---
title: Azure built-in roles for Identity - Azure RBAC
description: This article lists the Azure built-in roles for Azure role-based access control (Azure RBAC) in the Identity category. It lists Actions, NotActions, DataActions, and NotDataActions.
ms.service: role-based-access-control
ms.topic: reference
ms.workload: identity
author: rolyon
manager: amycolannino
ms.author: rolyon
ms.date: 04/25/2024
ms.custom: generated
---
# Azure built-in roles for Identity

This article lists the Azure built-in roles in the Identity category.
## Domain Services Contributor

Can manage Azure AD Domain Services and related network configurations

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | Microsoft.Authorization/*/read | Read roles and role assignments |
> | Microsoft.Resources/deployments/read | Gets or lists deployments. |
> | Microsoft.Resources/deployments/write | Creates or updates a deployment. |
> | Microsoft.Resources/deployments/delete | Deletes a deployment. |
> | Microsoft.Resources/deployments/cancel/action | Cancels a deployment. |
> | Microsoft.Resources/deployments/validate/action | Validates a deployment. |
> | Microsoft.Resources/deployments/whatIf/action | Predicts template deployment changes. |
> | Microsoft.Resources/deployments/exportTemplate/action | Export template for a deployment |
> | Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
> | Microsoft.Resources/deployments/operationstatuses/read | Gets or lists deployment operation statuses. |
> | Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
> | Microsoft.Insights/AlertRules/Write | Create or update a classic metric alert |
> | Microsoft.Insights/AlertRules/Delete | Delete a classic metric alert |
> | Microsoft.Insights/AlertRules/Read | Read a classic metric alert |
> | Microsoft.Insights/AlertRules/Activated/Action | Classic metric alert activated |
> | Microsoft.Insights/AlertRules/Resolved/Action | Classic metric alert resolved |
> | Microsoft.Insights/AlertRules/Throttled/Action | Classic metric alert rule throttled |
> | Microsoft.Insights/AlertRules/Incidents/Read | Read a classic metric alert incident |
> | Microsoft.Insights/Logs/Read | Reading data from all your logs |
> | Microsoft.Insights/Metrics/Read | Read metrics |
> | Microsoft.Insights/DiagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server |
> | Microsoft.Insights/DiagnosticSettingsCategories/Read | Read diagnostic settings categories |
> | Microsoft.AAD/register/action | Register Domain Service |
> | Microsoft.AAD/unregister/action | Unregister Domain Service |
> | Microsoft.AAD/domainServices/* |  |
> | Microsoft.Network/register/action | Registers the subscription |
> | Microsoft.Network/unregister/action | Unregisters the subscription |
> | Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
> | Microsoft.Network/virtualNetworks/write | Creates a virtual network or updates an existing virtual network |
> | Microsoft.Network/virtualNetworks/delete | Deletes a virtual network |
> | Microsoft.Network/virtualNetworks/peer/action | Peers a virtual network with another virtual network |
> | Microsoft.Network/virtualNetworks/join/action | Joins a virtual network. Not Alertable. |
> | Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
> | Microsoft.Network/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet |
> | Microsoft.Network/virtualNetworks/subnets/delete | Deletes a virtual network subnet |
> | Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. |
> | Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | Gets a virtual network peering definition |
> | Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write | Creates a virtual network peering or updates an existing virtual network peering |
> | Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete | Deletes a virtual network peering |
> | Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostic settings of Virtual Network |
> | Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read | Gets available metrics for the PingMesh |
> | Microsoft.Network/azureFirewalls/read | Get Azure Firewall |
> | Microsoft.Network/ddosProtectionPlans/read | Gets a DDoS Protection Plan |
> | Microsoft.Network/ddosProtectionPlans/join/action | Joins a DDoS Protection Plan. Not alertable. |
> | Microsoft.Network/loadBalancers/read | Gets a load balancer definition |
> | Microsoft.Network/loadBalancers/delete | Deletes a load balancer |
> | Microsoft.Network/loadBalancers/*/read |  |
> | Microsoft.Network/loadBalancers/backendAddressPools/join/action | Joins a load balancer backend address pool. Not Alertable. |
> | Microsoft.Network/loadBalancers/inboundNatRules/join/action | Joins a load balancer inbound NAT rule. Not Alertable. |
> | Microsoft.Network/natGateways/join/action | Joins a NAT Gateway |
> | Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
> | Microsoft.Network/networkInterfaces/write | Creates a network interface or updates an existing network interface. |
> | Microsoft.Network/networkInterfaces/delete | Deletes a network interface |
> | Microsoft.Network/networkInterfaces/join/action | Joins a Virtual Machine to a network interface. Not Alertable. |
> | Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read | Gets a default security rule definition |
> | Microsoft.Network/networkSecurityGroups/read | Gets a network security group definition |
> | Microsoft.Network/networkSecurityGroups/write | Creates a network security group or updates an existing network security group |
> | Microsoft.Network/networkSecurityGroups/delete | Deletes a network security group |
> | Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. |
> | Microsoft.Network/networkSecurityGroups/securityRules/read | Gets a security rule definition |
> | Microsoft.Network/networkSecurityGroups/securityRules/write | Creates a security rule or updates an existing security rule |
> | Microsoft.Network/networkSecurityGroups/securityRules/delete | Deletes a security rule |
> | Microsoft.Network/routeTables/read | Gets a route table definition |
> | Microsoft.Network/routeTables/write | Creates a route table or updates an existing route table |
> | Microsoft.Network/routeTables/delete | Deletes a route table definition |
> | Microsoft.Network/routeTables/join/action | Joins a route table. Not Alertable. |
> | Microsoft.Network/routeTables/routes/read | Gets a route definition |
> | Microsoft.Network/routeTables/routes/write | Creates a route or updates an existing route |
> | Microsoft.Network/routeTables/routes/delete | Deletes a route definition |
> | **NotActions** |  |
> | *none* |  |
> | **DataActions** |  |
> | *none* |  |
> | **NotDataActions** |  |
> | *none* |  |
```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage Azure AD Domain Services and related network configurations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/eeaeda52-9324-47f6-8069-5d5bade478b2",
  "name": "eeaeda52-9324-47f6-8069-5d5bade478b2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/deployments/delete",
        "Microsoft.Resources/deployments/cancel/action",
        "Microsoft.Resources/deployments/validate/action",
        "Microsoft.Resources/deployments/whatIf/action",
        "Microsoft.Resources/deployments/exportTemplate/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/operationstatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Insights/Logs/Read",
        "Microsoft.Insights/Metrics/Read",
        "Microsoft.Insights/DiagnosticSettings/*",
        "Microsoft.Insights/DiagnosticSettingsCategories/Read",
        "Microsoft.AAD/register/action",
        "Microsoft.AAD/unregister/action",
        "Microsoft.AAD/domainServices/*",
        "Microsoft.Network/register/action",
        "Microsoft.Network/unregister/action",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Network/virtualNetworks/delete",
        "Microsoft.Network/virtualNetworks/peer/action",
        "Microsoft.Network/virtualNetworks/join/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Network/virtualNetworks/subnets/delete",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Network/azureFirewalls/read",
        "Microsoft.Network/ddosProtectionPlans/read",
        "Microsoft.Network/ddosProtectionPlans/join/action",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/loadBalancers/delete",
        "Microsoft.Network/loadBalancers/*/read",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
        "Microsoft.Network/natGateways/join/action",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/networkInterfaces/delete",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/networkSecurityGroups/delete",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/networkSecurityGroups/securityRules/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "Microsoft.Network/networkSecurityGroups/securityRules/delete",
        "Microsoft.Network/routeTables/read",
        "Microsoft.Network/routeTables/write",
        "Microsoft.Network/routeTables/delete",
        "Microsoft.Network/routeTables/join/action",
        "Microsoft.Network/routeTables/routes/read",
        "Microsoft.Network/routeTables/routes/write",
        "Microsoft.Network/routeTables/routes/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Domain Services Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
## Domain Services Reader

Can view Azure AD Domain Services and related network configurations

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | Microsoft.Authorization/*/read | Read roles and role assignments |
> | Microsoft.Resources/deployments/read | Gets or lists deployments. |
> | Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
> | Microsoft.Resources/deployments/operationstatuses/read | Gets or lists deployment operation statuses. |
> | Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
> | Microsoft.Insights/AlertRules/Read | Read a classic metric alert |
> | Microsoft.Insights/AlertRules/Incidents/Read | Read a classic metric alert incident |
> | Microsoft.Insights/Logs/Read | Reading data from all your logs |
> | Microsoft.Insights/Metrics/read | Read metrics |
> | Microsoft.Insights/DiagnosticSettings/read | Read a resource diagnostic setting |
> | Microsoft.Insights/DiagnosticSettingsCategories/Read | Read diagnostic settings categories |
> | Microsoft.AAD/domainServices/*/read |  |
> | Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
> | Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
> | Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | Gets a virtual network peering definition |
> | Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostic settings of Virtual Network |
> | Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read | Gets available metrics for the PingMesh |
> | Microsoft.Network/azureFirewalls/read | Get Azure Firewall |
> | Microsoft.Network/ddosProtectionPlans/read | Gets a DDoS Protection Plan |
> | Microsoft.Network/loadBalancers/read | Gets a load balancer definition |
> | Microsoft.Network/loadBalancers/*/read |  |
> | Microsoft.Network/natGateways/read | Gets a NAT Gateway definition |
> | Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
> | Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read | Gets a default security rule definition |
> | Microsoft.Network/networkSecurityGroups/read | Gets a network security group definition |
> | Microsoft.Network/networkSecurityGroups/securityRules/read | Gets a security rule definition |
> | Microsoft.Network/routeTables/read | Gets a route table definition |
> | Microsoft.Network/routeTables/routes/read | Gets a route definition |
> | **NotActions** |  |
> | *none* |  |
> | **DataActions** |  |
> | *none* |  |
> | **NotDataActions** |  |
> | *none* |  |
```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can view Azure AD Domain Services and related network configurations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/361898ef-9ed1-48c2-849c-a832951106bb",
  "name": "361898ef-9ed1-48c2-849c-a832951106bb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/operationstatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Insights/Logs/Read",
        "Microsoft.Insights/Metrics/read",
        "Microsoft.Insights/DiagnosticSettings/read",
        "Microsoft.Insights/DiagnosticSettingsCategories/Read",
        "Microsoft.AAD/domainServices/*/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Network/azureFirewalls/read",
        "Microsoft.Network/ddosProtectionPlans/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/loadBalancers/*/read",
        "Microsoft.Network/natGateways/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/read",
        "Microsoft.Network/routeTables/read",
        "Microsoft.Network/routeTables/routes/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Domain Services Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
## Managed Identity Contributor

Create, Read, Update, and Delete User Assigned Identity

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | Microsoft.ManagedIdentity/userAssignedIdentities/read | Gets an existing user assigned identity |
> | Microsoft.ManagedIdentity/userAssignedIdentities/write | Creates a new user assigned identity or updates the tags associated with an existing user assigned identity |
> | Microsoft.ManagedIdentity/userAssignedIdentities/delete | Deletes an existing user assigned identity |
> | Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read | Get or list Federated Identity Credentials |
> | Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write | Add or update a Federated Identity Credential |
> | Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete | Delete a Federated Identity Credential |
> | Microsoft.ManagedIdentity/userAssignedIdentities/revokeTokens/action | Revokes all the existing tokens on a user assigned identity |
> | Microsoft.Authorization/*/read | Read roles and role assignments |
> | Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
> | Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
> | Microsoft.Resources/deployments/* | Create and manage a deployment |
> | Microsoft.Support/* | Create and update a support ticket |
> | **NotActions** |  |
> | *none* |  |
> | **DataActions** |  |
> | *none* |  |
> | **NotDataActions** |  |
> | *none* |  |
```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, Read, Update, and Delete User Assigned Identity",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
  "name": "e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
  "permissions": [
    {
      "actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/write",
        "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete",
        "Microsoft.ManagedIdentity/userAssignedIdentities/revokeTokens/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Identity Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
## Managed Identity Operator

Read and Assign User Assigned Identity

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | Microsoft.ManagedIdentity/userAssignedIdentities/*/read |  |
> | Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action |  |
> | Microsoft.Authorization/*/read | Read roles and role assignments |
> | Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
> | Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
> | Microsoft.Resources/deployments/* | Create and manage a deployment |
> | Microsoft.Support/* | Create and update a support ticket |
> | **NotActions** |  |
> | *none* |  |
> | **DataActions** |  |
> | *none* |  |
> | **NotDataActions** |  |
> | *none* |  |
```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read and Assign User Assigned Identity",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830",
  "name": "f1a07417-d97a-45cb-824c-7a7467783830",
  "permissions": [
    {
      "actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Identity Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
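The four role definitions on this page (Domain Services Contributor and Reader, Managed Identity Contributor and Operator) differ in ways that matter for a least-privilege review: only Domain Services Contributor can write network security groups, route tables and virtual networks; only Managed Identity Contributor can create or delete federated identity credentials; and only Managed Identity Operator carries the `*/assign/action` pattern that lets a principal attach an existing user-assigned identity to a resource. The script below is an added example written for this page, not Microsoft's code. It evaluates concrete operation names against the roles using Azure RBAC's rules (case-insensitive matching, `*` wildcard, NotActions subtracted from Actions rather than acting as a deny). The two Domain Services action lists are abbreviated and marked as such; the Managed Identity lists are complete. One assumption is labelled in the code: a bare `*` path segment is treated as matching zero or more segments, which is inferred from the Operator role itself, whose `userAssignedIdentities/*/assign/action` and `userAssignedIdentities/*/read` patterns are what grant the `userAssignedIdentities/assign/action` and `userAssignedIdentities/read` operations. The custom role `CUSTOM_NO_DELETE` and the probe operation `Microsoft.AAD/domainServices/write` are not on this page; the custom role is hypothetical and exists only to show NotActions subtracting a grant.

```python
"""Evaluate control-plane operations against the Identity built-in roles on this page.

Editor's added example, not Microsoft code. Rules applied: case-insensitive match,
'*' wildcard, NotActions subtracted from Actions (not a deny). Assumption: a bare
'*' path segment matches zero or more segments, inferred from Managed Identity
Operator, whose 'userAssignedIdentities/*/assign/action' pattern is what grants
the 'userAssignedIdentities/assign/action' operation.
"""
from fnmatch import fnmatchcase


def _segments_match(pat: list, act: list) -> bool:
    """Segment-wise match of an already lower-cased pattern against an operation."""
    if not pat:
        return not act
    head, rest = pat[0], pat[1:]
    if head == "*":  # bare wildcard segment: consume zero or more operation segments
        return any(_segments_match(rest, act[i:]) for i in range(len(act) + 1))
    if not act or not fnmatchcase(act[0], head):  # literal (or partial-wildcard) segment
        return False
    return _segments_match(rest, act[1:])


def action_matches(pattern: str, operation: str) -> bool:
    """True if an Actions/NotActions pattern covers the concrete operation name."""
    return _segments_match(pattern.lower().split("/"), operation.lower().split("/"))


def role_permits(role: dict, operation: str) -> bool:
    """Permitted when some Actions pattern matches and no NotActions pattern does."""
    perms = role["permissions"][0]
    allowed = any(action_matches(p, operation) for p in perms["actions"])
    excluded = any(action_matches(p, operation) for p in perms["notActions"])
    return allowed and not excluded


def mutating_grants(role: dict) -> list:
    """Actions patterns that can change state: anything not ending in '/read'."""
    return [p for p in role["permissions"][0]["actions"] if not p.lower().endswith("/read")]


def _role(name: str, actions, not_actions=()) -> dict:
    """Same shape as the roleDefinition JSON above, control-plane fields only."""
    return {"roleName": name, "permissions": [{"actions": list(actions),
            "notActions": list(not_actions), "dataActions": [], "notDataActions": []}]}


ROLES = {
    # Abbreviated from the ~70-entry list above; the omitted entries have the same shapes.
    "Domain Services Contributor": _role("Domain Services Contributor", [
        "Microsoft.Authorization/*/read", "Microsoft.AAD/domainServices/*",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "Microsoft.Network/routeTables/routes/write", "Microsoft.Insights/Metrics/Read"]),
    # Abbreviated; every entry in the full list above ends in '/read'.
    "Domain Services Reader": _role("Domain Services Reader", [
        "Microsoft.Authorization/*/read", "Microsoft.AAD/domainServices/*/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/read",
        "Microsoft.Insights/Metrics/read"]),
    # Complete, as listed above.
    "Managed Identity Contributor": _role("Managed Identity Contributor", [
        "Microsoft.ManagedIdentity/userAssignedIdentities/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/write",
        "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete",
        "Microsoft.ManagedIdentity/userAssignedIdentities/revokeTokens/action",
        "Microsoft.Authorization/*/read", "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*", "Microsoft.Support/*"]),
    # Complete, as listed above.
    "Managed Identity Operator": _role("Managed Identity Operator", [
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action",
        "Microsoft.Authorization/*/read", "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*", "Microsoft.Support/*"]),
}

# Hypothetical custom role (not on this page) showing NotActions subtracting a grant.
CUSTOM_NO_DELETE = _role("MI Contributor minus delete (hypothetical)",
                         ROLES["Managed Identity Contributor"]["permissions"][0]["actions"],
                         not_actions=["Microsoft.ManagedIdentity/*/delete"])

# Concrete operation names. The NSG rule write and the federated credential write are
# listed verbatim above; the assign operation is the one Operator's '*/assign/action'
# pattern exists to grant; the domainServices write is from the Microsoft.AAD provider.
PROBES = [
    "Microsoft.AAD/domainServices/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
    "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
]


def report(roles: dict = ROLES, probes: list = PROBES) -> dict:
    """Role name -> {operation: permitted}; the grid a least-privilege review starts from."""
    return {name: {op: role_permits(r, op) for op in probes} for name, r in roles.items()}


if __name__ == "__main__":
    for name, grid in report().items():
        print(f"{name}  ({len(mutating_grants(ROLES[name]))} non-read patterns)")
        for op, ok in grid.items():
            print(f"  {'ALLOW' if ok else 'deny '}  {op}")
```

Running it prints one grid per role. The two results worth reading off are that Managed Identity Contributor, despite its name, cannot attach an identity to a resource (no pattern matches `userAssignedIdentities/assign/action`), while Managed Identity Operator can but cannot add a federated credential; and that even the "read and assign" Operator role still carries four non-read patterns (`alertRules/*`, `deployments/*`, `Support/*` and the assign action), which is the kind of detail to check before assigning it at subscription scope rather than on the individual identity.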