Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article lists the Azure built-in roles in the Storage category.
Avere Contributor
Can create and manage an Avere vFXT cluster.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Compute/*/read | |
| Microsoft.Compute/availabilitySets/* | |
| Microsoft.Compute/proximityPlacementGroups/* | |
| Microsoft.Compute/virtualMachines/* | |
| Microsoft.Compute/disks/* | |
| Microsoft.Network/*/read | |
| Microsoft.Network/networkInterfaces/* | |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
| Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. |
| Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. |
| Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Storage/*/read | |
| Microsoft.Storage/storageAccounts/* | Create and manage storage accounts |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Resources/subscriptions/resourceGroups/resources/read | Gets the resources for the resource group. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | Returns the result of deleting a blob |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | Returns the result of writing a blob |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can create and manage an Avere vFXT cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a",
"name": "4f8fab4f-1852-4a58-a46a-8eaf358af14a",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/availabilitySets/*",
"Microsoft.Compute/proximityPlacementGroups/*",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Compute/disks/*",
"Microsoft.Network/*/read",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Resources/deployments/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/*/read",
"Microsoft.Storage/storageAccounts/*",
"Microsoft.Support/*",
"Microsoft.Resources/subscriptions/resourceGroups/resources/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
],
"notDataActions": []
}
],
"roleName": "Avere Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Avere Operator
Used by the Avere vFXT cluster to manage the cluster
| Actions | Description |
|---|---|
| Microsoft.Compute/virtualMachines/read | Get the properties of a virtual machine |
| Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
| Microsoft.Network/networkInterfaces/write | Creates a network interface or updates an existing network interface. |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
| Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. |
| Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Storage/storageAccounts/blobServices/containers/delete | Returns the result of deleting a container |
| Microsoft.Storage/storageAccounts/blobServices/containers/read | Returns list of containers |
| Microsoft.Storage/storageAccounts/blobServices/containers/write | Returns the result of put blob container |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | Returns the result of deleting a blob |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | Returns the result of writing a blob |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Used by the Avere vFXT cluster to manage the cluster",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
"name": "c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
"permissions": [
{
"actions": [
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
],
"notDataActions": []
}
],
"roleName": "Avere Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure File Sync Administrator
This role provides full access to manage all Azure File Sync (Storage Sync Service) resources, including the ability to assign roles in Azure RBAC.
| Actions | Description |
|---|---|
| Microsoft.StorageSync/register/action | Registers the server to Storage Sync Service |
| Microsoft.StorageSync/unregister/action | Unregisters the server to Storage Sync Service |
| Microsoft.StorageSync/locations/* | |
| Microsoft.StorageSync/deployments/preflight/action | |
| Microsoft.StorageSync/storageSyncServices/* | |
| Microsoft.StorageSync/operations/read | Returns the status of Storage Sync operations |
| Microsoft.Insights/AlertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Authorization/roleAssignments/write | Create and update role assignments |
| Microsoft.Authorization/roleAssignments/read | Read role assignments |
| Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account |
| Microsoft.Storage/storageAccounts/fileServices/read | List file services |
| Microsoft.Storage/storageAccounts/fileServices/shares/read | Get file share |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "This role provides full access to manage all Azure File Sync (Storage Sync Service) resources, including the ability to assign roles in Azure RBAC.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/92b92042-07d9-4307-87f7-36a593fc5850",
"name": "92b92042-07d9-4307-87f7-36a593fc5850",
"permissions": [
{
"actions": [
"Microsoft.StorageSync/register/action",
"Microsoft.StorageSync/unregister/action",
"Microsoft.StorageSync/locations/*",
"Microsoft.StorageSync/deployments/preflight/action",
"Microsoft.StorageSync/storageSyncServices/*",
"Microsoft.StorageSync/operations/read",
"Microsoft.Insights/AlertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/fileServices/read",
"Microsoft.Storage/storageAccounts/fileServices/shares/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure File Sync Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure File Sync Reader
This role provides read access to Azure File Sync service (Storage Sync Service).
| Actions | Description |
|---|---|
| Microsoft.StorageSync/*/read | |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "This role provides full access to manage all Azure File Sync (Storage Sync Service) resources, including the ability to assign roles in Azure RBAC.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/754c1a27-40dc-4708-8ad4-2bffdeee09e8",
"name": "754c1a27-40dc-4708-8ad4-2bffdeee09e8",
"permissions": [
{
"actions": [
"Microsoft.StorageSync/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure File Sync Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Backup Contributor
Lets you manage backup service, but can't create vaults and give access to others
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| Microsoft.RecoveryServices/locations/* | |
| Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/* | Manage results of operation on backup management |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/* | Create and manage backup containers inside backup fabrics of Recovery Services vault |
| Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action | Refreshes the container list |
| Microsoft.RecoveryServices/Vaults/backupJobs/* | Create and manage backup jobs |
| Microsoft.RecoveryServices/Vaults/backupJobsExport/action | Export Jobs |
| Microsoft.RecoveryServices/Vaults/backupOperationResults/* | Create and manage Results of backup management operations |
| Microsoft.RecoveryServices/Vaults/backupPolicies/* | Create and manage backup policies |
| Microsoft.RecoveryServices/Vaults/backupProtectableItems/* | Create and manage items which can be backed up |
| Microsoft.RecoveryServices/Vaults/backupProtectedItems/* | Create and manage backed up items |
| Microsoft.RecoveryServices/Vaults/backupProtectionContainers/* | Create and manage containers holding backup items |
| Microsoft.RecoveryServices/Vaults/backupSecurityPIN/* | |
| Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services . |
| Microsoft.RecoveryServices/Vaults/certificates/* | Create and manage certificates related to backup in Recovery Services vault |
| Microsoft.RecoveryServices/Vaults/extendedInformation/* | Create and manage extended info related to vault |
| Microsoft.RecoveryServices/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery services vault. |
| Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* | |
| Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' |
| Microsoft.RecoveryServices/Vaults/registeredIdentities/* | Create and manage registered identities |
| Microsoft.RecoveryServices/Vaults/usages/* | Create and manage usage of Recovery Services vault |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
| Microsoft.RecoveryServices/Vaults/backupstorageconfig/* | |
| Microsoft.RecoveryServices/Vaults/backupconfig/* | |
| Microsoft.RecoveryServices/Vaults/backupValidateOperation/action | Validate Operation on Protected Item |
| Microsoft.RecoveryServices/Vaults/write | Create Vault operation creates an Azure resource of type 'vault' |
| Microsoft.RecoveryServices/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/* | |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read | Get all protectable containers |
| Microsoft.RecoveryServices/vaults/operationStatus/read | Gets Operation Status for a given Operation |
| Microsoft.RecoveryServices/vaults/operationResults/read | The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation |
| Microsoft.RecoveryServices/locations/backupStatus/action | Check Backup Status for Recovery Services Vaults |
| Microsoft.RecoveryServices/locations/backupPreValidateProtection/action | |
| Microsoft.RecoveryServices/locations/backupValidateFeatures/action | Validate Features |
| Microsoft.RecoveryServices/Vaults/monitoringAlerts/write | Resolves the alert. |
| Microsoft.RecoveryServices/operations/read | Operation returns the list of Operations for a Resource Provider |
| Microsoft.RecoveryServices/locations/operationStatus/read | Gets Operation Status for a given Operation |
| Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read | List all backup Protection Intents |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.DataProtection/locations/getBackupStatus/action | Check Backup Status for Recovery Services Vaults |
| Microsoft.DataProtection/backupVaults/backupInstances/write | Creates a Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/delete | Deletes the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all Backup Instances |
| Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all Backup Instances |
| Microsoft.DataProtection/backupVaults/deletedBackupInstances/read | List soft-deleted Backup Instances in a Backup Vault. |
| Microsoft.DataProtection/backupVaults/deletedBackupInstances/undelete/action | Perform undelete of soft-deleted Backup Instance. Backup Instance moves from SoftDeleted to ProtectionStopped state. |
| Microsoft.DataProtection/backupVaults/backupInstances/backup/action | Performs Backup on the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action | Validates for Restore of the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/restore/action | Triggers restore on the Backup Instance |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action | Triggers cross region restore operation on given backup instance. |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action | Performs validations for cross region restore operation. |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action | List cross region restore jobs of backup instance from secondary region. |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action | Get cross region restore job details from secondary region. |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action | Returns recovery points from secondary region for cross region restore enabled Backup Vaults. |
| Microsoft.DataProtection/backupVaults/backupPolicies/write | Creates Backup Policy |
| Microsoft.DataProtection/backupVaults/backupPolicies/delete | Deletes the Backup Policy |
| Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies |
| Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies |
| Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
| Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
| Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds Restorable Time Ranges |
| Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read | Returns Backup Operation Result for Backup Vault. |
| Microsoft.DataProtection/backupVaults/write | Update BackupVault operation updates an Azure resource of type 'Backup Vault' |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/backupVaults/operationResults/read | Gets Operation Result of a Patch Operation for a Backup Vault |
| Microsoft.DataProtection/backupVaults/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
| Microsoft.DataProtection/locations/checkNameAvailability/action | Checks if the requested BackupVault Name is Available |
| Microsoft.DataProtection/locations/checkFeatureSupport/action | Validates if a feature is supported |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
| Microsoft.DataProtection/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. |
| Microsoft.DataProtection/backupVaults/validateForBackup/action | Validates for backup of Backup Instance |
| Microsoft.DataProtection/operations/read | Operation returns the list of Operations for a Resource Provider |
| Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/delete | The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy' |
| Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read | Get the list of ResourceGuard proxies for a resource |
| Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/unlockDelete/action | Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation |
| Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/write | Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy' |
| Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read | Get ResourceGuard proxy operation gets an object representing the Azure resource of type 'ResourceGuard proxy' |
| Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write | Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy' |
| Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete | The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy' |
| Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action | Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation |
| Microsoft.DataProtection/backupVaults/backupInstances/validateForModifyBackup/action | Validates for modification of Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/SuspendBackups/action | Suspend Backups operation stops only backups of backup instance. Retention activities will continue and hence data will be ratained as per policy. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage backups, but can't delete vaults and give access to others",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b",
"name": "5e467623-bb1f-42f4-a55d-6e525e11384b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.RecoveryServices/locations/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
"Microsoft.RecoveryServices/Vaults/backupJobs/*",
"Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
"Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
"Microsoft.RecoveryServices/Vaults/backupPolicies/*",
"Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
"Microsoft.RecoveryServices/Vaults/backupProtectedItems/*",
"Microsoft.RecoveryServices/Vaults/backupProtectionContainers/*",
"Microsoft.RecoveryServices/Vaults/backupSecurityPIN/*",
"Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
"Microsoft.RecoveryServices/Vaults/certificates/*",
"Microsoft.RecoveryServices/Vaults/extendedInformation/*",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/*",
"Microsoft.RecoveryServices/Vaults/usages/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
"Microsoft.RecoveryServices/Vaults/backupconfig/*",
"Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
"Microsoft.RecoveryServices/Vaults/write",
"Microsoft.RecoveryServices/Vaults/backupOperations/read",
"Microsoft.RecoveryServices/Vaults/backupEngines/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read",
"Microsoft.RecoveryServices/vaults/operationStatus/read",
"Microsoft.RecoveryServices/vaults/operationResults/read",
"Microsoft.RecoveryServices/locations/backupStatus/action",
"Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",
"Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
"Microsoft.RecoveryServices/operations/read",
"Microsoft.RecoveryServices/locations/operationStatus/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
"Microsoft.Support/*",
"Microsoft.DataProtection/locations/getBackupStatus/action",
"Microsoft.DataProtection/backupVaults/backupInstances/write",
"Microsoft.DataProtection/backupVaults/backupInstances/delete",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
"Microsoft.DataProtection/backupVaults/deletedBackupInstances/undelete/action",
"Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
"Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
"Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action",
"Microsoft.DataProtection/backupVaults/backupPolicies/write",
"Microsoft.DataProtection/backupVaults/backupPolicies/delete",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
"Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
"Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read",
"Microsoft.DataProtection/backupVaults/write",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/operationResults/read",
"Microsoft.DataProtection/backupVaults/operationStatus/read",
"Microsoft.DataProtection/locations/checkNameAvailability/action",
"Microsoft.DataProtection/locations/checkFeatureSupport/action",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/locations/operationStatus/read",
"Microsoft.DataProtection/locations/operationResults/read",
"Microsoft.DataProtection/backupVaults/validateForBackup/action",
"Microsoft.DataProtection/operations/read",
"Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/delete",
"Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read",
"Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/unlockDelete/action",
"Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/write",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action",
"Microsoft.DataProtection/backupVaults/backupInstances/validateForModifyBackup/action",
"Microsoft.DataProtection/backupVaults/backupInstances/SuspendBackups/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Backup Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Backup MUA Admin
Backup MultiUser-Authorization. Can create/delete ResourceGuard
| Actions | Description |
|---|---|
| Microsoft.DataProtection/*/read | |
| Microsoft.DataProtection/*/resourceGuards/write | |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/write | Update ResourceGuard operation updates an Azure resource of type 'ResourceGuard' |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/delete | The Delete ResourceGuard operation deletes the specified Azure resource of type 'ResourceGuard' |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/read | Gets list of ResourceGuards in a Resource Group |
| Microsoft.DataProtection/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. |
| Microsoft.DataProtection/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
| Microsoft.DataProtection/locations/getBackupStatus/action | Check Backup Status for Recovery Services Vaults |
| Microsoft.DataProtection/locations/checkFeatureSupport/action | Validates if a feature is supported |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Features/features/read | Gets the features of a subscription. |
| Microsoft.Features/providers/features/read | Gets the feature of a subscription in a given resource provider. |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourcegroups/deployments/* | |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read | Get ResourceGuard proxy operation gets an object representing the Azure resource of type 'ResourceGuard proxy' |
| Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write | Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy' |
| Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete | The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy' |
| Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action | Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation |
| Microsoft.DataProtection/subscriptions/providers/resourceGuards/read | Gets list of ResourceGuards in a Subscription |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/{operationName}/read | Gets ResourceGuard default operation request info |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Backup MultiUser-Authorization. Can create/delete ResourceGuard ",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c2a970b4-16a7-4a51-8c84-8a8ea6ee0bb8",
"name": "c2a970b4-16a7-4a51-8c84-8a8ea6ee0bb8",
"permissions": [
{
"actions": [
"Microsoft.DataProtection/*/read",
"Microsoft.DataProtection/*/resourceGuards/write",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/write",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/delete",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/read",
"Microsoft.DataProtection/locations/operationResults/read",
"Microsoft.DataProtection/locations/operationStatus/read",
"Microsoft.DataProtection/locations/getBackupStatus/action",
"Microsoft.DataProtection/locations/checkFeatureSupport/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/operationStatus/read",
"Microsoft.Authorization/*/read",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action",
"Microsoft.DataProtection/subscriptions/providers/resourceGuards/read",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/{operationName}/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Backup MUA Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Backup MUA Operator
Backup MultiUser-Authorization. Allows user to perform critical operation protected by resourceguard
| Actions | Description |
|---|---|
| Microsoft.DataProtection/*/action | |
| Microsoft.DataProtection/*/read | |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Backup MultiUser-Authorization. Allows user to perform critical operation protected by resourceguard",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f54b6d04-23c6-443e-b462-9c16ab7b4a52",
"name": "f54b6d04-23c6-443e-b462-9c16ab7b4a52",
"permissions": [
{
"actions": [
"Microsoft.DataProtection/*/action",
"Microsoft.DataProtection/*/read",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Backup MUA Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Backup Operator
Lets you manage backup services, except removal of backup, vault creation and giving access to others
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read | Returns status of the operation |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read | Gets result of Operation performed on Protection Container. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action | Performs Backup for Protected Item. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read | Gets Result of Operation Performed on Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read | Returns the status of Operation performed on Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the Protected Item |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action | Provision Instant Item Recovery for Protected Item |
| Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action | Get AccessToken for Cross Region Restore. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read | Get Recovery Points for Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action | Restore Recovery Points for Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action | Revoke Instant Item Recovery for Protected Item |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write | Create a backup Protected Item |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read | Returns all registered containers |
| Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action | Refreshes the container list |
| Microsoft.RecoveryServices/Vaults/backupJobs/* | Create and manage backup jobs |
| Microsoft.RecoveryServices/Vaults/backupJobsExport/action | Export Jobs |
| Microsoft.RecoveryServices/Vaults/backupOperationResults/* | Create and manage Results of backup management operations |
| Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read | Get Results of Policy Operation. |
| Microsoft.RecoveryServices/Vaults/backupPolicies/read | Returns all Protection Policies |
| Microsoft.RecoveryServices/Vaults/backupProtectableItems/* | Create and manage items which can be backed up |
| Microsoft.RecoveryServices/Vaults/backupProtectedItems/read | Returns the list of all Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read | Returns all containers belonging to the subscription |
| Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services . |
| Microsoft.RecoveryServices/Vaults/certificates/write | The Update Resource Certificate operation updates the resource/vault credential certificate. |
| Microsoft.RecoveryServices/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? |
| Microsoft.RecoveryServices/Vaults/extendedInformation/write | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? |
| Microsoft.RecoveryServices/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery services vault. |
| Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* | |
| Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' |
| Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read | The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation |
| Microsoft.RecoveryServices/Vaults/registeredIdentities/read | The Get Containers operation can be used get the containers registered for a resource. |
| Microsoft.RecoveryServices/Vaults/registeredIdentities/write | The Register Service Container operation can be used to register a container with Recovery Service. |
| Microsoft.RecoveryServices/Vaults/usages/read | Returns usage details for a Recovery Services Vault. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
| Microsoft.RecoveryServices/Vaults/backupstorageconfig/* | |
| Microsoft.RecoveryServices/Vaults/backupValidateOperation/action | Validate Operation on Protected Item |
| Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action | Validate Operation on Protected Item |
| Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read | Validate Operation on Protected Item |
| Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read | Validate Operation on Protected Item |
| Microsoft.RecoveryServices/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read | Get Status of Policy Operation. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write | Creates a registered container |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action | Do inquiry for workloads within a container |
| Microsoft.RecoveryServices/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write | Create a backup Protection Intent |
| Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read | Get a backup Protection Intent |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read | Get all protectable containers |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read | Get all items in a container |
| Microsoft.RecoveryServices/locations/backupStatus/action | Check Backup Status for Recovery Services Vaults |
| Microsoft.RecoveryServices/locations/backupPreValidateProtection/action | |
| Microsoft.RecoveryServices/locations/backupValidateFeatures/action | Validate Features |
| Microsoft.RecoveryServices/locations/backupAadProperties/read | Get AAD Properties for authentication in the third region for Cross Region Restore. |
| Microsoft.RecoveryServices/locations/backupCrrJobs/action | List Cross Region Restore Jobs in the secondary region for Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupCrrJob/action | Get Cross Region Restore Job Details in the secondary region for Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action | Trigger Cross region restore. |
| Microsoft.RecoveryServices/locations/backupCrrOperationResults/read | Returns CRR Operation Result for Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read | Returns CRR Operation Status for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/monitoringAlerts/write | Resolves the alert. |
| Microsoft.RecoveryServices/operations/read | Operation returns the list of Operations for a Resource Provider |
| Microsoft.RecoveryServices/locations/operationStatus/read | Gets Operation Status for a given Operation |
| Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read | List all backup Protection Intents |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all Backup Instances |
| Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all Backup Instances |
| Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read | Returns Backup Operation Result for Backup Vault. |
| Microsoft.DataProtection/backupVaults/backupInstances/write | Creates a Backup Instance |
| Microsoft.DataProtection/backupVaults/deletedBackupInstances/read | List soft-deleted Backup Instances in a Backup Vault. |
| Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies |
| Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies |
| Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
| Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
| Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds Restorable Time Ranges |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/backupVaults/operationResults/read | Gets Operation Result of a Patch Operation for a Backup Vault |
| Microsoft.DataProtection/backupVaults/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
| Microsoft.DataProtection/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. |
| Microsoft.DataProtection/operations/read | Operation returns the list of Operations for a Resource Provider |
| Microsoft.DataProtection/backupVaults/validateForBackup/action | Validates for backup of Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/backup/action | Performs Backup on the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action | Validates for Restore of the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/restore/action | Triggers restore on the Backup Instance |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action | Triggers cross region restore operation on given backup instance. |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action | Performs validations for cross region restore operation. |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action | List cross region restore jobs of backup instance from secondary region. |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action | Get cross region restore job details from secondary region. |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action | Returns recovery points from secondary region for cross region restore enabled Backup Vaults. |
| Microsoft.DataProtection/locations/checkFeatureSupport/action | Validates if a feature is supported |
| Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/delete | The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy' |
| Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read | Get the list of ResourceGuard proxies for a resource |
| Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/unlockDelete/action | Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation |
| Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/write | Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy' |
| Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read | Get ResourceGuard proxy operation gets an object representing the Azure resource of type 'ResourceGuard proxy' |
| Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write | Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy' |
| Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete | The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy' |
| Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action | Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation |
| Microsoft.DataProtection/backupVaults/backupInstances/validateForModifyBackup/action | Validates for modification of Backup Instance |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage backup services, except removal of backup, vault creation and giving access to others",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324",
"name": "00c29273-979b-4161-815c-10b084fb9324",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action",
"Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
"Microsoft.RecoveryServices/Vaults/backupJobs/*",
"Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
"Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
"Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/read",
"Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
"Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
"Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
"Microsoft.RecoveryServices/Vaults/certificates/write",
"Microsoft.RecoveryServices/Vaults/extendedInformation/read",
"Microsoft.RecoveryServices/Vaults/extendedInformation/write",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/write",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
"Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
"Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action",
"Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read",
"Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read",
"Microsoft.RecoveryServices/Vaults/backupOperations/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action",
"Microsoft.RecoveryServices/Vaults/backupEngines/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read",
"Microsoft.RecoveryServices/locations/backupStatus/action",
"Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",
"Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
"Microsoft.RecoveryServices/locations/backupAadProperties/read",
"Microsoft.RecoveryServices/locations/backupCrrJobs/action",
"Microsoft.RecoveryServices/locations/backupCrrJob/action",
"Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action",
"Microsoft.RecoveryServices/locations/backupCrrOperationResults/read",
"Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
"Microsoft.RecoveryServices/operations/read",
"Microsoft.RecoveryServices/locations/operationStatus/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
"Microsoft.Support/*",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read",
"Microsoft.DataProtection/backupVaults/backupInstances/write",
"Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
"Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/operationResults/read",
"Microsoft.DataProtection/backupVaults/operationStatus/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/locations/operationStatus/read",
"Microsoft.DataProtection/locations/operationResults/read",
"Microsoft.DataProtection/operations/read",
"Microsoft.DataProtection/backupVaults/validateForBackup/action",
"Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
"Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
"Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action",
"Microsoft.DataProtection/locations/checkFeatureSupport/action",
"Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/delete",
"Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read",
"Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/unlockDelete/action",
"Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/write",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action",
"Microsoft.DataProtection/backupVaults/backupInstances/validateForModifyBackup/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Backup Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Backup Reader
Can view backup services, but can't make changes
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.RecoveryServices/locations/allocatedStamp/read | GetAllocatedStamp is internal operation used by service |
| Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read | Returns status of the operation |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read | Gets result of Operation performed on Protection Container. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read | Gets Result of Operation Performed on Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read | Returns the status of Operation performed on Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the Protected Item |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read | Get Recovery Points for Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read | Returns all registered containers |
| Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read | Returns the Result of Job Operation. |
| Microsoft.RecoveryServices/Vaults/backupJobs/read | Returns all Job Objects |
| Microsoft.RecoveryServices/Vaults/backupJobsExport/action | Export Jobs |
| Microsoft.RecoveryServices/Vaults/backupOperationResults/read | Returns Backup Operation Result for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read | Get Results of Policy Operation. |
| Microsoft.RecoveryServices/Vaults/backupPolicies/read | Returns all Protection Policies |
| Microsoft.RecoveryServices/Vaults/backupProtectedItems/read | Returns the list of all Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read | Returns all containers belonging to the subscription |
| Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services . |
| Microsoft.RecoveryServices/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? |
| Microsoft.RecoveryServices/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery services vault. |
| Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' |
| Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read | The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation |
| Microsoft.RecoveryServices/Vaults/registeredIdentities/read | The Get Containers operation can be used get the containers registered for a resource. |
| Microsoft.RecoveryServices/Vaults/backupstorageconfig/read | Returns Storage Configuration for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/backupconfig/read | Returns Configuration for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read | Get Status of Policy Operation. |
| Microsoft.RecoveryServices/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read | Get a backup Protection Intent |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read | Get all items in a container |
| Microsoft.RecoveryServices/locations/backupStatus/action | Check Backup Status for Recovery Services Vaults |
| Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* | |
| Microsoft.RecoveryServices/Vaults/monitoringAlerts/write | Resolves the alert. |
| Microsoft.RecoveryServices/operations/read | Operation returns the list of Operations for a Resource Provider |
| Microsoft.RecoveryServices/locations/operationStatus/read | Gets Operation Status for a given Operation |
| Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read | List all backup Protection Intents |
| Microsoft.RecoveryServices/Vaults/usages/read | Returns usage details for a Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupValidateFeatures/action | Validate Features |
| Microsoft.RecoveryServices/locations/backupCrrJobs/action | List Cross Region Restore Jobs in the secondary region for Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupCrrJob/action | Get Cross Region Restore Job Details in the secondary region for Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupCrrOperationResults/read | Returns CRR Operation Result for Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read | Returns CRR Operation Status for Recovery Services Vault. |
| Microsoft.DataProtection/locations/getBackupStatus/action | Check Backup Status for Recovery Services Vaults |
| Microsoft.DataProtection/backupVaults/backupInstances/write | Creates a Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all Backup Instances |
| Microsoft.DataProtection/backupVaults/deletedBackupInstances/read | List soft-deleted Backup Instances in a Backup Vault. |
| Microsoft.DataProtection/backupVaults/backupInstances/backup/action | Performs Backup on the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action | Validates for Restore of the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/restore/action | Triggers restore on the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies |
| Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies |
| Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
| Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
| Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read | Returns Backup Operation Result for Backup Vault. |
| Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds Restorable Time Ranges |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/backupVaults/operationResults/read | Gets Operation Result of a Patch Operation for a Backup Vault |
| Microsoft.DataProtection/backupVaults/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
| Microsoft.DataProtection/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. |
| Microsoft.DataProtection/backupVaults/validateForBackup/action | Validates for backup of Backup Instance |
| Microsoft.DataProtection/operations/read | Operation returns the list of Operations for a Resource Provider |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action | List cross region restore jobs of backup instance from secondary region. |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action | Get cross region restore job details from secondary region. |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action | Returns recovery points from secondary region for cross region restore enabled Backup Vaults. |
| Microsoft.DataProtection/locations/checkFeatureSupport/action | Validates if a feature is supported |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can view backup services, but can't make changes",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912",
"name": "a795c7a0-d4a2-40c1-ae25-d81f01202912",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.RecoveryServices/locations/allocatedStamp/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",
"Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupJobs/read",
"Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
"Microsoft.RecoveryServices/Vaults/backupOperationResults/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/read",
"Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
"Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
"Microsoft.RecoveryServices/Vaults/extendedInformation/read",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
"Microsoft.RecoveryServices/Vaults/backupstorageconfig/read",
"Microsoft.RecoveryServices/Vaults/backupconfig/read",
"Microsoft.RecoveryServices/Vaults/backupOperations/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
"Microsoft.RecoveryServices/Vaults/backupEngines/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read",
"Microsoft.RecoveryServices/locations/backupStatus/action",
"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
"Microsoft.RecoveryServices/operations/read",
"Microsoft.RecoveryServices/locations/operationStatus/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
"Microsoft.RecoveryServices/locations/backupCrrJobs/action",
"Microsoft.RecoveryServices/locations/backupCrrJob/action",
"Microsoft.RecoveryServices/locations/backupCrrOperationResults/read",
"Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read",
"Microsoft.DataProtection/locations/getBackupStatus/action",
"Microsoft.DataProtection/backupVaults/backupInstances/write",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
"Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
"Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
"Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
"Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read",
"Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/operationResults/read",
"Microsoft.DataProtection/backupVaults/operationStatus/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/locations/operationStatus/read",
"Microsoft.DataProtection/locations/operationResults/read",
"Microsoft.DataProtection/backupVaults/validateForBackup/action",
"Microsoft.DataProtection/operations/read",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action",
"Microsoft.DataProtection/locations/checkFeatureSupport/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Backup Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Classic Storage Account Contributor
Lets you manage classic storage accounts, but not access to them.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.ClassicStorage/storageAccounts/* | Create and manage storage accounts |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage classic storage accounts, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
"name": "86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicStorage/storageAccounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Classic Storage Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Classic Storage Account Key Operator Service Role
Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts
| Actions | Description |
|---|---|
| Microsoft.ClassicStorage/storageAccounts/listkeys/action | Lists the access keys for the storage accounts. |
| Microsoft.ClassicStorage/storageAccounts/regeneratekey/action | Regenerates the existing access keys for the storage account. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts",
"id": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d",
"name": "985d6b00-f706-48f5-a6fe-d0ca12fb668d",
"permissions": [
{
"actions": [
"Microsoft.ClassicStorage/storageAccounts/listkeys/action",
"Microsoft.ClassicStorage/storageAccounts/regeneratekey/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Classic Storage Account Key Operator Service Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Data Box Contributor
Lets you manage everything under Data Box Service except giving access to others.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Databox/* | |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage everything under Data Box Service except giving access to others.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5",
"name": "add466c9-e687-43fc-8d98-dfcf8d720be5",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Databox/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Box Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Data Box Reader
Lets you manage Data Box Service except creating order or editing order details and giving access to others.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Databox/*/read | |
| Microsoft.Databox/jobs/listsecrets/action | |
| Microsoft.Databox/jobs/listcredentials/action | Lists the unencrypted credentials related to the order. |
| Microsoft.Databox/locations/availableSkus/action | This method returns the list of available skus. |
| Microsoft.Databox/locations/validateInputs/action | This method does all type of validations. |
| Microsoft.Databox/locations/regionConfiguration/action | This method returns the configurations for the region. |
| Microsoft.Databox/locations/validateAddress/action | Validates the shipping address and provides alternate addresses if any. |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Data Box Service except creating order or editing order details and giving access to others.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
"name": "028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Databox/*/read",
"Microsoft.Databox/jobs/listsecrets/action",
"Microsoft.Databox/jobs/listcredentials/action",
"Microsoft.Databox/locations/availableSkus/action",
"Microsoft.Databox/locations/validateInputs/action",
"Microsoft.Databox/locations/regionConfiguration/action",
"Microsoft.Databox/locations/validateAddress/action",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Box Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Data Lake Analytics Developer
Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.BigAnalytics/accounts/* | |
| Microsoft.DataLakeAnalytics/accounts/* | |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| Microsoft.BigAnalytics/accounts/Delete | |
| Microsoft.BigAnalytics/accounts/TakeOwnership/action | |
| Microsoft.BigAnalytics/accounts/Write | |
| Microsoft.DataLakeAnalytics/accounts/Delete | Delete a DataLakeAnalytics account. |
| Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action | Grant permissions to cancel jobs submitted by other users. |
| Microsoft.DataLakeAnalytics/accounts/Write | Create or update a DataLakeAnalytics account. |
| Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write | Create or update a linked DataLakeStore account of a DataLakeAnalytics account. |
| Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete | Unlink a DataLakeStore account from a DataLakeAnalytics account. |
| Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write | Create or update a linked Storage account of a DataLakeAnalytics account. |
| Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete | Unlink a Storage account from a DataLakeAnalytics account. |
| Microsoft.DataLakeAnalytics/accounts/firewallRules/Write | Create or update a firewall rule. |
| Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete | Delete a firewall rule. |
| Microsoft.DataLakeAnalytics/accounts/computePolicies/Write | Create or update a compute policy. |
| Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete | Delete a compute policy. |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88",
"name": "47b7735b-770e-4598-a7da-8b91488b4c88",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.BigAnalytics/accounts/*",
"Microsoft.DataLakeAnalytics/accounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.BigAnalytics/accounts/Delete",
"Microsoft.BigAnalytics/accounts/TakeOwnership/action",
"Microsoft.BigAnalytics/accounts/Write",
"Microsoft.DataLakeAnalytics/accounts/Delete",
"Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action",
"Microsoft.DataLakeAnalytics/accounts/Write",
"Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write",
"Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete",
"Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write",
"Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete",
"Microsoft.DataLakeAnalytics/accounts/firewallRules/Write",
"Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete",
"Microsoft.DataLakeAnalytics/accounts/computePolicies/Write",
"Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Lake Analytics Developer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Defender for Storage Data Scanner
Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage.
| Actions | Description |
|---|---|
| Microsoft.Storage/storageAccounts/blobServices/containers/read | Returns list of containers |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write | Returns the result of writing blob tags |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read | Returns the result of reading blob tags |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40",
"name": "1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read"
],
"notDataActions": []
}
],
"roleName": "Defender for Storage Data Scanner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Elastic SAN Network Admin
Allows access to create Private Endpoints on SAN resources, and to read SAN resources
| Actions | Description |
|---|---|
| Microsoft.ElasticSan/elasticSans/*/read | |
| Microsoft.ElasticSan/elasticSans/PrivateEndpointConnectionsApproval/action | |
| Microsoft.ElasticSan/elasticSans/privateEndpointConnections/write | |
| Microsoft.ElasticSan/elasticSans/privateEndpointConnections/delete | |
| Microsoft.ElasticSan/locations/asyncoperations/read | Polls the status of an asynchronous operation. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows access to create Private Endpoints on SAN resources, and to read SAN resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fa6cecf6-5db3-4c43-8470-c540bcb4eafa",
"name": "fa6cecf6-5db3-4c43-8470-c540bcb4eafa",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*/read",
"Microsoft.ElasticSan/elasticSans/PrivateEndpointConnectionsApproval/action",
"Microsoft.ElasticSan/elasticSans/privateEndpointConnections/write",
"Microsoft.ElasticSan/elasticSans/privateEndpointConnections/delete",
"Microsoft.ElasticSan/locations/asyncoperations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Elastic SAN Network Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Elastic SAN Owner
Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.ElasticSan/elasticSans/* | |
| Microsoft.ElasticSan/locations/* | |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access",
"id": "/providers/Microsoft.Authorization/roleDefinitions/80dcbedb-47ef-405d-95bd-188a1b4ac406",
"name": "80dcbedb-47ef-405d-95bd-188a1b4ac406",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Elastic SAN Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Elastic SAN Reader
Allows for control path read access to Azure Elastic SAN
| Actions | Description |
|---|---|
| Microsoft.Authorization/roleAssignments/read | Get information about a role assignment. |
| Microsoft.Authorization/roleDefinitions/read | Get information about a role definition. |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.ElasticSan/elasticSans/*/read | |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for control path read access to Azure Elastic SAN",
"id": "/providers/Microsoft.Authorization/roleDefinitions/af6a70f8-3c9f-4105-acf1-d719e9fca4ca",
"name": "af6a70f8-3c9f-4105-acf1-d719e9fca4ca",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ElasticSan/elasticSans/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Elastic SAN Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Elastic SAN Volume Group Owner
Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access
| Actions | Description |
|---|---|
| Microsoft.Authorization/roleAssignments/read | Get information about a role assignment. |
| Microsoft.Authorization/roleDefinitions/read | Get information about a role definition. |
| Microsoft.ElasticSan/elasticSans/volumeGroups/* | |
| Microsoft.ElasticSan/locations/asyncoperations/read | Polls the status of an asynchronous operation. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a8281131-f312-4f34-8d98-ae12be9f0d23",
"name": "a8281131-f312-4f34-8d98-ae12be9f0d23",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read",
"Microsoft.ElasticSan/elasticSans/volumeGroups/*",
"Microsoft.ElasticSan/locations/asyncoperations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Elastic SAN Volume Group Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Reader and Data Access
Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.
| Actions | Description |
|---|---|
| Microsoft.Storage/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. |
| Microsoft.Storage/storageAccounts/ListAccountSas/action | Returns the Account SAS token for the specified storage account. |
| Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349",
"name": "c12c1c16-33a1-487b-954d-41c89c60f349",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/ListAccountSas/action",
"Microsoft.Storage/storageAccounts/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Reader and Data Access",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Account Backup Contributor
Lets you perform backup and restore operations using Azure Backup on the storage account.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Authorization/locks/read | Gets locks at the specified scope. |
| Microsoft.Authorization/locks/write | Add locks at the specified scope. |
| Microsoft.Authorization/locks/delete | Delete locks at the specified scope. |
| Microsoft.Features/features/read | Gets the features of a subscription. |
| Microsoft.Features/providers/features/read | Gets the feature of a subscription in a given resource provider. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Storage/operations/read | Polls the status of an asynchronous operation. |
| Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete | Delete object replication policy |
| Microsoft.Storage/storageAccounts/objectReplicationPolicies/read | List object replication policies |
| Microsoft.Storage/storageAccounts/objectReplicationPolicies/write | Create or update object replication policy |
| Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write | Create object replication restore point marker |
| Microsoft.Storage/storageAccounts/blobServices/containers/read | Returns list of containers |
| Microsoft.Storage/storageAccounts/blobServices/containers/write | Returns the result of put blob container |
| Microsoft.Storage/storageAccounts/blobServices/read | Returns blob service properties or statistics |
| Microsoft.Storage/storageAccounts/blobServices/write | Returns the result of put blob service properties |
| Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
| Microsoft.Storage/storageAccounts/restoreBlobRanges/action | Restore blob ranges to the state of the specified time |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you perform backup and restore operations using Azure Backup on the storage account.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1",
"name": "e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Authorization/locks/read",
"Microsoft.Authorization/locks/write",
"Microsoft.Authorization/locks/delete",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/operations/read",
"Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete",
"Microsoft.Storage/storageAccounts/objectReplicationPolicies/read",
"Microsoft.Storage/storageAccounts/objectReplicationPolicies/write",
"Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/blobServices/read",
"Microsoft.Storage/storageAccounts/blobServices/write",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/restoreBlobRanges/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Storage Account Backup Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Account Contributor
Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Insights/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server |
| Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Storage/storageAccounts/* | Create and manage storage accounts |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab",
"name": "17d1049b-9a84-46fb-8f53-869881c3d3ab",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Storage Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Account Key Operator Service Role
Permits listing and regenerating storage account access keys.
| Actions | Description |
|---|---|
| Microsoft.Storage/storageAccounts/listkeys/action | Returns the access keys for the specified storage account. |
| Microsoft.Storage/storageAccounts/regeneratekey/action | Regenerates the access keys for the specified storage account. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts",
"id": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12",
"name": "81a9662b-bebf-436f-a333-f67b29880f12",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/regeneratekey/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Storage Account Key Operator Service Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Blob Data Contributor
Read, write, and delete Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling data operations.
| Actions | Description |
|---|---|
| Microsoft.Storage/storageAccounts/blobServices/containers/delete | Delete a container. |
| Microsoft.Storage/storageAccounts/blobServices/containers/read | Return a container or a list of containers. |
| Microsoft.Storage/storageAccounts/blobServices/containers/write | Modify a container's metadata or properties. |
| Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | Delete a blob. |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Return a blob or a list of blobs. |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | Write to a blob. |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action | Moves the blob from one path to another |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action | Returns the result of adding blob content |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write and delete access to Azure Storage blob containers and data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe",
"name": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
],
"notDataActions": []
}
],
"roleName": "Storage Blob Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Blob Data Owner
Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. To learn which actions are required for a given data operation, see Permissions for calling data operations.
| Actions | Description |
|---|---|
| Microsoft.Storage/storageAccounts/blobServices/containers/* | Full permissions on containers. |
| Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/* | Full permissions on blobs. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
"name": "b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/*",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"
],
"notDataActions": []
}
],
"roleName": "Storage Blob Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Blob Data Reader
Read and list Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling data operations.
| Actions | Description |
|---|---|
| Microsoft.Storage/storageAccounts/blobServices/containers/read | Return a container or a list of containers. |
| Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Return a blob or a list of blobs. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure Storage blob containers and data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"name": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
],
"notDataActions": []
}
],
"roleName": "Storage Blob Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Blob Delegator
Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Azure AD credentials. For more information, see Create a user delegation SAS.
| Actions | Description |
|---|---|
| Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for generation of a user delegation key which can be used to sign SAS tokens",
"id": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
"name": "db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Storage Blob Delegator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage File Data Privileged Contributor
Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers.
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write | Returns the result of writing a file or creating a folder |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete | Returns the result of deleting a file/folder |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action | Returns the result of modifying permission on a file/folder |
| Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action | Read File Backup Semantics Privilege |
| Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action | Write File Backup Semantics Privilege |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Customer has read, write, delete and modify NTFS permission access on Azure Storage file shares.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/69566ab7-960f-475b-8e7c-b3118f30c6bd",
"name": "69566ab7-960f-475b-8e7c-b3118f30c6bd",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action",
"Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action",
"Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action"
],
"notDataActions": []
}
],
"roleName": "Storage File Data Privileged Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage File Data Privileged Reader
Allows for read access on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers.
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders |
| Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action | Read File Backup Semantics Privilege |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Customer has read access on Azure Storage file shares.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b8eda974-7b85-4f76-af95-65846b26df6d",
"name": "b8eda974-7b85-4f76-af95-65846b26df6d",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
"Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action"
],
"notDataActions": []
}
],
"roleName": "Storage File Data Privileged Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage File Data SMB Share Contributor
Allows for read, write, and delete access on files/directories in Azure file shares. This role has no built-in equivalent on Windows file servers.
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders. |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write | Returns the result of writing a file or creating a folder. |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete | Returns the result of deleting a file/folder. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write, and delete access in Azure Storage file shares over SMB",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
"name": "0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete"
],
"notDataActions": []
}
],
"roleName": "Storage File Data SMB Share Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage File Data SMB Share Elevated Contributor
Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares. This role is equivalent to a file share ACL of change on Windows file servers.
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders. |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write | Returns the result of writing a file or creating a folder. |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete | Returns the result of deleting a file/folder. |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action | Returns the result of modifying permission on a file/folder. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7",
"name": "a7264617-510b-434b-a828-9731dc254ea7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action"
],
"notDataActions": []
}
],
"roleName": "Storage File Data SMB Share Elevated Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage File Data SMB Share Reader
Allows for read access on files/directories in Azure file shares. This role is equivalent to a file share ACL of read on Windows file servers.
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure File Share over SMB",
"id": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314",
"name": "aba4ae5f-2193-4029-9191-0cb91df5e314",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read"
],
"notDataActions": []
}
],
"roleName": "Storage File Data SMB Share Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Queue Data Contributor
Read, write, and delete Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling data operations.
| Actions | Description |
|---|---|
| Microsoft.Storage/storageAccounts/queueServices/queues/delete | Delete a queue. |
| Microsoft.Storage/storageAccounts/queueServices/queues/read | Return a queue or a list of queues. |
| Microsoft.Storage/storageAccounts/queueServices/queues/write | Modify queue metadata or properties. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete | Delete one or more messages from a queue. |
| Microsoft.Storage/storageAccounts/queueServices/queues/messages/read | Peek or retrieve one or more messages from a queue. |
| Microsoft.Storage/storageAccounts/queueServices/queues/messages/write | Add a message to a queue. |
| Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action | Returns the result of processing a message |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write, and delete access to Azure Storage queues and queue messages",
"id": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88",
"name": "974c5e8b-45b9-4653-ba55-5f855dd0fb88",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/delete",
"Microsoft.Storage/storageAccounts/queueServices/queues/read",
"Microsoft.Storage/storageAccounts/queueServices/queues/write"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/write",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
],
"notDataActions": []
}
],
"roleName": "Storage Queue Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Queue Data Message Processor
Peek, retrieve, and delete a message from an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling data operations.
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/queueServices/queues/messages/read | Peek a message. |
| Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action | Retrieve and delete a message. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for peek, receive, and delete access to Azure Storage queue messages",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed",
"name": "8a0f0c08-91a1-4084-bc3d-661d67233fed",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
],
"notDataActions": []
}
],
"roleName": "Storage Queue Data Message Processor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Queue Data Message Sender
Add messages to an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling data operations.
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action | Add a message to a queue. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for sending of Azure Storage queue messages",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
"name": "c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action"
],
"notDataActions": []
}
],
"roleName": "Storage Queue Data Message Sender",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Queue Data Reader
Read and list Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling data operations.
| Actions | Description |
|---|---|
| Microsoft.Storage/storageAccounts/queueServices/queues/read | Returns a queue or a list of queues. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/queueServices/queues/messages/read | Peek or retrieve one or more messages from a queue. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure Storage queues and queue messages",
"id": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925",
"name": "19e7f393-937e-4f77-808e-94535e297925",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/read"
],
"notDataActions": []
}
],
"roleName": "Storage Queue Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Table Data Contributor
Allows for read, write and delete access to Azure Storage tables and entities
| Actions | Description |
|---|---|
| Microsoft.Storage/storageAccounts/tableServices/tables/read | Query tables |
| Microsoft.Storage/storageAccounts/tableServices/tables/write | Create tables |
| Microsoft.Storage/storageAccounts/tableServices/tables/delete | Delete tables |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/tableServices/tables/entities/read | Query table entities |
| Microsoft.Storage/storageAccounts/tableServices/tables/entities/write | Insert, merge, or replace table entities |
| Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete | Delete table entities |
| Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action | Insert table entities |
| Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action | Merge or update table entities |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write and delete access to Azure Storage tables and entities",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3",
"name": "0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/tableServices/tables/read",
"Microsoft.Storage/storageAccounts/tableServices/tables/write",
"Microsoft.Storage/storageAccounts/tableServices/tables/delete"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/tableServices/tables/entities/read",
"Microsoft.Storage/storageAccounts/tableServices/tables/entities/write",
"Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete",
"Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action",
"Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action"
],
"notDataActions": []
}
],
"roleName": "Storage Table Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Table Data Reader
Allows for read access to Azure Storage tables and entities
| Actions | Description |
|---|---|
| Microsoft.Storage/storageAccounts/tableServices/tables/read | Query tables |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/tableServices/tables/entities/read | Query table entities |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure Storage tables and entities",
"id": "/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6",
"name": "76199698-9eea-4c19-bc75-cec21354c6b6",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/tableServices/tables/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/tableServices/tables/entities/read"
],
"notDataActions": []
}
],
"roleName": "Storage Table Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}