Proposed Pull Request Change

---
title: Azure built-in roles for Storage - Azure RBAC
description: This article lists the Azure built-in roles for Azure role-based access control (Azure RBAC) in the Storage category. It lists Actions, NotActions, DataActions, and NotDataActions.
ms.service: role-based-access-control
ms.topic: generated-reference
ms.workload: identity
author: rolyon
manager: pmwongera
ms.author: rolyon
ms.date: 12/31/2025
ms.custom: generated
---

# Azure built-in roles for Storage

This article lists the Azure built-in roles in the Storage category.

## Avere Contributor

Can create and manage an Avere vFXT cluster. [Learn more](/azure/avere-vfxt/avere-vfxt-deploy-plan)

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments |
> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/*/read |  |
> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/availabilitySets/* |  |
> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/proximityPlacementGroups/* |  |
> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/* |  |
> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/* |  |
> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/*/read |  |
> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/* |  |
> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition |
> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. |
> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. |
> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. |
> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment |
> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/*/read |  |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/* | Create and manage storage accounts |
> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket |
> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/resources/read | Gets the resources for the resource group. |
> | **NotActions** |  |
> | *none* |  |
> | **DataActions** |  |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/delete | Returns the result of deleting a blob |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/write | Returns the result of writing a blob |
> | **NotDataActions** |  |
> | *none* |  |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can create and manage an Avere vFXT cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a",
  "name": "4f8fab4f-1852-4a58-a46a-8eaf358af14a",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/availabilitySets/*",
        "Microsoft.Compute/proximityPlacementGroups/*",
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Compute/disks/*",
        "Microsoft.Network/*/read",
        "Microsoft.Network/networkInterfaces/*",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/*/read",
        "Microsoft.Storage/storageAccounts/*",
        "Microsoft.Support/*",
        "Microsoft.Resources/subscriptions/resourceGroups/resources/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Avere Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

## Avere Operator

Used by the Avere vFXT cluster to manage the cluster. [Learn more](/azure/avere-vfxt/avere-vfxt-manage-cluster)

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/read | Get the properties of a virtual machine |
> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/read | Gets a network interface definition. |
> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/write | Creates a network interface or updates an existing network interface. |
> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition |
> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. |
> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. |
> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/delete | Returns the result of deleting a container |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/read | Returns list of containers |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/write | Returns the result of put blob container |
> | **NotActions** |  |
> | *none* |  |
> | **DataActions** |  |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/delete | Returns the result of deleting a blob |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/write | Returns the result of writing a blob |
> | **NotDataActions** |  |
> | *none* |  |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Used by the Avere vFXT cluster to manage the cluster",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
  "name": "c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Avere Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

## Azure File Sync Administrator

Provides full access to manage all Azure File Sync (Storage Sync Service) resources. Includes an ABAC condition that constrains which roles the holder may assign. [Learn more](/azure/storage/file-sync/file-sync-deployment-guide)

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | [Microsoft.StorageSync](../permissions/storage.md#microsoftstoragesync)/register/action | Registers the subscription for the Storage Sync Provider |
> | [Microsoft.StorageSync](../permissions/storage.md#microsoftstoragesync)/unregister/action | Unregisters the subscription for the Storage Sync Provider |
> | [Microsoft.StorageSync](../permissions/storage.md#microsoftstoragesync)/locations/* |  |
> | [Microsoft.StorageSync](../permissions/storage.md#microsoftstoragesync)/deployments/preflight/action | Validate all resources before we deploy the resources successfully. |
> | [Microsoft.StorageSync](../permissions/storage.md#microsoftstoragesync)/storageSyncServices/* |  |
> | [Microsoft.StorageSync](../permissions/storage.md#microsoftstoragesync)/operations/read | Gets a list of the Supported Operations |
> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/write | Create a role assignment at the specified scope. |
> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/* | Create and manage a classic metric alert |
> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment |
> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/shares/read | List file shares |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/read | Get file service properties |
> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket |
> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments |
> | **NotActions** |  |
> | *none* |  |
> | **DataActions** |  |
> | *none* |  |
> | **NotDataActions** |  |
> | *none* |  |
> | **Condition** |  |
> | ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {c12c1c16-33a1-487b-954d-41c89c60f349, 69566ab7-960f-475b-8e7c-b3118f30c6bd, 17d1049b-9a84-46fb-8f53-869881c3d3ab})) | Add role assignments for the following roles only:<br/>Reader and Data Access<br/>Storage File Data Privileged Contributor<br/>Storage Account Contributor |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides full access to manage all Azure File Sync (Storage Sync Service) resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/92b92042-07d9-4307-87f7-36a593fc5850",
  "name": "92b92042-07d9-4307-87f7-36a593fc5850",
  "permissions": [
    {
      "actions": [
        "Microsoft.StorageSync/register/action",
        "Microsoft.StorageSync/unregister/action",
        "Microsoft.StorageSync/locations/*",
        "Microsoft.StorageSync/deployments/preflight/action",
        "Microsoft.StorageSync/storageSyncServices/*",
        "Microsoft.StorageSync/operations/read",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Insights/AlertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/fileServices/shares/read",
        "Microsoft.Storage/storageAccounts/fileServices/read",
        "Microsoft.Support/*",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": [],
      "conditionVersion": "2.0",
      "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {c12c1c16-33a1-487b-954d-41c89c60f349, 69566ab7-960f-475b-8e7c-b3118f30c6bd, 17d1049b-9a84-46fb-8f53-869881c3d3ab}))"
    }
  ],
  "roleName": "Azure File Sync Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

## Azure File Sync Reader

Provides read access to Azure File Sync service (Storage Sync Service). [Learn more](/azure/storage/file-sync/file-sync-deployment-guide)

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | [Microsoft.StorageSync](../permissions/storage.md#microsoftstoragesync)/*/read |  |
> | **NotActions** |  |
> | *none* |  |
> | **DataActions** |  |
> | *none* |  |
> | **NotDataActions** |  |
> | *none* |  |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides read access to Azure File Sync service (Storage Sync Service).",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/754c1a27-40dc-4708-8ad4-2bffdeee09e8",
  "name": "754c1a27-40dc-4708-8ad4-2bffdeee09e8",
  "permissions": [
    {
      "actions": [
        "Microsoft.StorageSync/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure File Sync Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

## Backup Contributor

Lets you manage backups, but can't delete vaults or give access to others. [Learn more](/azure/backup/backup-rbac-rs-vault)

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments |
> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/* |  |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/operationResults/* | Manage results of operation on backup management |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/* | Create and manage backup containers inside backup fabrics of Recovery Services vault |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/refreshContainers/action | Refreshes the container list |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupJobs/* | Create and manage backup jobs |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupJobsExport/action | Export Jobs |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupOperationResults/* | Create and manage Results of backup management operations |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupPolicies/* | Create and manage backup policies |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupProtectableItems/* | Create and manage items which can be backed up |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupProtectedItems/* | Create and manage backed up items |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupProtectionContainers/* | Create and manage containers holding backup items |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupSecurityPIN/* |  |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services vault. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/certificates/* | Create and manage certificates related to backup in Recovery Services vault |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/extendedInformation/* | Create and manage extended info related to vault |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery services vault. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/monitoringConfigurations/* |  |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/registeredIdentities/* | Create and manage registered identities |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/usages/* | Create and manage usage of Recovery Services vault |
> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment |
> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupstorageconfig/* |  |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupconfig/* |  |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupValidateOperation/action | Validate Operation on Protected Item |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/write | Create Vault operation creates an Azure resource of type 'vault' |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/backupProtectionIntent/* |  |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectableContainers/read | Get all protectable containers |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/operationStatus/read | Gets Operation Status for a given Operation |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/operationResults/read | The Get Operation Results operation can be used to get the operation status and result for the asynchronously submitted operation |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupStatus/action | Check Backup Status for Recovery Services Vaults |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupPreValidateProtection/action |  |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupValidateFeatures/action | Validate Features |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/monitoringAlerts/write | Resolves the alert. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/operations/read | Operation returns the list of Operations for a Resource Provider |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/operationStatus/read | Gets Operation Status for a given Operation |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupProtectionIntents/read | List all backup Protection Intents |
> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/locations/getBackupStatus/action | Check Backup Status for Recovery Services Vaults |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/write | Creates a Backup Instance |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/delete | Deletes the Backup Instance |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/read | Returns all Backup Instances |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/read | Returns all Backup Instances |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/deletedBackupInstances/read | List soft-deleted Backup Instances in a Backup Vault. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/deletedBackupInstances/undelete/action | Perform undelete of soft-deleted Backup Instance. Backup Instance moves from SoftDeleted to ProtectionStopped state. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/backup/action | Performs Backup on the Backup Instance |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/validateRestore/action | Validates for Restore of the Backup Instance |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/restore/action | Triggers restore on the Backup Instance |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action | Triggers cross region restore operation on given backup instance. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action | Performs validations for cross region restore operation. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action | List cross region restore jobs of backup instance from secondary region. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action | Get cross region restore job details from secondary region. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action | Returns recovery points from secondary region for cross region restore enabled Backup Vaults. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupPolicies/write | Creates Backup Policy |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupPolicies/delete | Deletes the Backup Policy |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupPolicies/read | Returns all Backup Policies |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupPolicies/read | Returns all Backup Policies |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds Restorable Time Ranges |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/operationResults/read | Returns Backup Operation Result for Backup Vault. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/write | Update BackupVault operation updates an Azure resource of type 'Backup Vault' |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/operationResults/read | Gets Operation Result of a Patch Operation for a Backup Vault |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/locations/checkNameAvailability/action | Checks if the requested BackupVault Name is Available |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/locations/checkFeatureSupport/action | Validates if a feature is supported |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/validateForBackup/action | Validates for backup of Backup Instance |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/operations/read | Operation returns the list of Operations for a Resource Provider |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupResourceGuardProxies/delete | The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy' |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupResourceGuardProxies/read | Get the list of ResourceGuard proxies for a resource |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupResourceGuardProxies/unlockDelete/action | Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupResourceGuardProxies/write | Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy' |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupResourceGuardProxies/read | Get ResourceGuard proxy operation gets an object representing the Azure resource of type 'ResourceGuard proxy' |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupResourceGuardProxies/write | Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy' |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupResourceGuardProxies/delete | The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy' |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupResourceGuardProxies/unlockDelete/action | Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/validateForModifyBackup/action | Validates for modification of Backup Instance |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/SuspendBackups/action | Suspend Backups operation stops only backups of backup instance. Retention activities will continue and hence data will be retained as per policy. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/resumeProtection/action | Resume protection of a ProtectionStopped BI. |
> | **NotActions** |  |
> | *none* |  |
> | **DataActions** |  |
> | *none* |  |
> | **NotDataActions** |  |
> | *none* |  |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage backups, but can't delete vaults and give access to others",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b",
  "name": "5e467623-bb1f-42f4-a55d-6e525e11384b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.RecoveryServices/locations/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
        "Microsoft.RecoveryServices/Vaults/backupJobs/*",
        "Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
        "Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectedItems/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/*",
        "Microsoft.RecoveryServices/Vaults/backupSecurityPIN/*",
        "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
        "Microsoft.RecoveryServices/Vaults/certificates/*",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/*",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/*",
        "Microsoft.RecoveryServices/Vaults/usages/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
        "Microsoft.RecoveryServices/Vaults/backupconfig/*",
        "Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
        "Microsoft.RecoveryServices/Vaults/write",
        "Microsoft.RecoveryServices/Vaults/backupOperations/read",
        "Microsoft.RecoveryServices/Vaults/backupEngines/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read",
        "Microsoft.RecoveryServices/vaults/operationStatus/read",
        "Microsoft.RecoveryServices/vaults/operationResults/read",
        "Microsoft.RecoveryServices/locations/backupStatus/action",
        "Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",
        "Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
        "Microsoft.RecoveryServices/operations/read",
        "Microsoft.RecoveryServices/locations/operationStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
        "Microsoft.Support/*",
        "Microsoft.DataProtection/locations/getBackupStatus/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/write",
        "Microsoft.DataProtection/backupVaults/backupInstances/delete",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
        "Microsoft.DataProtection/backupVaults/deletedBackupInstances/undelete/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action",
        "Microsoft.DataProtection/backupVaults/backupPolicies/write",
        "Microsoft.DataProtection/backupVaults/backupPolicies/delete",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read",
        "Microsoft.DataProtection/backupVaults/write",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/operationResults/read",
        "Microsoft.DataProtection/backupVaults/operationStatus/read",
        "Microsoft.DataProtection/locations/checkNameAvailability/action",
        "Microsoft.DataProtection/locations/checkFeatureSupport/action",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/locations/operationStatus/read",
        "Microsoft.DataProtection/locations/operationResults/read",
        "Microsoft.DataProtection/backupVaults/validateForBackup/action",
        "Microsoft.DataProtection/operations/read",
        "Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/delete",
        "Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read",
        "Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/unlockDelete/action",
        "Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/write",
        "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read",
        "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write",
        "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete",
```
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action", "Microsoft.DataProtection/backupVaults/backupInstances/validateForModifyBackup/action", "Microsoft.DataProtection/backupVaults/backupInstances/SuspendBackups/action", "Microsoft.DataProtection/backupVaults/backupInstances/resumeProtection/action" ], "notActions": [], "dataActions": [], "notDataActions": [] } ], "roleName": "Backup Contributor", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Backup MUA Admin Backup MultiUser-Authorization. Can create/delete ResourceGuard [Learn more](/azure/backup/multi-user-authorization-concept) > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/*/read | | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/*/resourceGuards/write | | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/resourceGuards/write | Update ResourceGuard operation updates an Azure resource of type 'ResourceGuard' | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/resourceGuards/delete | The Delete ResourceGuard operation deletes the specified Azure resource of type 'ResourceGuard' | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/resourceGuards/read | Gets list of ResourceGuards in a Resource Group | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. 
| > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/locations/getBackupStatus/action | Check Backup Status for Recovery Services Vaults | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/locations/checkFeatureSupport/action | Validates if a feature is supported | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. | > | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | > | [Microsoft.Features](../permissions/management-and-governance.md#microsoftfeatures)/features/read | Gets the features of a subscription. | > | [Microsoft.Features](../permissions/management-and-governance.md#microsoftfeatures)/providers/features/read | Gets the feature of a subscription in a given resource provider. | > | [Microsoft.ResourceHealth](../permissions/management-and-governance.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | > | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | > | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | > | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | > | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/* | | > | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| > | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupResourceGuardProxies/read | Get ResourceGuard proxy operation gets an object representing the Azure resource of type 'ResourceGuard proxy' | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupResourceGuardProxies/write | Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy' | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupResourceGuardProxies/delete | The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy' | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupResourceGuardProxies/unlockDelete/action | Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/providers/resourceGuards/read | Gets list of ResourceGuards in a Subscription | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/resourceGuards/{operationName}/read | Gets ResourceGuard default operation request info | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | *none* | | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Backup MultiUser-Authorization. 
Can create/delete ResourceGuard ", "id": "/providers/Microsoft.Authorization/roleDefinitions/c2a970b4-16a7-4a51-8c84-8a8ea6ee0bb8", "name": "c2a970b4-16a7-4a51-8c84-8a8ea6ee0bb8", "permissions": [ { "actions": [ "Microsoft.DataProtection/*/read", "Microsoft.DataProtection/*/resourceGuards/write", "Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/write", "Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/delete", "Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/read", "Microsoft.DataProtection/locations/operationResults/read", "Microsoft.DataProtection/locations/operationStatus/read", "Microsoft.DataProtection/locations/getBackupStatus/action", "Microsoft.DataProtection/locations/checkFeatureSupport/action", "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/operationStatus/read", "Microsoft.Authorization/*/read", "Microsoft.Features/features/read", "Microsoft.Features/providers/features/read", "Microsoft.ResourceHealth/availabilityStatuses/read", "Microsoft.Resources/deployments/operations/read", "Microsoft.Resources/subscriptions/operationresults/read", "Microsoft.Resources/subscriptions/read", "Microsoft.Resources/subscriptions/resourcegroups/deployments/*", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Resources/deployments/*", "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read", "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write", "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete", "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action", "Microsoft.DataProtection/subscriptions/providers/resourceGuards/read", "Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/{operationName}/read" ], "notActions": [], "dataActions": [], "notDataActions": [] } ], "roleName": "Backup MUA Admin", "roleType": "BuiltInRole", 
"type": "Microsoft.Authorization/roleDefinitions" } ``` ## Backup MUA Operator Backup MultiUser-Authorization. Allows user to perform critical operation protected by resourceguard [Learn more](/azure/backup/multi-user-authorization-concept) > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/*/action | | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/*/read | | > | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | *none* | | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Backup MultiUser-Authorization. Allows user to perform critical operation protected by resourceguard", "id": "/providers/Microsoft.Authorization/roleDefinitions/f54b6d04-23c6-443e-b462-9c16ab7b4a52", "name": "f54b6d04-23c6-443e-b462-9c16ab7b4a52", "permissions": [ { "actions": [ "Microsoft.DataProtection/*/action", "Microsoft.DataProtection/*/read", "Microsoft.Authorization/*/read" ], "notActions": [], "dataActions": [], "notDataActions": [] } ], "roleName": "Backup MUA Operator", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Backup Operator Lets you manage backup services, except removal of backup, vault creation and giving access to others [Learn more](/azure/backup/backup-rbac-rs-vault) > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | > | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | > | 
[Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/operationResults/read | Returns status of the operation | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/operationResults/read | Gets result of Operation performed on Protection Container. | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action | Performs Backup for Protected Item. | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read | Gets Result of Operation Performed on Protected Items. | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read | Returns the status of Operation performed on Protected Items. | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the Protected Item | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action | Provision Instant Item Recovery for Protected Item | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action | Get AccessToken for Cross Region Restore. 
| > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read | Get Recovery Points for Protected Items. | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action | Restore Recovery Points for Protected Items. | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action | Revoke Instant Item Recovery for Protected Item | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/write | Create a backup Protected Item | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/read | Returns all registered containers | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/refreshContainers/action | Refreshes the container list | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupJobs/* | Create and manage backup jobs | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupJobsExport/action | Export Jobs | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupOperationResults/* | Create and manage Results of backup management operations | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupPolicies/operationResults/read | Get Results of Policy Operation. 
| > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupPolicies/read | Returns all Protection Policies | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupProtectableItems/* | Create and manage items which can be backed up | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupProtectedItems/read | Returns the list of all Protected Items. | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupProtectionContainers/read | Returns all containers belonging to the subscription | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services . | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/certificates/write | The Update Resource Certificate operation updates the resource/vault credential certificate. | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/extendedInformation/write | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery services vault. 
| > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/monitoringConfigurations/* | | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/registeredIdentities/operationResults/read | The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/registeredIdentities/read | The Get Containers operation can be used get the containers registered for a resource. | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/registeredIdentities/write | The Register Service Container operation can be used to register a container with Recovery Service. | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/usages/read | Returns usage details for a Recovery Services Vault. | > | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | > | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. 
| > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupstorageconfig/* | | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupValidateOperation/action | Validate Operation on Protected Item | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupTriggerValidateOperation/action | Validate Operation on Protected Item | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupValidateOperationResults/read | Validate Operation on Protected Item | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupValidateOperationsStatuses/read | Validate Operation on Protected Item | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupPolicies/operations/read | Get Status of Policy Operation. | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/write | Creates a registered container | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/inquire/action | Do inquiry for workloads within a container | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. 
| > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/backupProtectionIntent/write | Create a backup Protection Intent | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/backupProtectionIntent/read | Get a backup Protection Intent | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectableContainers/read | Get all protectable containers | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/items/read | Get all items in a container | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupStatus/action | Check Backup Status for Recovery Services Vaults | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupPreValidateProtection/action | | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupValidateFeatures/action | Validate Features | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupAadProperties/read | Get AAD Properties for authentication in the third region for Cross Region Restore. | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupCrrJobs/action | List Cross Region Restore Jobs in the secondary region for Recovery Services Vault. | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupCrrJob/action | Get Cross Region Restore Job Details in the secondary region for Recovery Services Vault. 
| > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupCrossRegionRestore/action | Trigger Cross region restore. | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupCrrOperationResults/read | Returns CRR Operation Result for Recovery Services Vault. | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupCrrOperationsStatus/read | Returns CRR Operation Status for Recovery Services Vault. | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/monitoringAlerts/write | Resolves the alert. | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/operations/read | Operation returns the list of Operations for a Resource Provider | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/operationStatus/read | Gets Operation Status for a given Operation | > | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupProtectionIntents/read | List all backup Protection Intents | > | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/read | Returns all Backup Instances | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/read | Returns all Backup Instances | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/operationResults/read | Returns Backup Operation Result for Backup Vault. 
| > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/write | Creates a Backup Instance | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/deletedBackupInstances/read | List soft-deleted Backup Instances in a Backup Vault. | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupPolicies/read | Returns all Backup Policies | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupPolicies/read | Returns all Backup Policies | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds Restorable Time Ranges | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/operationResults/read | Gets Operation Result of a Patch Operation for a Backup Vault | > | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/operationStatus/read | Returns Backup Operation Status for Backup Vault. 
|
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/operations/read | Operation returns the list of Operations for a Resource Provider |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/validateForBackup/action | Validates for backup of Backup Instance |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/backup/action | Performs Backup on the Backup Instance |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/validateRestore/action | Validates for Restore of the Backup Instance |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/restore/action | Triggers restore on the Backup Instance |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action | Triggers cross region restore operation on given backup instance. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action | Performs validations for cross region restore operation. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action | List cross region restore jobs of backup instance from secondary region. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action | Get cross region restore job details from secondary region. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action | Returns recovery points from secondary region for cross region restore enabled Backup Vaults. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/locations/checkFeatureSupport/action | Validates if a feature is supported |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupResourceGuardProxies/delete | The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy' |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupResourceGuardProxies/read | Get the list of ResourceGuard proxies for a resource |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupResourceGuardProxies/unlockDelete/action | Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupResourceGuardProxies/write | Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy' |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupResourceGuardProxies/read | Get ResourceGuard proxy operation gets an object representing the Azure resource of type 'ResourceGuard proxy' |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupResourceGuardProxies/write | Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy' |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupResourceGuardProxies/delete | The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy' |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupResourceGuardProxies/unlockDelete/action | Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/validateForModifyBackup/action | Validates for modification of Backup Instance |
> | **NotActions** |  |
> | *none* |  |
> | **DataActions** |  |
> | *none* |  |
> | **NotDataActions** |  |
> | *none* |  |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage backup services, except removal of backup, vault creation and giving access to others",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324",
  "name": "00c29273-979b-4161-815c-10b084fb9324",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action",
        "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
        "Microsoft.RecoveryServices/Vaults/backupJobs/*",
        "Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
        "Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
        "Microsoft.RecoveryServices/Vaults/certificates/write",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/read",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/write",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/write",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
        "Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
        "Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action",
        "Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read",
        "Microsoft.RecoveryServices/Vaults/backupOperations/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action",
        "Microsoft.RecoveryServices/Vaults/backupEngines/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read",
        "Microsoft.RecoveryServices/locations/backupStatus/action",
        "Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",
        "Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
        "Microsoft.RecoveryServices/locations/backupAadProperties/read",
        "Microsoft.RecoveryServices/locations/backupCrrJobs/action",
        "Microsoft.RecoveryServices/locations/backupCrrJob/action",
        "Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action",
        "Microsoft.RecoveryServices/locations/backupCrrOperationResults/read",
        "Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
        "Microsoft.RecoveryServices/operations/read",
        "Microsoft.RecoveryServices/locations/operationStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
        "Microsoft.Support/*",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/write",
        "Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/operationResults/read",
        "Microsoft.DataProtection/backupVaults/operationStatus/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/locations/operationStatus/read",
        "Microsoft.DataProtection/locations/operationResults/read",
        "Microsoft.DataProtection/operations/read",
        "Microsoft.DataProtection/backupVaults/validateForBackup/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action",
        "Microsoft.DataProtection/locations/checkFeatureSupport/action",
        "Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/delete",
        "Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read",
        "Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/unlockDelete/action",
        "Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/write",
        "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read",
        "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write",
        "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete",
        "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/validateForModifyBackup/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Backup Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

## Backup Reader

Can view backup services, but can't make changes [Learn more](/azure/backup/backup-rbac-rs-vault)

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/allocatedStamp/read | GetAllocatedStamp is internal operation used by service |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/operationResults/read | Returns status of the operation |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/operationResults/read | Gets result of Operation performed on Protection Container. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read | Gets Result of Operation Performed on Protected Items. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read | Returns the status of Operation performed on Protected Items. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the Protected Item |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read | Get Recovery Points for Protected Items. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/read | Returns all registered containers |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupJobs/operationResults/read | Returns the Result of Job Operation. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupJobs/read | Returns all Job Objects |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupJobsExport/action | Export Jobs |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupOperationResults/read | Returns Backup Operation Result for Recovery Services Vault. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupPolicies/operationResults/read | Get Results of Policy Operation. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupPolicies/read | Returns all Protection Policies |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupProtectedItems/read | Returns the list of all Protected Items. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupProtectionContainers/read | Returns all containers belonging to the subscription |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services Vault. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type 'vault' |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery services vault. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/registeredIdentities/operationResults/read | The Get Operation Results operation can be used to get the operation status and result for the asynchronously submitted operation |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/registeredIdentities/read | The Get Containers operation can be used to get the containers registered for a resource. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupstorageconfig/read | Returns Storage Configuration for Recovery Services Vault. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupconfig/read | Returns Configuration for Recovery Services Vault. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupPolicies/operations/read | Get Status of Policy Operation. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/backupProtectionIntent/read | Get a backup Protection Intent |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/items/read | Get all items in a container |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupStatus/action | Check Backup Status for Recovery Services Vaults |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/monitoringConfigurations/* |  |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/monitoringAlerts/write | Resolves the alert. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/operations/read | Operation returns the list of Operations for a Resource Provider |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/operationStatus/read | Gets Operation Status for a given Operation |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupProtectionIntents/read | List all backup Protection Intents |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/usages/read | Returns usage details for a Recovery Services Vault. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupValidateFeatures/action | Validate Features |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupCrrJobs/action | List Cross Region Restore Jobs in the secondary region for Recovery Services Vault. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupCrrJob/action | Get Cross Region Restore Job Details in the secondary region for Recovery Services Vault. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupCrrOperationResults/read | Returns CRR Operation Result for Recovery Services Vault. |
> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupCrrOperationsStatus/read | Returns CRR Operation Status for Recovery Services Vault. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/locations/getBackupStatus/action | Check Backup Status for Recovery Services Vaults |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/read | Returns all Backup Instances |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/deletedBackupInstances/read | List soft-deleted Backup Instances in a Backup Vault. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupPolicies/read | Returns all Backup Policies |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupPolicies/read | Returns all Backup Policies |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/operationResults/read | Returns Backup Operation Result for Backup Vault. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds Restorable Time Ranges |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/operationResults/read | Gets Operation Result of a Patch Operation for a Backup Vault |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/operations/read | Operation returns the list of Operations for a Resource Provider |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action | List cross region restore jobs of backup instance from secondary region. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action | Get cross region restore job details from secondary region. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action | Returns recovery points from secondary region for cross region restore enabled Backup Vaults. |
> | [Microsoft.DataProtection](../permissions/security.md#microsoftdataprotection)/locations/checkFeatureSupport/action | Validates if a feature is supported |
> | **NotActions** |  |
> | *none* |  |
> | **DataActions** |  |
> | *none* |  |
> | **NotDataActions** |  |
> | *none* |  |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can view backup services, but can't make changes",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912",
  "name": "a795c7a0-d4a2-40c1-ae25-d81f01202912",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.RecoveryServices/locations/allocatedStamp/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupJobs/read",
        "Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
        "Microsoft.RecoveryServices/Vaults/backupOperationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/read",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
        "Microsoft.RecoveryServices/Vaults/backupstorageconfig/read",
        "Microsoft.RecoveryServices/Vaults/backupconfig/read",
        "Microsoft.RecoveryServices/Vaults/backupOperations/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
        "Microsoft.RecoveryServices/Vaults/backupEngines/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read",
        "Microsoft.RecoveryServices/locations/backupStatus/action",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
        "Microsoft.RecoveryServices/operations/read",
        "Microsoft.RecoveryServices/locations/operationStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
        "Microsoft.RecoveryServices/locations/backupCrrJobs/action",
        "Microsoft.RecoveryServices/locations/backupCrrJob/action",
        "Microsoft.RecoveryServices/locations/backupCrrOperationResults/read",
        "Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read",
        "Microsoft.DataProtection/locations/getBackupStatus/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/operationResults/read",
        "Microsoft.DataProtection/backupVaults/operationStatus/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/locations/operationStatus/read",
        "Microsoft.DataProtection/locations/operationResults/read",
        "Microsoft.DataProtection/operations/read",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action",
        "Microsoft.DataProtection/locations/checkFeatureSupport/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Backup Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

## Classic Storage Account Contributor

Lets you manage classic storage accounts, but not access to them.
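Read "not access to them" as "no DataActions": the role carries `Microsoft.ClassicStorage/storageAccounts/*`, and a wildcard in an Azure RBAC action string matches across path segments, so it also covers `Microsoft.ClassicStorage/storageAccounts/listkeys/action` and `regeneratekey/action`, the two operations that make up the Classic Storage Account Key Operator Service Role below. Whoever can list an account key has full access to the data behind it. The same applies to the Data Box Reader role further down this page, whose Actions include `Microsoft.Databox/jobs/listcredentials/action` ("Lists the unencrypted credentials related to the order"). The script below is an added example, not part of this reference or of any Microsoft tooling. It applies the documented Azure RBAC matching rules (an operation is granted when it matches an Actions entry and no NotActions entry of the same role; `*` matches any run of characters, `/` included; matching is case-insensitive) to role definitions copied from this page and reports which of them reach credential-returning operations. The Data Lake Analytics Developer definition is abridged to the NotActions entries its table on this page shows; the list of credential-returning operations is assembled from operations listed on this page.

```python
"""Offline evaluator for Azure RBAC role definitions (added example, not Microsoft code).

Rules implemented, as documented for Azure RBAC:
  * an operation is granted when it matches an Actions entry and no NotActions
    entry of the same role (NotActions narrow Actions; they are not a deny rule);
  * "*" matches any run of characters, including "/" separators;
  * matching is case-insensitive (this page itself mixes "Vaults" and "vaults").
DataActions/NotDataActions follow the same rules; they are empty for every role
below and are not evaluated here.
"""
import json
import re

# Definitions copied from this page, reduced to the fields the evaluator reads.
# Data Lake Analytics Developer is abridged to the NotActions its table shows.
ROLE_DEFINITIONS = json.loads(r"""
[
  {"roleName": "Classic Storage Account Contributor",
   "permissions": [{"actions": [
      "Microsoft.Authorization/*/read",
      "Microsoft.ClassicStorage/storageAccounts/*",
      "Microsoft.Insights/alertRules/*",
      "Microsoft.ResourceHealth/availabilityStatuses/read",
      "Microsoft.Resources/deployments/*",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Support/*"
    ], "notActions": []}]},
  {"roleName": "Data Box Reader",
   "permissions": [{"actions": [
      "Microsoft.Authorization/*/read",
      "Microsoft.Databox/*/read",
      "Microsoft.Databox/jobs/listsecrets/action",
      "Microsoft.Databox/jobs/listcredentials/action",
      "Microsoft.Databox/locations/availableSkus/action",
      "Microsoft.Databox/locations/validateInputs/action",
      "Microsoft.Databox/locations/regionConfiguration/action",
      "Microsoft.Databox/locations/validateAddress/action",
      "Microsoft.ResourceHealth/availabilityStatuses/read",
      "Microsoft.Support/*"
    ], "notActions": []}]},
  {"roleName": "Data Lake Analytics Developer",
   "permissions": [{"actions": [
      "Microsoft.Authorization/*/read",
      "Microsoft.BigAnalytics/accounts/*",
      "Microsoft.DataLakeAnalytics/accounts/*",
      "Microsoft.Insights/alertRules/*",
      "Microsoft.ResourceHealth/availabilityStatuses/read",
      "Microsoft.Resources/deployments/*",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Support/*"
    ], "notActions": [
      "Microsoft.BigAnalytics/accounts/Delete",
      "Microsoft.BigAnalytics/accounts/TakeOwnership/action",
      "Microsoft.BigAnalytics/accounts/Write",
      "Microsoft.DataLakeAnalytics/accounts/Delete",
      "Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action",
      "Microsoft.DataLakeAnalytics/accounts/Write"
    ]}]}
]
""")

# Control-plane operations listed on this page that return credentials. A role
# that can call any of them has data access, whatever its description says.
CREDENTIAL_ACTIONS = (
    "Microsoft.ClassicStorage/storageAccounts/listkeys/action",
    "Microsoft.ClassicStorage/storageAccounts/regeneratekey/action",
    "Microsoft.Databox/jobs/listsecrets/action",
    "Microsoft.Databox/jobs/listcredentials/action",
)


def action_matches(pattern: str, operation: str) -> bool:
    """True when an Actions/NotActions entry covers the operation string."""
    # Each "*" becomes ".*"; everything else is matched literally, ignoring case.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def role_allows(role: dict, operation: str) -> bool:
    """Actions minus NotActions, taken across all permission blocks of the role."""
    actions = [p for perm in role["permissions"] for p in perm.get("actions", [])]
    not_actions = [p for perm in role["permissions"] for p in perm.get("notActions", [])]
    return (any(action_matches(p, operation) for p in actions)
            and not any(action_matches(p, operation) for p in not_actions))


def credential_exposure(roles=ROLE_DEFINITIONS, operations=CREDENTIAL_ACTIONS) -> dict:
    """Map each role name to the credential-returning operations it grants."""
    return {r["roleName"]: [op for op in operations if role_allows(r, op)] for r in roles}


if __name__ == "__main__":
    for name, ops in credential_exposure().items():
        print(f"{name}: {ops or 'none'}")
```

Run as written it reports `listkeys` and `regeneratekey` for Classic Storage Account Contributor, `listsecrets` and `listcredentials` for Data Box Reader, and nothing for Data Lake Analytics Developer, whose `accounts/*` wildcard is narrowed by its NotActions so that `accounts/Delete`, `accounts/Write` and `accounts/TakeOwnership/action` evaluate to not granted. The evaluator reads only `roleName` and `permissions[].actions` / `permissions[].notActions`, which is the shape `az role definition list` emits, so the same function can be pointed at custom roles in a subscription.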
> [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | > | [Microsoft.ClassicStorage](../permissions/storage.md#microsoftclassicstorage)/storageAccounts/* | Create and manage storage accounts | > | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | > | [Microsoft.ResourceHealth](../permissions/management-and-governance.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | > | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | > | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | > | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | *none* | | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Lets you manage classic storage accounts, but not access to them.", "id": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25", "name": "86e8f5dc-a6e9-4c67-9d15-de283e8eac25", "permissions": [ { "actions": [ "Microsoft.Authorization/*/read", "Microsoft.ClassicStorage/storageAccounts/*", "Microsoft.Insights/alertRules/*", "Microsoft.ResourceHealth/availabilityStatuses/read", "Microsoft.Resources/deployments/*", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Support/*" ], "notActions": [], "dataActions": [], "notDataActions": [] } ], "roleName": "Classic Storage Account Contributor", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## 
Classic Storage Account Key Operator Service Role Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts [Learn more](/azure/key-vault/secrets/overview-storage-keys) > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | [Microsoft.ClassicStorage](../permissions/storage.md#microsoftclassicstorage)/storageAccounts/listkeys/action | Lists the access keys for the storage accounts. | > | [Microsoft.ClassicStorage](../permissions/storage.md#microsoftclassicstorage)/storageAccounts/regeneratekey/action | Regenerates the existing access keys for the storage account. | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | *none* | | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts", "id": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d", "name": "985d6b00-f706-48f5-a6fe-d0ca12fb668d", "permissions": [ { "actions": [ "Microsoft.ClassicStorage/storageAccounts/listkeys/action", "Microsoft.ClassicStorage/storageAccounts/regeneratekey/action" ], "notActions": [], "dataActions": [], "notDataActions": [] } ], "roleName": "Classic Storage Account Key Operator Service Role", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Data Box Contributor Lets you manage everything under Data Box Service except giving access to others. 
[Learn more](/azure/databox/data-box-logs) > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | > | [Microsoft.ResourceHealth](../permissions/management-and-governance.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | > | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | > | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | > | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | > | [Microsoft.Databox](../permissions/migration.md#microsoftdatabox)/* | | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | *none* | | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Lets you manage everything under Data Box Service except giving access to others.", "id": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5", "name": "add466c9-e687-43fc-8d98-dfcf8d720be5", "permissions": [ { "actions": [ "Microsoft.Authorization/*/read", "Microsoft.ResourceHealth/availabilityStatuses/read", "Microsoft.Resources/deployments/*", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Support/*", "Microsoft.Databox/*" ], "notActions": [], "dataActions": [], "notDataActions": [] } ], "roleName": "Data Box Contributor", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Data Box Reader Lets you manage Data Box Service except creating order or editing order details and giving access to others. 
[Learn more](/azure/databox/data-box-logs)

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments |
> | [Microsoft.Databox](../permissions/migration.md#microsoftdatabox)/*/read | |
> | [Microsoft.Databox](../permissions/migration.md#microsoftdatabox)/jobs/listsecrets/action | |
> | [Microsoft.Databox](../permissions/migration.md#microsoftdatabox)/jobs/listcredentials/action | Lists the unencrypted credentials related to the order. |
> | [Microsoft.Databox](../permissions/migration.md#microsoftdatabox)/locations/availableSkus/action | This method returns the list of available skus. |
> | [Microsoft.Databox](../permissions/migration.md#microsoftdatabox)/locations/validateInputs/action | This method does all type of validations. |
> | [Microsoft.Databox](../permissions/migration.md#microsoftdatabox)/locations/regionConfiguration/action | This method returns the configurations for the region. |
> | [Microsoft.Databox](../permissions/migration.md#microsoftdatabox)/locations/validateAddress/action | Validates the shipping address and provides alternate addresses if any. |
> | [Microsoft.ResourceHealth](../permissions/management-and-governance.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket |
> | **NotActions** | |
> | *none* | |
> | **DataActions** | |
> | *none* | |
> | **NotDataActions** | |
> | *none* | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Data Box Service except creating order or editing order details and giving access to others.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
  "name": "028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Databox/*/read",
        "Microsoft.Databox/jobs/listsecrets/action",
        "Microsoft.Databox/jobs/listcredentials/action",
        "Microsoft.Databox/locations/availableSkus/action",
        "Microsoft.Databox/locations/validateInputs/action",
        "Microsoft.Databox/locations/regionConfiguration/action",
        "Microsoft.Databox/locations/validateAddress/action",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Box Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

## Data Lake Analytics Developer

Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts.
[Learn more](/azure/data-lake-analytics/data-lake-analytics-manage-use-portal)

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments |
> | Microsoft.BigAnalytics/accounts/* | |
> | [Microsoft.DataLakeAnalytics](../permissions/analytics.md#microsoftdatalakeanalytics)/accounts/* | |
> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
> | [Microsoft.ResourceHealth](../permissions/management-and-governance.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment |
> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket |
> | **NotActions** | |
> | Microsoft.BigAnalytics/accounts/Delete | |
> | Microsoft.BigAnalytics/accounts/TakeOwnership/action | |
> | Microsoft.BigAnalytics/accounts/Write | |
> | [Microsoft.DataLakeAnalytics](../permissions/analytics.md#microsoftdatalakeanalytics)/accounts/Delete | Delete a DataLakeAnalytics account. |
> | [Microsoft.DataLakeAnalytics](../permissions/analytics.md#microsoftdatalakeanalytics)/accounts/TakeOwnership/action | Grant permissions to cancel jobs submitted by other users. |
> | [Microsoft.DataLakeAnalytics](../permissions/analytics.md#microsoftdatalakeanalytics)/accounts/Write | Create or update a DataLakeAnalytics account. |
> | [Microsoft.DataLakeAnalytics](../permissions/analytics.md#microsoftdatalakeanalytics)/accounts/dataLakeStoreAccounts/Write | Create or update a linked DataLakeStore account of a DataLakeAnalytics account. |
> | [Microsoft.DataLakeAnalytics](../permissions/analytics.md#microsoftdatalakeanalytics)/accounts/dataLakeStoreAccounts/Delete | Unlink a DataLakeStore account from a DataLakeAnalytics account. |
> | [Microsoft.DataLakeAnalytics](../permissions/analytics.md#microsoftdatalakeanalytics)/accounts/storageAccounts/Write | Create or update a linked Storage account of a DataLakeAnalytics account. |
> | [Microsoft.DataLakeAnalytics](../permissions/analytics.md#microsoftdatalakeanalytics)/accounts/storageAccounts/Delete | Unlink a Storage account from a DataLakeAnalytics account. |
> | [Microsoft.DataLakeAnalytics](../permissions/analytics.md#microsoftdatalakeanalytics)/accounts/firewallRules/Write | Create or update a firewall rule. |
> | [Microsoft.DataLakeAnalytics](../permissions/analytics.md#microsoftdatalakeanalytics)/accounts/firewallRules/Delete | Delete a firewall rule. |
> | [Microsoft.DataLakeAnalytics](../permissions/analytics.md#microsoftdatalakeanalytics)/accounts/computePolicies/Write | Create or update a compute policy. |
> | [Microsoft.DataLakeAnalytics](../permissions/analytics.md#microsoftdatalakeanalytics)/accounts/computePolicies/Delete | Delete a compute policy. |
> | **DataActions** | |
> | *none* | |
> | **NotDataActions** | |
> | *none* | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88",
  "name": "47b7735b-770e-4598-a7da-8b91488b4c88",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.BigAnalytics/accounts/*",
        "Microsoft.DataLakeAnalytics/accounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.BigAnalytics/accounts/Delete",
        "Microsoft.BigAnalytics/accounts/TakeOwnership/action",
        "Microsoft.BigAnalytics/accounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/Delete",
        "Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action",
        "Microsoft.DataLakeAnalytics/accounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete",
        "Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete",
        "Microsoft.DataLakeAnalytics/accounts/firewallRules/Write",
        "Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete",
        "Microsoft.DataLakeAnalytics/accounts/computePolicies/Write",
        "Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Lake Analytics Developer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

## Defender for Storage Data Scanner

Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage.
> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/read | Returns list of containers |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/read | Returns blob service properties or statistics |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/shares/read | List file shares |
> | **NotActions** | |
> | *none* | |
> | **DataActions** | |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/tags/write | Returns the result of writing blob tags |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/tags/read | Returns the result of reading blob tags |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/delete | Returns the result of deleting a blob |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/readFileBackupSemantics/action | Read File Backup Semantics Privilege |
> | **NotDataActions** | |
> | *none* | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40",
  "name": "1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/read",
        "Microsoft.Storage/storageAccounts/fileServices/shares/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
        "Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Defender for Storage Data Scanner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

## Elastic SAN Network Admin

Allows access to create Private Endpoints on SAN resources, and to read SAN resources

[Learn more](/azure/storage/elastic-san/elastic-san-networking)

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | [Microsoft.ElasticSan](../permissions/storage.md#microsoftelasticsan)/elasticSans/*/read | |
> | [Microsoft.ElasticSan](../permissions/storage.md#microsoftelasticsan)/elasticSans/PrivateEndpointConnectionsApproval/action | |
> | [Microsoft.ElasticSan](../permissions/storage.md#microsoftelasticsan)/elasticSans/privateEndpointConnections/write | |
> | [Microsoft.ElasticSan](../permissions/storage.md#microsoftelasticsan)/elasticSans/privateEndpointConnections/delete | |
> | [Microsoft.ElasticSan](../permissions/storage.md#microsoftelasticsan)/locations/asyncoperations/read | Polls the status of an asynchronous operation. |
> | **NotActions** | |
> | *none* | |
> | **DataActions** | |
> | *none* | |
> | **NotDataActions** | |
> | *none* | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows access to create Private Endpoints on SAN resources, and to read SAN resources",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/fa6cecf6-5db3-4c43-8470-c540bcb4eafa",
  "name": "fa6cecf6-5db3-4c43-8470-c540bcb4eafa",
  "permissions": [
    {
      "actions": [
        "Microsoft.ElasticSan/elasticSans/*/read",
        "Microsoft.ElasticSan/elasticSans/PrivateEndpointConnectionsApproval/action",
        "Microsoft.ElasticSan/elasticSans/privateEndpointConnections/write",
        "Microsoft.ElasticSan/elasticSans/privateEndpointConnections/delete",
        "Microsoft.ElasticSan/locations/asyncoperations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Elastic SAN Network Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

## Elastic SAN Owner

Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments |
> | [Microsoft.ResourceHealth](../permissions/management-and-governance.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment |
> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
> | [Microsoft.ElasticSan](../permissions/storage.md#microsoftelasticsan)/elasticSans/* | |
> | [Microsoft.ElasticSan](../permissions/storage.md#microsoftelasticsan)/locations/* | |
> | **NotActions** | |
> | *none* | |
> | **DataActions** | |
> | *none* | |
> | **NotDataActions** | |
> | *none* | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/80dcbedb-47ef-405d-95bd-188a1b4ac406",
  "name": "80dcbedb-47ef-405d-95bd-188a1b4ac406",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ElasticSan/elasticSans/*",
        "Microsoft.ElasticSan/locations/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Elastic SAN Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

## Elastic SAN Reader

Allows for control path read access to Azure Elastic SAN

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. |
> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. |
> | [Microsoft.ResourceHealth](../permissions/management-and-governance.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
> | [Microsoft.ElasticSan](../permissions/storage.md#microsoftelasticsan)/elasticSans/*/read | |
> | **NotActions** | |
> | *none* | |
> | **DataActions** | |
> | *none* | |
> | **NotDataActions** | |
> | *none* | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for control path read access to Azure Elastic SAN",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/af6a70f8-3c9f-4105-acf1-d719e9fca4ca",
  "name": "af6a70f8-3c9f-4105-acf1-d719e9fca4ca",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ElasticSan/elasticSans/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Elastic SAN Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

## Elastic SAN Volume Group Owner

Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. |
> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. |
> | [Microsoft.ElasticSan](../permissions/storage.md#microsoftelasticsan)/elasticSans/volumeGroups/* | |
> | [Microsoft.ElasticSan](../permissions/storage.md#microsoftelasticsan)/locations/asyncoperations/read | Polls the status of an asynchronous operation. |
> | **NotActions** | |
> | *none* | |
> | **DataActions** | |
> | *none* | |
> | **NotDataActions** | |
> | *none* | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a8281131-f312-4f34-8d98-ae12be9f0d23",
  "name": "a8281131-f312-4f34-8d98-ae12be9f0d23",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read",
        "Microsoft.ElasticSan/elasticSans/volumeGroups/*",
        "Microsoft.ElasticSan/locations/asyncoperations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Elastic SAN Volume Group Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

## Reader and Data Access

Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/ListAccountSas/action | Returns the Account SAS token for the specified storage account. |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
> | **NotActions** | |
> | *none* | |
> | **DataActions** | |
> | *none* | |
> | **NotDataActions** | |
> | *none* | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349",
  "name": "c12c1c16-33a1-487b-954d-41c89c60f349",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/ListAccountSas/action",
        "Microsoft.Storage/storageAccounts/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Reader and Data Access",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

## Storage Account Backup Contributor

Lets you perform backup and restore operations using Azure Backup on the storage account.

[Learn more](/azure/backup/blob-backup-configure-manage)

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments |
> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/locks/read | Gets locks at the specified scope. |
> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/locks/write | Add locks at the specified scope. |
> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/locks/delete | Delete locks at the specified scope. |
> | [Microsoft.Features](../permissions/management-and-governance.md#microsoftfeatures)/features/read | Gets the features of a subscription. |
> | [Microsoft.Features](../permissions/management-and-governance.md#microsoftfeatures)/providers/features/read | Gets the feature of a subscription in a given resource provider. |
> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/operations/read | Polls the status of an asynchronous operation. |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/objectReplicationPolicies/delete | Delete object replication policy |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/objectReplicationPolicies/read | List object replication policies |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/objectReplicationPolicies/write | Create or update object replication policy |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/objectReplicationPolicies/restorePointMarkers/write | Create object replication restore point marker |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/read | Returns list of containers |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/write | Returns the result of put blob container |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/read | Returns blob service properties or statistics |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/write | Returns the result of put blob service properties |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/restoreBlobRanges/action | Restore blob ranges to the state of the specified time |
> | **NotActions** | |
> | *none* | |
> | **DataActions** | |
> | *none* | |
> | **NotDataActions** | |
> | *none* | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you perform backup and restore operations using Azure Backup on the storage account.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1",
  "name": "e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Authorization/locks/read",
        "Microsoft.Authorization/locks/write",
        "Microsoft.Authorization/locks/delete",
        "Microsoft.Features/features/read",
        "Microsoft.Features/providers/features/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/operations/read",
        "Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete",
        "Microsoft.Storage/storageAccounts/objectReplicationPolicies/read",
        "Microsoft.Storage/storageAccounts/objectReplicationPolicies/write",
        "Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/read",
        "Microsoft.Storage/storageAccounts/blobServices/write",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/restoreBlobRanges/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Account Backup Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

## Storage Account Contributor

Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization.

[Learn more](/azure/storage/common/storage-auth-aad)

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments |
> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server |
> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. |
> | [Microsoft.ResourceHealth](../permissions/management-and-governance.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment |
> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/* | Create and manage storage accounts |
> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket |
> | **NotActions** | |
> | *none* | |
> | **DataActions** | |
> | *none* | |
> | **NotDataActions** | |
> | *none* | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab",
  "name": "17d1049b-9a84-46fb-8f53-869881c3d3ab",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

## Storage Account Key Operator Service Role

Permits listing and regenerating storage account access keys.

[Learn more](/azure/storage/common/storage-account-keys-manage)

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/listkeys/action | Returns the access keys for the specified storage account. |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/regeneratekey/action | Regenerates the access keys for the specified storage account. |
> | **NotActions** | |
> | *none* | |
> | **DataActions** | |
> | *none* | |
> | **NotDataActions** | |
> | *none* | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12",
  "name": "81a9662b-bebf-436f-a333-f67b29880f12",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/regeneratekey/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Account Key Operator Service Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

## Storage Actions Blob Data Operator

Used by the Storage Actions - Storage Task to list & perform operations on the Storage Account blobs

[Learn more](/azure/storage-actions/storage-tasks/storage-task-authorization-roles)

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments |
> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment |
> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/read | Returns list of containers |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/write | Returns the result of put blob container |
> | **NotActions** | |
> | *none* | |
> | **DataActions** | |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/write | Returns the result of writing a blob |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/delete | Returns the result of deleting a blob |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/add/action | Returns the result of adding blob content |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/tags/read | Returns the result of reading blob tags |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/tags/write | Returns the result of writing blob tags |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action | Returns the result of the blob command |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action | |
> | **NotDataActions** | |
> | *none* | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Used by the Storage Actions - Storage Task to list & perform operations on the Storage Account blobs",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4bad4d9e-2a13-4888-94bb-c8432f6f3040",
  "name": "4bad4d9e-2a13-4888-94bb-c8432f6f3040",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Actions Blob Data Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

## Storage Actions Contributor

Used by the Storage Actions author to create, read, update, and delete Storage Actions

[Learn more](/azure/storage-actions/storage-tasks/storage-task-authorization-roles)

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments |
> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment |
> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
> | Microsoft.StorageActions/storageTasks/read | Gets the properties for the specified storage task |
> | Microsoft.StorageActions/storageTasks/write | Creates or updates storage task |
> | Microsoft.StorageActions/storageTasks/delete | Deletes an existing storage task |
> | Microsoft.StorageActions/storageTasks/storageTaskAssignments/read | List all storage task assignments of a storage task |
> | Microsoft.StorageActions/storageTasks/reports/read | List run statuses of a storage task |
> | Microsoft.StorageActions/locations/previewActions/action | previewActions |
> | **NotActions** | |
> | *none* | |
> | **DataActions** | |
> | *none* | |
> | **NotDataActions** | |
> | *none* | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Used by the Storage Actions author to create, read, update, and delete Storage Actions",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/bd8acdb0-202c-4493-a7fe-ef98eefbfbc4",
  "name": "bd8acdb0-202c-4493-a7fe-ef98eefbfbc4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.StorageActions/storageTasks/read",
        "Microsoft.StorageActions/storageTasks/write",
        "Microsoft.StorageActions/storageTasks/delete",
        "Microsoft.StorageActions/storageTasks/storageTaskAssignments/read",
        "Microsoft.StorageActions/storageTasks/reports/read",
        "Microsoft.StorageActions/locations/previewActions/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Actions Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

## Storage Actions Task Assignment Contributor

Used by the Storage Actions assigner to create a Task Assignment on their target Storage Account, with RBAC privileges for Managed Identity.

Includes an ABAC condition to constrain role assignments.

[Learn more](/azure/storage-actions/storage-tasks/storage-task-authorization-roles-assign)

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments |
> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment |
> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/reports/read | |
> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
| > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/read | Returns blob service properties or statistics | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/storageTaskAssignments/read | | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/storageTaskAssignments/write | | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/storageTaskAssignments/delete | | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/storageTaskAssignments/reports/read | | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | *none* | | > | **NotDataActions** | | > | *none* | | > | **Actions** | | > | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/write | Create a role assignment at the specified scope. | > | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/delete | Delete a role assignment at the specified scope. 
| > | **NotActions** | | > | *none* | | > | **DataActions** | | > | *none* | | > | **NotDataActions** | | > | *none* | | > | **Condition** | | > | ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{4bad4d9e2a13488894bbc8432f6f3040})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{4bad4d9e2a13488894bbc8432f6f3040})) | Add or remove role assignments for the following roles:<br/>Storage Actions Blob Data Operator | ```json { "assignableScopes": [ "/" ], "description": "Used by the Storage Actions assigner to create a Task Assignment on their target Storage Account, with RBAC privileges for Managed Identity", "id": "/providers/Microsoft.Authorization/roleDefinitions/77789c21-1643-48a2-8f27-47f858540b51", "name": "77789c21-1643-48a2-8f27-47f858540b51", "permissions": [ { "actions": [ "Microsoft.Authorization/*/read", "Microsoft.Insights/alertRules/*", "Microsoft.Resources/deployments/*", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Storage/storageAccounts/reports/read", "Microsoft.Storage/storageAccounts/read", "Microsoft.Storage/storageAccounts/blobServices/read", "Microsoft.Storage/storageAccounts/storageTaskAssignments/read", "Microsoft.Storage/storageAccounts/storageTaskAssignments/write", "Microsoft.Storage/storageAccounts/storageTaskAssignments/delete", "Microsoft.Storage/storageAccounts/storageTaskAssignments/reports/read" ], "notActions": [], "dataActions": [], "notDataActions": [] }, { "actions": [ "Microsoft.Authorization/roleAssignments/write", "Microsoft.Authorization/roleAssignments/delete" ], "notActions": [], "dataActions": [], "notDataActions": [], "conditionVersion": "2.0", "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR 
(@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{4bad4d9e2a13488894bbc8432f6f3040})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{4bad4d9e2a13488894bbc8432f6f3040}))" } ], "roleName": "Storage Actions Task Assignment Contributor", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Storage Blob Data Contributor Read, write, and delete Azure Storage containers and blobs. To learn which actions are required for a given data operation, see [Permissions for calling data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). [Learn more](/azure/storage/common/storage-auth-aad-rbac-portal) > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/delete | Delete a container. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/read | Return a container or a list of containers. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/write | Modify a container's metadata or properties. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/delete | Delete a blob. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/read | Return a blob or a list of blobs. 
| > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/write | Write to a blob. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/move/action | Moves the blob from one path to another | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/add/action | Returns the result of adding blob content | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Allows for read, write and delete access to Azure Storage blob containers and data", "id": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe", "name": "ba92f5b4-2d11-453d-a403-e96b0029c9fe", "permissions": [ { "actions": [ "Microsoft.Storage/storageAccounts/blobServices/containers/delete", "Microsoft.Storage/storageAccounts/blobServices/containers/read", "Microsoft.Storage/storageAccounts/blobServices/containers/write", "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action" ], "notActions": [], "dataActions": [ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action" ], "notDataActions": [] } ], "roleName": "Storage Blob Data Contributor", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Storage Blob Data Owner Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. 
To learn which actions are required for a given data operation, see [Permissions for calling data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). [Learn more](/azure/storage/common/storage-auth-aad-rbac-portal) > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/* | Full permissions on containers. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/* | Full permissions on blobs. | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control.", "id": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b", "name": "b7e6dc6d-f1e8-4753-8033-0f276bb0955b", "permissions": [ { "actions": [ "Microsoft.Storage/storageAccounts/blobServices/containers/*", "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action" ], "notActions": [], "dataActions": [ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*" ], "notDataActions": [] } ], "roleName": "Storage Blob Data Owner", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Storage Blob Data Reader Read and list Azure Storage containers and blobs. To learn which actions are required for a given data operation, see [Permissions for calling data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). 
[Learn more](/azure/storage/common/storage-auth-aad-rbac-portal) > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/read | Return a container or a list of containers. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/read | Return a blob or a list of blobs. | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Allows for read access to Azure Storage blob containers and data", "id": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", "name": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", "permissions": [ { "actions": [ "Microsoft.Storage/storageAccounts/blobServices/containers/read", "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action" ], "notActions": [], "dataActions": [ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read" ], "notDataActions": [] } ], "roleName": "Storage Blob Data Reader", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Storage Blob Delegator Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Azure AD credentials. For more information, see [Create a user delegation SAS](/rest/api/storageservices/create-user-delegation-sas). 
[Learn more](/rest/api/storageservices/get-user-delegation-key) > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | *none* | | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Allows for generation of a user delegation key which can be used to sign SAS tokens", "id": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a", "name": "db58b8e5-c6ad-4a2a-8342-4190687cbf4a", "permissions": [ { "actions": [ "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action" ], "notActions": [], "dataActions": [], "notDataActions": [] } ], "roleName": "Storage Blob Delegator", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Storage Connector Contributor Allows creating and managing storage connectors to access remote data sources in-place in a storage account. This role is in preview and subject to change. > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | > | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | > | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | > | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/listServiceSas/action | Returns the Service SAS token for the specified storage account. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/read | Returns blob service properties or statistics | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/read | Returns list of containers | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/write | Returns the result of put blob container | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/locations/DataManagementRPOperationStatuses/read | Get a DataManagamentRP operation status | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/locations/DataManagementRPOperationStatuses/write | Creates or updates a DataManagamentRP operation status | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/connectors/read | Returns the list of storage connectors or gets the properties of specified storage connector. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/connectors/delete | Delete a storage connector. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/connectors/write | Creates or updates a storage connector. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/connectors/testExistingConnection/action | Test the connection of an existing storage connector. 
| > | **NotActions** | | > | *none* | | > | **DataActions** | | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/write | Returns the result of writing a blob | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Allows creating and managing storage connectors to access remote data sources in-place in a storage account. This role is in preview and subject to change.", "id": "/providers/Microsoft.Authorization/roleDefinitions/9d819e60-1b9f-4871-b492-4e6cdee0b50a", "name": "9d819e60-1b9f-4871-b492-4e6cdee0b50a", "permissions": [ { "actions": [ "Microsoft.Authorization/*/read", "Microsoft.Insights/alertRules/*", "Microsoft.Resources/deployments/*", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Storage/storageAccounts/read", "Microsoft.Storage/storageAccounts/listServiceSas/action", "Microsoft.Storage/storageAccounts/blobServices/read", "Microsoft.Storage/storageAccounts/blobServices/containers/read", "Microsoft.Storage/storageAccounts/blobServices/containers/write", "Microsoft.Storage/locations/DataManagementRPOperationStatuses/read", "Microsoft.Storage/locations/DataManagementRPOperationStatuses/write", "Microsoft.Storage/storageAccounts/connectors/read", "Microsoft.Storage/storageAccounts/connectors/delete", "Microsoft.Storage/storageAccounts/connectors/write", "Microsoft.Storage/storageAccounts/connectors/testExistingConnection/action" ], "notActions": [], "dataActions": [ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write" ], "notDataActions": [] } ], "roleName": "Storage Connector Contributor", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Storage 
DataShare Contributor Allows creating and managing storage dataShares to share data from storage accounts in-place. This role is in preview and subject to change. > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | > | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | > | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | > | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/listServiceSas/action | Returns the Service SAS token for the specified storage account. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/read | Returns blob service properties or statistics | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/read | Returns list of containers | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/locations/DataManagementRPOperationStatuses/read | Get a DataManagamentRP operation status | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/locations/DataManagementRPOperationStatuses/write | Creates or updates a DataManagamentRP operation status | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/dataShares/read | Returns the list of storage data shares or gets the properties of specified storage data share. 
| > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/dataShares/delete | Delete a storage data share. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/dataShares/write | Creates or updates a storage data share. | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Allows creating and managing storage dataShares to share data from storage accounts in-place. This role is in preview and subject to change.", "id": "/providers/Microsoft.Authorization/roleDefinitions/35c49d44-ccc1-4b18-8267-cfb3bacdd396", "name": "35c49d44-ccc1-4b18-8267-cfb3bacdd396", "permissions": [ { "actions": [ "Microsoft.Authorization/*/read", "Microsoft.Insights/alertRules/*", "Microsoft.Resources/deployments/*", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Storage/storageAccounts/read", "Microsoft.Storage/storageAccounts/listServiceSas/action", "Microsoft.Storage/storageAccounts/blobServices/read", "Microsoft.Storage/storageAccounts/blobServices/containers/read", "Microsoft.Storage/locations/DataManagementRPOperationStatuses/read", "Microsoft.Storage/locations/DataManagementRPOperationStatuses/write", "Microsoft.Storage/storageAccounts/dataShares/read", "Microsoft.Storage/storageAccounts/dataShares/delete", "Microsoft.Storage/storageAccounts/dataShares/write" ], "notActions": [], "dataActions": [ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read" ], "notDataActions": [] } ], "roleName": "Storage DataShare Contributor", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Storage File Data Privileged Contributor Allows for read, write, delete, and modify ACLs on files/directories in Azure file 
shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers. > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | *none* | | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/write | Returns the result of writing a file or creating a folder | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/delete | Returns the result of deleting a file/folder | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/modifypermissions/action | Returns the result of modifying permission on a file/folder | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/readFileBackupSemantics/action | Read File Backup Semantics Privilege | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/writeFileBackupSemantics/action | Write File Backup Semantics Privilege | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Customer has read, write, delete and modify NTFS permission access on Azure Storage file shares.", "id": "/providers/Microsoft.Authorization/roleDefinitions/69566ab7-960f-475b-8e7c-b3118f30c6bd", "name": "69566ab7-960f-475b-8e7c-b3118f30c6bd", "permissions": [ { "actions": [], "notActions": [], "dataActions": [ "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read", "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write", "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete", 
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action", "Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action", "Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action" ], "notDataActions": [] } ], "roleName": "Storage File Data Privileged Contributor", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Storage File Data Privileged Reader Allows for read access on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers. > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | *none* | | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/readFileBackupSemantics/action | Read File Backup Semantics Privilege | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Customer has read access on Azure Storage file shares.", "id": "/providers/Microsoft.Authorization/roleDefinitions/b8eda974-7b85-4f76-af95-65846b26df6d", "name": "b8eda974-7b85-4f76-af95-65846b26df6d", "permissions": [ { "actions": [], "notActions": [], "dataActions": [ "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read", "Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action" ], "notDataActions": [] } ], "roleName": "Storage File Data Privileged Reader", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Storage File Data SMB Admin Allows for admin access equivalent to storage account key for end users over SMB. 
> [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | *none* | | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/write | Returns the result of writing a file or creating a folder | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/delete | Returns the result of deleting a file/folder | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/modifypermissions/action | Returns the result of modifying permission on a file/folder | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/readFileBackupSemantics/action | Read File Backup Semantics Privilege | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/writeFileBackupSemantics/action | Write File Backup Semantics Privilege | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/takeOwnership/action | File Take Ownership Privilege | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Allows for admin access equivalent to storage account key for end users over SMB.", "id": "/providers/Microsoft.Authorization/roleDefinitions/bbf004e3-0e4b-4f86-ae4f-1f8fb47b357b", "name": "bbf004e3-0e4b-4f86-ae4f-1f8fb47b357b", "permissions": [ { "actions": [], "notActions": [], "dataActions": [ "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read", "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write", "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete", 
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action", "Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action", "Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action", "Microsoft.Storage/storageAccounts/fileServices/takeOwnership/action" ], "notDataActions": [] } ], "roleName": "Storage File Data SMB Admin", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Storage File Data SMB MI Admin Allows for admin-level access for managed identities on files/directories in Azure file shares. > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | *none* | | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/readFileBackupSemantics/action | Read File Backup Semantics Privilege | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/writeFileBackupSemantics/action | Write File Backup Semantics Privilege | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/takeOwnership/action | File Take Ownership Privilege | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/runAsBuiltInFileAdministrator/action | Permission that gives built-in admin privilege for file share mounts via managed identity | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/write | Returns the result of writing a file or creating a folder | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/delete | Returns the result of deleting a 
file/folder | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/modifypermissions/action | Returns the result of modifying permission on a file/folder | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Allows for admin-level access for managed identities on files/directories in Azure file shares.", "id": "/providers/Microsoft.Authorization/roleDefinitions/a235d3ee-5935-4cfb-8cc5-a3303ad5995e", "name": "a235d3ee-5935-4cfb-8cc5-a3303ad5995e", "permissions": [ { "actions": [], "notActions": [], "dataActions": [ "Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action", "Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action", "Microsoft.Storage/storageAccounts/fileServices/takeOwnership/action", "Microsoft.Storage/storageAccounts/fileServices/runAsBuiltInFileAdministrator/action", "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read", "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write", "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete", "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action" ], "notDataActions": [] } ], "roleName": "Storage File Data SMB MI Admin", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Storage File Data SMB Share Contributor Allows for read, write, and delete access on files/directories in Azure file shares. This role has no built-in equivalent on Windows file servers. 
[Learn more](/azure/storage/files/storage-files-identity-auth-active-directory-enable) > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | *none* | | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/write | Returns the result of writing a file or creating a folder. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/delete | Returns the result of deleting a file/folder. | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Allows for read, write, and delete access in Azure Storage file shares over SMB", "id": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", "name": "0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", "permissions": [ { "actions": [], "notActions": [], "dataActions": [ "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read", "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write", "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete" ], "notDataActions": [] } ], "roleName": "Storage File Data SMB Share Contributor", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Storage File Data SMB Share Elevated Contributor Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares. This role is equivalent to a file share ACL of change on Windows file servers. 
[Learn more](/azure/storage/files/storage-files-identity-auth-active-directory-enable) > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | *none* | | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/write | Returns the result of writing a file or creating a folder. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/delete | Returns the result of deleting a file/folder. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/modifypermissions/action | Returns the result of modifying permission on a file/folder. | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB", "id": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7", "name": "a7264617-510b-434b-a828-9731dc254ea7", "permissions": [ { "actions": [], "notActions": [], "dataActions": [ "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read", "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write", "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete", "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action" ], "notDataActions": [] } ], "roleName": "Storage File Data SMB Share Elevated Contributor", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Storage File Data SMB Share Reader Allows for read access on files/directories in Azure file shares. 
This role is equivalent to a file share ACL of read on Windows file servers. [Learn more](/azure/storage/files/storage-files-identity-auth-active-directory-enable) > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | *none* | | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders. | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Allows for read access to Azure File Share over SMB", "id": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314", "name": "aba4ae5f-2193-4029-9191-0cb91df5e314", "permissions": [ { "actions": [], "notActions": [], "dataActions": [ "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read" ], "notDataActions": [] } ], "roleName": "Storage File Data SMB Share Reader", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Storage File Data SMB Take Ownership Allows end user to assume ownership of a file/directory > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | *none* | | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/takeOwnership/action | File Take Ownership Privilege | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Allows end user to assume ownership of a file/directory", "id": "/providers/Microsoft.Authorization/roleDefinitions/5d9bac3f-34b2-432f-bde5-78aa8e73ce6b", "name": "5d9bac3f-34b2-432f-bde5-78aa8e73ce6b", "permissions": [ { "actions": [], "notActions": [], "dataActions": [ "Microsoft.Storage/storageAccounts/fileServices/takeOwnership/action" ], "notDataActions": [] } ], "roleName": "Storage File Data SMB Take 
Ownership", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Storage File Delegator Get a user delegation key, which can then be used to create a shared access signature for a file or Azure file share that is signed with Azure AD credentials. For more information, see [Create a user delegation SAS](/rest/api/storageservices/create-user-delegation-sas). [Learn more](/rest/api/storageservices/get-user-delegation-key) > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/generateUserDelegationKey/action | Returns a user delegation key for the file service | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | *none* | | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Allows for generation of a user delegation key, which can then be used to create a shared access signature for a file or Azure file share that is signed with Entra ID credentials.", "id": "/providers/Microsoft.Authorization/roleDefinitions/765a04e0-5de8-4bb2-9bf6-b2a30bc03e91", "name": "765a04e0-5de8-4bb2-9bf6-b2a30bc03e91", "permissions": [ { "actions": [ "Microsoft.Storage/storageAccounts/fileServices/generateUserDelegationKey/action" ], "notActions": [], "dataActions": [], "notDataActions": [] } ], "roleName": "Storage File Delegator", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Storage Queue Data Contributor Read, write, and delete Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see [Permissions for calling data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). 
[Learn more](/azure/storage/common/storage-auth-aad-rbac-portal) > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/queues/delete | Delete a queue. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/queues/read | Return a queue or a list of queues. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/queues/write | Modify queue metadata or properties. | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/queues/messages/delete | Delete one or more messages from a queue. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/queues/messages/read | Peek or retrieve one or more messages from a queue. | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/queues/messages/write | Add a message to a queue. 
| > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/queues/messages/process/action | Returns the result of processing a message | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Allows for read, write, and delete access to Azure Storage queues and queue messages", "id": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88", "name": "974c5e8b-45b9-4653-ba55-5f855dd0fb88", "permissions": [ { "actions": [ "Microsoft.Storage/storageAccounts/queueServices/queues/delete", "Microsoft.Storage/storageAccounts/queueServices/queues/read", "Microsoft.Storage/storageAccounts/queueServices/queues/write" ], "notActions": [], "dataActions": [ "Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete", "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read", "Microsoft.Storage/storageAccounts/queueServices/queues/messages/write", "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action" ], "notDataActions": [] } ], "roleName": "Storage Queue Data Contributor", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Storage Queue Data Message Processor Peek, retrieve, and delete a message from an Azure Storage queue. To learn which actions are required for a given data operation, see [Permissions for calling data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). [Learn more](/azure/storage/common/storage-auth-aad-rbac-portal) > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | *none* | | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/queues/messages/read | Peek a message. 
| > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/queues/messages/process/action | Retrieve and delete a message. | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Allows for peek, receive, and delete access to Azure Storage queue messages", "id": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed", "name": "8a0f0c08-91a1-4084-bc3d-661d67233fed", "permissions": [ { "actions": [], "notActions": [], "dataActions": [ "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read", "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action" ], "notDataActions": [] } ], "roleName": "Storage Queue Data Message Processor", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Storage Queue Data Message Sender Add messages to an Azure Storage queue. To learn which actions are required for a given data operation, see [Permissions for calling data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). [Learn more](/azure/storage/common/storage-auth-aad-rbac-portal) > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | *none* | | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/queues/messages/add/action | Add a message to a queue. 
| > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Allows for sending of Azure Storage queue messages", "id": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", "name": "c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", "permissions": [ { "actions": [], "notActions": [], "dataActions": [ "Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action" ], "notDataActions": [] } ], "roleName": "Storage Queue Data Message Sender", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Storage Queue Data Reader Read and list Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see [Permissions for calling data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). [Learn more](/azure/storage/common/storage-auth-aad-rbac-portal) > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/queues/read | Returns a queue or a list of queues. | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/queues/messages/read | Peek or retrieve one or more messages from a queue. 
| > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Allows for read access to Azure Storage queues and queue messages", "id": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925", "name": "19e7f393-937e-4f77-808e-94535e297925", "permissions": [ { "actions": [ "Microsoft.Storage/storageAccounts/queueServices/queues/read" ], "notActions": [], "dataActions": [ "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read" ], "notDataActions": [] } ], "roleName": "Storage Queue Data Reader", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Storage Queue Delegator Get a user delegation key, which can then be used to create a shared access signature for an Azure Storage queue that is signed with Azure AD credentials. For more information, see [Create a user delegation SAS](/rest/api/storageservices/create-user-delegation-sas). [Learn more](/rest/api/storageservices/get-user-delegation-key) > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/generateUserDelegationKey/action | Returns a user delegation key for the queue service | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | *none* | | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Allows for generation of a user delegation key, which can then be used to create a shared access signature for an Azure Storage queue that is signed with Entra ID credentials.", "id": "/providers/Microsoft.Authorization/roleDefinitions/7ee386e9-84f0-448e-80a6-f185f6533131", "name": "7ee386e9-84f0-448e-80a6-f185f6533131", "permissions": [ { "actions": [ "Microsoft.Storage/storageAccounts/queueServices/generateUserDelegationKey/action" ], "notActions": [], "dataActions": [], "notDataActions": [] } ], "roleName": "Storage Queue 
Delegator", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Storage Table Data Contributor Allows for read, write and delete access to Azure Storage tables and entities > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/tableServices/tables/read | Query tables | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/tableServices/tables/write | Create tables | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/tableServices/tables/delete | Delete tables | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/tableServices/tables/entities/read | Query table entities | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/tableServices/tables/entities/write | Insert, merge, or replace table entities | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/tableServices/tables/entities/delete | Delete table entities | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/tableServices/tables/entities/add/action | Insert table entities | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/tableServices/tables/entities/update/action | Merge or update table entities | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Allows for read, write and delete access to Azure Storage tables and entities", "id": "/providers/Microsoft.Authorization/roleDefinitions/0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3", "name": "0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3", "permissions": [ { "actions": [ "Microsoft.Storage/storageAccounts/tableServices/tables/read", "Microsoft.Storage/storageAccounts/tableServices/tables/write", 
"Microsoft.Storage/storageAccounts/tableServices/tables/delete" ], "notActions": [], "dataActions": [ "Microsoft.Storage/storageAccounts/tableServices/tables/entities/read", "Microsoft.Storage/storageAccounts/tableServices/tables/entities/write", "Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete", "Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action", "Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action" ], "notDataActions": [] } ], "roleName": "Storage Table Data Contributor", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Storage Table Data Reader Allows for read access to Azure Storage tables and entities > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/tableServices/tables/read | Query tables | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/tableServices/tables/entities/read | Query table entities | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Allows for read access to Azure Storage tables and entities", "id": "/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6", "name": "76199698-9eea-4c19-bc75-cec21354c6b6", "permissions": [ { "actions": [ "Microsoft.Storage/storageAccounts/tableServices/tables/read" ], "notActions": [], "dataActions": [ "Microsoft.Storage/storageAccounts/tableServices/tables/entities/read" ], "notDataActions": [] } ], "roleName": "Storage Table Data Reader", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Storage Table Delegator Get a user delegation key, which can then be used to create a shared access signature for an Azure Storage table that is signed with Azure AD credentials. 
For more information, see [Create a user delegation SAS](/rest/api/storageservices/create-user-delegation-sas). [Learn more](/rest/api/storageservices/get-user-delegation-key) > [!div class="mx-tableFixed"] > | Actions | Description | > | --- | --- | > | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/tableServices/generateUserDelegationKey/action | Returns a user delegation key for the table service | > | **NotActions** | | > | *none* | | > | **DataActions** | | > | *none* | | > | **NotDataActions** | | > | *none* | | ```json { "assignableScopes": [ "/" ], "description": "Allows for generation of a user delegation key, which can then be used to create a shared access signature for an Azure Storage table that is signed with Entra ID credentials.", "id": "/providers/Microsoft.Authorization/roleDefinitions/965033a5-c8eb-4f35-b82f-fef460a3606d", "name": "965033a5-c8eb-4f35-b82f-fef460a3606d", "permissions": [ { "actions": [ "Microsoft.Storage/storageAccounts/tableServices/generateUserDelegationKey/action" ], "notActions": [], "dataActions": [], "notDataActions": [] } ], "roleName": "Storage Table Delegator", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } ``` ## Next steps - [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal)