Management/managementGroups/read
Security Admin
- Actions:
Microsoft.Authorization/*/readMicrosoft.Authorization/policyAssignments/*Microsoft.Authorization/policyDefinitions/*Microsoft.Authorization/policyExemptions/*Microsoft.Authorization/policySetDefinitions/*Microsoft.Insights/alertRules/*Microsoft.Management/managementGroups/readMicrosoft.operationalInsights/workspaces/*/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Security/*Microsoft.IoTSecurity/*Microsoft.Support/*
Scheduler Job Collections Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Scheduler/jobcollections/*Microsoft.Support/*
Search Service Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Search/searchServices/*Microsoft.Support/*
Spatial Anchors Account Reader
- DataActions:
Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/readMicrosoft.MixedReality/SpatialAnchorsAccounts/properties/readMicrosoft.MixedReality/SpatialAnchorsAccounts/query/readMicrosoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read
Site Recovery Reader
- Actions:
Microsoft.Authorization/*/readMicrosoft.RecoveryServices/locations/allocatedStamp/readMicrosoft.RecoveryServices/Vaults/extendedInformation/readMicrosoft.RecoveryServices/Vaults/monitoringAlerts/readMicrosoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/readMicrosoft.RecoveryServices/Vaults/readMicrosoft.RecoveryServices/Vaults/refreshContainers/readMicrosoft.RecoveryServices/Vaults/registeredIdentities/operationResults/readMicrosoft.RecoveryServices/Vaults/registeredIdentities/readMicrosoft.RecoveryServices/vaults/replicationAlertSettings/readMicrosoft.RecoveryServices/vaults/replicationEvents/readMicrosoft.RecoveryServices/vaults/replicationFabrics/readMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/readMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/readMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/readMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/readMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/readMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/readMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/readMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/readMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/readMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/readMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/readMicrosoft.RecoveryServices/vaults/replicationJobs/readMicrosoft.RecoveryServices/vaults/replicationPolicies/readMicrosoft.RecoveryServices/vaults/replicationRecoveryPlans/readMicrosoft.RecoveryServices/vaults/replicationVaultSettings/readMicrosoft.RecoveryServices/Vaults/storageConfig/readMicrosoft.RecoveryServices/Vaults/tokenInfo/readMicrosoft.RecoveryServices/Vaults/usages/readMicrosoft.RecoveryServices/Vaults/vaultTokens/readMicrosoft.Support/*
Site Recovery Operator
- Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Network/virtualNetworks/readMicrosoft.RecoveryServices/locations/allocatedStamp/readMicrosoft.RecoveryServices/locations/allocateStamp/actionMicrosoft.RecoveryServices/Vaults/extendedInformation/readMicrosoft.RecoveryServices/Vaults/readMicrosoft.RecoveryServices/Vaults/refreshContainers/readMicrosoft.RecoveryServices/Vaults/registeredIdentities/operationResults/readMicrosoft.RecoveryServices/Vaults/registeredIdentities/readMicrosoft.RecoveryServices/vaults/replicationAlertSettings/readMicrosoft.RecoveryServices/vaults/replicationEvents/readMicrosoft.RecoveryServices/vaults/replicationFabrics/checkConsistency/actionMicrosoft.RecoveryServices/vaults/replicationFabrics/readMicrosoft.RecoveryServices/vaults/replicationFabrics/reassociateGateway/actionMicrosoft.RecoveryServices/vaults/replicationFabrics/renewcertificate/actionMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/readMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/readMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/readMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/readMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/applyRecoveryPoint/actionMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCommit/actionMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/actionMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/readMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/readMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/repairReplication/actionMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/reProtect/actionMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/switchprotection/actionMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/actionMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailoverCleanup/actionMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/actionMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateMobilityService/actionMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/readMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/readMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/refreshProvider/actionMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/readMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/readMicrosoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/readMicrosoft.RecoveryServices/vaults/replicationJobs/*Microsoft.RecoveryServices/vaults/replicationPolicies/readMicrosoft.RecoveryServices/vaults/replicationRecoveryPlans/failoverCommit/actionMicrosoft.RecoveryServices/vaults/replicationRecoveryPlans/plannedFailover/actionMicrosoft.RecoveryServices/vaults/replicationRecoveryPlans/readMicrosoft.RecoveryServices/vaults/replicationRecoveryPlans/reProtect/actionMicrosoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailover/actionMicrosoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailoverCleanup/actionMicrosoft.RecoveryServices/vaults/replicationRecoveryPlans/unplannedFailover/actionMicrosoft.RecoveryServices/vaults/replicationVaultSettings/readMicrosoft.RecoveryServices/Vaults/monitoringAlerts/*Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/readMicrosoft.RecoveryServices/Vaults/storageConfig/readMicrosoft.RecoveryServices/Vaults/tokenInfo/readMicrosoft.RecoveryServices/Vaults/usages/readMicrosoft.RecoveryServices/Vaults/vaultTokens/readMicrosoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Storage/storageAccounts/readMicrosoft.Support/*
Spatial Anchors Account Contributor
- DataActions:
Microsoft.MixedReality/SpatialAnchorsAccounts/create/actionMicrosoft.MixedReality/SpatialAnchorsAccounts/discovery/readMicrosoft.MixedReality/SpatialAnchorsAccounts/properties/readMicrosoft.MixedReality/SpatialAnchorsAccounts/query/readMicrosoft.MixedReality/SpatialAnchorsAccounts/submitdiag/readMicrosoft.MixedReality/SpatialAnchorsAccounts/write
Site Recovery Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Network/virtualNetworks/readMicrosoft.RecoveryServices/locations/allocatedStamp/readMicrosoft.RecoveryServices/locations/allocateStamp/actionMicrosoft.RecoveryServices/Vaults/certificates/writeMicrosoft.RecoveryServices/Vaults/extendedInformation/*Microsoft.RecoveryServices/Vaults/readMicrosoft.RecoveryServices/Vaults/refreshContainers/readMicrosoft.RecoveryServices/Vaults/registeredIdentities/*Microsoft.RecoveryServices/vaults/replicationAlertSettings/*Microsoft.RecoveryServices/vaults/replicationEvents/readMicrosoft.RecoveryServices/vaults/replicationFabrics/*Microsoft.RecoveryServices/vaults/replicationJobs/*Microsoft.RecoveryServices/vaults/replicationPolicies/*Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/*Microsoft.RecoveryServices/vaults/replicationVaultSettings/*Microsoft.RecoveryServices/Vaults/storageConfig/*Microsoft.RecoveryServices/Vaults/tokenInfo/readMicrosoft.RecoveryServices/Vaults/usages/readMicrosoft.RecoveryServices/Vaults/vaultTokens/readMicrosoft.RecoveryServices/Vaults/monitoringAlerts/*Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/readMicrosoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Storage/storageAccounts/readMicrosoft.RecoveryServices/vaults/replicationOperationStatus/readMicrosoft.Support/*
Azure Event Hubs Data Owner
-
Actions:
Microsoft.EventHub/*
-
DataActions:
Microsoft.EventHub/*
Attestation Contributor
- Actions:
Microsoft.Attestation/attestationProviders/attestation/readMicrosoft.Attestation/attestationProviders/attestation/writeMicrosoft.Attestation/attestationProviders/attestation/delete
Azure Service Bus Data Owner
-
Actions:
Microsoft.ServiceBus/*
-
DataActions:
Microsoft.ServiceBus/*
Web Plan Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*Microsoft.Web/serverFarms/*Microsoft.Web/hostingEnvironments/Join/Action
Website Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Insights/components/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*Microsoft.Web/certificates/*Microsoft.Web/listSitesAssignedToHostName/readMicrosoft.Web/serverFarms/join/actionMicrosoft.Web/serverFarms/readMicrosoft.Web/sites/*
Hybrid Server Onboarding
- Actions:
Microsoft.HybridCompute/machines/readMicrosoft.HybridCompute/machines/write
Azure Event Hubs Data Receiver
-
Actions:
Microsoft.EventHub/*/eventhubs/consumergroups/read
-
DataActions:
Microsoft.EventHub/*/receive/action
Hybrid Server Resource Administrator
- Actions:
Microsoft.HybridCompute/machines/*Microsoft.HybridCompute/*/read
HDInsight Cluster Operator
- Actions:
Microsoft.HDInsight/*/readMicrosoft.HDInsight/clusters/getGatewaySettings/actionMicrosoft.HDInsight/clusters/updateGatewaySettings/actionMicrosoft.HDInsight/clusters/configurations/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/deployments/operations/readMicrosoft.Insights/alertRules/*Microsoft.Authorization/*/readMicrosoft.Support/*
Cosmos DB Operator
-
Actions:
Microsoft.DocumentDb/databaseAccounts/*Microsoft.Insights/alertRules/*Microsoft.Authorization/*/readMicrosoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action
-
NotActions:
Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*Microsoft.DocumentDB/databaseAccounts/regenerateKey/*Microsoft.DocumentDB/databaseAccounts/listKeys/*Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/writeMicrosoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/deleteMicrosoft.DocumentDB/databaseAccounts/sqlRoleAssignments/writeMicrosoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete
Storage Queue Data Reader
-
Actions:
Microsoft.Storage/storageAccounts/queueServices/queues/read
-
DataActions:
Microsoft.Storage/storageAccounts/queueServices/queues/messages/read
Support Request Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
Storage Queue Data Message Sender
- DataActions:
Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action
Storage Queue Data Contributor
-
Actions:
Microsoft.Storage/storageAccounts/queueServices/queues/deleteMicrosoft.Storage/storageAccounts/queueServices/queues/readMicrosoft.Storage/storageAccounts/queueServices/queues/write
-
DataActions:
Microsoft.Storage/storageAccounts/queueServices/queues/messages/deleteMicrosoft.Storage/storageAccounts/queueServices/queues/messages/readMicrosoft.Storage/storageAccounts/queueServices/queues/messages/writeMicrosoft.Storage/storageAccounts/queueServices/queues/messages/process/action
Storage Queue Data Message Processor
- DataActions:
Microsoft.Storage/storageAccounts/queueServices/queues/messages/readMicrosoft.Storage/storageAccounts/queueServices/queues/messages/process/action
Virtual Machine User Login
-
Actions:
Microsoft.Network/publicIPAddresses/readMicrosoft.Network/virtualNetworks/readMicrosoft.Network/loadBalancers/readMicrosoft.Network/networkInterfaces/readMicrosoft.Compute/virtualMachines/*/readMicrosoft.HybridCompute/machines/*/readMicrosoft.HybridConnectivity/endpoints/listCredentials/action
-
DataActions:
Microsoft.Compute/virtualMachines/login/actionMicrosoft.HybridCompute/machines/login/action
Virtual Machine Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Compute/availabilitySets/*Microsoft.Compute/locations/*Microsoft.Compute/virtualMachines/*Microsoft.Compute/virtualMachineScaleSets/*Microsoft.Compute/cloudServices/*Microsoft.Compute/disks/writeMicrosoft.Compute/disks/readMicrosoft.Compute/disks/deleteMicrosoft.DevTestLab/schedules/*Microsoft.Insights/alertRules/*Microsoft.Network/applicationGateways/backendAddressPools/join/actionMicrosoft.Network/loadBalancers/backendAddressPools/join/actionMicrosoft.Network/loadBalancers/inboundNatPools/join/actionMicrosoft.Network/loadBalancers/inboundNatRules/join/actionMicrosoft.Network/loadBalancers/probes/join/actionMicrosoft.Network/loadBalancers/readMicrosoft.Network/locations/*Microsoft.Network/networkInterfaces/*Microsoft.Network/networkSecurityGroups/join/actionMicrosoft.Network/networkSecurityGroups/readMicrosoft.Network/publicIPAddresses/join/actionMicrosoft.Network/publicIPAddresses/readMicrosoft.Network/virtualNetworks/readMicrosoft.Network/virtualNetworks/subnets/join/actionMicrosoft.RecoveryServices/locations/*Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/writeMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/writeMicrosoft.RecoveryServices/Vaults/backupPolicies/readMicrosoft.RecoveryServices/Vaults/backupPolicies/writeMicrosoft.RecoveryServices/Vaults/readMicrosoft.RecoveryServices/Vaults/usages/readMicrosoft.RecoveryServices/Vaults/writeMicrosoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.SerialConsole/serialPorts/connect/actionMicrosoft.SqlVirtualMachine/*Microsoft.Storage/storageAccounts/listKeys/actionMicrosoft.Storage/storageAccounts/readMicrosoft.Support/*
User Access Administrator
- Actions:
*/readMicrosoft.Authorization/*Microsoft.Support/*
Traffic Manager Contributor
- Actions:
Microsoft.Authorization/*/readMicrosoft.Insights/alertRules/*Microsoft.Network/trafficManagerProfiles/*Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.Resources/deployments/*Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Support/*
Virtual Machine Administrator Login
-
Actions:
Microsoft.Network/publicIPAddresses/readMicrosoft.Network/virtualNetworks/readMicrosoft.Network/loadBalancers/readMicrosoft.Network/networkInterfaces/readMicrosoft.Compute/virtualMachines/*/readMicrosoft.HybridCompute/machines/*/readMicrosoft.HybridConnectivity/endpoints/listCredentials/action
-
DataActions:
Microsoft.Compute/virtualMachines/login/actionMicrosoft.Compute/virtualMachines/loginAsAdmin/actionMicrosoft.HybridCompute/machines/login/actionMicrosoft.HybridCompute/machines/loginAsAdmin/action
Azure AD Role Definitions
Application Administrator
microsoft.directory/applications/createmicrosoft.directory/applications/deletemicrosoft.directory/applications/applicationProxy/readmicrosoft.directory/applications/applicationProxy/updatemicrosoft.directory/applications/applicationProxyAuthentication/updatemicrosoft.directory/applications/applicationProxySslCertificate/updatemicrosoft.directory/applications/applicationProxyUrlSettings/updatemicrosoft.directory/applications/appRoles/updatemicrosoft.directory/applications/audience/updatemicrosoft.directory/applications/authentication/updatemicrosoft.directory/applications/basic/updatemicrosoft.directory/applications/credentials/updatemicrosoft.directory/applications/extensionProperties/updatemicrosoft.directory/applications/notes/updatemicrosoft.directory/applications/owners/updatemicrosoft.directory/applications/permissions/updatemicrosoft.directory/applications/policies/updatemicrosoft.directory/applications/tag/updatemicrosoft.directory/applications/verification/updatemicrosoft.directory/applications/synchronization/standard/readmicrosoft.directory/applicationTemplates/instantiatemicrosoft.directory/auditLogs/allProperties/readmicrosoft.directory/connectors/createmicrosoft.directory/connectors/allProperties/readmicrosoft.directory/connectorGroups/createmicrosoft.directory/connectorGroups/deletemicrosoft.directory/connectorGroups/allProperties/readmicrosoft.directory/connectorGroups/allProperties/updatemicrosoft.directory/customAuthenticationExtensions/allProperties/allTasksmicrosoft.directory/deletedItems.applications/deletemicrosoft.directory/deletedItems.applications/restoremicrosoft.directory/oAuth2PermissionGrants/allProperties/allTasksmicrosoft.directory/applicationPolicies/createmicrosoft.directory/applicationPolicies/deletemicrosoft.directory/applicationPolicies/standard/readmicrosoft.directory/applicationPolicies/owners/readmicrosoft.directory/applicationPolicies/policyAppliedTo/readmicrosoft.directory/applicationPolicies/basic/updatemicrosoft.directory/applicationPolicies/owners/updatemicrosoft.directory/provisioningLogs/allProperties/readmicrosoft.directory/servicePrincipals/createmicrosoft.directory/servicePrincipals/deletemicrosoft.directory/servicePrincipals/disablemicrosoft.directory/servicePrincipals/enablemicrosoft.directory/servicePrincipals/getPasswordSingleSignOnCredentialsmicrosoft.directory/servicePrincipals/synchronizationCredentials/managemicrosoft.directory/servicePrincipals/synchronizationJobs/managemicrosoft.directory/servicePrincipals/synchronizationSchema/managemicrosoft.directory/servicePrincipals/managePasswordSingleSignOnCredentialsmicrosoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-application-adminmicrosoft.directory/servicePrincipals/appRoleAssignedTo/updatemicrosoft.directory/servicePrincipals/audience/updatemicrosoft.directory/servicePrincipals/authentication/updatemicrosoft.directory/servicePrincipals/basic/updatemicrosoft.directory/servicePrincipals/credentials/updatemicrosoft.directory/servicePrincipals/notes/updatemicrosoft.directory/servicePrincipals/owners/updatemicrosoft.directory/servicePrincipals/permissions/updatemicrosoft.directory/servicePrincipals/policies/updatemicrosoft.directory/servicePrincipals/tag/updatemicrosoft.directory/servicePrincipals/synchronization/standard/readmicrosoft.directory/signInReports/allProperties/readmicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Application Developer
microsoft.directory/applications/createAsOwnermicrosoft.directory/oAuth2PermissionGrants/createAsOwnermicrosoft.directory/servicePrincipals/createAsOwner
Attack Payload Author
microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/allTasksmicrosoft.office365.protectionCenter/attackSimulator/reports/allProperties/read
Attack Simulation Administrator
microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/allTasksmicrosoft.office365.protectionCenter/attackSimulator/reports/allProperties/readmicrosoft.office365.protectionCenter/attackSimulator/simulation/allProperties/allTasks
Attribute Assignment Administrator
microsoft.directory/attributeSets/allProperties/readmicrosoft.directory/customSecurityAttributeDefinitions/allProperties/readmicrosoft.directory/devices/customSecurityAttributes/readmicrosoft.directory/devices/customSecurityAttributes/updatemicrosoft.directory/servicePrincipals/customSecurityAttributes/readmicrosoft.directory/servicePrincipals/customSecurityAttributes/updatemicrosoft.directory/users/customSecurityAttributes/readmicrosoft.directory/users/customSecurityAttributes/update
Attribute Assignment Reader
microsoft.directory/attributeSets/allProperties/readmicrosoft.directory/customSecurityAttributeDefinitions/allProperties/readmicrosoft.directory/devices/customSecurityAttributes/readmicrosoft.directory/servicePrincipals/customSecurityAttributes/readmicrosoft.directory/users/customSecurityAttributes/read
Attribute Definition Administrator
microsoft.directory/attributeSets/allProperties/allTasksmicrosoft.directory/customSecurityAttributeDefinitions/allProperties/allTasks
Attribute Definition Reader
microsoft.directory/attributeSets/allProperties/readmicrosoft.directory/customSecurityAttributeDefinitions/allProperties/read
Authentication Administrator
microsoft.directory/users/authenticationMethods/createmicrosoft.directory/users/authenticationMethods/deletemicrosoft.directory/users/authenticationMethods/standard/restrictedReadmicrosoft.directory/users/authenticationMethods/basic/updatemicrosoft.directory/users/invalidateAllRefreshTokensmicrosoft.directory/users/password/updatemicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Authentication Policy Administrator
microsoft.directory/organization/strongAuthentication/allTasksmicrosoft.directory/userCredentialPolicies/createmicrosoft.directory/userCredentialPolicies/deletemicrosoft.directory/userCredentialPolicies/standard/readmicrosoft.directory/userCredentialPolicies/owners/readmicrosoft.directory/userCredentialPolicies/policyAppliedTo/readmicrosoft.directory/userCredentialPolicies/basic/updatemicrosoft.directory/userCredentialPolicies/owners/updatemicrosoft.directory/userCredentialPolicies/tenantDefault/updatemicrosoft.directory/verifiableCredentials/configuration/contracts/cards/allProperties/readmicrosoft.directory/verifiableCredentials/configuration/contracts/cards/revokemicrosoft.directory/verifiableCredentials/configuration/contracts/createmicrosoft.directory/verifiableCredentials/configuration/contracts/allProperties/readmicrosoft.directory/verifiableCredentials/configuration/contracts/allProperties/updatemicrosoft.directory/verifiableCredentials/configuration/createmicrosoft.directory/verifiableCredentials/configuration/deletemicrosoft.directory/verifiableCredentials/configuration/allProperties/readmicrosoft.directory/verifiableCredentials/configuration/allProperties/updatemicrosoft.azure.supportTickets/allEntities/allTasks
Azure AD Joined Device Local Administrator
microsoft.directory/groupSettings/standard/readmicrosoft.directory/groupSettingTemplates/standard/read
Azure DevOps Administrator
microsoft.azure.devOps/allEntities/allTasks
Azure Information Protection Administrator
microsoft.directory/authorizationPolicy/standard/readmicrosoft.azure.informationProtection/allEntities/allTasksmicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
B2C IEF Keyset Administrator
microsoft.directory/b2cTrustFrameworkKeySet/allProperties/allTasks
B2C IEF Policy Administrator
microsoft.directory/b2cTrustFrameworkPolicy/allProperties/allTasks
Billing Administrator
microsoft.directory/organization/basic/updatemicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.commerce.billing/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Cloud App Security Administrator
microsoft.directory/cloudAppSecurity/allProperties/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Cloud Application Administrator
microsoft.directory/applications/createmicrosoft.directory/applications/deletemicrosoft.directory/applications/appRoles/updatemicrosoft.directory/applications/audience/updatemicrosoft.directory/applications/authentication/updatemicrosoft.directory/applications/basic/updatemicrosoft.directory/applications/credentials/updatemicrosoft.directory/applications/extensionProperties/updatemicrosoft.directory/applications/notes/updatemicrosoft.directory/applications/owners/updatemicrosoft.directory/applications/permissions/updatemicrosoft.directory/applications/policies/updatemicrosoft.directory/applications/tag/updatemicrosoft.directory/applications/verification/updatemicrosoft.directory/applications/synchronization/standard/readmicrosoft.directory/applicationTemplates/instantiatemicrosoft.directory/auditLogs/allProperties/readmicrosoft.directory/deletedItems.applications/deletemicrosoft.directory/deletedItems.applications/restoremicrosoft.directory/oAuth2PermissionGrants/allProperties/allTasksmicrosoft.directory/applicationPolicies/createmicrosoft.directory/applicationPolicies/deletemicrosoft.directory/applicationPolicies/standard/readmicrosoft.directory/applicationPolicies/owners/readmicrosoft.directory/applicationPolicies/policyAppliedTo/readmicrosoft.directory/applicationPolicies/basic/updatemicrosoft.directory/applicationPolicies/owners/updatemicrosoft.directory/provisioningLogs/allProperties/readmicrosoft.directory/servicePrincipals/createmicrosoft.directory/servicePrincipals/deletemicrosoft.directory/servicePrincipals/disablemicrosoft.directory/servicePrincipals/enablemicrosoft.directory/servicePrincipals/getPasswordSingleSignOnCredentialsmicrosoft.directory/servicePrincipals/synchronizationCredentials/managemicrosoft.directory/servicePrincipals/synchronizationJobs/managemicrosoft.directory/servicePrincipals/synchronizationSchema/managemicrosoft.directory/servicePrincipals/managePasswordSingleSignOnCredentialsmicrosoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-application-adminmicrosoft.directory/servicePrincipals/appRoleAssignedTo/updatemicrosoft.directory/servicePrincipals/audience/updatemicrosoft.directory/servicePrincipals/authentication/updatemicrosoft.directory/servicePrincipals/basic/updatemicrosoft.directory/servicePrincipals/credentials/updatemicrosoft.directory/servicePrincipals/notes/updatemicrosoft.directory/servicePrincipals/owners/updatemicrosoft.directory/servicePrincipals/permissions/updatemicrosoft.directory/servicePrincipals/policies/updatemicrosoft.directory/servicePrincipals/tag/updatemicrosoft.directory/servicePrincipals/synchronization/standard/readmicrosoft.directory/signInReports/allProperties/readmicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Cloud Device Administrator
microsoft.directory/auditLogs/allProperties/readmicrosoft.directory/authorizationPolicy/standard/readmicrosoft.directory/bitlockerKeys/key/readmicrosoft.directory/devices/deletemicrosoft.directory/devices/disablemicrosoft.directory/devices/enablemicrosoft.directory/deviceManagementPolicies/standard/readmicrosoft.directory/deviceManagementPolicies/basic/updatemicrosoft.directory/deviceRegistrationPolicy/standard/readmicrosoft.directory/deviceRegistrationPolicy/basic/updatemicrosoft.directory/signInReports/allProperties/readmicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasks
Compliance Administrator
microsoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.directory/entitlementManagement/allProperties/readmicrosoft.office365.complianceManager/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Compliance Data Administrator
microsoft.directory/authorizationPolicy/standard/readmicrosoft.directory/cloudAppSecurity/allProperties/allTasksmicrosoft.azure.informationProtection/allEntities/allTasksmicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.office365.complianceManager/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Conditional Access Administrator
microsoft.directory/conditionalAccessPolicies/createmicrosoft.directory/conditionalAccessPolicies/deletemicrosoft.directory/conditionalAccessPolicies/standard/readmicrosoft.directory/conditionalAccessPolicies/owners/readmicrosoft.directory/conditionalAccessPolicies/policyAppliedTo/readmicrosoft.directory/conditionalAccessPolicies/basic/updatemicrosoft.directory/conditionalAccessPolicies/owners/updatemicrosoft.directory/conditionalAccessPolicies/tenantDefault/updatemicrosoft.directory/crossTenantAccessPolicies/createmicrosoft.directory/crossTenantAccessPolicies/deletemicrosoft.directory/crossTenantAccessPolicies/standard/readmicrosoft.directory/crossTenantAccessPolicies/owners/readmicrosoft.directory/crossTenantAccessPolicies/policyAppliedTo/readmicrosoft.directory/crossTenantAccessPolicies/basic/updatemicrosoft.directory/crossTenantAccessPolicies/owners/updatemicrosoft.directory/crossTenantAccessPolicies/tenantDefault/update
Customer LockBox Access Approver
microsoft.office365.lockbox/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Desktop Analytics Administrator
microsoft.directory/authorizationPolicy/standard/readmicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.office365.desktopAnalytics/allEntities/allTasks
Device Join
Device Managers
microsoft.directory/devices/standard/readmicrosoft.directory/devices/memberOf/readmicrosoft.directory/devices/registeredOwners/readmicrosoft.directory/devices/registeredUsers/readmicrosoft.directory/devices/basic/updatemicrosoft.directory/devices/extensionAttributeSet1/updatemicrosoft.directory/devices/extensionAttributeSet2/updatemicrosoft.directory/devices/extensionAttributeSet3/updatemicrosoft.directory/devices/registeredOwners/updatemicrosoft.directory/devices/registeredUsers/update
Device Users
Directory Readers
microsoft.directory/administrativeUnits/standard/readmicrosoft.directory/administrativeUnits/members/readmicrosoft.directory/applications/standard/readmicrosoft.directory/applications/owners/readmicrosoft.directory/applications/policies/readmicrosoft.directory/contacts/standard/readmicrosoft.directory/contacts/memberOf/readmicrosoft.directory/contracts/standard/readmicrosoft.directory/devices/standard/readmicrosoft.directory/devices/memberOf/readmicrosoft.directory/devices/registeredOwners/readmicrosoft.directory/devices/registeredUsers/readmicrosoft.directory/directoryRoles/standard/readmicrosoft.directory/directoryRoles/eligibleMembers/readmicrosoft.directory/directoryRoles/members/readmicrosoft.directory/domains/standard/readmicrosoft.directory/groups/standard/readmicrosoft.directory/groups/appRoleAssignments/readmicrosoft.directory/groups/memberOf/readmicrosoft.directory/groups/members/readmicrosoft.directory/groups/owners/readmicrosoft.directory/groups/settings/readmicrosoft.directory/groupSettings/standard/readmicrosoft.directory/groupSettingTemplates/standard/readmicrosoft.directory/oAuth2PermissionGrants/standard/readmicrosoft.directory/organization/standard/readmicrosoft.directory/organization/trustedCAsForPasswordlessAuth/readmicrosoft.directory/applicationPolicies/standard/readmicrosoft.directory/roleAssignments/standard/readmicrosoft.directory/roleDefinitions/standard/readmicrosoft.directory/servicePrincipals/appRoleAssignedTo/readmicrosoft.directory/servicePrincipals/appRoleAssignments/readmicrosoft.directory/servicePrincipals/standard/readmicrosoft.directory/servicePrincipals/memberOf/readmicrosoft.directory/servicePrincipals/oAuth2PermissionGrants/readmicrosoft.directory/servicePrincipals/owners/readmicrosoft.directory/servicePrincipals/ownedObjects/readmicrosoft.directory/servicePrincipals/policies/readmicrosoft.directory/subscribedSkus/standard/readmicrosoft.directory/users/standard/readmicrosoft.directory/users/appRoleAssignments/readmicrosoft.directory/users/deviceForResourceAccount/readmicrosoft.directory/users/directReports/readmicrosoft.directory/users/licenseDetails/readmicrosoft.directory/users/manager/readmicrosoft.directory/users/memberOf/readmicrosoft.directory/users/oAuth2PermissionGrants/readmicrosoft.directory/users/ownedDevices/readmicrosoft.directory/users/ownedObjects/readmicrosoft.directory/users/photo/readmicrosoft.directory/users/registeredDevices/readmicrosoft.directory/users/scopedRoleMemberOf/read
Directory Synchronization Accounts
microsoft.directory/applications/createmicrosoft.directory/applications/deletemicrosoft.directory/applications/appRoles/updatemicrosoft.directory/applications/audience/updatemicrosoft.directory/applications/authentication/updatemicrosoft.directory/applications/basic/updatemicrosoft.directory/applications/credentials/updatemicrosoft.directory/applications/notes/updatemicrosoft.directory/applications/owners/updatemicrosoft.directory/applications/permissions/updatemicrosoft.directory/applications/policies/updatemicrosoft.directory/applications/tag/updatemicrosoft.directory/authorizationPolicy/standard/readmicrosoft.directory/hybridAuthenticationPolicy/allProperties/allTasksmicrosoft.directory/organization/dirSync/updatemicrosoft.directory/passwordHashSync/allProperties/allTasksmicrosoft.directory/policies/createmicrosoft.directory/policies/deletemicrosoft.directory/policies/standard/readmicrosoft.directory/policies/owners/readmicrosoft.directory/policies/policyAppliedTo/readmicrosoft.directory/policies/basic/updatemicrosoft.directory/policies/owners/updatemicrosoft.directory/policies/tenantDefault/updatemicrosoft.directory/servicePrincipals/createmicrosoft.directory/servicePrincipals/deletemicrosoft.directory/servicePrincipals/enablemicrosoft.directory/servicePrincipals/disablemicrosoft.directory/servicePrincipals/getPasswordSingleSignOnCredentialsmicrosoft.directory/servicePrincipals/managePasswordSingleSignOnCredentialsmicrosoft.directory/servicePrincipals/appRoleAssignedTo/readmicrosoft.directory/servicePrincipals/appRoleAssignments/readmicrosoft.directory/servicePrincipals/standard/readmicrosoft.directory/servicePrincipals/memberOf/readmicrosoft.directory/servicePrincipals/oAuth2PermissionGrants/readmicrosoft.directory/servicePrincipals/owners/readmicrosoft.directory/servicePrincipals/ownedObjects/readmicrosoft.directory/servicePrincipals/policies/readmicrosoft.directory/servicePrincipals/appRoleAssignedTo/updatemicrosoft.directory/servicePrincipals/audience/updatemicrosoft.directory/servicePrincipals/authentication/updatemicrosoft.directory/servicePrincipals/basic/updatemicrosoft.directory/servicePrincipals/credentials/updatemicrosoft.directory/servicePrincipals/notes/updatemicrosoft.directory/servicePrincipals/owners/updatemicrosoft.directory/servicePrincipals/permissions/updatemicrosoft.directory/servicePrincipals/policies/updatemicrosoft.directory/servicePrincipals/tag/update
Directory Writers
microsoft.directory/applications/extensionProperties/updatemicrosoft.directory/groups/assignLicensemicrosoft.directory/groups/createmicrosoft.directory/groups/reprocessLicenseAssignmentmicrosoft.directory/groups/basic/updatemicrosoft.directory/groups/classification/updatemicrosoft.directory/groups/dynamicMembershipRule/updatemicrosoft.directory/groups/groupType/updatemicrosoft.directory/groups/members/updatemicrosoft.directory/groups/onPremWriteBack/updatemicrosoft.directory/groups/owners/updatemicrosoft.directory/groups/settings/updatemicrosoft.directory/groups/visibility/updatemicrosoft.directory/groupSettings/createmicrosoft.directory/groupSettings/deletemicrosoft.directory/groupSettings/basic/updatemicrosoft.directory/oAuth2PermissionGrants/createmicrosoft.directory/oAuth2PermissionGrants/basic/updatemicrosoft.directory/servicePrincipals/synchronizationCredentials/managemicrosoft.directory/servicePrincipals/synchronizationJobs/managemicrosoft.directory/servicePrincipals/synchronizationSchema/managemicrosoft.directory/servicePrincipals/managePermissionGrantsForGroup.microsoft-all-application-permissionsmicrosoft.directory/servicePrincipals/appRoleAssignedTo/updatemicrosoft.directory/users/assignLicensemicrosoft.directory/users/createmicrosoft.directory/users/disablemicrosoft.directory/users/enablemicrosoft.directory/users/invalidateAllRefreshTokensmicrosoft.directory/users/inviteGuestmicrosoft.directory/users/reprocessLicenseAssignmentmicrosoft.directory/users/basic/updatemicrosoft.directory/users/manager/updatemicrosoft.directory/users/photo/updatemicrosoft.directory/users/userPrincipalName/update
Domain Name Administrator
microsoft.directory/domains/allProperties/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Dynamics 365 Administrator
microsoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.dynamics365/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Edge Administrator
microsoft.edge/allEntities/allProperties/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Exchange Administrator
microsoft.directory/groups/hiddenMembers/readmicrosoft.directory/groups.unified/createmicrosoft.directory/groups.unified/deletemicrosoft.directory/groups.unified/restoremicrosoft.directory/groups.unified/basic/updatemicrosoft.directory/groups.unified/members/updatemicrosoft.directory/groups.unified/owners/updatemicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.office365.exchange/allEntities/basic/allTasksmicrosoft.office365.network/performance/allProperties/readmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.usageReports/allEntities/allProperties/readmicrosoft.office365.webPortal/allEntities/standard/read
Exchange Recipient Administrator
microsoft.office365.exchange/allRecipients/allProperties/allTasksmicrosoft.office365.exchange/messageTracking/allProperties/allTasksmicrosoft.office365.exchange/migration/allProperties/allTasks
External ID User Flow Administrator
microsoft.directory/b2cUserFlow/allProperties/allTasks
External ID User Flow Attribute Administrator
microsoft.directory/b2cUserAttribute/allProperties/allTasks
External Identity Provider Administrator
microsoft.directory/identityProviders/allProperties/allTasks
Global Administrator
microsoft.directory/accessReviews/allProperties/allTasksmicrosoft.directory/administrativeUnits/allProperties/allTasksmicrosoft.directory/applications/allProperties/allTasksmicrosoft.directory/applications/synchronization/standard/readmicrosoft.directory/applicationTemplates/instantiatemicrosoft.directory/auditLogs/allProperties/readmicrosoft.directory/users/authenticationMethods/createmicrosoft.directory/users/authenticationMethods/deletemicrosoft.directory/users/authenticationMethods/standard/readmicrosoft.directory/users/authenticationMethods/basic/updatemicrosoft.directory/authorizationPolicy/allProperties/allTasksmicrosoft.directory/bitlockerKeys/key/readmicrosoft.directory/cloudAppSecurity/allProperties/allTasksmicrosoft.directory/connectors/createmicrosoft.directory/connectors/allProperties/readmicrosoft.directory/connectorGroups/createmicrosoft.directory/connectorGroups/deletemicrosoft.directory/connectorGroups/allProperties/readmicrosoft.directory/connectorGroups/allProperties/updatemicrosoft.directory/contacts/allProperties/allTasksmicrosoft.directory/contracts/allProperties/allTasksmicrosoft.directory/customAuthenticationExtensions/allProperties/allTasksmicrosoft.directory/deletedItems/deletemicrosoft.directory/deletedItems/restoremicrosoft.directory/devices/allProperties/allTasksmicrosoft.directory/deviceManagementPolicies/standard/readmicrosoft.directory/deviceManagementPolicies/basic/updatemicrosoft.directory/deviceRegistrationPolicy/standard/readmicrosoft.directory/deviceRegistrationPolicy/basic/updatemicrosoft.directory/directoryRoles/allProperties/allTasksmicrosoft.directory/directoryRoleTemplates/allProperties/allTasksmicrosoft.directory/domains/allProperties/allTasksmicrosoft.directory/entitlementManagement/allProperties/allTasksmicrosoft.directory/groups/allProperties/allTasksmicrosoft.directory/groupsAssignableToRoles/createmicrosoft.directory/groupsAssignableToRoles/deletemicrosoft.directory/groupsAssignableToRoles/restoremicrosoft.directory/groupsAssignableToRoles/allProperties/updatemicrosoft.directory/groupSettings/allProperties/allTasksmicrosoft.directory/groupSettingTemplates/allProperties/allTasksmicrosoft.directory/hybridAuthenticationPolicy/allProperties/allTasksmicrosoft.directory/identityProtection/allProperties/allTasksmicrosoft.directory/loginOrganizationBranding/allProperties/allTasksmicrosoft.directory/oAuth2PermissionGrants/allProperties/allTasksmicrosoft.directory/organization/allProperties/allTasksmicrosoft.directory/passwordHashSync/allProperties/allTasksmicrosoft.directory/policies/allProperties/allTasksmicrosoft.directory/conditionalAccessPolicies/allProperties/allTasksmicrosoft.directory/crossTenantAccessPolicies/allProperties/allTasksmicrosoft.directory/privilegedIdentityManagement/allProperties/readmicrosoft.directory/provisioningLogs/allProperties/readmicrosoft.directory/roleAssignments/allProperties/allTasksmicrosoft.directory/roleDefinitions/allProperties/allTasksmicrosoft.directory/scopedRoleMemberships/allProperties/allTasksmicrosoft.directory/serviceAction/activateServicemicrosoft.directory/serviceAction/disableDirectoryFeaturemicrosoft.directory/serviceAction/enableDirectoryFeaturemicrosoft.directory/serviceAction/getAvailableExtentionPropertiesmicrosoft.directory/servicePrincipals/allProperties/allTasksmicrosoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-adminmicrosoft.directory/servicePrincipals/managePermissionGrantsForGroup.microsoft-all-application-permissionsmicrosoft.directory/servicePrincipals/synchronization/standard/readmicrosoft.directory/signInReports/allProperties/readmicrosoft.directory/subscribedSkus/allProperties/allTasksmicrosoft.directory/users/allProperties/allTasksmicrosoft.directory/permissionGrantPolicies/createmicrosoft.directory/permissionGrantPolicies/deletemicrosoft.directory/permissionGrantPolicies/standard/readmicrosoft.directory/permissionGrantPolicies/basic/updatemicrosoft.directory/servicePrincipalCreationPolicies/createmicrosoft.directory/servicePrincipalCreationPolicies/deletemicrosoft.directory/servicePrincipalCreationPolicies/standard/readmicrosoft.directory/servicePrincipalCreationPolicies/basic/updatemicrosoft.directory/verifiableCredentials/configuration/contracts/cards/allProperties/readmicrosoft.directory/verifiableCredentials/configuration/contracts/cards/revokemicrosoft.directory/verifiableCredentials/configuration/contracts/createmicrosoft.directory/verifiableCredentials/configuration/contracts/allProperties/readmicrosoft.directory/verifiableCredentials/configuration/contracts/allProperties/updatemicrosoft.directory/verifiableCredentials/configuration/createmicrosoft.directory/verifiableCredentials/configuration/deletemicrosoft.directory/verifiableCredentials/configuration/allProperties/readmicrosoft.directory/verifiableCredentials/configuration/allProperties/updatemicrosoft.azure.advancedThreatProtection/allEntities/allTasksmicrosoft.azure.informationProtection/allEntities/allTasksmicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.cloudPC/allEntities/allProperties/allTasksmicrosoft.commerce.billing/allEntities/allTasksmicrosoft.dynamics365/allEntities/allTasksmicrosoft.edge/allEntities/allProperties/allTasksmicrosoft.flow/allEntities/allTasksmicrosoft.intune/allEntities/allTasksmicrosoft.office365.complianceManager/allEntities/allTasksmicrosoft.office365.desktopAnalytics/allEntities/allTasksmicrosoft.office365.exchange/allEntities/basic/allTasksmicrosoft.office365.knowledge/contentUnderstanding/allProperties/allTasksmicrosoft.office365.knowledge/contentUnderstanding/analytics/allProperties/readmicrosoft.office365.knowledge/knowledgeNetwork/allProperties/allTasksmicrosoft.office365.knowledge/knowledgeNetwork/topicVisibility/allProperties/allTasksmicrosoft.office365.knowledge/learningSources/allProperties/allTasksmicrosoft.office365.lockbox/allEntities/allTasksmicrosoft.office365.messageCenter/messages/readmicrosoft.office365.messageCenter/securityMessages/readmicrosoft.office365.network/performance/allProperties/readmicrosoft.office365.protectionCenter/allEntities/allProperties/allTasksmicrosoft.office365.search/content/managemicrosoft.office365.securityComplianceCenter/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.sharePoint/allEntities/allTasksmicrosoft.office365.skypeForBusiness/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.usageReports/allEntities/allProperties/readmicrosoft.office365.userCommunication/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/readmicrosoft.office365.yammer/allEntities/allProperties/allTasksmicrosoft.powerApps/allEntities/allTasksmicrosoft.powerApps.powerBI/allEntities/allTasksmicrosoft.teams/allEntities/allProperties/allTasksmicrosoft.windows.defenderAdvancedThreatProtection/allEntities/allTasksmicrosoft.windows.updatesDeployments/allEntities/allProperties/allTasks
Global Reader
microsoft.directory/accessReviews/allProperties/readmicrosoft.directory/administrativeUnits/allProperties/readmicrosoft.directory/applications/allProperties/readmicrosoft.directory/applications/synchronization/standard/readmicrosoft.directory/auditLogs/allProperties/readmicrosoft.directory/users/authenticationMethods/standard/restrictedReadmicrosoft.directory/authorizationPolicy/standard/readmicrosoft.directory/bitlockerKeys/key/readmicrosoft.directory/cloudAppSecurity/allProperties/readmicrosoft.directory/connectors/allProperties/readmicrosoft.directory/connectorGroups/allProperties/readmicrosoft.directory/contacts/allProperties/readmicrosoft.directory/customAuthenticationExtensions/allProperties/readmicrosoft.directory/devices/allProperties/readmicrosoft.directory/directoryRoles/allProperties/readmicrosoft.directory/directoryRoleTemplates/allProperties/readmicrosoft.directory/domains/allProperties/readmicrosoft.directory/entitlementManagement/allProperties/readmicrosoft.directory/groups/allProperties/readmicrosoft.directory/groupSettings/allProperties/readmicrosoft.directory/groupSettingTemplates/allProperties/readmicrosoft.directory/identityProtection/allProperties/readmicrosoft.directory/loginOrganizationBranding/allProperties/readmicrosoft.directory/oAuth2PermissionGrants/allProperties/readmicrosoft.directory/organization/allProperties/readmicrosoft.directory/permissionGrantPolicies/standard/readmicrosoft.directory/policies/allProperties/readmicrosoft.directory/conditionalAccessPolicies/allProperties/readmicrosoft.directory/crossTenantAccessPolicies/allProperties/readmicrosoft.directory/deviceManagementPolicies/standard/readmicrosoft.directory/deviceRegistrationPolicy/standard/readmicrosoft.directory/privilegedIdentityManagement/allProperties/readmicrosoft.directory/provisioningLogs/allProperties/readmicrosoft.directory/roleAssignments/allProperties/readmicrosoft.directory/roleDefinitions/allProperties/readmicrosoft.directory/scopedRoleMemberships/allProperties/readmicrosoft.directory/serviceAction/getAvailableExtentionPropertiesmicrosoft.directory/servicePrincipals/allProperties/readmicrosoft.directory/servicePrincipalCreationPolicies/standard/readmicrosoft.directory/servicePrincipals/synchronization/standard/readmicrosoft.directory/signInReports/allProperties/readmicrosoft.directory/subscribedSkus/allProperties/readmicrosoft.directory/users/allProperties/readmicrosoft.directory/verifiableCredentials/configuration/contracts/cards/allProperties/readmicrosoft.directory/verifiableCredentials/configuration/contracts/allProperties/readmicrosoft.directory/verifiableCredentials/configuration/allProperties/readmicrosoft.cloudPC/allEntities/allProperties/readmicrosoft.commerce.billing/allEntities/readmicrosoft.edge/allEntities/allProperties/readmicrosoft.office365.exchange/allEntities/standard/readmicrosoft.office365.messageCenter/messages/readmicrosoft.office365.messageCenter/securityMessages/readmicrosoft.office365.network/performance/allProperties/readmicrosoft.office365.protectionCenter/allEntities/allProperties/readmicrosoft.office365.securityComplianceCenter/allEntities/readmicrosoft.office365.usageReports/allEntities/allProperties/readmicrosoft.office365.webPortal/allEntities/standard/readmicrosoft.office365.yammer/allEntities/allProperties/readmicrosoft.teams/allEntities/allProperties/readmicrosoft.windows.updatesDeployments/allEntities/allProperties/read
Groups Administrator
microsoft.directory/deletedItems.groups/deletemicrosoft.directory/deletedItems.groups/restoremicrosoft.directory/groups/assignLicensemicrosoft.directory/groups/createmicrosoft.directory/groups/deletemicrosoft.directory/groups/hiddenMembers/readmicrosoft.directory/groups/reprocessLicenseAssignmentmicrosoft.directory/groups/restoremicrosoft.directory/groups/basic/updatemicrosoft.directory/groups/classification/updatemicrosoft.directory/groups/dynamicMembershipRule/updatemicrosoft.directory/groups/groupType/updatemicrosoft.directory/groups/members/updatemicrosoft.directory/groups/onPremWriteBack/updatemicrosoft.directory/groups/owners/updatemicrosoft.directory/groups/settings/updatemicrosoft.directory/groups/visibility/updatemicrosoft.directory/servicePrincipals/managePermissionGrantsForGroup.microsoft-all-application-permissionsmicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Guest Inviter
microsoft.directory/users/inviteGuestmicrosoft.directory/users/standard/readmicrosoft.directory/users/appRoleAssignments/readmicrosoft.directory/users/deviceForResourceAccount/readmicrosoft.directory/users/directReports/readmicrosoft.directory/users/licenseDetails/readmicrosoft.directory/users/manager/readmicrosoft.directory/users/memberOf/readmicrosoft.directory/users/oAuth2PermissionGrants/readmicrosoft.directory/users/ownedDevices/readmicrosoft.directory/users/ownedObjects/readmicrosoft.directory/users/photo/readmicrosoft.directory/users/registeredDevices/readmicrosoft.directory/users/scopedRoleMemberOf/read
Guest User
microsoft.directory/applications/standard/limitedReadmicrosoft.directory/applications/owners/limitedReadmicrosoft.directory/applications/policies/limitedReadmicrosoft.directory/domains/standard/readmicrosoft.directory/groups/standard/limitedReadmicrosoft.directory/groups/appRoleAssignments/limitedReadmicrosoft.directory/groups/memberOf/limitedReadmicrosoft.directory/groups/members/limitedReadmicrosoft.directory/groups/owners/limitedReadmicrosoft.directory/groups/settings/limitedReadmicrosoft.directory/organization/basicProfile/readmicrosoft.directory/servicePrincipals/appRoleAssignedTo/limitedReadmicrosoft.directory/servicePrincipals/appRoleAssignments/limitedReadmicrosoft.directory/servicePrincipals/standard/limitedReadmicrosoft.directory/servicePrincipals/memberOf/limitedReadmicrosoft.directory/servicePrincipals/oAuth2PermissionGrants/limitedReadmicrosoft.directory/servicePrincipals/owners/limitedReadmicrosoft.directory/servicePrincipals/ownedObjects/limitedReadmicrosoft.directory/servicePrincipals/policies/limitedReadmicrosoft.directory/users/inviteGuestmicrosoft.directory/users/guestBasicProfile/limitedReadmicrosoft.directory/users/standard/readmicrosoft.directory/users/appRoleAssignments/readmicrosoft.directory/users/deviceForResourceAccount/readmicrosoft.directory/users/directReports/readmicrosoft.directory/users/eligibleMemberOf/readmicrosoft.directory/users/licenseDetails/readmicrosoft.directory/users/manager/readmicrosoft.directory/users/memberOf/readmicrosoft.directory/users/oAuth2PermissionGrants/readmicrosoft.directory/users/ownedDevices/readmicrosoft.directory/users/ownedObjects/readmicrosoft.directory/users/pendingMemberOf/readmicrosoft.directory/users/photo/readmicrosoft.directory/users/registeredDevices/readmicrosoft.directory/users/scopedRoleMemberOf/readmicrosoft.directory/users/password/update
Helpdesk Administrator
microsoft.directory/bitlockerKeys/key/readmicrosoft.directory/users/invalidateAllRefreshTokensmicrosoft.directory/users/password/updatemicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Hybrid Identity Administrator
microsoft.directory/applications/createmicrosoft.directory/applications/deletemicrosoft.directory/applications/appRoles/updatemicrosoft.directory/applications/audience/updatemicrosoft.directory/applications/authentication/updatemicrosoft.directory/applications/basic/updatemicrosoft.directory/applications/notes/updatemicrosoft.directory/applications/owners/updatemicrosoft.directory/applications/permissions/updatemicrosoft.directory/applications/policies/updatemicrosoft.directory/applications/tag/updatemicrosoft.directory/applications/synchronization/standard/readmicrosoft.directory/applicationTemplates/instantiatemicrosoft.directory/auditLogs/allProperties/readmicrosoft.directory/cloudProvisioning/allProperties/allTasksmicrosoft.directory/deletedItems.applications/deletemicrosoft.directory/deletedItems.applications/restoremicrosoft.directory/domains/allProperties/readmicrosoft.directory/domains/federation/updatemicrosoft.directory/hybridAuthenticationPolicy/allProperties/allTasksmicrosoft.directory/organization/dirSync/updatemicrosoft.directory/passwordHashSync/allProperties/allTasksmicrosoft.directory/provisioningLogs/allProperties/readmicrosoft.directory/servicePrincipals/createmicrosoft.directory/servicePrincipals/deletemicrosoft.directory/servicePrincipals/disablemicrosoft.directory/servicePrincipals/enablemicrosoft.directory/servicePrincipals/synchronizationCredentials/managemicrosoft.directory/servicePrincipals/synchronizationJobs/managemicrosoft.directory/servicePrincipals/synchronizationSchema/managemicrosoft.directory/servicePrincipals/audience/updatemicrosoft.directory/servicePrincipals/authentication/updatemicrosoft.directory/servicePrincipals/basic/updatemicrosoft.directory/servicePrincipals/notes/updatemicrosoft.directory/servicePrincipals/owners/updatemicrosoft.directory/servicePrincipals/permissions/updatemicrosoft.directory/servicePrincipals/policies/updatemicrosoft.directory/servicePrincipals/tag/updatemicrosoft.directory/servicePrincipals/synchronization/standard/readmicrosoft.directory/signInReports/allProperties/readmicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.office365.messageCenter/messages/readmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Identity Governance Administrator
microsoft.directory/accessReviews/allProperties/allTasksmicrosoft.directory/entitlementManagement/allProperties/allTasksmicrosoft.directory/groups/members/updatemicrosoft.directory/servicePrincipals/appRoleAssignedTo/update
Insights Administrator
microsoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.insights/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Insights Business Leader
microsoft.insights/reports/readmicrosoft.insights/programs/update
Intune Administrator
microsoft.directory/bitlockerKeys/key/readmicrosoft.directory/contacts/createmicrosoft.directory/contacts/deletemicrosoft.directory/contacts/basic/updatemicrosoft.directory/devices/createmicrosoft.directory/devices/deletemicrosoft.directory/devices/disablemicrosoft.directory/devices/enablemicrosoft.directory/devices/basic/updatemicrosoft.directory/devices/extensionAttributeSet1/updatemicrosoft.directory/devices/extensionAttributeSet2/updatemicrosoft.directory/devices/extensionAttributeSet3/updatemicrosoft.directory/devices/registeredOwners/updatemicrosoft.directory/devices/registeredUsers/updatemicrosoft.directory/deviceManagementPolicies/standard/readmicrosoft.directory/deviceRegistrationPolicy/standard/readmicrosoft.directory/groups/hiddenMembers/readmicrosoft.directory/groups.security/createmicrosoft.directory/groups.security/deletemicrosoft.directory/groups.security/basic/updatemicrosoft.directory/groups.security/classification/updatemicrosoft.directory/groups.security/dynamicMembershipRule/updatemicrosoft.directory/groups.security/members/updatemicrosoft.directory/groups.security/owners/updatemicrosoft.directory/groups.security/visibility/updatemicrosoft.directory/users/basic/updatemicrosoft.directory/users/manager/updatemicrosoft.directory/users/photo/updatemicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.cloudPC/allEntities/allProperties/allTasksmicrosoft.intune/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Kaizala Administrator
microsoft.directory/authorizationPolicy/standard/readmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Knowledge Administrator
microsoft.directory/groups.security/createmicrosoft.directory/groups.security/createAsOwnermicrosoft.directory/groups.security/deletemicrosoft.directory/groups.security/basic/updatemicrosoft.directory/groups.security/members/updatemicrosoft.directory/groups.security/owners/updatemicrosoft.office365.knowledge/contentUnderstanding/allProperties/allTasksmicrosoft.office365.knowledge/knowledgeNetwork/allProperties/allTasksmicrosoft.office365.knowledge/learningSources/allProperties/allTasksmicrosoft.office365.protectionCenter/sensitivityLabels/allProperties/readmicrosoft.office365.sharePoint/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Knowledge Manager
microsoft.directory/groups.security/createmicrosoft.directory/groups.security/createAsOwnermicrosoft.directory/groups.security/deletemicrosoft.directory/groups.security/basic/updatemicrosoft.directory/groups.security/members/updatemicrosoft.directory/groups.security/owners/updatemicrosoft.office365.knowledge/contentUnderstanding/analytics/allProperties/readmicrosoft.office365.knowledge/knowledgeNetwork/topicVisibility/allProperties/allTasksmicrosoft.office365.sharePoint/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
License Administrator
microsoft.directory/authorizationPolicy/standard/readmicrosoft.directory/groups/assignLicensemicrosoft.directory/groups/reprocessLicenseAssignmentmicrosoft.directory/users/assignLicensemicrosoft.directory/users/reprocessLicenseAssignmentmicrosoft.directory/users/usageLocation/updatemicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Message Center Privacy Reader
microsoft.office365.messageCenter/messages/readmicrosoft.office365.messageCenter/securityMessages/readmicrosoft.office365.webPortal/allEntities/standard/read
Message Center Reader
microsoft.office365.messageCenter/messages/readmicrosoft.office365.webPortal/allEntities/standard/read
Network Administrator
microsoft.office365.network/locations/allProperties/allTasksmicrosoft.office365.network/performance/allProperties/readmicrosoft.office365.webPortal/allEntities/standard/read
Office Apps Administrator
microsoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.office365.messageCenter/messages/readmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.userCommunication/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Partner Tier1 Support
microsoft.directory/applications/appRoles/updatemicrosoft.directory/applications/audience/updatemicrosoft.directory/applications/authentication/updatemicrosoft.directory/applications/basic/updatemicrosoft.directory/applications/credentials/updatemicrosoft.directory/applications/notes/updatemicrosoft.directory/applications/owners/updatemicrosoft.directory/applications/permissions/updatemicrosoft.directory/applications/policies/updatemicrosoft.directory/applications/tag/updatemicrosoft.directory/contacts/createmicrosoft.directory/contacts/deletemicrosoft.directory/contacts/basic/updatemicrosoft.directory/deletedItems.groups/restoremicrosoft.directory/groups/createmicrosoft.directory/groups/deletemicrosoft.directory/groups/restoremicrosoft.directory/groups/members/updatemicrosoft.directory/groups/owners/updatemicrosoft.directory/oAuth2PermissionGrants/allProperties/allTasksmicrosoft.directory/servicePrincipals/appRoleAssignedTo/updatemicrosoft.directory/users/assignLicensemicrosoft.directory/users/createmicrosoft.directory/users/deletemicrosoft.directory/users/disablemicrosoft.directory/users/enablemicrosoft.directory/users/invalidateAllRefreshTokensmicrosoft.directory/users/restoremicrosoft.directory/users/basic/updatemicrosoft.directory/users/manager/updatemicrosoft.directory/users/password/updatemicrosoft.directory/users/photo/updatemicrosoft.directory/users/userPrincipalName/updatemicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Partner Tier2 Support
microsoft.directory/applications/appRoles/updatemicrosoft.directory/applications/audience/updatemicrosoft.directory/applications/authentication/updatemicrosoft.directory/applications/basic/updatemicrosoft.directory/applications/credentials/updatemicrosoft.directory/applications/notes/updatemicrosoft.directory/applications/owners/updatemicrosoft.directory/applications/permissions/updatemicrosoft.directory/applications/policies/updatemicrosoft.directory/applications/tag/updatemicrosoft.directory/contacts/createmicrosoft.directory/contacts/deletemicrosoft.directory/contacts/basic/updatemicrosoft.directory/deletedItems.groups/restoremicrosoft.directory/domains/allProperties/allTasksmicrosoft.directory/groups/createmicrosoft.directory/groups/deletemicrosoft.directory/groups/restoremicrosoft.directory/groups/members/updatemicrosoft.directory/groups/owners/updatemicrosoft.directory/oAuth2PermissionGrants/allProperties/allTasksmicrosoft.directory/organization/basic/updatemicrosoft.directory/roleAssignments/allProperties/allTasksmicrosoft.directory/roleDefinitions/allProperties/allTasksmicrosoft.directory/scopedRoleMemberships/allProperties/allTasksmicrosoft.directory/servicePrincipals/appRoleAssignedTo/updatemicrosoft.directory/subscribedSkus/standard/readmicrosoft.directory/users/assignLicensemicrosoft.directory/users/createmicrosoft.directory/users/deletemicrosoft.directory/users/disablemicrosoft.directory/users/enablemicrosoft.directory/users/invalidateAllRefreshTokensmicrosoft.directory/users/restoremicrosoft.directory/users/basic/updatemicrosoft.directory/users/manager/updatemicrosoft.directory/users/password/updatemicrosoft.directory/users/photo/updatemicrosoft.directory/users/userPrincipalName/updatemicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Password Administrator
microsoft.directory/users/password/updatemicrosoft.office365.webPortal/allEntities/standard/read
Power BI Administrator
microsoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/readmicrosoft.powerApps.powerBI/allEntities/allTasks
Power Platform Administrator
microsoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.dynamics365/allEntities/allTasksmicrosoft.flow/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/readmicrosoft.powerApps/allEntities/allTasks
Printer Administrator
microsoft.azure.print/allEntities/allProperties/allTasks
Printer Technician
microsoft.azure.print/connectors/allProperties/readmicrosoft.azure.print/printers/allProperties/readmicrosoft.azure.print/printers/registermicrosoft.azure.print/printers/unregistermicrosoft.azure.print/printers/basic/update
Privileged Authentication Administrator
microsoft.directory/users/authenticationMethods/createmicrosoft.directory/users/authenticationMethods/deletemicrosoft.directory/users/authenticationMethods/standard/readmicrosoft.directory/users/authenticationMethods/basic/updatemicrosoft.directory/users/invalidateAllRefreshTokensmicrosoft.directory/users/password/updatemicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Privileged Role Administrator
microsoft.directory/administrativeUnits/allProperties/allTasksmicrosoft.directory/authorizationPolicy/allProperties/allTasksmicrosoft.directory/directoryRoles/allProperties/allTasksmicrosoft.directory/groupsAssignableToRoles/createmicrosoft.directory/groupsAssignableToRoles/deletemicrosoft.directory/groupsAssignableToRoles/restoremicrosoft.directory/groupsAssignableToRoles/allProperties/updatemicrosoft.directory/oAuth2PermissionGrants/allProperties/allTasksmicrosoft.directory/privilegedIdentityManagement/allProperties/allTasksmicrosoft.directory/roleAssignments/allProperties/allTasksmicrosoft.directory/roleDefinitions/allProperties/allTasksmicrosoft.directory/scopedRoleMemberships/allProperties/allTasksmicrosoft.directory/servicePrincipals/appRoleAssignedTo/updatemicrosoft.directory/servicePrincipals/permissions/updatemicrosoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-adminmicrosoft.office365.webPortal/allEntities/standard/read
Reports Reader
microsoft.directory/auditLogs/allProperties/readmicrosoft.directory/provisioningLogs/allProperties/readmicrosoft.directory/signInReports/allProperties/readmicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.office365.network/performance/allProperties/readmicrosoft.office365.usageReports/allEntities/allProperties/readmicrosoft.office365.webPortal/allEntities/standard/read
Restricted Guest User
microsoft.directory/applications/standard/limitedReadmicrosoft.directory/applications/owners/limitedReadmicrosoft.directory/applications/policies/limitedReadmicrosoft.directory/domains/standard/readmicrosoft.directory/organization/basicProfile/readmicrosoft.directory/servicePrincipals/appRoleAssignedTo/limitedReadmicrosoft.directory/servicePrincipals/appRoleAssignments/limitedReadmicrosoft.directory/servicePrincipals/standard/limitedReadmicrosoft.directory/servicePrincipals/memberOf/limitedReadmicrosoft.directory/servicePrincipals/oAuth2PermissionGrants/limitedReadmicrosoft.directory/servicePrincipals/owners/limitedReadmicrosoft.directory/servicePrincipals/ownedObjects/limitedReadmicrosoft.directory/servicePrincipals/policies/limitedReadmicrosoft.directory/users/standard/readmicrosoft.directory/users/appRoleAssignments/readmicrosoft.directory/users/deviceForResourceAccount/readmicrosoft.directory/users/directReports/readmicrosoft.directory/users/eligibleMemberOf/readmicrosoft.directory/users/licenseDetails/readmicrosoft.directory/users/manager/readmicrosoft.directory/users/memberOf/readmicrosoft.directory/users/oAuth2PermissionGrants/readmicrosoft.directory/users/ownedDevices/readmicrosoft.directory/users/ownedObjects/readmicrosoft.directory/users/pendingMemberOf/readmicrosoft.directory/users/photo/readmicrosoft.directory/users/registeredDevices/readmicrosoft.directory/users/scopedRoleMemberOf/readmicrosoft.directory/users/password/update
Search Administrator
microsoft.office365.messageCenter/messages/readmicrosoft.office365.search/content/managemicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Search Editor
microsoft.office365.messageCenter/messages/readmicrosoft.office365.search/content/managemicrosoft.office365.webPortal/allEntities/standard/read
Security Administrator
microsoft.directory/applications/policies/updatemicrosoft.directory/auditLogs/allProperties/readmicrosoft.directory/authorizationPolicy/standard/readmicrosoft.directory/bitlockerKeys/key/readmicrosoft.directory/entitlementManagement/allProperties/readmicrosoft.directory/hybridAuthenticationPolicy/allProperties/allTasksmicrosoft.directory/identityProtection/allProperties/readmicrosoft.directory/identityProtection/allProperties/updatemicrosoft.directory/passwordHashSync/allProperties/allTasksmicrosoft.directory/policies/createmicrosoft.directory/policies/deletemicrosoft.directory/policies/basic/updatemicrosoft.directory/policies/owners/updatemicrosoft.directory/policies/tenantDefault/updatemicrosoft.directory/conditionalAccessPolicies/createmicrosoft.directory/conditionalAccessPolicies/deletemicrosoft.directory/conditionalAccessPolicies/standard/readmicrosoft.directory/conditionalAccessPolicies/owners/readmicrosoft.directory/conditionalAccessPolicies/policyAppliedTo/readmicrosoft.directory/conditionalAccessPolicies/basic/updatemicrosoft.directory/conditionalAccessPolicies/owners/updatemicrosoft.directory/conditionalAccessPolicies/tenantDefault/updatemicrosoft.directory/crossTenantAccessPolicies/createmicrosoft.directory/crossTenantAccessPolicies/deletemicrosoft.directory/crossTenantAccessPolicies/standard/readmicrosoft.directory/crossTenantAccessPolicies/owners/readmicrosoft.directory/crossTenantAccessPolicies/policyAppliedTo/readmicrosoft.directory/crossTenantAccessPolicies/basic/updatemicrosoft.directory/crossTenantAccessPolicies/owners/updatemicrosoft.directory/crossTenantAccessPolicies/tenantDefault/updatemicrosoft.directory/privilegedIdentityManagement/allProperties/readmicrosoft.directory/provisioningLogs/allProperties/readmicrosoft.directory/servicePrincipals/policies/updatemicrosoft.directory/signInReports/allProperties/readmicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.office365.protectionCenter/allEntities/standard/readmicrosoft.office365.protectionCenter/allEntities/basic/updatemicrosoft.office365.protectionCenter/attackSimulator/payload/allProperties/allTasksmicrosoft.office365.protectionCenter/attackSimulator/reports/allProperties/readmicrosoft.office365.protectionCenter/attackSimulator/simulation/allProperties/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Security Operator
microsoft.directory/auditLogs/allProperties/readmicrosoft.directory/authorizationPolicy/standard/readmicrosoft.directory/cloudAppSecurity/allProperties/allTasksmicrosoft.directory/identityProtection/allProperties/allTasksmicrosoft.directory/privilegedIdentityManagement/allProperties/readmicrosoft.directory/provisioningLogs/allProperties/readmicrosoft.directory/signInReports/allProperties/readmicrosoft.azure.advancedThreatProtection/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.intune/allEntities/readmicrosoft.office365.securityComplianceCenter/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.windows.defenderAdvancedThreatProtection/allEntities/allTasks
Security Reader
microsoft.directory/auditLogs/allProperties/readmicrosoft.directory/authorizationPolicy/standard/readmicrosoft.directory/bitlockerKeys/key/readmicrosoft.directory/entitlementManagement/allProperties/readmicrosoft.directory/identityProtection/allProperties/readmicrosoft.directory/policies/standard/readmicrosoft.directory/policies/owners/readmicrosoft.directory/policies/policyAppliedTo/readmicrosoft.directory/conditionalAccessPolicies/standard/readmicrosoft.directory/conditionalAccessPolicies/owners/readmicrosoft.directory/conditionalAccessPolicies/policyAppliedTo/readmicrosoft.directory/privilegedIdentityManagement/allProperties/readmicrosoft.directory/provisioningLogs/allProperties/readmicrosoft.directory/signInReports/allProperties/readmicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.office365.protectionCenter/allEntities/standard/readmicrosoft.office365.protectionCenter/attackSimulator/payload/allProperties/readmicrosoft.office365.protectionCenter/attackSimulator/reports/allProperties/readmicrosoft.office365.protectionCenter/attackSimulator/simulation/allProperties/readmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Service Support Administrator
microsoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.office365.network/performance/allProperties/readmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
SharePoint Administrator
microsoft.directory/groups.unified/createmicrosoft.directory/groups.unified/deletemicrosoft.directory/groups.unified/restoremicrosoft.directory/groups.unified/basic/updatemicrosoft.directory/groups.unified/members/updatemicrosoft.directory/groups.unified/owners/updatemicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.office365.network/performance/allProperties/readmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.sharePoint/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.usageReports/allEntities/allProperties/readmicrosoft.office365.webPortal/allEntities/standard/read
Skype for Business Administrator
microsoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.skypeForBusiness/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.usageReports/allEntities/allProperties/readmicrosoft.office365.webPortal/allEntities/standard/read
Teams Administrator
microsoft.directory/authorizationPolicy/standard/readmicrosoft.directory/groups/hiddenMembers/readmicrosoft.directory/groups.unified/createmicrosoft.directory/groups.unified/deletemicrosoft.directory/groups.unified/restoremicrosoft.directory/groups.unified/basic/updatemicrosoft.directory/groups.unified/members/updatemicrosoft.directory/groups.unified/owners/updatemicrosoft.directory/servicePrincipals/managePermissionGrantsForGroup.microsoft-all-application-permissionsmicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.office365.network/performance/allProperties/readmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.skypeForBusiness/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.usageReports/allEntities/allProperties/readmicrosoft.office365.webPortal/allEntities/standard/readmicrosoft.teams/allEntities/allProperties/allTasks
Teams Communications Administrator
microsoft.directory/authorizationPolicy/standard/readmicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.skypeForBusiness/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.usageReports/allEntities/allProperties/readmicrosoft.office365.webPortal/allEntities/standard/readmicrosoft.teams/callQuality/allProperties/readmicrosoft.teams/meetings/allProperties/allTasksmicrosoft.teams/voice/allProperties/allTasks
Teams Communications Support Engineer
microsoft.directory/authorizationPolicy/standard/readmicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.skypeForBusiness/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/readmicrosoft.teams/callQuality/allProperties/read
Teams Communications Support Specialist
microsoft.directory/authorizationPolicy/standard/readmicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.skypeForBusiness/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/readmicrosoft.teams/callQuality/standard/read
Teams Devices Administrator
microsoft.office365.webPortal/allEntities/standard/readmicrosoft.teams/devices/standard/read
Usage Summary Reports Reader
microsoft.office365.network/performance/allProperties/readmicrosoft.office365.usageReports/allEntities/standard/readmicrosoft.office365.webPortal/allEntities/standard/read
User
microsoft.directory/applications/createAsOwnermicrosoft.directory/authorizationPolicy/standard/readmicrosoft.directory/groups/createAsOwnermicrosoft.directory/policies/standard/readmicrosoft.directory/policies/owners/readmicrosoft.directory/policies/policyAppliedTo/readmicrosoft.directory/applicationPolicies/createAsOwnermicrosoft.directory/servicePrincipals/createAsOwnermicrosoft.directory/servicePrincipals/authentication/readmicrosoft.directory/users/activateServicePlanmicrosoft.directory/users/inviteGuestmicrosoft.directory/applications/deletemicrosoft.directory/applications/appRoles/updatemicrosoft.directory/applications/audience/updatemicrosoft.directory/applications/authentication/updatemicrosoft.directory/applications/basic/updatemicrosoft.directory/applications/credentials/updatemicrosoft.directory/applications/extensionProperties/updatemicrosoft.directory/applications/notes/updatemicrosoft.directory/applications/owners/updatemicrosoft.directory/applications/permissions/updatemicrosoft.directory/applications/policies/updatemicrosoft.directory/applications/tag/updatemicrosoft.directory/applications/verification/updatemicrosoft.directory/auditLogs/allProperties/readmicrosoft.directory/deletedItems.applications/deletemicrosoft.directory/deletedItems.applications/restoremicrosoft.directory/deletedItems.groups/restoremicrosoft.directory/devices/disablemicrosoft.directory/groups/deletemicrosoft.directory/groups/restoremicrosoft.directory/groups/basic/updatemicrosoft.directory/groups/classification/updatemicrosoft.directory/groups/groupType/updatemicrosoft.directory/groups/members/updatemicrosoft.directory/groups/owners/updatemicrosoft.directory/groups/settings/updatemicrosoft.directory/groups/visibility/updatemicrosoft.directory/groupsAssignableToRoles/deletemicrosoft.directory/groupsAssignableToRoles/restoremicrosoft.directory/groupsAssignableToRoles/allProperties/updatemicrosoft.directory/policies/deletemicrosoft.directory/policies/basic/updatemicrosoft.directory/policies/owners/updatemicrosoft.directory/provisioningLogs/allProperties/readmicrosoft.directory/servicePrincipals/deletemicrosoft.directory/servicePrincipals/disablemicrosoft.directory/servicePrincipals/enablemicrosoft.directory/servicePrincipals/getPasswordSingleSignOnCredentialsmicrosoft.directory/servicePrincipals/managePasswordSingleSignOnCredentialsmicrosoft.directory/servicePrincipals/appRoleAssignedTo/updatemicrosoft.directory/servicePrincipals/audience/updatemicrosoft.directory/servicePrincipals/authentication/updatemicrosoft.directory/servicePrincipals/basic/updatemicrosoft.directory/servicePrincipals/credentials/updatemicrosoft.directory/servicePrincipals/notes/updatemicrosoft.directory/servicePrincipals/owners/updatemicrosoft.directory/servicePrincipals/permissions/updatemicrosoft.directory/servicePrincipals/policies/updatemicrosoft.directory/servicePrincipals/tag/updatemicrosoft.directory/signInReports/allProperties/readmicrosoft.directory/users/changePasswordmicrosoft.directory/users/invalidateAllRefreshTokensmicrosoft.directory/users/basicProfile/updatemicrosoft.directory/users/identities/updatemicrosoft.directory/users/mobile/updatemicrosoft.directory/users/searchableDeviceKey/updatemicrosoft.directory/userInfos/address/readmicrosoft.directory/userInfos/email/readmicrosoft.directory/userInfos/openId/readmicrosoft.directory/userInfos/phone/readmicrosoft.directory/userInfos/profile/read
User Administrator
microsoft.directory/contacts/createmicrosoft.directory/contacts/deletemicrosoft.directory/contacts/basic/updatemicrosoft.directory/deletedItems.groups/restoremicrosoft.directory/entitlementManagement/allProperties/allTasksmicrosoft.directory/groups/assignLicensemicrosoft.directory/groups/createmicrosoft.directory/groups/deletemicrosoft.directory/groups/hiddenMembers/readmicrosoft.directory/groups/reprocessLicenseAssignmentmicrosoft.directory/groups/restoremicrosoft.directory/groups/basic/updatemicrosoft.directory/groups/classification/updatemicrosoft.directory/groups/dynamicMembershipRule/updatemicrosoft.directory/groups/groupType/updatemicrosoft.directory/groups/members/updatemicrosoft.directory/groups/onPremWriteBack/updatemicrosoft.directory/groups/owners/updatemicrosoft.directory/groups/settings/updatemicrosoft.directory/groups/visibility/updatemicrosoft.directory/oAuth2PermissionGrants/allProperties/allTasksmicrosoft.directory/policies/standard/readmicrosoft.directory/servicePrincipals/appRoleAssignedTo/updatemicrosoft.directory/users/assignLicensemicrosoft.directory/users/createmicrosoft.directory/users/deletemicrosoft.directory/users/disablemicrosoft.directory/users/enablemicrosoft.directory/users/inviteGuestmicrosoft.directory/users/invalidateAllRefreshTokensmicrosoft.directory/users/reprocessLicenseAssignmentmicrosoft.directory/users/restoremicrosoft.directory/users/basic/updatemicrosoft.directory/users/manager/updatemicrosoft.directory/users/password/updatemicrosoft.directory/users/photo/updatemicrosoft.directory/users/userPrincipalName/updatemicrosoft.azure.serviceHealth/allEntities/allTasksmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.office365.serviceHealth/allEntities/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.webPortal/allEntities/standard/read
Windows 365 Administrator
microsoft.directory/devices/createmicrosoft.directory/devices/deletemicrosoft.directory/devices/disablemicrosoft.directory/devices/enablemicrosoft.directory/devices/basic/updatemicrosoft.directory/devices/extensionAttributeSet1/updatemicrosoft.directory/devices/extensionAttributeSet2/updatemicrosoft.directory/devices/extensionAttributeSet3/updatemicrosoft.directory/devices/registeredOwners/updatemicrosoft.directory/devices/registeredUsers/updatemicrosoft.directory/groups.security/createmicrosoft.directory/groups.security/deletemicrosoft.directory/groups.security/basic/updatemicrosoft.directory/groups.security/classification/updatemicrosoft.directory/groups.security/dynamicMembershipRule/updatemicrosoft.directory/groups.security/members/updatemicrosoft.directory/groups.security/owners/updatemicrosoft.directory/groups.security/visibility/updatemicrosoft.directory/deviceManagementPolicies/standard/readmicrosoft.directory/deviceRegistrationPolicy/standard/readmicrosoft.azure.supportTickets/allEntities/allTasksmicrosoft.cloudPC/allEntities/allProperties/allTasksmicrosoft.office365.supportTickets/allEntities/allTasksmicrosoft.office365.usageReports/allEntities/allProperties/readmicrosoft.office365.webPortal/allEntities/standard/read
Windows Update Deployment Administrator
microsoft.windows.updatesDeployments/allEntities/allProperties/allTasks