Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
active-directory-b2c | Add Captcha | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/add-captcha.md | + + Title: Enable CAPTCHA in Azure Active Directory B2C +description: How to enable CAPTCHA for user flows and custom policies in Azure Active Directory B2C. ++++ Last updated : 01/17/2024++++zone_pivot_groups: b2c-policy-type ++#Customer intent: As a developer, I want to enable CAPTCHA in consumer-facing application that is secured by Azure Active Directory B2C, so that I can protect my sign-in and sign-up flows from automated attacks. ++++# Enable CAPTCHA in Azure Active Directory B2C +++Azure Active Directory B2C (Azure AD B2C) allows you to enable CAPTCHA prevent to automated attacks on your consumer-facing applications. Azure AD B2CΓÇÖs CAPTCHA supports both audio and visual CAPTCHA challenges. You can enable this security feature in both sign-up and sign-in flows for your local accounts. CAPTCHA isn't applicable for social identity providers' sign-in. ++> [!NOTE] +> This feature is in public preview ++## Prerequisites +++## Enable CAPTCHA +++1. Sign in to the [Azure portal](https://portal.azure.com). ++1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Azure AD B2C tenant from the **Directories + subscriptions** menu. ++1. In the left menu, select **Azure AD B2C**. Or, select **All services** and search for and select **Azure AD B2C**. ++1. Select **User flows**. ++1. Select the user flow for which you want to enable CAPTCHA. For example, *B2C_1_signinsignup*. ++1. Select **Properties**. ++1. Under **CAPTCHA (Preview)**, select the flow for which to enable CAPTCHA for, such as **Enable CAPTCHA - Sign Up**. ++1. Select **Save**. ++## Test the user flow ++Use the steps in [Test the user flow](tutorial-create-user-flows.md?pivots=b2c-user-flow#test-the-user-flow-1) to test and confirm that CAPTCHA is enabled for your chosen flow. 
You should be prompted to enter the characters you see or hear depending on the CAPTCHA type, visual or audio, you choose. +++++To enable CAPTCHA in your custom policy, you need to update your existing custom policy files. If you don't have any existing custom policy files, [Download the .zip file](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/archive/master.zip) or clone the repository from `https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack`. In this article, we update the XML files in */Display Controls Starterpack/LocalAccounts/* folder. ++### Declare claims ++You need more claims to enable CAPTCHA in your custom policy: ++1. In VS Code, open the *TrustFrameworkBase.XML* file. ++1. In the `ClaimsSchema` section, declare claims by using the following code: ++ ```xml + <!--<ClaimsSchema>--> + ... + <ClaimType Id="inputSolution"> + <DataType>string</DataType> + </ClaimType> ++ <ClaimType Id="solved"> + <DataType>boolean</DataType> + </ClaimType> ++ <ClaimType Id="reason"> + <DataType>string</DataType> + </ClaimType> ++ <ClaimType Id="azureregion"> + <DataType>string</DataType> + </ClaimType> ++ <ClaimType Id="challengeId"> + <DisplayName>The ID of the generated captcha</DisplayName> + <DataType>string</DataType> + <UserHelpText>Captcha challenge identifier</UserHelpText> + <UserInputType>Paragraph</UserInputType> + </ClaimType> ++ <ClaimType Id="challengeType"> + <DisplayName>Type of captcha (visual / audio)</DisplayName> + <DataType>string</DataType> + <UserHelpText>Captcha challenge type</UserHelpText> + <UserInputType>Paragraph</UserInputType> + </ClaimType> ++ <ClaimType Id="challengeString"> + <DisplayName>Captcha challenge code</DisplayName> + <DataType>string</DataType> + <UserHelpText>Captcha challenge code</UserHelpText> + <UserInputType>Paragraph</UserInputType> + </ClaimType> ++ <ClaimType Id="captchaEntered"> + <DisplayName>Captcha entered by the user</DisplayName> + 
<DataType>string</DataType> + <UserHelpText>Enter the characters you see</UserHelpText> + <UserInputType>TextBox</UserInputType> + </ClaimType> ++ <ClaimType Id="isCaptchaSolved"> + <DisplayName>Flag indicating that the captcha was successfully solved</DisplayName> + <DataType>boolean</DataType> + </ClaimType> + ... + <!--<ClaimsSchema>--> + ``` ++### Configure a display control ++To enable CAPTCHA for your custom policy, you use a [CAPTCHA display Control](display-control-captcha.md). The CAPTCHA display control generates and renders the CAPTCHA image. ++In the *TrustFrameworkBase.XML* file, locate the `DisplayControls` element, then add the following display control as a child element. If you don't already have `DisplayControls` element, add one. ++```xml +<!--<DisplayControls>--> +... +<DisplayControl Id="captchaControlChallengeCode" UserInterfaceControlType="CaptchaControl" DisplayName="Help us beat the bots"> + <InputClaims> + <InputClaim ClaimTypeReferenceId="challengeType" /> + <InputClaim ClaimTypeReferenceId="challengeId" /> + </InputClaims> ++ <DisplayClaims> + <DisplayClaim ClaimTypeReferenceId="challengeType" ControlClaimType="ChallengeType" /> + <DisplayClaim ClaimTypeReferenceId="challengeId" ControlClaimType="ChallengeId" /> + <DisplayClaim ClaimTypeReferenceId="challengeString" ControlClaimType="ChallengeString" /> + <DisplayClaim ClaimTypeReferenceId="captchaEntered" ControlClaimType="CaptchaEntered" /> + </DisplayClaims> ++ <Actions> + <Action Id="GetChallenge"> + <ValidationClaimsExchange> + <ValidationClaimsExchangeTechnicalProfile + TechnicalProfileReferenceId="HIP-GetChallenge" /> + </ValidationClaimsExchange> + </Action> ++ <Action Id="VerifyChallenge"> + <ValidationClaimsExchange> + <ValidationClaimsExchangeTechnicalProfile + TechnicalProfileReferenceId="HIP-VerifyChallenge" /> + </ValidationClaimsExchange> + </Action> + </Actions> +</DisplayControl> +... 
+<!--</DisplayControls>--> +``` ++### Configure a CAPTCHA technical profile ++Azure AD B2C [CAPTCHA technical profile](captcha-technical-profile.md) verifies the CAPTCHA challenge. This technical profile can generate a CAPTCHA code or verify it depending on how you configure it. ++In the *TrustFrameworkBase.XML* file, locate the `ClaimsProviders` element and add the claims provider by using the following code: ++```xml +<!--<ClaimsProvider>--> +... +<ClaimsProvider> ++ <DisplayName>HIPChallenge</DisplayName> ++ <TechnicalProfiles> ++ <TechnicalProfile Id="HIP-GetChallenge"> + <DisplayName>GetChallenge</DisplayName> + <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.CaptchaProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" /> + <Metadata> + <Item Key="Operation">GetChallenge</Item> + <Item Key="Brand">HIP</Item> + </Metadata> + <InputClaims> + <InputClaim ClaimTypeReferenceId="challengeType" /> + </InputClaims> + <DisplayClaims> + <DisplayClaim ClaimTypeReferenceId="challengeString" /> + </DisplayClaims> + <OutputClaims> + <OutputClaim ClaimTypeReferenceId="challengeId" /> + <OutputClaim ClaimTypeReferenceId="challengeString" PartnerClaimType="ChallengeString" /> + <OutputClaim ClaimTypeReferenceId="azureregion" /> + </OutputClaims> + </TechnicalProfile> + <TechnicalProfile Id="HIP-VerifyChallenge"> + <DisplayName>Verify Code</DisplayName> + <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.CaptchaProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" /> + <Metadata> + <Item Key="Brand">HIP</Item> + <Item Key="Operation">VerifyChallenge</Item> + </Metadata> + <InputClaims> + <InputClaim ClaimTypeReferenceId="challengeType" DefaultValue="Visual" /> + <InputClaim ClaimTypeReferenceId="challengeId" /> + <InputClaim ClaimTypeReferenceId="captchaEntered" PartnerClaimType="inputSolution" Required="true" /> + <InputClaim ClaimTypeReferenceId="azureregion" /> + </InputClaims> + <DisplayClaims> + 
<DisplayClaim ClaimTypeReferenceId="captchaEntered" /> + </DisplayClaims> + <OutputClaims> + <OutputClaim ClaimTypeReferenceId="challengeId" /> + <OutputClaim ClaimTypeReferenceId="isCaptchaSolved" PartnerClaimType="solved" /> + <OutputClaim ClaimTypeReferenceId="reason" PartnerClaimType="reason" /> + </OutputClaims> + </TechnicalProfile> + </TechnicalProfiles> +</ClaimsProvider> +... +<!--<ClaimsProviders>--> +``` ++The CAPTCHA technical profile that you configure with the *GetChallenge* operation generates and display the CAPTCHA challenge string. The CAPTCHA technical profile that you configure with the *VerifyChallenge* verifies the challenge string that the user inputs. ++### Update content definition's page layouts ++For the various page layouts, use the following page layout versions: ++|Page layout |Page layout version range | +||| +| Selfasserted | >=2.1.29 | +| Unifiedssp | >=2.1.17 | +| Multifactor | >=1.2.15 | ++**Example:** ++In the *TrustFrameworkBase.XML* file, under the `ContentDefinitions` element, locate a content definition with *Id="api.localaccountsignup"*, then updates its *DataUri* as shown in the following code: ++```xml +<!<ContentDefinitions>--> +... +<ContentDefinition Id="api.localaccountsignup"> + ... + <!--Update this DataUri--> + <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.27</DataUri> + ... +</ContentDefinition> +... +<!</ContentDefinitions>--> +``` +We specify the selfasserted page layout version as *2.1.27*. ++Once you configure your technical profiles and display controls, you can specify the flow for which you want to enable CAPTCHA. ++### Enable CAPTCHA for sign-up or sign-in flow + +To enable CAPTCHA for your sign-up or sign-in flow, use the following steps: ++1. Inspect your sign-up sign-in user journey, such as *SignUpOrSignIn*, to identify the self asserted technical profile that displays your sign-up or sign-in experience. ++1. 
In the technical profile, such as *LocalAccountSignUpWithLogonEmail*, add a metadata key and a display claim entry as shown in the following code: ++```xml +<TechnicalProfile Id="LocalAccountSignUpWithLogonEmail"> + ... + <Metadata> + ... + <!--Add this metadata entry. Set value to true to activate CAPTCHA--> + <Item Key="setting.enableCaptchaChallenge">true</Item> + ... + </Metadata> + ... + <DisplayClaims> + ... + <!--Add this display claim, which is a reference to the captcha display control--> + <DisplayClaim DisplayControlReferenceId="captchaControlChallengeCode" /> + ... + </DisplayClaims> + ... +</TechnicalProfile> +``` +The display claim entry references the display control that you configured earlier. ++### Enable CAPTCHA in MFA flow ++To enable CAPTCHA in MFA flow, you need to make an update in two technical profiles, that is, in the self-asserted technical profile, and in the [phone factor technical profile](phone-factor-technical-profile.md): ++1. Inspect your sign-up sign-in user journey, such as *SignUpOrSignIn*, to identify the self-asserted technical profile and phone factor technical profiles that are responsible for your sign-up or sign-in flow. ++1. In both of the technical profiles, add a metadata key and a display claim entry as shown in the following code: ++```xml +<TechnicalProfile Id="PhoneFactor-InputOrVerify"> + ... + <Metadata> + ... + <!--Add this metadata entry. Value set to true--> + <Item Key="setting.enableCaptchaChallenge">true</Item> + ... + </Metadata> + ... + <DisplayClaims> + ... + <!--Add this display claim--> + <DisplayClaim DisplayControlReferenceId="captchaControlChallengeCode" /> + ... + </DisplayClaims> + ... +</TechnicalProfile> +``` ++> [!NOTE] +> - You can't add CAPTCHA to an MFA step in a sign-up only user flow. +> - In an MFA flow, CAPTCHA is applicable where the MFA method you select is SMS or phone call, SMS only or Phone call only. 
++## Upload the custom policy files ++Use the steps in [Upload the policies](tutorial-create-user-flows.md?pivots=b2c-custom-policy&branch=pr-en-us-260336#upload-the-policies) to upload your custom policy files. ++## Test the custom policy ++Use the steps in [Test the custom policy](tutorial-create-user-flows.md?pivots=b2c-custom-policy#test-the-custom-policy) to test and confirm that CAPTCHA is enabled for your chosen flow. You should be prompted to enter the characters you see or hear depending on the CAPTCHA type, visual or audio, you choose. ++## Next steps ++- Learn how to [Define a CAPTCHA technical profile](captcha-technical-profile.md). +- Learn how to [Configure CAPTCHA display control](display-control-captcha.md). |
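Review bot: the page-layout version table in the "Update content definition's page layouts" section requires Selfasserted >=2.1.29, but the example directly below it sets `<DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.27</DataUri>` and the follow-up sentence says "We specify the selfasserted page layout version as *2.1.27*", which is below the stated minimum. Either the table or the example is wrong; align them so a reader who copies the snippet gets a layout version that the page itself says supports the CAPTCHA control. The same snippet's XML comments are malformed (`<!<ContentDefinitions>-->` and `<!</ContentDefinitions>-->` are missing the `--` after `<!`), and the closing comments of the ClaimsSchema and ClaimsProviders snippets repeat the opening form (`<!--<ClaimsSchema>-->`, `<!--<ClaimsProviders>-->`) where `<!--</ClaimsSchema>-->` and `<!--</ClaimsProviders>-->` were intended; the ClaimsProviders snippet also opens with `<!--<ClaimsProvider>-->` (singular) while the element it sits in is `ClaimsProviders`.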
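Review bot: the "Upload the custom policy files" link carries a preview-branch query parameter, `tutorial-create-user-flows.md?pivots=b2c-custom-policy&branch=pr-en-us-260336#upload-the-policies`; `branch=pr-en-us-260336` is a review artefact and should be removed before publishing, otherwise the live page sends readers to a PR build. The `## Prerequisites` heading near the top has no content under it; either add the prerequisites or drop the heading.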
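Review bot: several sentences in the new article need a grammar pass before merge: the intro reads "enable CAPTCHA prevent to automated attacks" (should be "to prevent automated attacks"); the portal step says "select the flow for which to enable CAPTCHA for" (drop the trailing "for"); the ContentDefinitions step says "then updates its *DataUri*" (should be "update"); and the paragraph after the claims-provider snippet says "generates and display the CAPTCHA challenge string" and "configure with the *VerifyChallenge* verifies" (should be "displays" and "with the *VerifyChallenge* operation verifies"). The note "This feature is in public preview" should also end with a period.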
active-directory-b2c | Captcha Technical Profile | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/captcha-technical-profile.md | + + Title: Define a CAPTCHA technical profile in a custom policy ++description: Define a CAPTCHA technical profile custom policy in Azure Active Directory B2C. +++++++ Last updated : 01/17/2024++++#Customer intent: As a developer integrating a customer-facing application with Azure AD B2C, I want to define a CAPTCHA technical profile, so that I can secure sign-up and sign-in flows from automated attacks. +++# Define a CAPTCHA technical profile in an Azure Active Directory B2C custom policy +++A Completely Automated Public Turing Tests to Tell Computer and Human Apart (CAPTCHA) technical profiles enables Azure Active Directory B2C (Azure AD B2C) to prevent automated attacks. Azure AD B2C's CAPTCHA technical profile supports both audio and visual CAPTCHA challenges types. ++## Protocol ++The **Name** attribute of the **Protocol** element needs to be set to `Proprietary`. The **handler** attribute must contain the fully qualified name of the protocol handler assembly that is used by Azure AD B2C, for CAPTCHA: +`Web.TPEngine.Providers.CaptchaProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null` ++> [!NOTE] +> This feature is in public preview ++The following example shows a self-asserted technical profile for email sign-up: ++```xml +<TechnicalProfile Id="HIP-GetChallenge"> + <DisplayName>Email signup</DisplayName> + <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.CaptchaProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" /> +``` +## CAPTCHA technical profile operations ++CAPTCHA technical profile operations have two operations: ++- **Get challenge operation** generates the CAPTCHA code string, then displays it on the user interface by using a [CAPTCHA display control](display-control-captcha.md). The display includes an input textbox. 
This operation directs the user to input the characters they see or hear into the input textbox. The user can switch between visual and audio challenge types as needed. ++- **Verify code operation** verifies the characters input by the user. ++## Get challenge ++The first operation generates the CAPTCHA code string, then displays it on the user interface. ++### Input claims ++The **InputClaims** element contains a list of claims to send to Azure AD B2C's CAPTCHA service. ++ | ClaimReferenceId | Required | Description | +| | -- | -- | +| challengeType | No | The CAPTCHA challenge type, Audio or Visual (default).| +| azureregion | Yes | The service region that serves the CAPTCHA challenge request. | ++### Display claims ++The **DisplayClaims** element contains a list of claims to be presented on the screen for the user to see. For example, the user is presented with the CAPTCHA challenge code to read. ++ | ClaimReferenceId | Required | Description | +| | -- | -- | +| challengeString | Yes | The CAPTCHA challenge code.| +++### Output claims ++The **OutputClaims** element contains a list of claims returned by the CAPTCHA technical profile. 
++| ClaimReferenceId | Required | Description | +| | -- | -- | +| challengeId | Yes | A unique identifier for CAPTCHA challenge code.| +| challengeString | Yes | The CAPTCHA challenge code.| +| azureregion | Yes | The service region that serves the CAPTCHA challenge request.| +++### Metadata + | Attribute | Required | Description | +| | -- | -- | +| Operation | Yes | Value must be *GetChallenge*.| +| Brand | Yes | Value must be *HIP*.| ++### Example: Generate CAPTCHA code ++The following example shows a CAPTCHA technical profile that you use to generate a code: ++```xml +<TechnicalProfile Id="HIP-GetChallenge"> + <DisplayName>GetChallenge</DisplayName> + <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.CaptchaProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" /> ++ <Metadata> + <Item Key="Operation">GetChallenge</Item> + <Item Key="Brand">HIP</Item> + </Metadata> ++ <InputClaims> + <InputClaim ClaimTypeReferenceId="challengeType" /> + </InputClaims> ++ <DisplayClaims> + <DisplayClaim ClaimTypeReferenceId="challengeString" /> + </DisplayClaims> ++ <OutputClaims> + <OutputClaim ClaimTypeReferenceId="challengeId" /> + <OutputClaim ClaimTypeReferenceId="challengeString" PartnerClaimType="ChallengeString" /> + <OutputClaim ClaimTypeReferenceId="azureregion" /> + </OutputClaims> ++</TechnicalProfile> +``` +++## Verify challenge ++The second operation verifies the CAPTCHA challenge. ++### Input claims ++The **InputClaims** element contains a list of claims to send to Azure AD B2C's CAPTCHA service. ++ | ClaimReferenceId | Required | Description | +| | -- | -- | +| challengeType | No | The CAPTCHA challenge type, Audio or Visual (default).| +|challengeId| Yes | A unique identifier for CAPTCHA used for session verification. Populated from the *GetChallenge* call. | +|captchaEntered| Yes | The challenge code that the user inputs into the challenge textbox on the user interface. 
| +|azureregion| Yes | The service region that serves the CAPTCHA challenge request. Populated from the *GetChallenge* call.| +++### Display claims ++The **DisplayClaims** element contains a list of claims to be presented on the screen for collecting an input from the user. ++ | ClaimReferenceId | Required | Description | +| | -- | -- | +| captchaEntered | Yes | The CAPTCHA challenge code entered by the user.| ++### Output claims ++The **OutputClaims** element contains a list of claims returned by the captcha technical profile. ++| ClaimReferenceId | Required | Description | +| | -- | -- | +| challengeId | Yes | A unique identifier for CAPTCHA used for session verification.| +| isCaptchaSolved | Yes | A flag indicating whether the CAPTCHA challenge is successfully solved.| +| reason | Yes | Used to communicate to the user whether the attempt to solve the challenge is successful or not. | ++### Metadata + | Attribute | Required | Description | +| | -- | -- | +| Operation | Yes | Value must be **VerifyChallenge**.| +| Brand | Yes | Value must be **HIP**.| ++### Example: Verify CAPTCHA code ++The following example shows a CAPTCHA technical profile that you use to verify a CAPTCHA code: ++```xml + <TechnicalProfile Id="HIP-VerifyChallenge"> + <DisplayName>Verify Code</DisplayName> + <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.CaptchaProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" /> + <Metadata> + <Item Key="Brand">HIP</Item> + <Item Key="Operation">VerifyChallenge</Item> + </Metadata> ++ <InputClaims> + <InputClaim ClaimTypeReferenceId="challengeType" DefaultValue="Visual" /> + <InputClaim ClaimTypeReferenceId="challengeId" /> + <InputClaim ClaimTypeReferenceId="captchaEntered" PartnerClaimType="inputSolution" Required="true" /> + <InputClaim ClaimTypeReferenceId="azureregion" /> + </InputClaims> ++ <DisplayClaims> + <DisplayClaim ClaimTypeReferenceId="captchaEntered" /> + </DisplayClaims> ++ <OutputClaims> + 
<OutputClaim ClaimTypeReferenceId="challengeId" /> + <OutputClaim ClaimTypeReferenceId="isCaptchaSolved" PartnerClaimType="solved" /> + <OutputClaim ClaimTypeReferenceId="reason" PartnerClaimType="reason" /> + </OutputClaims> ++ </TechnicalProfile> +``` ++## Next steps ++- [Enable CAPTCHA in Azure Active Directory B2C](add-captcha.md). |
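Review bot: in the "Protocol" section the lead-in says "The following example shows a self-asserted technical profile for email sign-up", but the snippet that follows is `<TechnicalProfile Id="HIP-GetChallenge">` with `<DisplayName>Email signup</DisplayName>` and the `CaptchaProvider` handler, which looks copied from the self-asserted technical profile page. Reword the lead-in to describe a CAPTCHA technical profile and change the DisplayName to match the full example later on the page, which uses `<DisplayName>GetChallenge</DisplayName>`.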
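Review bot: the "Get challenge" input-claims table marks `azureregion` as Required = Yes, but the "Example: Generate CAPTCHA code" snippet lists only `challengeType` under `<InputClaims>` and returns `azureregion` as an `<OutputClaim>`, and the "Verify challenge" input table says azureregion is "Populated from the *GetChallenge* call". Either the Required value for azureregion in the GetChallenge input table should be No (or the row removed), or the example needs the input claim; as written a reader cannot tell which direction the claim flows. Minor: the opening sentence "A Completely Automated Public Turing Tests to Tell Computer and Human Apart (CAPTCHA) technical profiles enables" mixes singular and plural, "CAPTCHA technical profile operations have two operations" is circular, and both `### Metadata` headings are followed directly by the table with no blank line, which many markdown renderers will not parse as a table.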
active-directory-b2c | Custom Policy Developer Notes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/custom-policy-developer-notes.md | Azure Active Directory B2C [user flows and custom policies](user-flow-overview.m | [Phone sign-up and sign-in](phone-authentication-user-flows.md) | GA | GA | | | [Conditional Access and Identity Protection](conditional-access-user-flow.md) | GA | GA | Not available for SAML applications | | [Smart lockout](threat-management.md) | GA | GA | |+| [CAPTCHA](add-captcha.md) | Preview | Preview | You can enable it during sign-up or sign-in for Local accounts. | ## OAuth 2.0 application authorization flows The following table summarizes the Security Assertion Markup Language (SAML) app |[Amazon](identity-provider-amazon.md) | GA | GA | | |[Apple](identity-provider-apple-id.md) | GA | GA | | |[Microsoft Entra ID (Single-tenant)](identity-provider-azure-ad-single-tenant.md) | GA | GA | |-|[Microsoft Entra ID (Multi-tenant)](identity-provider-azure-ad-multi-tenant.md) | NA | GA | | +|[Microsoft Entra ID (multitenant)](identity-provider-azure-ad-multi-tenant.md) | NA | GA | | |[Azure AD B2C](identity-provider-azure-ad-b2c.md) | GA | GA | | |[eBay](identity-provider-ebay.md) | NA | Preview | | |[Facebook](identity-provider-facebook.md) | GA | GA | | |
active-directory-b2c | Display Control Captcha | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/display-control-captcha.md | + + Title: Verify CAPTCHA code using CAPTCHA display controls ++description: Learn how to define a CAPTCHA display controls custom policy in Azure AD B2C. +++++++ Last updated : 01/17/2024++++#Customer intent: As a developer integrating customer-facing apps with Azure AD B2C, I want to learn how to define a CAPTCHA display control for Azure AD B2C's custom policies so that I can protect my authentication flows from automated attacks. +++# Verify CAPTCHA challenge string using CAPTCHA display control ++Use CAPTCHA display controls to generate a CAPTCHA challenge string, then verify it by asking the user to enter what they see or hear. To display a CAPTCHA display control, you reference it from a [self-asserted technical profile](self-asserted-technical-profile.md), and you must set the self-asserted technical profile's `setting.enableCaptchaChallenge` metadata value to *true*. ++The screenshot shows the CAPTCHA display control shown on a sign-up page: +++The sign-up page loads with the CAPTCHA display control. The user then inputs the characters they see or hear. The **Send verification code** button sends a verification code to the user's email, and isn't CAPTCHA display control element, but it causes the CAPTCHA challenge string to be verified. ++## CAPTCHA display control elements ++This table summarizes the elements that a CAPTCHA display control contains. ++| Element | Required | Description | +| | -- | -- | +| UserInterfaceControlType | Yes | Value must be *CaptchaControl*.| +| InputClaims | Yes | One or more claims required as input to specify the CAPTCHA challenge type and to uniquely identify the challenge. 
| +| DisplayClaims | Yes | The claims to be shown to the user such as the CAPTCHA challenge code, or collected from the user, such as code input by the user | +| OutputClaim | No | Any claim to be returned to the self-asserted page after the user completes CAPTCHA code verification process. | +| Actions | Yes | CAPTCHA display control contains two actions, *GetChallenge* and *VerifyChallenge*. <br> *GetChallenge* action generates, then displays a CAPTCHA challenge code on the user interface. <br> *VerifyChallenge* action verifies the CAPTCHA challenge code that the user inputs. | ++The following XML snippet code shows an example of CaptchaProvider display control: ++```xml +<DisplayControls> + ... + <DisplayControl Id="captchaControlChallengeCode" UserInterfaceControlType="CaptchaControl" DisplayName="Help us beat the bots"> + <InputClaims> + <InputClaim ClaimTypeReferenceId="challengeType" /> + <InputClaim ClaimTypeReferenceId="challengeId" /> + </InputClaims> + + <DisplayClaims> + <DisplayClaim ClaimTypeReferenceId="challengeType" ControlClaimType="ChallengeType" /> + <DisplayClaim ClaimTypeReferenceId="challengeId" ControlClaimType="ChallengeId" /> + <DisplayClaim ClaimTypeReferenceId="challengeString" ControlClaimType="ChallengeString" /> + <DisplayClaim ClaimTypeReferenceId="captchaEntered" ControlClaimType="CaptchaEntered" /> + </DisplayClaims> + + <Actions> + <Action Id="GetChallenge"> + <ValidationClaimsExchange> + <ValidationClaimsExchangeTechnicalProfile + TechnicalProfileReferenceId="HIP-GetChallenge" /> + </ValidationClaimsExchange> + </Action> + + <Action Id="VerifyChallenge"> + <ValidationClaimsExchange> + <ValidationClaimsExchangeTechnicalProfile + TechnicalProfileReferenceId="HIP-VerifyChallenge" /> + </ValidationClaimsExchange> + </Action> + </Actions> + </DisplayControl> + ... +</DisplayControls> +``` ++## Next steps ++- [Enable CAPTCHA in Azure Active Directory B2C](add-captcha.md). |
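Review bot: "The screenshot shows the CAPTCHA display control shown on a sign-up page:" is followed by no image reference, so either the image markdown was dropped from this commit or the sentence should go. In the elements table the `OutputClaim` row is singular while the neighbouring rows use the plural element names `InputClaims` and `DisplayClaims`; verify against the real element name and correct it. The lead-in "shows an example of CaptchaProvider display control" names the protocol handler rather than the control; the snippet's `UserInterfaceControlType` is `CaptchaControl`, so say that instead. Also "isn't CAPTCHA display control element" is missing an article ("isn't a CAPTCHA display control element").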
active-directory-b2c | Display Control Verification | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/display-control-verification.md | |
active-directory-b2c | Display Controls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/display-controls.md | The **DisplayControl** element contains the following attributes: | Attribute | Required | Description | | | -- | -- | | `Id` | Yes | An identifier that's used for the display control. It can be [referenced](#referencing-display-controls). |-| `UserInterfaceControlType` | Yes | The type of the display control. Currently supported is [VerificationControl](display-control-verification.md), and [TOTP controls](display-control-time-based-one-time-password.md). | +| `UserInterfaceControlType` | Yes | The type of the display control. Currently supported is [VerificationControl](display-control-verification.md), [TOTP controls](display-control-time-based-one-time-password.md), and [CAPTCHA controls](display-control-captcha.md). | ### Verification control |
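Review bot: the updated `UserInterfaceControlType` description now lists three items but keeps the singular verb: "Currently supported is [VerificationControl], [TOTP controls], and [CAPTCHA controls]". Change it to "Currently supported are ..." (or "Supported types are ...").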
active-directory-b2c | Localization String Ids | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/localization-string-ids.md | Title: Localization string IDs - Azure Active Directory B2C -description: Specify the IDs for a content definition with an ID of api.signuporsignin in a custom policy in Azure Active Directory B2C. +description: Specify the IDs for a content definition with an ID of api.signuporsignin in a custom policy in Azure AD B2C. -#Customer intent: As a developer implementing user interface localization in Azure Active Directory B2C, I want to access the list of localization string IDs, so that I can use them in my policy to support multiple locales or languages in the user journeys. +#Customer intent: As a developer implementing user interface localization in Azure AD B2C, I want to access the list of localization string IDs, so that I can use them in my policy to support multiple locales or languages in the user journeys. The following IDs are used for a content definition with an ID of `api.signupors | `button_signin` | Sign in | `All` | | `social_intro` | Sign in with your social account | `All` | | `remember_me` |Keep me signed in. | `All` |-| `unknown_error` | We are having trouble signing you in. Please try again later. | `All` | +| `unknown_error` | We're having trouble signing you in. Please try again later. | `All` | | `divider_title` | OR | `All` | | `local_intro_email` | Sign in with your existing account | `< 2.0.0` | | `logonIdentifier_email` | Email Address | `< 2.0.0` | The following IDs are used for a content definition with an ID of `api.signupors | `requiredField_password` | Please enter your password | `< 2.0.0` | | `createaccount_link` | Sign up now | `< 2.0.0` | | `cancel_message` | The user has forgotten their password | `< 2.0.0` |-| `invalid_password` | The password you entered is not in the expected format. 
| `< 2.0.0` | +| `invalid_password` | The password you entered isn't in the expected format. | `< 2.0.0` | | `createaccount_one_link` | Sign up now | `>= 2.0.0` | | `createaccount_two_links` | Sign up with {0} or {1} | `>= 2.0.0` | | `createaccount_three_links` | Sign up with {0}, {1}, or {2} | `>= 2.0.0` | The following IDs are used for a content definition having an ID of `api.localac | `month` | Month | | `ver_success_msg` | E-mail address verified. You can now continue. | | `months` | January, February, March, April, May, June, July, August, September, October, November, December |-| `ver_fail_server` | We are having trouble verifying your email address. Please enter a valid email address and try again. | +| `ver_fail_server` | We're having trouble verifying your email address. Please enter a valid email address and try again. | | `error_requiredFieldMissing` | A required field is missing. Please fill out all required fields and try again. | | `heading` | User Details | | `initial_intro` | Please provide the following details. | The following IDs are used for a content definition having an ID of `api.localac ### Sign-up and self-asserted pages disclaimer links -The following `UxElement` string IDs will display disclaimer link(s) at the bottom of the self-asserted page. These links are not displayed by default unless specified in the localized strings. +The following `UxElement` string IDs display disclaimer links at the bottom of the self-asserted page. These links aren't displayed by default unless specified in the localized strings. 
| ID | Example value | | | - | The following example shows the use of some of the user interface elements in th ![Sign-up page with its UI element names labeled](./media/localization-string-ids/localization-sign-up.png) -The following example shows the use of some of the user interface elements in the sign-up page, after user clicks on send verification code button: +The following example shows the use of some of the user interface elements in the sign-up page, after user select on send verification code button: ![Sign-up page email verification UX elements](./media/localization-string-ids/localization-email-verification.png) The following IDs are used for [Microsoft Entra ID SSPR technical profile](aad-s ## One-time password error messages -The following IDs are used for a [one-time password technical profile](one-time-password-technical-profile.md) error messages +The following IDs are used for a [one-time password technical profile](one-time-password-technical-profile.md) error messages. | ID | Default value | Description | | | - | -- |-| `UserMessageIfSessionDoesNotExist` | No | The message to display to the user if the code verification session has expired. It is either the code has expired or the code has never been generated for a given identifier. | -| `UserMessageIfMaxRetryAttempted` | No | The message to display to the user if they've exceeded the maximum allowed verification attempts. | +| `UserMessageIfSessionDoesNotExist` | No | The message to display to the user if the code verification session is expired. It's either the code is expired or the code has never been generated for a given identifier. | +| `UserMessageIfMaxRetryAttempted` | No | The message to display to the user if they exceed the maximum allowed verification attempts. | | `UserMessageIfMaxNumberOfCodeGenerated` | No | The message to display to the user if the code generation has exceeded the maximum allowed number of attempts. 
|-| `UserMessageIfInvalidCode` | No | The message to display to the user if they've provided an invalid code. | -| `UserMessageIfVerificationFailedRetryAllowed` | No | The message to display to the user if they've provided an invalid code, and user is allowed to provide the correct code. | -| `UserMessageIfSessionConflict` | No | The message to display to the user if the code cannot be verified.| +| `UserMessageIfInvalidCode` | No | The message to display to the user if they enter an invalid code. | +| `UserMessageIfVerificationFailedRetryAllowed` | No | The message to display to the user if they enter an invalid code, and user is allowed to provide the correct code. | +| `UserMessageIfSessionConflict` | No | The message to display to the user if the code can't be verified.| ### One time password example The following IDs are used for claims transformations error messages: | `UserMessageIfClaimsTransformationStringsAreNotEqual` |[AssertStringClaimsAreEqual](string-transformations.md#assertstringclaimsareequal) | Claim value comparison failed using StringComparison "OrdinalIgnoreCase".| ### Claims transformations example 1:-This example shows localized messages for local account signup. +This example shows localized messages for local account sign-up. ```xml <LocalizedResources Id="api.localaccountsignup.en"> This example shows localized messages for local account password reset. </LocalizedResources> ``` +## CAPTCHA display control user interface elements ++The following IDs are used for a [CAPTCHA display control](display-control-captcha.md): ++| ID | Default value | Description | +| | - | -- | +| `newCaptcha_arialabel` | Create new CAPTCHA | The tooltip message to display to the user when they move the mouse pointer over the CAPTCHA replay icon. | +| `switchCaptchaType_title` | Switch CAPTCHA type to {0} | The tooltip message to display to they user when the move the mouse pointer over the CAPTCHA Audio or image icon. 
| +| `captchatype_visual_help` | Enter the characters you see | The placeholder text in the input box where the user inputs the CAPTCHA code if the user is in visual mode. | +| `captchatype_audio_title` | Press audio button to play the challenge | The tooltip message to display to the user when they move the mouse pointer over the CAPTCHA speaker icon if the user switches to audio mode. | +| `captchatype_audio_help` | Enter the characters you hear | The placeholder text in the input box where the user inputs the CAPTCHA code if the user switches to audio mode. | +| `charsnotmatched_error` | The characters did not match for CAPTCHA challenge. Please try again | The message to display to the user if they enter a wrong CAPTCHA code. | +| `api_error` | API error on CAPTCHA control | The message to display to the user if an error occurs while Azure AD B2C attempts to validate the CAPTCHA code. | +| `captcha_resolved` | Success! | The message to display to the user if they enter a correct CAPTCHA code. | +|`DisplayName`| Help us beat the bots. | The CAPTCHA display control's display name. | ++### CAPTCHA display control example ++This example shows localized messages for CAPTCHA display control. 
++```xml + <LocalizedResources Id="api.localaccountsignup.en"> + <LocalizedStrings> + <LocalizedString ElementType="UxElement" StringId="newCaptcha_arialabel">Create new CAPTCHA</LocalizedString> + <LocalizedString ElementType="UxElement" StringId="switchCaptchaType_title">Switch CAPTCHA type to {0}</LocalizedString> + <LocalizedString ElementType="UxElement" StringId="captchatype_visual_help">Enter the characters you see</LocalizedString> + <LocalizedString ElementType="UxElement" StringId="captchatype_audio_title">Press audio button to play the challenge</LocalizedString> + <LocalizedString ElementType="UxElement" StringId="captchatype_audio_help"> Enter the characters you hear</LocalizedString> + <LocalizedString ElementType="ErrorMessage" StringId="charsnotmatched_error"> The characters did not match for CAPTCHA challenge. Please try again</LocalizedString> + <LocalizedString ElementType="ErrorMessage" StringId="api_error"> Api error on CAPTCHA control</LocalizedString> + <LocalizedString ElementType="UxElement" StringId="captcha_resolved"> Success!</LocalizedString> + <LocalizedString ElementType="DisplayControl" ElementId="captchaControlChallengeCode" StringId="DisplayName">Help us beat the bots</LocalizedString> + </LocalizedStrings> + </LocalizedResources> +``` + ## Next steps See the following articles for localization examples: -- [Language customization with custom policy in Azure Active Directory B2C](language-customization.md)-- [Language customization with user flows in Azure Active Directory B2C](language-customization.md)+- [Language customization with custom policy in Azure AD B2C](language-customization.md) +- [Language customization with user flows in Azure AD B2C](language-customization.md) |
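Review bot: the rewritten caption "after user select on send verification code button" is ungrammatical and reads worse than the line it replaces; the verb swap needs the article and agreement fixed, e.g. `after the user selects the send verification code button`. In the one-time password rows of the same region, "the code verification session is expired" and "It's either the code is expired" are awkward; the removed wording "has expired" was correct and should be kept, with only "they've" → "they" style changes applied.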
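Review bot: the new CAPTCHA display control table and the XML example beneath it disagree on the exact strings, and these are the values a policy author copies into `LocalizedString` elements. `switchCaptchaType_title` has a typo in its description ("to they user when the move" should be "to the user when they move"); `api_error` is "API error on CAPTCHA control" in the table but "Api error on CAPTCHA control" in the XML; `DisplayName` ends in a period in the table ("Help us beat the bots.") but not in the XML; and several XML values carry a leading space inside the element (`> Enter the characters you hear<`, `> Success!<`, `> Api error on CAPTCHA control<`) that becomes part of the rendered string. Also, the example reuses `<LocalizedResources Id="api.localaccountsignup.en">`, the same Id as the earlier local-account sign-up example on this page; say whether these CAPTCHA strings are meant to be merged into that existing element rather than added as a second element with the same Id.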
active-directory-b2c | Page Layout | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/page-layout.md | Azure AD B2C page layout uses the following versions of the [jQuery library](htt ## Self-asserted page (selfasserted) +**2.1.29** ++- Add CAPTCHA + **2.1.26** -- Replaced `Keypress` to `Key Down` event and avoid `Asterisk` for non-required in classic mode.+- Replaced `Keypress` to `Key Down` event and avoid `Asterisk` for nonrequired in classic mode. **2.1.25** - Fixed content security policy (CSP) violation and remove additional request header X-Aspnetmvc-Version. -- Introduced Captcha mechanism for Self-asserted and Unified SSP Flows (_Beta-version-Internal use only_).- **2.1.24** - Fixed accessibility bugs. Azure AD B2C page layout uses the following versions of the [jQuery library](htt **2.1.21** -- Additional sanitization of script tags to avoid XSS attacks. This revision breaks any script tags in the `<body>`. You should add script tags to the `<head>` tag. For more information, see [Enable JavaScript and page layout versions in Azure Active Directory B2C](javascript-and-page-layout.md?pivots=b2c-user-flow).+- More sanitization of script tags to avoid XSS attacks. This revision breaks any script tags in the `<body>`. You should add script tags to the `<head>` tag. For more information, see [Enable JavaScript and page layout versions in Azure Active Directory B2C](javascript-and-page-layout.md?pivots=b2c-user-flow). **2.1.20** - Fixed Enter event trigger on MFA. - CSS changes rendering page text/control in vertical manner for small screens **2.1.19**-- Fixed accessibility bugs.-- Handled Undefined Error message for existing user sign up.-- Moved Password mismatch error to Inline instead of page level.-- Accessibility changes related to High Contrast button display and anchor focus improvements+- Fix accessibility bugs. +- Handle Undefined Error message for existing user sign-up. 
+- Move Password mismatch error to Inline instead of page level. **2.1.18** - Add asterisk for required fields-- TOTP Store Icons position fixes for Classic Template+- Fix TOTP Store Icons position for Classic Template - Activate input items only when verification code is verified - Add Alt Text for Background Image - Added customization for server errors by TOTP verification Azure AD B2C page layout uses the following versions of the [jQuery library](htt - Add descriptive error message and fixed forgotPassword link - Make checkbox as group - Enforce Validation Error Update on control change and enable continue on email verified-- Added additional field to error code to validation failure response+- Add more field to error code to validation failure response **2.1.16**-- Fixed "Claims for verification control have not been verified" bug while verifying code.+- Fixed "Claims for verification control haven't been verified" bug while verifying code. - Hide error message on validation succeeds and send code to verify **2.1.15** Azure AD B2C page layout uses the following versions of the [jQuery library](htt **1.2.0** -- The username/email and password fields now use the `form` HTML element to allow Edge and Internet Explorer (IE) to properly save this information.+- The username/email and password fields now use the `form` HTML element to allow Microsoft Edge and Internet Explorer (IE) to properly save this information. - Added a configurable user input validation delay for improved user experience. - Accessibility fixes-- Fixed an accessibility issue so that error messages are now read by Narrator. +- Fix an accessibility issue so that error messages are read by Narrator. - Focus is now placed on the password field after the email is verified. - Removed `autofocus` from the checkbox control. - Added support for a display control for phone number verification. 
- You can now add the `data-preload="true"` attribute [in your HTML tags](customize-ui-with-html.md#guidelines-for-using-custom-page-content) - Load linked CSS files at the same time as your HTML template so it doesn't 'flicker' between loading the files. - Control the order in which your `script` tags are fetched and executed before the page load.-- Email field is now `type=email` and mobile keyboards will provide the correct suggestions.-- Support for Chrome translate.+- Email field is now `type=email` and mobile keyboards provide the correct suggestions. +- Support for Chrome translates. - Added support for company branding in user flow pages. **1.1.0** Azure AD B2C page layout uses the following versions of the [jQuery library](htt > [!TIP] > If you localize your page to support multiple locales, or languages in a user flow. The [localization IDs](localization-string-ids.md) article provides the list of localization IDs that you can use for the page version you select. +**2.1.17** ++- Add CAPTCHA. + **2.1.14** - Replaced `Keypress` to `Key Down` event. **2.1.13** -- Fixed content security policy (CSP) violation and remove additional request header X-Aspnetmvc-Version--- Introduced Captcha mechanism for Self-asserted and Unified SSP Flows (_Beta-version-Internal use only_)+- Fixed content security policy (CSP) violation and remove more request header X-Aspnetmvc-Version **2.1.12** Azure AD B2C page layout uses the following versions of the [jQuery library](htt **1.2.0** -- The username/email and password fields now use the `form` HTML element to allow Edge and Internet Explorer (IE) to properly save this information.+- The username/email and password fields now use the `form` HTML element to allow Microsoft Edge and Internet Explorer (IE) to properly save this information. 
- Accessibility fixes - You can now add the `data-preload="true"` attribute [in your HTML tags](customize-ui-with-html.md#guidelines-for-using-custom-page-content) to control the load order for CSS and JavaScript. - Load linked CSS files at the same time as your HTML template so it doesn't 'flicker' between loading the files. - Control the order in which your `script` tags are fetched and executed before the page load.-- Email field is now `type=email` and mobile keyboards will provide the correct suggestions.-- Support for Chrome translate.+- Email field is now `type=email` and mobile keyboards provide the correct suggestions. +- Support for Chrome translates. - Added support for tenant branding in user flow pages. **1.1.0** Azure AD B2C page layout uses the following versions of the [jQuery library](htt ## MFA page (multifactor) +**1.2.15** ++- Add CAPTCHA to MFA page. + **1.2.12** - Replaced `KeyPress` to `KeyDown` event. Azure AD B2C page layout uses the following versions of the [jQuery library](htt **1.2.9** -- Fixed `Enter` event trigger on MFA.+- Fix `Enter` event trigger on MFA. - CSS changes render page text/control in vertical manner for small screens -- Fixed Multifactor tab navigation bug.+- Fix Multifactor tab navigation bug. **1.2.8** Azure AD B2C page layout uses the following versions of the [jQuery library](htt - Minor bug fixes. **1.2.2**-- Fixed an issue with auto-filling the verification code when using iOS.+- Fixed an issue with autofilling the verification code when using iOS. - Fixed an issue with redirecting a token to the relying party from Android Webview. -- Added a UXString `heading` in addition to `intro` to display on the page as a title. This messages is hidden by default. +- Added a UXString `heading` in addition to `intro` to display on the page as a title. This message is hidden by default. - Added support for using policy or the QueryString parameter `pageFlavor` to select the layout (classic, oceanBlue, or slateGray). 
**1.2.1** Azure AD B2C page layout uses the following versions of the [jQuery library](htt - You can now add the `data-preload="true"` attribute [in your HTML tags](customize-ui-with-html.md#guidelines-for-using-custom-page-content) to control the load order for CSS and JavaScript. - Load linked CSS files at the same time as your HTML template so it doesn't 'flicker' between loading the files. - Control the order in which your `script` tags are fetched and executed before the page load.-- Email field is now `type=email` and mobile keyboards will provide the correct suggestions-- Support for Chrome translate.+- Email field is now `type=email` and mobile keyboards provide the correct suggestions +- Support for Chrome translates. - Added support for tenant branding in user flow pages. **1.1.0** Azure AD B2C page layout uses the following versions of the [jQuery library](htt - You can now add the `data-preload="true"` attribute [in your HTML tags](customize-ui-with-html.md#guidelines-for-using-custom-page-content) to control the load order for CSS and JavaScript. - Load linked CSS files at the same time as your HTML template so it doesn't 'flicker' between loading the files. - Control the order in which your `script` tags are fetched and executed before the page load.-- Email field is now `type=email` and mobile keyboards will provide the correct suggestions-- Support for Chrome translate+- Email field is now `type=email` and mobile keyboards provide the correct suggestions +- Support for Chrome translates **1.1.0** Azure AD B2C page layout uses the following versions of the [jQuery library](htt - You can now add the `data-preload="true"` attribute [in your HTML tags](customize-ui-with-html.md#guidelines-for-using-custom-page-content) to control the load order for CSS and JavaScript. - Load linked CSS files at the same time as your HTML template so it doesn't 'flicker' between loading the files. 
- Control the order in which your `script` tags are fetched and executed before the page load.-- Email field is now `type=email` and mobile keyboards will provide the correct suggestions-- Support for Chrome translate+- Email field is now `type=email` and mobile keyboards provide the correct suggestions +- Support for Chrome translates **1.0.0** |
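Review bot: the mechanical word substitutions in these hunks change meaning. "Support for Chrome translate" names the browser's translation feature, so "Support for Chrome translates" (applied in all six occurrences) turns a feature name into a verb and is wrong; leave it as is or write "Support for Chrome's translate feature". Under 2.1.25 and 2.1.13, "remove additional request header X-Aspnetmvc-Version" meant the extra, unneeded header, so "remove more request header" loses that meaning; "remove the extra X-Aspnetmvc-Version request header" keeps it. Under 2.1.17, "Add more field to error code to validation failure response" should be "Add a field to the error code in the validation failure response".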
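Review bot: the hunks under 2.1.25 and 2.1.13 delete the published changelog entries "Introduced Captcha mechanism for Self-asserted and Unified SSP Flows (_Beta-version-Internal use only_)" instead of annotating them. This page is a version history that readers use to decide which page layout version to pin, so removing lines from already-released versions rewrites the record; keep those entries and add the new "Add CAPTCHA" lines under 2.1.29, 2.1.17 and 1.2.15 as the hunks already do, so readers can see in which version the feature moved from internal-only to generally selectable.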
active-directory-b2c | Partner Asignio | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-asignio.md | - Title: Configure Asignio with Azure Active Directory B2C for multifactor authentication- -description: Configure Azure Active Directory B2C with Asignio for multifactor authentication ---- Previously updated : 01/26/2024----zone_pivot_groups: b2c-policy-type --# Customer intent: I'm a developer integrating Asignio with Azure AD B2C for multifactor authentication. I want to configure an application with Asignio and set it up as an identity provider (IdP) in Azure AD B2C, so I can provide a passwordless, soft biometric, and multifactor authentication experience to customers. ---# Configure Asignio with Azure Active Directory B2C for multifactor authentication --Learn to integrate Microsoft Entra ID (Azure AD B2C) authentication with [Asignio](https://www.web.asignio.com/). With this integration, provide passwordless, soft biometric, and multifactor authentication experience to customers. Asignio uses patented Asignio Signature and live facial verification for user authentication. The changeable biometric signature helps to reduce passwords, fraud, phishing, and credential reuse through omni-channel authentication. --## Before you begin --Choose a policy type selector to indicate the policy type setup. Azure AD B2C has two methods to define how users interact with your applications: --* Predefined user flows -* Configurable custom policies --The steps in this article differ for each method. --Learn more: --* [User flows and custom policies overview](user-flow-overview.md) -* [Azure AD B2C custom policy overview](custom-policy-overview.md) ---## Prerequisites --* An Azure subscription. 
--* If you don't have on, get an [Azure free account](https://azure.microsoft.com/free/) --- An Azure AD B2C tenant linked to the Azure subscription-- See, [Tutorial: Create an Azure Active Directory B2C tenant](./tutorial-create-tenant.md) --- An Asignio Client ID and Client Secret issued by Asignio. -- These tokens are obtained by registering your mobile or web applications with Asignio.--### For custom policies --Complete [Tutorial: Create user flows and custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy) --## Scenario description --This integration includes the following components: --* **Azure AD B2C** - authorization server that verifies user credentials -* **Web or mobile applications** - to secure with Asignio MFA -* **Asignio web application** - signature biometric collection on the user touch device --The following diagram illustrates the implementation. -- ![Diagram showing the implementation architecture.](./media/partner-asignio/partner-asignio-architecture-diagram.png) ---1. User opens Azure AD B2C sign in page on their mobile or web application, and then signs in or signs up. -2. Azure AD B2C redirects the user to Asignio using an OpenID Connect (OIDC) request. -3. The user is redirected to the Asignio web application for biometric sign in. If the user hasn't registered their Asignio Signature, they can use an SMS One-Time-Password (OTP) to authenticate. After authentication, user receives a registration link to create their Asignio Signature. -4. The user authenticates with Asignio Signature and facial verification, or voice and facial verification. -5. The challenge response goes to Asignio. -6. Asignio returns the OIDC response to Azure AD B2C sign in. -7. Azure AD B2C sends an authentication verification request to Asignio to confirm receipt of the authentication data. -8. The user is granted or denied access to the application. 
--## Configure an application with Asignio --Configurating an application with Asignio is with the Asignio Partner Administration site. --1. Go to asignio.com [Asignio Partner Administration](https://partner.asignio.com) page to request access for your organization. -2. With credentials, sign into Asignio Partner Administration. -3. Create a record for the Azure AD B2C application using your Azure AD B2C tenant. When you use Azure AD B2C with Asignio, Azure AD B2C manages connected applications. Asignio apps represent apps in the Azure portal. -4. In the Asignio Partner Administration site, generate a Client ID and Client Secret. -5. Note and store Client ID and Client Secret. You'll use them later. Asignio doesn't store Client Secrets. -6. Enter the redirect URI in your site the user is returned to after authentication. Use the following URI pattern. --`[https://<your-b2c-domain>.b2clogin.com/<your-b2c-domain>.onmicrosoft.com/oauth2/authresp]`. --7. Upload a company logo. It appears on Asignio authentication when users sign in. --## Register a web application in Azure AD B2C --Register applications in a tenant you manage, then they can interact with Azure AD B2C. --Learn more: [Application types that can be used in Active Directory B2C](application-types.md) --For this tutorial, you're registering `https://jwt.ms`, a Microsoft web application with decoded token contents that don't leave your browser. --### Register a web application and enable ID token implicit grant --Complete [Tutorial: Register a web application in Azure Active Directory B2C](tutorial-register-applications.md?tabs=app-reg-ga) --## Configure Asignio as an identity provider in Azure AD B2C --For the following instructions, use the Microsoft Entra tenant with the Azure subscription. --1. Sign in to the [Azure portal](https://portal.azure.com/#home) as the Global Administrator of the Azure AD B2C tenant. -2. In the Azure portal toolbar, select **Directories + subscriptions**. -3. 
On **Portal settings | Directories + subscriptions**, in the **Directory name** list, locate your Microsoft Entra directory. -4. Select **Switch**. -5. In the top-left corner of the Azure portal, select **All services**. -6. Search for and select **Azure AD B2C**. -7. In the Azure portal, search for and select **Azure AD B2C**. -8. In the left menu, select **Identity providers**. -9. Select **New OpenID Connect Provider**. -10. Select **Identity provider type** > **OpenID Connect**. -11. For **Name**, enter the Asignio sign in, or a name you choose. -12. For **Metadata URL**, enter `https://authorization.asignio.com/.well-known/openid-configuration`. -13. For **Client ID**, enter the Client ID you generated. -14. For **Client Secret**, enter the Client Secret you generated. -15. For **Scope**, use **openid email profile**. -16. For **Response type**, use **code**. -17. For **Response mode**, use **query**. -18. For Domain hint, use `https://asignio.com`. -19. Select **OK**. -20. Select **Map this identity provider's claims**. -21. For **User ID**, use **sub**. -22. For **Display Name**, use **name**. -23. For **Given Name**, use **given_name**. -24. For **Surname**, use **family_name**. -25. For **Emai**l, use **email**. -26. Select **Save**. --## SCreate a user flow policy --1. In your Azure AD B2C tenant, under **Policies**, select **User flows**. -2. Select **New user flow**. -3. Select **Sign up and sign in** user flow type. -4. Select **Version Recommended**. -5. Select **Create**. -6. Enter a user flow **Name**, such as `AsignioSignupSignin`. -7. Under **Identity providers**, for **Local Accounts**, select **None**. This action disables email and password authentication. -8. For **Custom identity providers**, select the created Asignio Identity provider. -9. Select **Create**. --## Test your user flow --1. In your Azure AD B2C tenant, select **User flows**. -2. Select the created user flow. -3. For **Application**, select the web application you registered. 
The **Reply URL** is `https://jwt.ms`. -4. Select **Run user flow**. -5. The browser is redirected to the Asignio sign in page. -6. A sign in screen appears. -7. At the bottom, select **Asignio** authentication. --If you have an Asignio Signature, complete the prompt to authenticate. If not, supply the device phone number to authenticate via SMS OTP. Use the link to register your Asignio Signature. --8. The browser is redirected to `https://jwt.ms`. The token contents returned by Azure AD B2C appear. --## Create Asignio policy key --1. Store the generated Client Secret in the Azure AD B2C tenant. -2. Sign in to the [Azure portal](https://portal.azure.com/). -3. In the portal toolbar, select the **Directories + subscriptions**. -4. On **Portal settings | Directories + subscriptions**, in the **Directory name** list, locate your Azure AD B2C directory. -5. Select **Switch**. -6. In the top-left corner of the Azure portal, select **All services**. -7. Search for and select **Azure AD B2C**. -8. On the Overview page, select **Identity Experience Framework**. -9. Select **Policy Keys**. -10. Select **Add**. -11. For **Options**, select **Manual**. -12. Enter a policy key **Name** for the policy key. The prefix `B2C_1A_` is appended to the key name. -13. In **Secret**, enter the Client Secret that you noted. -14. For **Key usage**, select **Signature**. -15. Select **Create**. --## Configure Asignio as an Identity provider -->[!TIP] ->Before you begin, ensure the Azure AD B2C policy is configured. If not, follow the instructions in [Custom policy starter pack](tutorial-create-user-flows.md?pivots=b2c-custom-policy#custom-policy-starter-pack). --For users to sign in with Asignio, define Asignio as a claims provider that Azure AD B2C communicates with through an endpoint. The endpoint provides claims Azure AD B2C uses to verify user authentication with using digital ID on the device. 
--### Add Asignio as a claims provider --Get the custom policy starter packs from GitHub, then update the XML files in the LocalAccounts starter pack with your Azure AD B2C tenant name: --1. Download the zip [active-directory-b2c-custom-policy-starterpack](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/archive/master.zip) or clone the repository: -- ``` - git clone https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack - ``` - -2. In the files in the **LocalAccounts** directory, replace the string `yourtenant` with the Azure AD B2C tenant name. -3. Open the **LocalAccounts/ TrustFrameworkExtensions.xml**. -4. Find the **ClaimsProviders** element. If there isn't one, add it under the root element, `TrustFrameworkPolicy`. -5. Add a new **ClaimsProvider** similar to the following example: -- ```xml - <ClaimsProvider> - <Domain>contoso.com</Domain> - <DisplayName>Asignio</DisplayName> - <TechnicalProfiles> - <TechnicalProfile Id="Asignio-Oauth2"> - <DisplayName>Asignio</DisplayName> - <Description>Login with your Asignio account</Description> - <Protocol Name="OAuth2" /> - <Metadata> - <Item Key="ProviderName">authorization.asignio.com</Item> - <Item Key="authorization_endpoint">https://authorization.asignio.com/authorize</Item> - <Item Key="AccessTokenEndpoint">https://authorization.asignio.com/token</Item> - <Item Key="ClaimsEndpoint">https://authorization.asignio.com/userinfo</Item> - <Item Key="ClaimsEndpointAccessTokenName">access_token</Item> - <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item> - <Item Key="HttpBinding">POST</Item> - <Item Key="scope">openid profile email</Item> - <Item Key="UsePolicyInRedirectUri">0</Item> - <!-- Update the Client ID below to the Asignio Application ID --> - <Item Key="client_id">00000000-0000-0000-0000-000000000000</Item> - <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item> --- <!-- trying to add additional claim--> - <!--Insert 
b2c-extensions-app application ID here, for example: 11111111-1111-1111-1111-111111111111--> - <Item Key="11111111-1111-1111-1111-111111111111"></Item> - <!--Insert b2c-extensions-app application ObjectId here, for example: 22222222-2222-2222-2222-222222222222--> - <Item Key="22222222-2222-2222-2222-222222222222"></Item> - <!-- The key below allows you to specify each of the Azure AD tenants that can be used to sign in. Update the GUIDs below for each tenant. --> - <!--<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111</Item>--> - <!-- The commented key below specifies that users from any tenant can sign-in. Uncomment if you would like anyone with an Azure AD account to be able to sign in. --> - <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item> - </Metadata> - <CryptographicKeys> - <Key Id="client_secret" StorageReferenceId="B2C_1A_AsignioSecret" /> - </CryptographicKeys> - <OutputClaims> - <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" /> - <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" /> - <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" /> - <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" DefaultValue="https://authorization.asignio.com" /> - <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" /> - <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" /> - <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" /> - <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" /> - <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" /> - </OutputClaims> - <OutputClaimsTransformations> - <OutputClaimsTransformation 
ReferenceId="CreateRandomUPNUserName" /> - <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" /> - <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" /> - <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" /> - </OutputClaimsTransformations> - <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" /> - </TechnicalProfile> - </TechnicalProfiles> - </ClaimsProvider> - ``` --6. Set **client_id** with the Asignio Application ID you noted. -7. Update **client_secret** section with the policy key you created. For example, `B2C_1A_AsignioSecret`: -- ```xml - <Key Id="client_secret" StorageReferenceId="B2C_1A_AsignioSecret" /> - ``` --8. Save the changes. --## Add a user journey --The identity provider isn't in the sign in pages. --1. If you have a custom user journey continue to **Configure the relying party policy**, otherwise, copy a template user journey: -2. From the starter pack, open the **LocalAccounts/ TrustFrameworkBase.xml**. -3. Locate and copy the contents of the **UserJourney** element that include `Id=SignUpOrSignIn`. -4. Open the **LocalAccounts/ TrustFrameworkExtensions.xml**. -5. Locate the **UserJourneys** element. If there isn't one, add one. -6. Paste the UserJourney element contents as a child of the UserJourneys element.] -7. Rename the user journey **ID**. For example, `Id=AsignioSUSI`. --Learn more: [User journeys](custom-policy-overview.md#user-journeys) --## Add the identity provider to a user journey --Add the new identity provider to the user journey. --1. Find the orchestration step element that includes `Type=CombinedSignInAndSignUp`, or `Type=ClaimsProviderSelection` in the user journey. It's usually the first orchestration step. The **ClaimsProviderSelections** element has an identity provider list that users sign in with. The order of the elements controls the order of the sign in buttons. -2. Add a **ClaimsProviderSelection** XML element. -3. 
Set the value of **TargetClaimsExchangeId** to a friendly name. -4. Add a **ClaimsExchange** element. -5. Set the **Id** to the value of the target claims exchange ID. -6. Update the value of **TechnicalProfileReferenceId** to the ID of the technical profile you created. --The following XML demonstrates user journey orchestration with the identity provider. --```xml - <UserJourney Id="AsignioSUSI"> - <OrchestrationSteps> - <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin"> - <ClaimsProviderSelections> - <ClaimsProviderSelection TargetClaimsExchangeId="AsignioExchange" /> - <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" /> - </ClaimsProviderSelections> - <ClaimsExchanges> - <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" /> - </ClaimsExchanges> - </OrchestrationStep> - <!-- Check if the user has selected to sign in using one of the social providers --> - <OrchestrationStep Order="2" Type="ClaimsExchange"> - <Preconditions> - <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> - <Value>objectId</Value> - <Action>SkipThisOrchestrationStep</Action> - </Precondition> - </Preconditions> - <ClaimsExchanges> - <ClaimsExchange Id="AsignioExchange" TechnicalProfileReferenceId="Asignio-Oauth2" /> - <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" /> - </ClaimsExchanges> - </OrchestrationStep> - <OrchestrationStep Order="3" Type="ClaimsExchange"> - <Preconditions> - <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> - <Value>authenticationSource</Value> - <Value>localAccountAuthentication</Value> - <Action>SkipThisOrchestrationStep</Action> - </Precondition> - </Preconditions> - <ClaimsExchanges> - <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" 
/> - </ClaimsExchanges> - </OrchestrationStep> - <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). This can only happen when authentication happened using a social IDP. If local account was created or authentication done using ESTS in step 2, then an user account must exist in the directory by this time. --> - <OrchestrationStep Order="4" Type="ClaimsExchange"> - <Preconditions> - <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> - <Value>objectId</Value> - <Action>SkipThisOrchestrationStep</Action> - </Precondition> - </Preconditions> - <ClaimsExchanges> - <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" /> - </ClaimsExchanges> - </OrchestrationStep> - <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent in the token. --> - <OrchestrationStep Order="5" Type="ClaimsExchange"> - <Preconditions> - <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> - <Value>authenticationSource</Value> - <Value>socialIdpAuthentication</Value> - <Action>SkipThisOrchestrationStep</Action> - </Precondition> - </Preconditions> - <ClaimsExchanges> - <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" /> - </ClaimsExchanges> - </OrchestrationStep> - <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect from the user. So, in that case, create the user in the directory if one does not already exist (verified using objectId which would be set from the last step if account was created in the directory. 
--> - <OrchestrationStep Order="6" Type="ClaimsExchange"> - <Preconditions> - <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> - <Value>objectId</Value> - <Action>SkipThisOrchestrationStep</Action> - </Precondition> - </Preconditions> - <ClaimsExchanges> - <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" /> - </ClaimsExchanges> - </OrchestrationStep> - <OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" /> - </OrchestrationSteps> - <ClientDefinition ReferenceId="DefaultWeb" /> - </UserJourney> -``` --## Configure the relying party policy --The relying party policy, for example [SignUpSignIn.xml](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/main/LocalAccounts/SignUpOrSignin.xml), specifies the user journey Azure AD B2C executes. --1. In the relying party, locate the **DefaultUserJourney** element. -2. Update the **ReferenceId** to match the user journey ID, in which you added the identity provider. 
--In the following example, for the `AsignioSUSI` user journey, the **ReferenceId** is set to `AsignioSUSI`: --```xml - <RelyingParty> - <DefaultUserJourney ReferenceId="AsignioSUSI" /> - <TechnicalProfile Id="PolicyProfile"> - <DisplayName>PolicyProfile</DisplayName> - <Protocol Name="OpenIdConnect" /> - <OutputClaims> - <OutputClaim ClaimTypeReferenceId="displayName" /> - <OutputClaim ClaimTypeReferenceId="givenName" /> - <OutputClaim ClaimTypeReferenceId="surname" /> - <OutputClaim ClaimTypeReferenceId="email" /> - <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/> - <OutputClaim ClaimTypeReferenceId="identityProvider" /> - <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" /> - <OutputClaim ClaimTypeReferenceId="correlationId" DefaultValue="{Context:CorrelationId}" /> - </OutputClaims> - <SubjectNamingInfo ClaimType="sub" /> - </TechnicalProfile> - </RelyingParty> --``` --## Upload the custom policy --1. Sign in to the [Azure portal](https://portal.azure.com/#home). -2. In the portal toolbar, select the **Directories + subscriptions**. -3. On **Portal settings | Directories + subscriptions**, in the **Directory name** list, locate your Azure AD B2C directory. -4. Select **Switch**. -5. In the Azure portal, search for and select **Azure AD B2C**. -6. Under Policies, select **Identity Experience Framework**. -7. Select **Upload Custom Policy**. -8. Upload the two policy files you changed in the following order: -- * Extension policy, for example `TrustFrameworkExtensions.xml` - * Relying party policy, such as `SignUpOrSignin.xml` --## Test your custom policy --1. In your Azure AD B2C tenant, and under **Policies**, select **Identity Experience Framework**. -2. Under **Custom policies**, select **AsignioSUSI**. -3. For **Application**, select the web application that you registered. The **Reply URL** is `https://jwt.ms`. -4. Select **Run now**. -5. 
The browser is redirected to the Asignio sign in page. -6. A sign in screen appears. -7. At the bottom, select **Asignio** authentication. --If you have an Asignio Signature, you're prompted to authenticate with your Asignio Signature. If not, supply the device phone number to authenticate via SMS OTP. Use the link to register your Asignio Signature. --8. The browser is redirected to `https://jwt.ms`. The token contents returned by Azure AD B2C appear. --## Next steps --* [Solutions and Training for Azure Active Directory B2C](solution-articles.md) -* Ask questions on [Stackoverflow](https://stackoverflow.com/questions/tagged/azure-ad-b2c) -* [Azure AD B2C Samples](https://stackoverflow.com/questions/tagged/azure-ad-b2c) -* YouTube: [Identity Azure AD B2C Series](https://www.youtube.com/playlist?list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0) -* [Azure AD B2C custom policy overview](custom-policy-overview.md) -* [Tutorial: Create user flows and custom policies in Azure Active Directory B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy) ++ Title: Configure Asignio with Azure Active Directory B2C for multifactor authentication ++description: Learn how to configure Azure Active Directory B2C with Asignio for multifactor authentication ++++ Last updated : 01/26/2024++++zone_pivot_groups: b2c-policy-type ++# Customer intent: As a developer integrating Asignio with Azure AD B2C for multifactor authentication. I want to configure an application with Asignio and set it up as an identity provider (IdP) in Azure AD B2C, so I can provide a passwordless, soft biometric, and multifactor authentication experience to customers. +++# Configure Asignio with Azure Active Directory B2C for multifactor authentication ++Learn to integrate Microsoft Entra ID (Azure AD B2C) authentication with [Asignio](https://www.web.asignio.com/). With this integration, provide passwordless, soft biometric, and multifactor authentication experience to customers. 
Asignio uses patented Asignio Signature and live facial verification for user authentication. The changeable biometric signature helps to reduce passwords, fraud, phishing, and credential reuse through omni-channel authentication. ++## Before you begin ++Choose a policy type selector to indicate the policy type setup. Azure AD B2C has two methods to define how users interact with your applications: ++* Predefined user flows +* Configurable custom policies ++The steps in this article differ for each method. ++Learn more: ++* [User flows and custom policies overview](user-flow-overview.md) +* [Azure AD B2C custom policy overview](custom-policy-overview.md) +++## Prerequisites ++* An Azure subscription. ++* If you don't have on, get an [Azure free account](https://azure.microsoft.com/free/) ++- An Azure AD B2C tenant linked to the Azure subscription +- See, [Tutorial: Create an Azure Active Directory B2C tenant](./tutorial-create-tenant.md) ++- An Asignio Client ID and Client Secret issued by Asignio. +- These tokens are obtained by registering your mobile or web applications with Asignio. ++### For custom policies ++Complete [Tutorial: Create user flows and custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy) ++## Scenario description ++This integration includes the following components: ++* **Azure AD B2C** - authorization server that verifies user credentials +* **Web or mobile applications** - to secure with Asignio MFA +* **Asignio web application** - signature biometric collection on the user touch device ++The following diagram illustrates the implementation. ++ ![Diagram showing the implementation architecture.](./media/partner-asignio/partner-asignio-architecture-diagram.png) +++1. User opens Azure AD B2C sign in page on their mobile or web application, and then signs in or signs up. +2. Azure AD B2C redirects the user to Asignio using an OpenID Connect (OIDC) request. +3. 
The user is redirected to the Asignio web application for biometric sign in. If the user hasn't registered their Asignio Signature, they can use an SMS One-Time-Password (OTP) to authenticate. After authentication, user receives a registration link to create their Asignio Signature. +4. The user authenticates with Asignio Signature and facial verification, or voice and facial verification. +5. The challenge response goes to Asignio. +6. Asignio returns the OIDC response to Azure AD B2C sign in. +7. Azure AD B2C sends an authentication verification request to Asignio to confirm receipt of the authentication data. +8. The user is granted or denied access to the application. ++## Configure an application with Asignio ++Configurating an application with Asignio is with the Asignio Partner Administration site. ++1. Go to asignio.com [Asignio Partner Administration](https://partner.asignio.com) page to request access for your organization. +2. With credentials, sign into Asignio Partner Administration. +3. Create a record for the Azure AD B2C application using your Azure AD B2C tenant. When you use Azure AD B2C with Asignio, Azure AD B2C manages connected applications. Asignio apps represent apps in the Azure portal. +4. In the Asignio Partner Administration site, generate a Client ID and Client Secret. +5. Note and store Client ID and Client Secret. You'll use them later. Asignio doesn't store Client Secrets. +6. Enter the redirect URI in your site the user is returned to after authentication. Use the following URI pattern. ++`[https://<your-b2c-domain>.b2clogin.com/<your-b2c-domain>.onmicrosoft.com/oauth2/authresp]`. ++7. Upload a company logo. It appears on Asignio authentication when users sign in. ++## Register a web application in Azure AD B2C ++Register applications in a tenant you manage, then they can interact with Azure AD B2C. 
++Learn more: [Application types that can be used in Active Directory B2C](application-types.md) ++For this tutorial, you're registering `https://jwt.ms`, a Microsoft web application with decoded token contents that don't leave your browser. ++### Register a web application and enable ID token implicit grant ++Complete [Tutorial: Register a web application in Azure Active Directory B2C](tutorial-register-applications.md?tabs=app-reg-ga) ++## Configure Asignio as an identity provider in Azure AD B2C ++For the following instructions, use the Microsoft Entra tenant with the Azure subscription. ++1. Sign in to the [Azure portal](https://portal.azure.com/#home) as the Global Administrator of the Azure AD B2C tenant. +2. In the Azure portal toolbar, select **Directories + subscriptions**. +3. On **Portal settings | Directories + subscriptions**, in the **Directory name** list, locate your Microsoft Entra directory. +4. Select **Switch**. +5. In the top-left corner of the Azure portal, select **All services**. +6. Search for and select **Azure AD B2C**. +7. In the Azure portal, search for and select **Azure AD B2C**. +8. In the left menu, select **Identity providers**. +9. Select **New OpenID Connect Provider**. +10. Select **Identity provider type** > **OpenID Connect**. +11. For **Name**, enter the Asignio sign in, or a name you choose. +12. For **Metadata URL**, enter `https://authorization.asignio.com/.well-known/openid-configuration`. +13. For **Client ID**, enter the Client ID you generated. +14. For **Client Secret**, enter the Client Secret you generated. +15. For **Scope**, use **openid email profile**. +16. For **Response type**, use **code**. +17. For **Response mode**, use **query**. +18. For Domain hint, use `https://asignio.com`. +19. Select **OK**. +20. Select **Map this identity provider's claims**. +21. For **User ID**, use **sub**. +22. For **Display Name**, use **name**. +23. For **Given Name**, use **given_name**. +24. 
For **Surname**, use **family_name**. +25. For **Emai**l, use **email**. +26. Select **Save**. ++## SCreate a user flow policy ++1. In your Azure AD B2C tenant, under **Policies**, select **User flows**. +2. Select **New user flow**. +3. Select **Sign up and sign in** user flow type. +4. Select **Version Recommended**. +5. Select **Create**. +6. Enter a user flow **Name**, such as `AsignioSignupSignin`. +7. Under **Identity providers**, for **Local Accounts**, select **None**. This action disables email and password authentication. +8. For **Custom identity providers**, select the created Asignio Identity provider. +9. Select **Create**. ++## Test your user flow ++1. In your Azure AD B2C tenant, select **User flows**. +2. Select the created user flow. +3. For **Application**, select the web application you registered. The **Reply URL** is `https://jwt.ms`. +4. Select **Run user flow**. +5. The browser is redirected to the Asignio sign in page. +6. A sign in screen appears. +7. At the bottom, select **Asignio** authentication. ++If you have an Asignio Signature, complete the prompt to authenticate. If not, supply the device phone number to authenticate via SMS OTP. Use the link to register your Asignio Signature. ++8. The browser is redirected to `https://jwt.ms`. The token contents returned by Azure AD B2C appear. ++## Create Asignio policy key ++1. Store the generated Client Secret in the Azure AD B2C tenant. +2. Sign in to the [Azure portal](https://portal.azure.com/). +3. In the portal toolbar, select the **Directories + subscriptions**. +4. On **Portal settings | Directories + subscriptions**, in the **Directory name** list, locate your Azure AD B2C directory. +5. Select **Switch**. +6. In the top-left corner of the Azure portal, select **All services**. +7. Search for and select **Azure AD B2C**. +8. On the Overview page, select **Identity Experience Framework**. +9. Select **Policy Keys**. +10. Select **Add**. +11. For **Options**, select **Manual**. +12. 
Enter a policy key **Name** for the policy key. The prefix `B2C_1A_` is appended to the key name. +13. In **Secret**, enter the Client Secret that you noted. +14. For **Key usage**, select **Signature**. +15. Select **Create**. ++## Configure Asignio as an Identity provider ++>[!TIP] +>Before you begin, ensure the Azure AD B2C policy is configured. If not, follow the instructions in [Custom policy starter pack](tutorial-create-user-flows.md?pivots=b2c-custom-policy#custom-policy-starter-pack). ++For users to sign in with Asignio, define Asignio as a claims provider that Azure AD B2C communicates with through an endpoint. The endpoint provides claims Azure AD B2C uses to verify user authentication with using digital ID on the device. ++### Add Asignio as a claims provider ++Get the custom policy starter packs from GitHub, then update the XML files in the LocalAccounts starter pack with your Azure AD B2C tenant name: ++1. Download the zip [active-directory-b2c-custom-policy-starterpack](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/archive/master.zip) or clone the repository: ++ ``` + git clone https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack + ``` + +2. In the files in the **LocalAccounts** directory, replace the string `yourtenant` with the Azure AD B2C tenant name. +3. Open the **LocalAccounts/ TrustFrameworkExtensions.xml**. +4. Find the **ClaimsProviders** element. If there isn't one, add it under the root element, `TrustFrameworkPolicy`. +5. 
Add a new **ClaimsProvider** similar to the following example: ++ ```xml + <ClaimsProvider> + <Domain>contoso.com</Domain> + <DisplayName>Asignio</DisplayName> + <TechnicalProfiles> + <TechnicalProfile Id="Asignio-Oauth2"> + <DisplayName>Asignio</DisplayName> + <Description>Login with your Asignio account</Description> + <Protocol Name="OAuth2" /> + <Metadata> + <Item Key="ProviderName">authorization.asignio.com</Item> + <Item Key="authorization_endpoint">https://authorization.asignio.com/authorize</Item> + <Item Key="AccessTokenEndpoint">https://authorization.asignio.com/token</Item> + <Item Key="ClaimsEndpoint">https://authorization.asignio.com/userinfo</Item> + <Item Key="ClaimsEndpointAccessTokenName">access_token</Item> + <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item> + <Item Key="HttpBinding">POST</Item> + <Item Key="scope">openid profile email</Item> + <Item Key="UsePolicyInRedirectUri">0</Item> + <!-- Update the Client ID below to the Asignio Application ID --> + <Item Key="client_id">00000000-0000-0000-0000-000000000000</Item> + <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item> +++ <!-- trying to add additional claim--> + <!--Insert b2c-extensions-app application ID here, for example: 11111111-1111-1111-1111-111111111111--> + <Item Key="11111111-1111-1111-1111-111111111111"></Item> + <!--Insert b2c-extensions-app application ObjectId here, for example: 22222222-2222-2222-2222-222222222222--> + <Item Key="22222222-2222-2222-2222-222222222222"></Item> + <!-- The key below allows you to specify each of the Azure AD tenants that can be used to sign in. Update the GUIDs below for each tenant. --> + <!--<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111</Item>--> + <!-- The commented key below specifies that users from any tenant can sign-in. Uncomment if you would like anyone with an Azure AD account to be able to sign in. 
--> + <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item> + </Metadata> + <CryptographicKeys> + <Key Id="client_secret" StorageReferenceId="B2C_1A_AsignioSecret" /> + </CryptographicKeys> + <OutputClaims> + <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" /> + <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" /> + <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" /> + <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" DefaultValue="https://authorization.asignio.com" /> + <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" /> + <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" /> + <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" /> + <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" /> + <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" /> + </OutputClaims> + <OutputClaimsTransformations> + <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" /> + <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" /> + <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" /> + <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" /> + </OutputClaimsTransformations> + <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" /> + </TechnicalProfile> + </TechnicalProfiles> + </ClaimsProvider> + ``` ++6. Set **client_id** with the Asignio Application ID you noted. +7. Update **client_secret** section with the policy key you created. For example, `B2C_1A_AsignioSecret`: ++ ```xml + <Key Id="client_secret" StorageReferenceId="B2C_1A_AsignioSecret" /> + ``` ++8. Save the changes. 
++## Add a user journey ++The identity provider isn't in the sign in pages. ++1. If you have a custom user journey continue to **Configure the relying party policy**, otherwise, copy a template user journey: +2. From the starter pack, open the **LocalAccounts/ TrustFrameworkBase.xml**. +3. Locate and copy the contents of the **UserJourney** element that include `Id=SignUpOrSignIn`. +4. Open the **LocalAccounts/ TrustFrameworkExtensions.xml**. +5. Locate the **UserJourneys** element. If there isn't one, add one. +6. Paste the UserJourney element contents as a child of the UserJourneys element.] +7. Rename the user journey **ID**. For example, `Id=AsignioSUSI`. ++Learn more: [User journeys](custom-policy-overview.md#user-journeys) ++## Add the identity provider to a user journey ++Add the new identity provider to the user journey. ++1. Find the orchestration step element that includes `Type=CombinedSignInAndSignUp`, or `Type=ClaimsProviderSelection` in the user journey. It's usually the first orchestration step. The **ClaimsProviderSelections** element has an identity provider list that users sign in with. The order of the elements controls the order of the sign in buttons. +2. Add a **ClaimsProviderSelection** XML element. +3. Set the value of **TargetClaimsExchangeId** to a friendly name. +4. Add a **ClaimsExchange** element. +5. Set the **Id** to the value of the target claims exchange ID. +6. Update the value of **TechnicalProfileReferenceId** to the ID of the technical profile you created. ++The following XML demonstrates user journey orchestration with the identity provider. 
++```xml + <UserJourney Id="AsignioSUSI"> + <OrchestrationSteps> + <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin"> + <ClaimsProviderSelections> + <ClaimsProviderSelection TargetClaimsExchangeId="AsignioExchange" /> + <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" /> + </ClaimsProviderSelections> + <ClaimsExchanges> + <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" /> + </ClaimsExchanges> + </OrchestrationStep> + <!-- Check if the user has selected to sign in using one of the social providers --> + <OrchestrationStep Order="2" Type="ClaimsExchange"> + <Preconditions> + <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> + <Value>objectId</Value> + <Action>SkipThisOrchestrationStep</Action> + </Precondition> + </Preconditions> + <ClaimsExchanges> + <ClaimsExchange Id="AsignioExchange" TechnicalProfileReferenceId="Asignio-Oauth2" /> + <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" /> + </ClaimsExchanges> + </OrchestrationStep> + <OrchestrationStep Order="3" Type="ClaimsExchange"> + <Preconditions> + <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> + <Value>authenticationSource</Value> + <Value>localAccountAuthentication</Value> + <Action>SkipThisOrchestrationStep</Action> + </Precondition> + </Preconditions> + <ClaimsExchanges> + <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" /> + </ClaimsExchanges> + </OrchestrationStep> + <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). This can only happen when authentication happened using a social IDP. 
If local account was created or authentication done using ESTS in step 2, then an user account must exist in the directory by this time. --> + <OrchestrationStep Order="4" Type="ClaimsExchange"> + <Preconditions> + <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> + <Value>objectId</Value> + <Action>SkipThisOrchestrationStep</Action> + </Precondition> + </Preconditions> + <ClaimsExchanges> + <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" /> + </ClaimsExchanges> + </OrchestrationStep> + <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent in the token. --> + <OrchestrationStep Order="5" Type="ClaimsExchange"> + <Preconditions> + <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> + <Value>authenticationSource</Value> + <Value>socialIdpAuthentication</Value> + <Action>SkipThisOrchestrationStep</Action> + </Precondition> + </Preconditions> + <ClaimsExchanges> + <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" /> + </ClaimsExchanges> + </OrchestrationStep> + <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect from the user. So, in that case, create the user in the directory if one does not already exist (verified using objectId which would be set from the last step if account was created in the directory. 
--> + <OrchestrationStep Order="6" Type="ClaimsExchange"> + <Preconditions> + <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> + <Value>objectId</Value> + <Action>SkipThisOrchestrationStep</Action> + </Precondition> + </Preconditions> + <ClaimsExchanges> + <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" /> + </ClaimsExchanges> + </OrchestrationStep> + <OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" /> + </OrchestrationSteps> + <ClientDefinition ReferenceId="DefaultWeb" /> + </UserJourney> +``` ++## Configure the relying party policy ++The relying party policy, for example [SignUpSignIn.xml](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/main/LocalAccounts/SignUpOrSignin.xml), specifies the user journey Azure AD B2C executes. ++1. In the relying party, locate the **DefaultUserJourney** element. +2. Update the **ReferenceId** to match the user journey ID, in which you added the identity provider. 
++In the following example, for the `AsignioSUSI` user journey, the **ReferenceId** is set to `AsignioSUSI`: ++```xml + <RelyingParty> + <DefaultUserJourney ReferenceId="AsignioSUSI" /> + <TechnicalProfile Id="PolicyProfile"> + <DisplayName>PolicyProfile</DisplayName> + <Protocol Name="OpenIdConnect" /> + <OutputClaims> + <OutputClaim ClaimTypeReferenceId="displayName" /> + <OutputClaim ClaimTypeReferenceId="givenName" /> + <OutputClaim ClaimTypeReferenceId="surname" /> + <OutputClaim ClaimTypeReferenceId="email" /> + <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/> + <OutputClaim ClaimTypeReferenceId="identityProvider" /> + <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" /> + <OutputClaim ClaimTypeReferenceId="correlationId" DefaultValue="{Context:CorrelationId}" /> + </OutputClaims> + <SubjectNamingInfo ClaimType="sub" /> + </TechnicalProfile> + </RelyingParty> ++``` ++## Upload the custom policy ++1. Sign in to the [Azure portal](https://portal.azure.com/#home). +2. In the portal toolbar, select the **Directories + subscriptions**. +3. On **Portal settings | Directories + subscriptions**, in the **Directory name** list, locate your Azure AD B2C directory. +4. Select **Switch**. +5. In the Azure portal, search for and select **Azure AD B2C**. +6. Under Policies, select **Identity Experience Framework**. +7. Select **Upload Custom Policy**. +8. Upload the two policy files you changed in the following order: ++ * Extension policy, for example `TrustFrameworkExtensions.xml` + * Relying party policy, such as `SignUpOrSignin.xml` ++## Test your custom policy ++1. In your Azure AD B2C tenant, and under **Policies**, select **Identity Experience Framework**. +2. Under **Custom policies**, select **AsignioSUSI**. +3. For **Application**, select the web application that you registered. The **Reply URL** is `https://jwt.ms`. +4. Select **Run now**. +5. 
The browser is redirected to the Asignio sign in page. +6. A sign in screen appears. +7. At the bottom, select **Asignio** authentication. ++If you have an Asignio Signature, you're prompted to authenticate with your Asignio Signature. If not, supply the device phone number to authenticate via SMS OTP. Use the link to register your Asignio Signature. ++8. The browser is redirected to `https://jwt.ms`. The token contents returned by Azure AD B2C appear. ++## Next steps ++* [Solutions and Training for Azure Active Directory B2C](solution-articles.md) +* Ask questions on [Stackoverflow](https://stackoverflow.com/questions/tagged/azure-ad-b2c) +* [Azure AD B2C Samples](https://stackoverflow.com/questions/tagged/azure-ad-b2c) +* YouTube: [Identity Azure AD B2C Series](https://www.youtube.com/playlist?list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0) +* [Azure AD B2C custom policy overview](custom-policy-overview.md) +* [Tutorial: Create user flows and custom policies in Azure Active Directory B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy) |
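Review bot: the `Asignio-Oauth2` ClaimsProvider example added under "Add Asignio as a claims provider" still carries scaffolding copied from a Microsoft Entra multi-tenant template that does not belong in an `OAuth2` profile for Asignio: the `<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>` entry (together with the comment saying it lets "anyone with an Azure AD account" sign in), the two empty `<Item Key="11111111-1111-1111-1111-111111111111">` and `<Item Key="22222222-2222-2222-2222-222222222222">` entries keyed by placeholder GUIDs, and the `<!-- trying to add additional claim-->` comment. They contradict the profile's own `identityProvider` default of `https://authorization.asignio.com` and leave a reader unsure which issuer is actually trusted; suggest deleting them so the `Metadata` block ends at `IncludeClaimResolvingInClaimsHandling`, and replacing the `<Domain>contoso.com</Domain>` placeholder with a value that matches the Asignio domain hint used in the user-flow steps. Smaller fixes in the new text: steps 6 and 7 under "Configure Asignio as an identity provider in Azure AD B2C" both say to search for and select **Azure AD B2C** (drop one); `## SCreate a user flow policy` should read `## Create a user flow policy`; `For **Emai**l` should be `For **Email**`; `If you don't have on` should be `If you don't have one`; `Configurating` should be `Configuring`; the stray `]` after `as a child of the UserJourneys element` and the square brackets wrapping the redirect URI pattern should go; the Prerequisites list mixes `*` and `-` bullets; and the **Azure AD B2C Samples** item in Next steps links to the same Stack Overflow tag URL as the item above it, which looks like a copy-paste error.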
active-directory-b2c | Phone Factor Technical Profile | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/phone-factor-technical-profile.md | The **CryptographicKeys** element is not used. | setting.authenticationMode | No | The method to validate the phone number. Possible values: `sms`, `phone`, or `mixed` (default).| | setting.autodial| No| Specify whether the technical profile should auto dial or auto send an SMS. Possible values: `true`, or `false` (default). Auto dial requires the `setting.authenticationMode` metadata be set to `sms`, or `phone`. The input claims collection must have a single phone number. | | setting.autosubmit | No | Specifies whether the technical profile should auto submit the one-time password entry form. Possible values are `true` (default), or `false`. When auto-submit is turned off, the user needs to select a button to progress the journey. |+| setting.enableCaptchaChallenge | No | Specifies whether CAPTCHA challenge code should be displayed in an MFA flow. Possible values: `true` , or `false` (default). For this setting to work, the [CAPTCHA display control]() must be referenced in the display claims of the phone factor technical profile. [CAPTCHA feature](add-captcha.md) is in **public preview**.| ### UI elements |
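Review bot: the new `setting.enableCaptchaChallenge` row links `[CAPTCHA display control]()` with an empty target, so the reference that the setting depends on renders as dead text; point it at the display control documentation (the self-asserted technical profile change in this same batch has the identical empty link). Also `` `true` , or `false` `` has a stray space before the comma, and since the row says the control "must be referenced in the display claims of the phone factor technical profile", it should say what happens when `true` is set without that reference (ignored, or a policy validation error), which the text as written leaves undefined.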
active-directory-b2c | Self Asserted Technical Profile | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/self-asserted-technical-profile.md | -#Customer intent: As a developer using Azure Active Directory B2C, I want to define a self-asserted technical profile with display claims and output claims, so that I can collect and validate user input and return the claims to the next orchestration step. +#Customer intent: As a developer using Azure Active Directory B2C, I want to define a self-asserted technical profile with display, so that I can collect and validate user input. In the display claims collection, you can include a reference to a [DisplayContr The following example `TechnicalProfile` illustrates the use of display claims with display controls. * The first display claim makes a reference to the `emailVerificationControl` display control, which collects and verifies the email address.-* The fifth display claim makes a reference to the `phoneVerificationControl` display control, which collects and verifies a phone number. +* The second display claim makes a reference to the `captchaChallengeControl` display control, which generates and verifies CAPTCHA code. +* The sixth display claim makes a reference to the `phoneVerificationControl` display control, which collects and verifies a phone number. * The other display claims are ClaimTypes to be collected from the user. ```xml <TechnicalProfile Id="Id"> <DisplayClaims> <DisplayClaim DisplayControlReferenceId="emailVerificationControl" />+ <DisplayClaim DisplayControlReferenceId="captchaChallengeControl" /> <DisplayClaim ClaimTypeReferenceId="displayName" Required="true" /> <DisplayClaim ClaimTypeReferenceId="givenName" Required="true" /> <DisplayClaim ClaimTypeReferenceId="surName" Required="true" /> You can also call a REST API technical profile with your business logic, overwri | AllowGenerationOfClaimsWithNullValues| No| Allow to generate a claim with null value. 
For example, in a case user doesn't select a checkbox.| | ContentDefinitionReferenceId | Yes | The identifier of the [content definition](contentdefinitions.md) associated with this technical profile. | | EnforceEmailVerification | No | For sign-up or profile edit, enforces email verification. Possible values: `true` (default), or `false`. |-| setting.retryLimit | No | Controls the number of times a user can try to provide the data that is checked against a validation technical profile. For example, a user tries to sign-up with an account that already exists and keeps trying until the limit reached. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/technical-profiles/self-asserted#retry-limit) of this metadata.| +| setting.retryLimit | No | Controls the number of times a user can try to provide the data that is checked against a validation technical profile. For example, a user tries to sign up with an account that already exists and keeps trying until the limit reached. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/technical-profiles/self-asserted#retry-limit) of this metadata.| | SignUpTarget <sup>1</sup>| No | The sign-up target exchange identifier. When the user clicks the sign-up button, Azure AD B2C executes the specified exchange identifier. | | setting.showCancelButton | No | Displays the cancel button. Possible values: `true` (default), or `false`. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/technical-profiles/self-asserted#show-the-cancel-button) of this metadata.| | setting.showContinueButton | No | Displays the continue button. Possible values: `true` (default), or `false`. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/technical-profiles/self-asserted#show-the-continue-button) of this metadata. 
| You can also call a REST API technical profile with your business logic, overwri | setting.inputVerificationDelayTimeInMilliseconds <sup>3</sup>| No| Improves user experience, by waiting for the user to stop typing, and then validate the value. Default value 2000 milliseconds. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/technical-profiles/self-asserted#input-verification-delay-time-in-milliseconds) of this metadata. | | IncludeClaimResolvingInClaimsHandling  | No | For input and output claims, specifies whether [claims resolution](claim-resolver-overview.md) is included in the technical profile. Possible values: `true`, or `false` (default). If you want to use a claims resolver in the technical profile, set this to `true`. | |setting.forgotPasswordLinkOverride <sup>4</sup>| No | A password reset claims exchange to be executed. For more information, see [Self-service password reset](add-password-reset-policy.md). |+| setting.enableCaptchaChallenge | No | Specifies whether CAPTCHA challenge code should be displayed. Possible values: `true` , or `false` (default). For this setting to work, the [CAPTCHA display control]() must be referenced in the [display claims](#display-claims) of the self-asserted technical profile. CAPTCHA feature is in **public preview**.| Notes: |
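Review bot: the new `setting.enableCaptchaChallenge` row links to `[CAPTCHA display control]()` with an empty target, so the cross-reference renders as dead text; fill in the link to the display-control article that defines `captchaChallengeControl` before merging. In the same cell, "`true` , or `false` (default)" has a stray space before the comma, and "CAPTCHA feature is in **public preview**" wants an article ("The CAPTCHA feature ...").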
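Review bot: the rewritten customer-intent line reads "define a self-asserted technical profile with display, so that I can collect and validate user input", which is truncated; "display" needs its noun ("display claims"), and the deleted clause about output claims being returned to the next orchestration step still describes what the article covers, so dropping it narrows the stated intent without a corresponding change in the body.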
ai-services | Cognitive Services Support Options | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/cognitive-services-support-options.md | |
ai-services | Azure Container Instance Recipe | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/containers/azure-container-instance-recipe.md | |
ai-services | Container Reuse Recipe | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/containers/container-reuse-recipe.md | |
ai-services | Docker Compose Recipe | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/containers/docker-compose-recipe.md | |
ai-services | Create Account Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/create-account-terraform.md | description: 'In this article, you create an Azure AI services resource using Te keywords: Azure AI services, cognitive solutions, cognitive intelligence, cognitive artificial intelligence Previously updated : 4/14/2023 Last updated : 2/23/2024 - devx-track-terraform - ignite-2023+ai-usage: ai-assisted # Quickstart: Create an Azure AI services resource using Terraform |
ai-services | Assistants Reference Messages | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/assistants-reference-messages.md | A [message](#message-object) object. from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(thread_message) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads/{thread_id}/messages?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' \ -d '{ "role": "user", A list of [message](#message-object) objects. from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(thread_messages.data) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads/{thread_id}/messages?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' ``` A list of [message file](#message-file-object) objects from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(message_files) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads/{thread_id}/messages/files?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' ``` The [message](#message-object) object matching the specified ID. 
from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(message) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads/{thread_id}/messages/{message_id}?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' ``` The [message file](#message-file-object) object. from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(message_files) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads/{thread_id}/messages/{message_id}/files/{file_id}?api-version=2024-02-15-preview ``` \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' ``` The modified [message](#message-object) object. from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(message) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads/{thread_id}/messages/{message_id}?api-version=2024-02-15-preview ``` \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' \ -d '{ "metadata": { |
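Review bot: in two of the `console` examples here (retrieve message file, `.../messages/{message_id}/files/{file_id}`, and modify message, `.../messages/{message_id}`) the closing ``` fence sits immediately after the URL line, so the following `-H "api-key: $AZURE_OPENAI_API_KEY"`, `-H 'Content-Type: ...'` and `-d '{ ... }'` arguments fall outside the code block and render as stray prose; move the fence to after the last argument, as the other curl examples in the page do.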
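Review bot: every Python snippet touched by this rename calls `os.getenv(...)` but the visible context shows only `from openai import AzureOpenAI` above `client = AzureOpenAI(`; confirm that each snippet also carries `import os` (the content-filter article in this same batch shows `import os` explicitly), otherwise the examples fail with a `NameError` when copied as-is.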
ai-services | Assistants Reference Runs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/assistants-reference-runs.md | Create a run. | `assistant_id` | string | Required | The ID of the assistant to use to execute this run. | | `model` | string or null | Optional | The model deployment name to be used to execute this run. If a value is provided here, it will override the model deployment name associated with the assistant. If not, the model deployment name associated with the assistant will be used. | | `instructions` | string or null | Optional | Overrides the instructions of the assistant. This is useful for modifying the behavior on a per-run basis. |-| `additional_instructions` | string or null | Optional | Appends additional instructions at the end of the instructions for the run. This is useful for modifying the behavior on a per-run basis without overriding other instructions. | | `tools` | array or null | Optional | Override the tools the assistant can use for this run. This is useful for modifying the behavior on a per-run basis. | | `metadata` | map | Optional | Set of 16 key-value pairs that can be attached to an object. This can be useful for storing additional information about the object in a structured format. Keys can be a maximum of 64 characters long and values can be a maximum of 512 characters long. | A run object. from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(run) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads/{thread_id}/runs?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' \ -d '{ "assistant_id": "asst_abc123" A run object. 
from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) run = client.beta.threads.create_and_run( ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads/runs?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' \ -d '{ "assistant_id": "asst_abc123", A list of [run](#run-object) objects. from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(runs) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads/{thread_id}/runs?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' ``` A list of [run step](#run-step-object) objects. from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(run_steps) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads/{thread_id}/runs/{run_id}/steps?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' ``` The [run](#run-object) object matching the specified run ID. 
from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(run) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads/{thread_id}/runs/{run_id}?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' ``` The [run step](#run-step-object) object matching the specified ID. from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(run_step) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads/{thread_id}/runs/{run_id}/steps/{step_id}?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' ``` The modified [run](#run-object) object matching the specified ID. from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(run) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads/{thread_id}/runs/{run_id}?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' -d '{ "metadata": { The modified [run](#run-object) object matching the specified ID. 
from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(run) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads/{thread_id}/runs/{run_id}/submit_tool_outputs?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' \ -d '{ "tool_outputs": [ The modified [run](#run-object) object matching the specified ID. from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(run) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads/{thread_id}/runs/{run_id}/cancel?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' \ -X POST ``` |
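Review bot: the deleted `additional_instructions` table row is not replaced or explained, so the reference no longer documents that request parameter at all; if `2024-02-15-preview` does not accept it, a one-line note saying so is more helpful than a silent removal, and if it does, the row should stay.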
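Review bot: the modify-run `console` example (`.../runs/{run_id}?api-version=...`) ends its header line as `-H 'Content-Type: application/json' -d '{` with no `\` continuation before `-d`, unlike the sibling examples (`-H 'Content-Type: application/json' \ -d '{`); as written, the body begins on the same logical line and the example's line breaks do not survive copy-paste.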
ai-services | Assistants Reference Threads | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/assistants-reference-threads.md | A [thread object](#thread-object). from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(empty_thread) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' \ -d '' ``` The thread object matching the specified ID. from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(my_thread) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads/{thread_id}?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' ``` curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads/{thread_id}?api- ## Modify thread ```http-POST https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads{thread_id}?api-version=2024-02-15-preview +POST https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads/{thread_id}?api-version=2024-02-15-preview ``` Modifies a thread. The modified [thread object](#thread-object) matching the specified ID. 
from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(my_updated_thread) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads/{thread_id}?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' \ -d '{ "metadata": { curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads/{thread_id}?api- ## Delete thread ```http-DELETE https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads{thread_id}?api-version=2024-02-15-preview +DELETE https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads/{thread_id}?api-version=2024-02-15-preview ``` Delete a thread Deletion status. from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(response) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads/{thread_id}?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' \ -X DELETE ``` |
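Review bot: the `http` blocks for Modify thread and Delete thread gain the missing `/` between `threads` and `{thread_id}`, which brings them in line with the curl examples (`.../threads/{thread_id}?api-version=...`); the Create thread and Retrieve thread `http` blocks in the same article are not in this diff, so check them for the same typo while the fix is fresh.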
ai-services | Assistants Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/assistants-reference.md | An [assistant](#assistant-object) object. from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) assistant = client.beta.assistants.create( ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/assistants?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' \ -d '{ "instructions": "You are an AI assistant that can write code to help answer math questions.", An [assistant file](#assistant-file-object) object. from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(assistant_file) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/assistants/{assistant_id}/files?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' \ -d '{ "file_id": "assistant-abc123" A list of [assistant](#assistant-object) objects from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(my_assistants.data) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/assistants?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' ``` A list of [assistant file](#assistant-file-object) objects from openai import AzureOpenAI client = 
AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(assistant_files) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/assistants/{assistant-id}/files?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' ``` The [assistant](#assistant-object) object matching the specified ID. ```python client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(my_assistant) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/assistants/{assistant-id}?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' ``` The [assistant file](#assistant-file-object) object matching the specified ID ```python client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(assistant_file) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/assistants/{assistant-id}/files/{file-id}?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' ``` The modified [assistant object](#assistant-object). 
```python client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(my_updated_assistant) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/assistants/{assistant-id}?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' \ -d '{ "instructions": "You are an HR bot, and you have access to files to answer employee questions about company policies. Always response with info from either of the files.", Deletion status. ```python client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(response) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/assistants/{assistant-id}?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' \ -X DELETE ``` File deletion status ```python client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(deleted_assistant_file) ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/assistants/{assistant_id}/files/{file-id}?api-version=2024-02-15-preview ``` \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' \ -X DELETE ``` |
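Review bot: path placeholders are inconsistent across the curl examples in this article: `{assistant_id}/files` and `{assistant_id}/files/{file-id}` on one hand, `{assistant-id}/files`, `{assistant-id}` and `{assistant-id}/files/{file-id}` on the other; pick one spelling (the messages and runs references in this batch use underscore form, `{thread_id}`, `{message_id}`, `{file_id}`) and apply it throughout so readers searching for a placeholder find every occurrence.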
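Review bot: the delete-assistant-file `console` example (`.../assistants/{assistant_id}/files/{file-id}?api-version=...`) closes its ``` fence right after the URL, leaving `-H "api-key: $AZURE_OPENAI_API_KEY"`, `-H 'Content-Type: ...'` and `-X DELETE` outside the code block; move the fence below `-X DELETE`. The `python` snippets in this stretch also open with `client = AzureOpenAI(` and no import line, unlike the earlier ones that show `from openai import AzureOpenAI`; add the import so each block stands alone.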
ai-services | Content Filter | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/content-filter.md | import openai openai.api_type = "azure" openai.api_base = os.getenv("AZURE_OPENAI_ENDPOINT") openai.api_version = "2023-06-01-preview" # API version required to test out Annotations preview-openai.api_key = os.getenv("AZURE_OPENAI_KEY") +openai.api_key = os.getenv("AZURE_OPENAI_API_KEY") response = openai.Completion.create( engine="gpt-35-turbo", # engine = "deployment_name". import openai openai.api_type = "azure" openai.api_base = os.getenv("AZURE_OPENAI_ENDPOINT") openai.api_version = "2023-06-01-preview" # API version required to test out Annotations preview-openai.api_key = os.getenv("AZURE_OPENAI_KEY") +openai.api_key = os.getenv("AZURE_OPENAI_API_KEY") try: response = openai.Completion.create( except openai.error.InvalidRequestError as e: import os from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2023-10-01-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) main().catch((err) => { ```powershell-interactive # Env: for the endpoint and key assumes that you are using environment variables. $openai = @{- api_key = $Env:AZURE_OPENAI_KEY + api_key = $Env:AZURE_OPENAI_API_KEY api_base = $Env:AZURE_OPENAI_ENDPOINT # your endpoint should look like the following https://YOUR_RESOURCE_NAME.openai.azure.com/ api_version = '2023-10-01-preview' # this may change in the future name = 'YOUR-DEPLOYMENT-NAME-HERE' #This will correspond to the custom name you chose for your deployment when you deployed a model. |
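Review bot: the first two Python snippets use the legacy module-level style (`openai.api_type = "azure"`, `openai.Completion.create(...)`, `except openai.error.InvalidRequestError`) while the third uses the 1.x `AzureOpenAI` client; the env-var rename is applied to both, but the page now asks readers to install two incompatible SDK generations to run its examples. Either port the legacy snippets to the `AzureOpenAI` client or label them as requiring `openai<1.0`.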
ai-services | Models | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/models.md | In testing, OpenAI reports both the large and small third generation embeddings | MIRACL average | 31.4 | 44.0 | 54.9 | | MTEB average | 61.0 | 62.3 | 64.6 | -The third generation embeddings models support reducing the size of the embedding via a new `dimensions` parameter. Typically larger embeddings are more expensive from a compute, memory, and storage perspective. Being able to adjust the number of dimensions allows more control over overall cost and performance. Official support for the dimensions parameter was added to the OpenAI Python library in version `1.10.0`. If you are running an earlier version of the 1.x library you will need to upgrade `pip install openai --upgrade`. +The third generation embeddings models support reducing the size of the embedding via a new `dimensions` parameter. Typically larger embeddings are more expensive from a compute, memory, and storage perspective. Being able to adjust the number of dimensions allows more control over overall cost and performance. The `dimensions` parameter is not supported in all versions of the OpenAI 1.x Python library, to take advantage of this parameter we recommend upgrading to the latest version: `pip install openai --upgrade`. OpenAI's MTEB benchmark testing found that even when the third generation model's dimensions are reduced to less than `text-embeddings-ada-002` 1,536 dimensions performance remains slightly better. 
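Review bot: the replacement sentence trades a concrete, verifiable statement ("Official support for the dimensions parameter was added ... in version `1.10.0`") for the vaguer "not supported in all versions of the OpenAI 1.x Python library"; if the minimum version is known, keep it so readers can pin a dependency rather than guess. The new sentence is also a comma splice ("... library, to take advantage of this parameter we recommend ..."): split it or use a semicolon. In the unchanged context line, `text-embeddings-ada-002` should be `text-embedding-ada-002` (singular), which is the published model name.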
GPT-4 version 0125-preview is an updated version of the GPT-4 Turbo preview prev | gpt-4 (0613) | Australia East <br> Canada East <br> France Central <br> Sweden Central <br> Switzerland North | East US <br> East US 2 <br> Japan East <br> UK South | | gpt-4 (1106-preview) | Australia East <br> Canada East <br> East US 2 <br> France Central <br> Norway East <br> South India <br> Sweden Central <br> UK South <br> West US | | | gpt-4 (0125-preview) | East US <br> North Central US <br> South Central US <br> |-| gpt-4 (vision-preview) | Sweden Central <br> West US <br> Japan East| Switzerland North <br> Australia East | +| gpt-4 (vision-preview) | Sweden Central <br> West US <br> Japan East <br> Switzerland North <br> Australia East| | #### Azure Government regions |
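Review bot: the edited `gpt-4 (vision-preview)` row moves `Switzerland North` and `Australia East` from the second region column into the first and leaves the second column empty; in this table the two columns carry different meanings (the `gpt-4 (0613)` row lists distinct regions in each), so confirm that both sets of regions really belong in the first column, and if so, say in the surrounding text why the second column is blank for this model.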
ai-services | Provisioned Throughput | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/provisioned-throughput.md | An Azure OpenAI Deployment is a unit of management for a specific OpenAI Model. | Utilization | Provisioned-managed Utilization measure provided in Azure Monitor. | | Estimating size | Provided calculator in the studio & benchmarking script. | +## How do I get access to Provisioned? ++You need to speak with your Microsoft sales/account team to acquire provisioned throughput. If you don't have a sales/account team, unfortunately at this time, you cannot purchase provisioned throughput. + ## Key concepts ### Provisioned throughput units |
ai-services | Assistant Functions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/assistant-functions.md | To use all features of function calling including parallel functions, you need t from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) assistant = client.beta.assistants.create( ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/assistants?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "instructions": "You are a weather bot. Use the provided functions to answer questions.", You can then complete the **Run** by submitting the tool output from the functio from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) run = client.beta.threads.runs.submit_tool_outputs( ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads/thread_abc123/runs/run_123/submit_tool_outputs?api-version=2024-02-15-preview \ -H "Content-Type: application/json" \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -d '{ "tool_outputs": [{ "tool_call_id": "call_abc123", |
ai-services | Assistant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/assistant.md | import json from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) When annotations are present in the Message content array, you'll see illegible from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) |
ai-services | Code Interpreter | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/code-interpreter.md | We recommend using assistants with the latest models to take advantage of the ne from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) assistant = client.beta.assistants.create( ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/assistants?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' \ -d '{ "instructions": "You are an AI assistant that can write code to help answer math questions.", curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/assistants?api-version=2 from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) assistant = client.beta.assistants.create( # Upload a file with an "assistants" purpose curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/files?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -F purpose="assistants" \ -F file="@c:\\path_to_file\\file.csv" # Create an assistant using the file ID curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/assistants?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' \ -d '{ "instructions": "You are an AI assistant that can write code to help answer math questions.", In addition to making files accessible at the Assistants level you can pass file from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + 
api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) thread = client.beta.threads.create( ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads/<YOUR-THREAD-ID>/messages?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ -H 'Content-Type: application/json' \ -d '{ "role": "user", You can download these generated files by passing the files to the files API: from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-02-15-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) with open("./my-image.png", "wb") as file: ```console curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/files/<YOUR-FILE-ID>/content?api-version=2024-02-15-preview \- -H "api-key: $AZURE_OPENAI_KEY" \ + -H "api-key: $AZURE_OPENAI_API_KEY" \ --output image.png ``` |
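Review bot: the file-upload `console` example passes `-F file="@c:\\path_to_file\\file.csv"`, a Windows drive path with doubled backslashes inside a shell-quoted curl command; in bash the `\\` collapse to `\` and the call works, but the mix of Windows path and POSIX quoting will confuse readers on either platform. A neutral placeholder such as `@path/to/file.csv`, matching the `<YOUR-THREAD-ID>` style used elsewhere in the same article, avoids the ambiguity.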
ai-services | Embeddings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/embeddings.md | import os from openai import AzureOpenAI client = AzureOpenAI(- api_key = os.getenv("AZURE_OPENAI_KEY"), + api_key = os.getenv("AZURE_OPENAI_API_KEY"), api_version = "2023-05-15", azure_endpoint =os.getenv("AZURE_OPENAI_ENDPOINT") ) foreach (float item in returnValue.Value.Data[0].Embedding.ToArray()) ```powershell-interactive # Azure OpenAI metadata variables $openai = @{- api_key = $Env:AZURE_OPENAI_KEY + api_key = $Env:AZURE_OPENAI_API_KEY api_base = $Env:AZURE_OPENAI_ENDPOINT # your endpoint should look like the following https://YOUR_RESOURCE_NAME.openai.azure.com/ api_version = '2023-05-15' # this may change in the future name = 'YOUR-DEPLOYMENT-NAME-HERE' #This will correspond to the custom name you chose for your deployment when you deployed a model. |
ai-services | Fine Tuning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/fine-tuning.md | Azure OpenAI Service lets you tailor our models to your personal datasets by usi - Higher quality results than what you can get just from [prompt engineering](../concepts/prompt-engineering.md) - The ability to train on more examples than can fit into a model's max request context limit.+- Token savings due to shorter prompts - Lower-latency requests, particularly when using smaller models. -A fine-tuned model improves on the few-shot learning approach by training the model's weights on your own data. A customized model lets you achieve better results on a wider number of tasks without needing to provide examples in your prompt. The result is less text sent and fewer tokens processed on every API call, potentially saving cost and improving request latency. +In contrast to few-shot learning, fine tuning improves the model by training on many more examples than can fit in a prompt, letting you achieve better results on a wide number of tasks. Because fine tuning adjusts the base modelΓÇÖs weights to improve performance on the specific task, you wonΓÇÖt have to include as many examples or instructions in your prompt. This means less text sent and fewer tokens processed on every API call, potentially saving cost, and improving request latency. ++We use LoRA, or low rank approximation, to fine-tune models in a way that reduces their complexity without significantly affecting their performance. This method works by approximating the original high-rank matrix with a lower rank one, thus only fine-tuning a smaller subset of "important" parameters during the supervised training phase, making the model more manageable and efficient. For users, this makes training faster and more affordable than other techniques. 
+ ::: zone pivot="programming-language-studio" A fine-tuned model improves on the few-shot learning approach by training the mo ### How do I enable fine-tuning? Create a custom model is greyed out in Azure OpenAI Studio? In order to successfully access fine-tuning, you need **Cognitive Services OpenAI Contributor assigned**. Even someone with high-level Service Administrator permissions would still need this account explicitly set in order to access fine-tuning. For more information, please review the [role-based access control guidance](/azure/ai-services/openai/how-to/role-based-access-control#cognitive-services-openai-contributor).- ++### Why did my upload fail? ++If your file upload fails, you can view the error message under ΓÇ£data filesΓÇ¥ in Azure OpenAI Studio. Hover your mouse over where it says ΓÇ£errorΓÇ¥ (under the status column) and an explanation of the failure will be displayed. +++### My fine-tuned model does not seem to have improved ++- **Missing system message:** You need to provide a system message when you fine tune; you will want to provide that same system message when you use the fine-tuned model. If you provide a different system message, you may see different results than what you fine-tuned for. ++- **Not enough data:** while 10 is the minimum for the pipeline to run, you need hundreds to thousands of data points to teach the model a new skill. Too few data points risks overfitting and poor generalization. Your fine-tuned model may perform well on the training data, but poorly on other data because it has memorized the training examples instead of learning patterns. For best results, plan to prepare a data set with hundreds or thousands of data points. ++- **Bad data:** A poorly curated or unrepresentative dataset will produce a low-quality model. Your model may learn inaccurate or biased patterns from your dataset. For example, if you are training a chatbot for customer service, but only provide training data for one scenario (e.g. 
item returns) it will not know how to respond to other scenarios. Or, if your training data is bad (contains incorrect responses), your model will learn to provide incorrect results. ++ ## Next steps - Explore the fine-tuning capabilities in the [Azure OpenAI fine-tuning tutorial](../tutorials/fine-tune.md). |
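Review bot: "We use LoRA, or low rank approximation" misexpands the acronym in the new paragraph: LoRA is Low-Rank Adaptation, and it works by freezing the base weights and training small low-rank update matrices that are added to them, not by "approximating the original high-rank matrix with a lower rank one". Suggest: "We use LoRA (Low-Rank Adaptation), which keeps the base model's weights frozen and trains a small number of additional low-rank parameters, so training is faster and cheaper than full fine-tuning." In the same hunk, the bold in "you need **Cognitive Services OpenAI Contributor assigned**" should wrap only the role name, and "Create a custom model is greyed out in Azure OpenAI Studio?" reads as a question fragment under the "How do I enable fine-tuning?" heading; make it a sentence ("If **Create a custom model** is greyed out in Azure OpenAI Studio, ..."). The new "Not enough data" and "Bad data" items are good; the "Missing system message" item could add that the system message is part of the trained behaviour, so changing it at inference time effectively shifts the input distribution.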
ai-services | Function Calling | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/function-calling.md | import json client = AzureOpenAI( azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT"), - api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2023-12-01-preview" ) When functions are provided, by default the `function_call` is set to `"auto"` a import os import openai -openai.api_key = os.getenv("AZURE_OPENAI_KEY") +openai.api_key = os.getenv("AZURE_OPENAI_API_KEY") openai.api_version = "2023-07-01-preview" openai.api_type = "azure" openai.api_base = os.getenv("AZURE_OPENAI_ENDPOINT") import os from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2023-10-01-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) print(response.choices[0].message.model_dump_json(indent=2)) ```powershell-interactive $openai = @{- api_key = $Env:AZURE_OPENAI_KEY + api_key = $Env:AZURE_OPENAI_API_KEY api_base = $Env:AZURE_OPENAI_ENDPOINT # should look like https:/YOUR_RESOURCE_NAME.openai.azure.com/ api_version = '2023-10-01-preview' # may change in the future name = 'YOUR-DEPLOYMENT-NAME-HERE' # the custom name you chose for your deployment |
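Review bot: After the rename the page still targets three different API versions across its samples (`2023-12-01-preview`, `2023-07-01-preview` and `2023-10-01-preview`). On a function-calling page that matters, because the request shape changed between the `functions`/`function_call` form and the `tools`/`tool_choice` form; each sample should state which version it requires, or the versions should be aligned. Also fix the unchanged PowerShell comment `https:/YOUR_RESOURCE_NAME.openai.azure.com/`, which is missing a slash after `https:`.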
ai-services | Json Mode | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/json-mode.md | from openai import AzureOpenAI client = AzureOpenAI( azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT"), - api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2023-12-01-preview" ) because they plan to use the output for further scripting. ```powershell-interactive $openai = @{- api_key = $Env:AZURE_OPENAI_KEY + api_key = $Env:AZURE_OPENAI_API_KEY api_base = $Env:AZURE_OPENAI_ENDPOINT # like the following https://YOUR_RESOURCE_NAME.openai.azure.com/ api_version = '2023-12-01-preview' # may change in the future name = 'YOUR-DEPLOYMENT-NAME-HERE' # name you chose for your deployment |
ai-services | Migration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/migration.md | import os import openai openai.api_type = "azure" openai.api_base = os.getenv("AZURE_OPENAI_ENDPOINT") -openai.api_key = os.getenv("AZURE_OPENAI_KEY") +openai.api_key = os.getenv("AZURE_OPENAI_API_KEY") openai.api_version = "2023-05-15" response = openai.ChatCompletion.create( from openai import AzureOpenAI client = AzureOpenAI( azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT"), - api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2023-05-15" ) Additional examples can be found in our [in-depth Chat Completion article](chatg import os import openai -openai.api_key = os.getenv("AZURE_OPENAI_KEY") +openai.api_key = os.getenv("AZURE_OPENAI_API_KEY") openai.api_base = os.getenv("AZURE_OPENAI_ENDPOINT") # your endpoint should look like the following https://YOUR_RESOURCE_NAME.openai.azure.com/ openai.api_type = 'azure' openai.api_version = '2023-05-15' # this might change in the future import os from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2023-12-01-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) import os from openai import AzureOpenAI client = AzureOpenAI(- api_key = os.getenv("AZURE_OPENAI_KEY"), + api_key = os.getenv("AZURE_OPENAI_API_KEY"), api_version = "2023-05-15", azure_endpoint =os.getenv("AZURE_OPENAI_ENDPOINT") ) from openai import AsyncAzureOpenAI async def main(): client = AsyncAzureOpenAI( - api_key = os.getenv("AZURE_OPENAI_KEY"), + api_key = os.getenv("AZURE_OPENAI_API_KEY"), api_version = "2023-12-01-preview", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") ) |
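Review bot: Since this is the migration page, it is the right place to say why the variable was renamed: the v1 `AzureOpenAI` client reads `AZURE_OPENAI_API_KEY`, `AZURE_OPENAI_ENDPOINT` and `OPENAI_API_VERSION` from the environment when the corresponding arguments are omitted, whereas the legacy 0.28 module-level `openai.api_key` reads only `OPENAI_API_KEY` and must be set explicitly as shown. A sentence to that effect next to the first `AzureOpenAI(` sample would stop readers from assuming the explicit `api_key=os.getenv(...)` is still required. The samples also mix `api_version="2023-05-15"` and `"2023-12-01-preview"` without saying which features need the preview version.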
ai-services | Provisioned Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/provisioned-get-started.md | The inferencing code for provisioned deployments is the same a standard deployme client = AzureOpenAI( azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT"), - api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2023-05-15" ) from openai import AzureOpenAI # Configure the default for all requests: client = AzureOpenAI( azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT"),- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2023-05-15", max_retries=5,# default is 2 ) |
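Review bot: The unchanged intro line "The inferencing code for provisioned deployments is the same a standard deployme..." is missing "as" ("the same as a standard deployment"). In the second sample, `max_retries=5,# default is 2` needs a space before the comment, and since the point of the sample is retry behaviour for provisioned throughput, it would help to state which status codes the SDK retries (429 among them) so readers know `max_retries` is what governs back-off on capacity rejections.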
ai-services | Reproducible Output | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/reproducible-output.md | from openai import AzureOpenAI client = AzureOpenAI( azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT"), - api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2023-12-01-preview" ) for i in range(3): ```powershell-interactive $openai = @{- api_key = $Env:AZURE_OPENAI_KEY + api_key = $Env:AZURE_OPENAI_API_KEY api_base = $Env:AZURE_OPENAI_ENDPOINT # like the following https://YOUR_RESOURCE_NAME.openai.azure.com/ api_version = '2023-12-01-preview' # may change in the future name = 'YOUR-DEPLOYMENT-NAME-HERE' # name you chose for your deployment from openai import AzureOpenAI client = AzureOpenAI( azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT"), - api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2023-12-01-preview" ) for i in range(3): ```powershell-interactive $openai = @{- api_key = $Env:AZURE_OPENAI_KEY + api_key = $Env:AZURE_OPENAI_API_KEY api_base = $Env:AZURE_OPENAI_ENDPOINT # like the following https://YOUR_RESOURCE_NAME.openai.azure.com/ api_version = '2023-12-01-preview' # may change in the future name = 'YOUR-DEPLOYMENT-NAME-HERE' # name you chose for your deployment |
ai-services | Switching Endpoints | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/switching-endpoints.md | import os from openai import AzureOpenAI client = AzureOpenAI(- api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2023-12-01-preview", azure_endpoint=os.getenv("AZURE_OPENAI_ENDPOINT") ) |
ai-services | Quotas Limits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/quotas-limits.md | The following sections provide you with a quick guide to the default quotas and | Max number of `/chat completions` tools | 128 | | Maximum number of Provisioned throughput units per deployment | 100,000 | | Max files per Assistant/thread | 20 |-| Max file size for Assistants | 512 MB | +| Max file size for Assistants & fine-tuning | 512 MB | | Assistants token limit | 2,000,000 token limit | ## Regional quota limits The default quota for models varies by model and region. Default quota limits are subject to change. -<table> - <tr> - <th>Model</th> - <th>Regions</th> - <th>Tokens per minute</th> - </tr> - <tr> - <td rowspan="2">gpt-35-turbo</td> - <td>East US, South Central US, West Europe, France Central, UK South</td> - <td>240 K</td> - </tr> - <tr> - <td>North Central US, Australia East, East US 2, Canada East, Japan East, Sweden Central, Switzerland North</td> - <td>300 K</td> - </tr> - <tr> - <td rowspan="2">gpt-35-turbo-16k</td> - <td>East US, South Central US, West Europe, France Central, UK South</td> - <td>240 K</td> - </tr> - <tr> - <td>North Central US, Australia East, East US 2, Canada East, Japan East, Sweden Central, Switzerland North</td> - <td>300 K</td> - </tr> - <tr> - <td>gpt-35-turbo-instruct</td> - <td>East US, Sweden Central</td> - <td>240 K</td> - </tr> - <tr> - <td>gpt-35-turbo (1106)</td> - <td> Australia East, Canada East, France Central, South India, Sweden Central, UK South, West US -</td> - <td>120 K</td> - </tr> - <tr> - <td rowspan="2">gpt-4</td> - <td>East US, South Central US, France Central</td> - <td>20 K</td> - </tr> - <tr> - <td>North Central US, Australia East, East US 2, Canada East, Japan East, UK South, Sweden Central, Switzerland North</td> - <td>40 K</td> - </tr> - <tr> - <td rowspan="2">gpt-4-32k</td> - <td>East US, South Central US, France Central</td> - <td>60 K</td> - </tr> - <tr> - 
<td>North Central US, Australia East, East US 2, Canada East, Japan East, UK South, Sweden Central, Switzerland North</td> - <td>80 K</td> - </tr> - <tr> - <td rowspan="2">gpt-4 (1106-preview)<br>GPT-4 Turbo </td> - <td>Australia East, Canada East, East US 2, France Central, UK South, West US</td> - <td>80 K</td> - </tr> - <tr> - <td>South India, Norway East, Sweden Central</td> - <td>150 K</td> - </tr> -<tr> - <td>gpt-4 (vision-preview)<br>GPT-4 Turbo with Vision</td> - <td>Sweden Central, Switzerland North, Australia East, West US</td> - <td>30 K</td> - </tr> - <tr> - <td rowspan="2">text-embedding-ada-002</td> - <td>East US, South Central US, West Europe, France Central</td> - <td>240 K</td> - </tr> - <tr> - <td>North Central US, Australia East, East US 2, Canada East, Japan East, UK South, Switzerland North</td> - <td>350 K</td> - </tr> -<tr> - <td>Fine-tuning models (babbage-002, davinci-002, gpt-35-turbo-0613)</td> - <td>North Central US, Sweden Central</td> - <td>50 K</td> - </tr> - <tr> - <td>all other models</td> - <td>East US, South Central US, West Europe, France Central</td> - <td>120 K</td> - </tr> -</table> ++| Region | Text-Embedding-Ada-002 | text-embedding-3-small | text-embedding-3-large | GPT-35-Turbo | GPT-35-Turbo-1106 | GPT-35-Turbo-16K | GPT-35-Turbo-Instruct | GPT-4 | GPT-4-32K | GPT-4-Turbo | GPT-4-Turbo-V | Babbage-002 | Babbage-002 - finetune | Davinci-002 | Davinci-002 - finetune | GPT-35-Turbo - finetune | GPT-35-Turbo-1106 - finetune | +|:--|:-|:-|:-|:|:--|:-|:|:--|:|:--|:-|:--|:-|:--|:-|:--|:-| +| australiaeast | 350 K | - | - | 300 K | 120 K | 300 K | - | 40 K | 80 K | 80 K | - | - | - | - | - | - | - | +| brazilsouth | 350 K | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | +| canadaeast | 350 K | 350 K | 350 K | 300 K | 120 K | 300 K | - | 40 K | 80 K | 80 K | - | - | - | - | - | - | - | +| eastus | 240 K | 350 K | 350 K | 240 K | - | 240 K | 240 K | - | - | 80 K | - | - | - | - | - | - | - | +| eastus2 | 350 K | 
350 K | 350 K | 300 K | - | 300 K | - | 40 K | 80 K | 80 K | - | - | - | - | - | - | - | +| francecentral | 240 K | - | - | 240 K | 120 K | 240 K | - | 20 K | 60 K | 80 K | - | - | - | - | - | - | - | +| japaneast | 350 K | - | - | 300 K | - | 300 K | - | 40 K | 80 K | - | 30 K | - | - | - | - | - | - | +| northcentralus | 350 K | - | - | 300 K | - | 300 K | - | - | - | 80 K | - | 240 K | 250 K | 240 K | 250 K | 250 K | 250 K | +| norwayeast | 350 K | - | - | - | - | - | - | - | - | 150 K | - | - | - | - | - | - | - | +| southafricanorth | 350 K | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | +| southcentralus | 240 K | - | - | 240 K | - | - | - | - | - | 80 K | - | - | - | - | - | - | - | +| southindia | 350 K | - | - | - | 120 K | - | - | - | - | 150 K | - | - | - | - | - | - | - | +| swedencentral | 350 K | - | - | 300 K | 120 K | 300 K | 240 K | 40 K | 80 K | 150 K | 30 K | 240 K | 250 K | 240 K | 250 K | 250 K | 250 K | +| switzerlandnorth | 350 K | - | - | 300 K | - | 300 K | - | 40 K | 80 K | - | 30 K | - | - | - | - | - | - | +| uksouth | 350 K | - | - | 240 K | 120 K | 240 K | - | 40 K | 80 K | 80 K | - | - | - | - | - | - | - | +| westeurope | 240 K | - | - | 240 K | - | - | - | - | - | - | - | - | - | - | - | - | - | +| westus | 350 K | - | - | - | 120 K | - | - | - | - | 80 K | 30 K | - | - | - | - | - | - | ### General best practices to remain within rate limits |
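Review bot: The new markdown table drops the old "all other models | 120 K" row, so a model that is not one of the 17 columns now has no documented default; either keep a catch-all row or state that unlisted models have no default quota. As the delimiter row appears here, several cells are a bare `:` (`|:--|:-|:-|:-|:|:--|...`); if that is how the source reads rather than an artifact of this rendering, GitHub-flavoured markdown will not recognise the row as a table delimiter and the whole table falls back to plain text, so use `:-` or `:--` in every cell. The header change to "Max file size for Assistants & fine-tuning | 512 MB" is fine but should be cross-checked against the fine-tuning page, which does not mention a file-size limit.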
ai-services | Text To Speech Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/text-to-speech-quickstart.md | To successfully make a call against Azure OpenAI, you need an **endpoint** and a |Variable name | Value | |--|-| | `AZURE_OPENAI_ENDPOINT` | This value can be found in the **Keys & Endpoint** section when examining your resource from the Azure portal. Alternatively, you can find the value in the **Azure OpenAI Studio** > **Playground** > **Code View**. An example endpoint is: `https://aoai-docs.openai.azure.com/`.|-| `AZURE_OPENAI_KEY` | This value can be found in the **Keys & Endpoint** section when examining your resource from the Azure portal. You can use either `KEY1` or `KEY2`.| +| `AZURE_OPENAI_API_KEY` | This value can be found in the **Keys & Endpoint** section when examining your resource from the Azure portal. You can use either `KEY1` or `KEY2`.| Go to your resource in the Azure portal. The **Endpoint and Keys** can be found in the **Resource Management** section. Copy your endpoint and access key as you need both for authenticating your API calls. You can use either `KEY1` or `KEY2`. Always having two keys allows you to securely rotate and regenerate keys without causing a service disruption. Create and assign persistent environment variables for your key and endpoint. 
# [Command Line](#tab/command-line) ```CMD-setx AZURE_OPENAI_KEY "REPLACE_WITH_YOUR_KEY_VALUE_HERE" +setx AZURE_OPENAI_API_KEY "REPLACE_WITH_YOUR_KEY_VALUE_HERE" ``` ```CMD setx AZURE_OPENAI_ENDPOINT "REPLACE_WITH_YOUR_ENDPOINT_HERE" # [PowerShell](#tab/powershell) ```powershell-[System.Environment]::SetEnvironmentVariable('AZURE_OPENAI_KEY', 'REPLACE_WITH_YOUR_KEY_VALUE_HERE', 'User') +[System.Environment]::SetEnvironmentVariable('AZURE_OPENAI_API_KEY', 'REPLACE_WITH_YOUR_KEY_VALUE_HERE', 'User') ``` ```powershell setx AZURE_OPENAI_ENDPOINT "REPLACE_WITH_YOUR_ENDPOINT_HERE" # [Bash](#tab/bash) ```Bash-echo export AZURE_OPENAI_KEY="REPLACE_WITH_YOUR_KEY_VALUE_HERE" >> /etc/environment && source /etc/environment +echo export AZURE_OPENAI_API_KEY="REPLACE_WITH_YOUR_KEY_VALUE_HERE" >> /etc/environment && source /etc/environment ``` ```Bash |
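Review bot: The Bash tab's `echo export AZURE_OPENAI_API_KEY="..." >> /etc/environment && source /etc/environment` has a security problem independent of the rename: `/etc/environment` is a system-wide file that is world-readable by default on Debian and Ubuntu (mode 0644), so the API key becomes readable by every local account and every process on the host, and appending to it requires root. The command also leaves the key in the shell history. Suggest a user-scoped file such as `~/.bashrc` or `~/.profile` with a matching `source`, and a one-line caveat that the key is a bearer credential for the resource and should not be shared across users or committed anywhere. The Windows `setx` and PowerShell `'User'`-scope variants are already user-scoped, so only the Bash tab needs the change.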
ai-services | Fine Tune | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/tutorials/fine-tune.md | from openai import AzureOpenAI client = AzureOpenAI( azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT"), - api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2023-12-01-preview" # This API version or later is required to access fine-tuning for turbo/babbage-002/davinci-002 ) job_id = response.id # The fine-tuning job will take some time to start and complete. print("Job ID:", response.id)-print("Status:", response.id) +print("Status:", response.status) print(response.model_dump_json(indent=2)) ``` import openai openai.api_type = "azure" openai.api_base = os.getenv("AZURE_OPENAI_ENDPOINT") openai.api_version = "2023-05-15"-openai.api_key = os.getenv("AZURE_OPENAI_KEY") +openai.api_key = os.getenv("AZURE_OPENAI_API_KEY") response = openai.ChatCompletion.create( engine="gpt-35-turbo-ft", # engine = "Custom deployment name you chose for your fine-tuning model" from openai import AzureOpenAI client = AzureOpenAI( azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT"), - api_key=os.getenv("AZURE_OPENAI_KEY"), + api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2023-05-15" ) |
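Review bot: Good catch on `print("Status:", response.status)`; the old line printed the job ID twice and a reader polling on it would never see the status change. Since the tutorial later polls the job, it would be worth stating the terminal states the reader should stop on (`succeeded`, `failed`, `cancelled`) so the loop does not run forever on a failed job. The sample that deploys with `engine="gpt-35-turbo-ft"` still uses the legacy 0.28 module-level API while the rest of the page has moved to the v1 `AzureOpenAI` client; it should be updated to `client.chat.completions.create(model="gpt-35-turbo-ft", ...)` for consistency.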
ai-services | Whisper Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/whisper-quickstart.md | To successfully make a call against Azure OpenAI, you'll need an **endpoint** an |Variable name | Value | |--|-| | `AZURE_OPENAI_ENDPOINT` | This value can be found in the **Keys & Endpoint** section when examining your resource from the Azure portal. Alternatively, you can find the value in the **Azure OpenAI Studio** > **Playground** > **Code View**. An example endpoint is: `https://aoai-docs.openai.azure.com/`.|-| `AZURE_OPENAI_KEY` | This value can be found in the **Keys & Endpoint** section when examining your resource from the Azure portal. You can use either `KEY1` or `KEY2`.| +| `AZURE_OPENAI_API_KEY` | This value can be found in the **Keys & Endpoint** section when examining your resource from the Azure portal. You can use either `KEY1` or `KEY2`.| Go to your resource in the Azure portal. The **Endpoint and Keys** can be found in the **Resource Management** section. Copy your endpoint and access key as you'll need both for authenticating your API calls. You can use either `KEY1` or `KEY2`. Always having two keys allows you to securely rotate and regenerate keys without causing a service disruption. Create and assign persistent environment variables for your key and endpoint. 
# [Command Line](#tab/command-line) ```CMD-setx AZURE_OPENAI_KEY "REPLACE_WITH_YOUR_KEY_VALUE_HERE" +setx AZURE_OPENAI_API_KEY "REPLACE_WITH_YOUR_KEY_VALUE_HERE" ``` ```CMD setx AZURE_OPENAI_ENDPOINT "REPLACE_WITH_YOUR_ENDPOINT_HERE" # [PowerShell](#tab/powershell) ```powershell-[System.Environment]::SetEnvironmentVariable('AZURE_OPENAI_KEY', 'REPLACE_WITH_YOUR_KEY_VALUE_HERE', 'User') +[System.Environment]::SetEnvironmentVariable('AZURE_OPENAI_API_KEY', 'REPLACE_WITH_YOUR_KEY_VALUE_HERE', 'User') ``` ```powershell setx AZURE_OPENAI_ENDPOINT "REPLACE_WITH_YOUR_ENDPOINT_HERE" # [Bash](#tab/bash) ```Bash-echo export AZURE_OPENAI_KEY="REPLACE_WITH_YOUR_KEY_VALUE_HERE" >> /etc/environment && source /etc/environment +echo export AZURE_OPENAI_API_KEY="REPLACE_WITH_YOUR_KEY_VALUE_HERE" >> /etc/environment && source /etc/environment ``` ```Bash |
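Review bot: Same issue as the text-to-speech quickstart's Bash tab: appending the key to `/etc/environment` writes it to a system-wide, world-readable file (mode 0644 by default on Debian and Ubuntu) that every local user and process can read, and it requires root. A user-scoped `~/.bashrc` or `~/.profile` is the right target for a per-developer API key; the `setx` and PowerShell `'User'` variants are already user-scoped.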
ai-studio | Ai Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/concepts/ai-resources.md | While projects show up as their own tracking resources in the Azure portal, they Azure AI offers a set of connectors that allows you to connect to different types of data sources and other Azure tools. You can take advantage of connectors to connect with data such as indices in Azure AI Search to augment your flows. -Connections can be set up as shared with all projects in the same Azure AI hub resource, or created exclusively for one project. To manage project connections via Azure AI Studio, navigate to a project page, then navigate to **Settings** > **Connections**. To manage shared connections, navigate to the **Manage** page. As an administrator, you can audit both shared and project-scoped connections on an Azure AI hub resource level to have a single pane of glass of connectivity across projects. +Connections can be set up as shared with all projects in the same Azure AI hub resource, or created exclusively for one project. To manage project connections via Azure AI Studio, navigate to a project page, then navigate to **AI project settings** > **Connections**. To manage shared connections, navigate to the **Manage** page. As an administrator, you can audit both shared and project-scoped connections on an Azure AI hub resource level to have a single pane of glass of connectivity across projects. ## Azure AI dependencies In the Azure portal, you can find resources that correspond to your Azure AI pro > [!NOTE] > This section assumes that the Azure AI hub resource and Azure AI project are in the same resource group. -1. In [Azure AI Studio](https://ai.azure.com), go to **Build** > **Settings** to view your Azure AI project resources such as connections and API keys. There's a link to your Azure AI hub resource in Azure AI Studio and links to view the corresponding project resources in the [Azure portal](https://portal.azure.com). +1. 
In [Azure AI Studio](https://ai.azure.com), go to **Build** > **AI project settings** to view your Azure AI project resources such as connections and API keys. There's a link to your Azure AI hub resource in Azure AI Studio and links to view the corresponding project resources in the [Azure portal](https://portal.azure.com). :::image type="content" source="../media/concepts/azureai-project-view-ai-studio.png" alt-text="Screenshot of the Azure AI project and related resources in the Azure AI Studio." lightbox="../media/concepts/azureai-project-view-ai-studio.png"::: |
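Review bot: The UI rename from **Settings** to **AI project settings** is applied in both places here, but the same navigation path is spelled out in connections.md and connections-add.md, which this commit does not touch; check those for the old label. Since this page says administrators can "audit both shared and project-scoped connections", it should state which role that requires (the rbac-ai-studio page is the natural link), because the settings page also exposes API keys and the audience for it is broader than the audience that should see the keys.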
ai-studio | Connections | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/concepts/connections.md | Title: Connections in Azure AI Studio -description: This article introduces connections in Azure AI Studio +description: This article introduces connections in Azure AI Studio. - ignite-2023 Previously updated : 11/15/2023 Last updated : 2/22/2024 -Connections in Azure AI Studio are a way to authenticate and consume both Microsoft and third-party resources within your Azure AI projects. For example, connections can be used for prompt flow, training data, and deployments. [Connections can be created](../how-to/connections-add.md) exclusively for one project or shared with all projects in the same Azure AI hub resource. +Connections in Azure AI Studio are a way to authenticate and consume both Microsoft and non-Microsoft resources within your Azure AI projects. For example, connections can be used for prompt flow, training data, and deployments. [Connections can be created](../how-to/connections-add.md) exclusively for one project or shared with all projects in the same Azure AI hub resource. ## Connections to Azure AI services As another example, you can create a connection to an Azure AI Search resource. :::image type="content" source="../media/prompt-flow/vector-db-lookup-tool-connection.png" alt-text="Screenshot of a connection used by the Vector DB Lookup tool in prompt flow." lightbox="../media/prompt-flow/vector-db-lookup-tool-connection.png"::: -## Connections to third-party services +## Connections to non-Microsoft services -Azure AI Studio supports connections to third-party services, including the following: -- The [API key connection](../how-to/connections-add.md?tabs=api-key#connection-details) handles authentication to your specified target on an individual basis. 
This is the most common third-party connection type.-- The [custom connection](../how-to/connections-add.md?tabs=custom#connection-details) allows you to securely store and access keys while storing related properties, such as targets and versions. Custom connections are useful when you have many targets that or cases where you would not need a credential to access. LangChain scenarios are a good example where you would use custom service connections. Custom connections don't manage authentication, so you will have to manage authenticate on your own.+Azure AI Studio supports connections to non-Microsoft services, including the following: +- The [API key connection](../how-to/connections-add.md?tabs=api-key#connection-details) handles authentication to your specified target on an individual basis. This is the most common non-Microsoft connection type. +- The [custom connection](../how-to/connections-add.md?tabs=custom#connection-details) allows you to securely store and access keys while storing related properties, such as targets and versions. Custom connections are useful when you have many targets that or cases where you wouldn't need a credential to access. LangChain scenarios are a good example where you would use custom service connections. Custom connections don't manage authentication, so you'll have to manage authentication on your own. ## Connections to datastores Azure Blob Container| Γ£ô | Γ£ô| Microsoft OneLake| Γ£ô | Γ£ô| Azure Data Lake Gen2| Γ£ô | Γ£ô| -A Uniform Resource Identifier (URI) represents a storage location on your local computer, Azure storage, or a publicly available http(s) location. These examples show URIs for different storage options: +A Uniform Resource Identifier (URI) represents a storage location on your local computer, Azure storage, or a publicly available http or https location. 
These examples show URIs for different storage options: -|Storage location | URI examples | -||| -|Azure AI Studio connection | `azureml://datastores/<data_store_name>/paths/<folder1>/<folder2>/<folder3>/<file>.parquet` | -|Local files | `./home/username/data/my_data` | -|Public http(s) server | `https://raw.githubusercontent.com/pandas-dev/pandas/main/doc/data/titanic.csv` | -|Blob storage | `wasbs://<containername>@<accountname>.blob.core.windows.net/<folder>/`| -|Azure Data Lake (gen2) | `abfss://<file_system>@<account_name>.dfs.core.windows.net/<folder>/<file>.csv` | -|Microsoft OneLake | `abfss://<file_system>@<account_name>.dfs.core.windows.net/<folder>/<file>.csv` `https://<accountname>.dfs.fabric.microsoft.com/<artifactname>` | +| Storage location | URI examples | +||--| +| Azure AI Studio connection | `azureml://datastores/<data_store_name>/paths/<folder1>/<folder2>/<folder3>/<file>.parquet` | +| Local files | `./home/username/data/my_data` | +| Public http or https server | `https://raw.githubusercontent.com/pandas-dev/pandas/main/doc/data/titanic.csv` | +| Blob storage | `wasbs://<containername>@<accountname>.blob.core.windows.net/<folder>/` | +| Azure Data Lake (gen2) | `abfss://<file_system>@<account_name>.dfs.core.windows.net/<folder>/<file>.csv` | +| Microsoft OneLake | `abfss://<file_system>@<account_name>.dfs.core.windows.net/<folder>/<file>.csv` `https://<accountname>.dfs.fabric.microsoft.com/<artifactname>` | ## Key vaults and secrets Connections allow you to securely store credentials, authenticate access, and consume data and information. Secrets associated with connections are securely persisted in the corresponding Azure Key Vault, adhering to robust security and compliance standards. As an administrator, you can audit both shared and project-scoped connections on an Azure AI hub resource level (link to connection rbac). 
-Azure connections serve as key vault proxies, and interactions with connections are direct interactions with an Azure key vault. Azure AI Studio connections store API keys securely, as secrets, in a key vault. The key vault [Azure role-based access control (Azure RBAC)](./rbac-ai-studio.md) controls access to these connection resources. A connection references the credentials from the key vault storage location for further use. You won't need to directly deal with the credentials after they are stored in the Azure AI hub resource's key vault. You have the option to store the credentials in the YAML file. A CLI command or SDK can override them. We recommend that you avoid credential storage in a YAML file, because a security breach could lead to a credential leak. +Azure connections serve as key vault proxies, and interactions with connections are direct interactions with an Azure key vault. Azure AI Studio connections store API keys securely, as secrets, in a key vault. The key vault [Azure role-based access control (Azure RBAC)](./rbac-ai-studio.md) controls access to these connection resources. A connection references the credentials from the key vault storage location for further use. You won't need to directly deal with the credentials after they're stored in the Azure AI hub resource's key vault. You have the option to store the credentials in the YAML file. A CLI command or SDK can override them. We recommend that you avoid credential storage in a YAML file, because a security breach could lead to a credential leak. ## Next steps |
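Review bot: The unchanged sentence in "Key vaults and secrets" still carries the editorial placeholder "(link to connection rbac)"; it should become an actual link to rbac-ai-studio.md or be removed. In the non-Microsoft services hunk, "Custom connections are useful when you have many targets that or cases where you wouldn't need a credential to access" is ungrammatical ("many targets, or cases where no credential is needed"). In the URI table, the first OneLake example reuses the ADLS Gen2 host `abfss://<file_system>@<account_name>.dfs.core.windows.net/...`, which appears to be a copy of the row above; OneLake's ABFS endpoint is `onelake.dfs.fabric.microsoft.com`. The closing advice on YAML credentials is right but could be sharper: a YAML file is typically committed to source control, so a key stored there is exposed to everyone with repository read access and to the repository's history even after deletion.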
ai-studio | Content Filtering | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/concepts/content-filtering.md | The content filtering models have been trained and tested on the following langu You can create a content filter or use the default content filter for Azure OpenAI model deployment, and can also use a default content filter for other text models curated by Azure AI in the [model catalog](../how-to/model-catalog.md). The custom content filters for those models aren't yet available. Models available through Models as a Service have content filtering enabled by default and can't be configured. ## How to create a content filter? -For any model deployment in Azure AI Studio, you could directly use the default content filter, but when you want to have more customized setting on content filter, for example set a stricter or looser filter, or enable more advanced capabilities, like jailbreak risk detection and protected material detection. To create a content filter, you could go to **Build**, choose one of your projects, then select **Content filters** in the left navigation bar, and create a content filter. +For any model deployment in [Azure AI Studio](https://ai.azure.com), you could directly use the default content filter, but when you want to have more customized setting on content filter, for example set a stricter or looser filter, or enable more advanced capabilities, like jailbreak risk detection and protected material detection. To create a content filter, you could go to **Build**, choose one of your projects, then select **Content filters** in the left navigation bar, and create a content filter. :::image type="content" source="../media/content-safety/content-filter/create-content-filter.png" alt-text="Screenshot of create content filter." 
lightbox="../media/content-safety/content-filter/create-content-filter.png"::: The default content filtering configuration is set to filter at the medium sever <sup>1</sup> For Azure OpenAI models, only customers who have been approved for modified content filtering have full content filtering control, including configuring content filters at severity level high only or turning off content filters. Apply for modified content filters via this form: [Azure OpenAI Limited Access Review: Modified Content Filters and Abuse Monitoring (microsoft.com)](https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR7en2Ais5pxKtso_Pz4b1_xURE01NDY1OUhBRzQ3MkQxMUhZSE1ZUlJKTiQlQCN0PWcu) -### More filters for Gen-AI scenarios -You could also enable filters for Gen-AI scenarios: jailbreak risk detection and protected material detection. +### More filters for generative AI scenarios +You could also enable filters for generative AI scenarios: jailbreak risk detection and protected material detection. :::image type="content" source="../media/content-safety/content-filter/additional-models.png" alt-text="Screenshot of additional models." lightbox="../media/content-safety/content-filter/additional-models.png"::: |
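Review bot: The rewritten opening sentence of "How to create a content filter?" is still a fragment: "...you could directly use the default content filter, but when you want to have more customized setting on content filter, for example set a stricter or looser filter, or enable more advanced capabilities, like jailbreak risk detection and protected material detection." has no main clause after "but when". Suggest: "For any model deployment in Azure AI Studio you can use the default content filter. Create a custom filter when you need stricter or looser thresholds, or advanced capabilities such as jailbreak risk detection and protected material detection. To create one, go to **Build**, choose a project, select **Content filters** in the left navigation, and create the filter." The "Gen-AI" to "generative AI" change is fine; apply it to the image alt text as well if it uses the old wording.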
ai-studio | Evaluation Approach Gen Ai | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/concepts/evaluation-approach-gen-ai.md | |
ai-studio | Evaluation Improvement Strategies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/concepts/evaluation-improvement-strategies.md | |
ai-studio | Evaluation Metrics Built In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/concepts/evaluation-metrics-built-in.md | |
ai-studio | Retrieval Augmented Generation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/concepts/retrieval-augmented-generation.md | |
ai-studio | Vulnerability Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/concepts/vulnerability-management.md | + + Title: Vulnerability management ++description: Learn how Azure AI Studio manages vulnerabilities in images that the service provides, and how you can get the latest security updates for the components that you manage. ++++ Last updated : 02/22/2024+++++# Vulnerability management for Azure AI Studio +++Vulnerability management involves detecting, assessing, mitigating, and reporting on any security vulnerabilities that exist in an organization's systems and software. Vulnerability management is a shared responsibility between you and Microsoft. ++This article discusses these responsibilities and outlines the vulnerability management controls that Azure AI Studio provides. You learn how to keep your service instance and applications up to date with the latest security updates, and how to minimize the window of opportunity for attackers. ++## Microsoft-managed VM images ++Azure AI Studio manages host OS virtual machine (VM) images for compute instances and serverless compute clusters. The update frequency is monthly and includes the following details: ++* For each new VM image version, the latest updates are sourced from the original publisher of the OS. Using the latest updates helps ensure that you get all applicable OS-related patches. For Azure AI Studio, the publisher is Canonical for all the Ubuntu images. ++* VM images are updated monthly. ++* In addition to patches that the original publisher applies, Azure AI Studio updates system packages when updates are available. ++* Azure AI Studio checks and validates any machine learning packages that might require an upgrade. In most circumstances, new VM images contain the latest package versions. ++* All VM images are built on secure subscriptions that run vulnerability scanning regularly. 
Azure AI Studio flags any unaddressed vulnerabilities and fixes them within the next release. ++* The frequency is a monthly interval for most images. For compute instances, the image release is aligned with the release cadence of the Azure AI Studio SDK that's preinstalled in the environment. ++In addition to the regular release cadence, Azure AI Studio applies hotfixes if vulnerabilities surface. Microsoft rolls out hotfixes within 72 hours for serverless compute clusters and within a week for compute instances. ++> [!NOTE] +> The host OS is not the OS version that you might specify for an environment when you're training or deploying a model. Environments run inside Docker. Docker runs on the host OS. ++## Microsoft-managed container images ++[Base docker images](https://github.com/Azure/AzureML-Containers) that Azure AI Studio maintains get security patches frequently to address newly discovered vulnerabilities. ++Azure AI Studio releases updates for supported images every two weeks to address vulnerabilities. As a commitment, we aim to have no vulnerabilities older than 30 days in the latest version of supported images. ++Patched images are released under a new immutable tag and an updated `:latest` tag. Using the `:latest` tag or pinning to a particular image version might be a tradeoff between security and environment reproducibility for your machine learning job. ++## Managing environments and container images ++In Azure AI Studio, Docker images are used to provide a runtime environment for [prompt flow deployments](../how-to/flow-deploy.md). The images are built from a base image that Azure AI Studio provides. ++Although Azure AI Studio patches base images with each release, whether you use the latest image might be tradeoff between reproducibility and vulnerability management. It's your responsibility to choose the environment version that you use for your jobs or model deployments. 
++By default, dependencies are layered on top of base images when you're building an image. After you install more dependencies on top of the Microsoft-provided images, vulnerability management becomes your responsibility. ++Associated with your AI hub resource is an Azure Container Registry instance that functions as a cache for container images. Any image that materializes is pushed to the container registry. The workspace uses it when deployment is triggered for the corresponding environment. ++The AI hub doesn't delete any image from your container registry. You're responsible for evaluating the need for an image over time. To monitor and maintain environment hygiene, you can use [Microsoft Defender for Container Registry](/azure/defender-for-cloud/defender-for-container-registries-usage) to help scan your images for vulnerabilities. To automate your processes based on triggers from Microsoft Defender, see [Automate remediation responses](/azure/defender-for-cloud/workflow-automation). +++## Vulnerability management on compute hosts ++Managed compute nodes in Azure AI Studio use Microsoft-managed OS VM images. When you provision a node, it pulls the latest updated VM image. This behavior applies to compute instance, serverless compute cluster, and managed inference compute options. ++Although OS VM images are regularly patched, Azure AI Studio doesn't actively scan compute nodes for vulnerabilities while they're in use. For an extra layer of protection, consider network isolation of your computes. + +Ensuring that your environment is up to date and that compute nodes use the latest OS version is a shared responsibility between you and Microsoft. Nodes that aren't idle can't be updated to the latest VM image. Considerations are slightly different for each compute type, as listed in the following sections. ++### Compute instance ++Compute instances get the latest VM images at the time of provisioning. Microsoft releases new VM images on a monthly basis. 
After you deploy a compute instance, it isn't actively updated. To keep current with the latest software updates and security patches, you can use one of these methods: ++* Re-create a compute instance to get the latest OS image (recommended). ++ If you use this method, you'll lose data and customizations (such as installed packages) that are stored on the instance's OS and temporary disks. + + For more information about image releases, see the [Azure Machine Learning compute instance image release notes](/azure/machine-learning/azure-machine-learning-ci-image-release-notes). ++* Regularly update OS and Python packages. ++ * Use Linux package management tools to update the package list with the latest versions: ++ ```bash + sudo apt-get update + ``` ++ * Use Linux package management tools to upgrade packages to the latest versions. Package conflicts might occur when you use this approach. ++ ```bash + sudo apt-get upgrade + ``` ++ * Use Python package management tools to upgrade packages and check for updates: ++ ```bash + pip list --outdated + ``` ++You can install and run additional scanning software on the compute instance to scan for security issues: ++* Use [Trivy](https://github.com/aquasecurity/trivy) to discover OS and Python package-level vulnerabilities. +* Use [ClamAV](https://www.clamav.net/) to discover malware. It comes preinstalled on compute instances. ++Microsoft Defender for Servers agent installation is currently not supported. ++### Endpoints ++Endpoints automatically receive OS host image updates that include vulnerability fixes. The update frequency of images is at least once a month. ++Compute nodes are automatically upgraded to the latest VM image version when that version is released. You don't need to take any action. ++## Next steps ++* [Azure AI hub resources](ai-resources.md) +* [Create and manage compute instances](../how-to/create-manage-compute.md) |
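Review bot: in the "Compute instance" section the bullet `Use Python package management tools to upgrade packages and check for updates:` is followed only by `pip list --outdated`, which reports outdated packages and upgrades nothing; either reword the bullet to "check for outdated packages" or add the upgrade step (`pip install --upgrade <package>`) with the same conflict caveat the doc already gives for `sudo apt-get upgrade`. Two smaller points in the same file: the sentence `Using the :latest tag or pinning to a particular image version might be a tradeoff between security and environment reproducibility` leaves the decision to the reader without a recommendation; state it (pin to the immutable tag so a job always runs the image it was validated on, and re-pin on the two-week release cadence the doc commits to, since `:latest` silently changes what runs). And `consider network isolation of your computes` is offered as the compensating control for nodes that are not scanned while in use, so it should link to the how-to for configuring it rather than stand as a bare suggestion.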
ai-studio | Autoscale | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/autoscale.md | |
ai-studio | Cli Install | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/cli-install.md | |
ai-studio | Connections Add | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/connections-add.md | Here's a table of the available connection types in Azure AI Studio with descrip ## Create a new connection 1. Sign in to [Azure AI Studio](https://aka.ms/azureaistudio) and select your project via **Build** > **Projects**. If you don't have a project already, first create a project.-1. Select **Settings** from the collapsible left menu. +1. Select **AI project settings** from the collapsible left menu. 1. Select **View all** from the **Connections** section. 1. Select **+ Connection** under **Resource connections**. 1. Select the service you want to connect to from the list of available external resources. |
ai-studio | Costs Plan Manage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/costs-plan-manage.md | For the examples in this section, assume that all Azure AI Studio resources are Here's an example of how to monitor costs for an Azure AI Studio project. The costs are used as an example only. Your costs will vary depending on the services that you use and the amount of usage. 1. Sign in to [Azure AI Studio](https://ai.azure.com).-1. Select your project and then select **Settings** from the left navigation menu. +1. Select your project and then select **AI project settings** from the left navigation menu. :::image type="content" source="../media/cost-management/project-costs/project-settings-go-view-costs.png" alt-text="Screenshot of the Azure AI Studio portal showing how to see project settings." lightbox="../media/cost-management/project-costs/project-settings-go-view-costs.png"::: |
ai-studio | Create Manage Compute | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/create-manage-compute.md | In this article, you learn how to create a compute instance in Azure AI Studio. You need a compute instance to: - Use prompt flow in Azure AI Studio. - Create an index-- Open Visual Studio Code (Web) in the Azure AI Studio.+- Open Visual Studio Code (Web or Desktop) in Azure AI Studio. You can use the same compute instance for multiple scenarios and workflows. Note that a compute instance can't be shared. It can only be used by a single assigned user. By default, it will be assigned to the creator and you can change this to a different user in the security step. You can start or stop a compute instance from the Azure AI Studio. ## Next steps - [Create and manage prompt flow runtimes](./create-manage-runtime.md)+- [Vulnerability management](../concepts/vulnerability-management.md) |
ai-studio | Create Manage Runtime | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/create-manage-runtime.md | Automatic is the default option for a runtime. You can start an automatic runtim 1. Sign in to [Azure AI Studio](https://ai.azure.com) and select your project from the **Build** page. If you don't have a project, create one. -1. On the collapsible left menu, select **Settings**. +1. On the collapsible left menu, select **AI project settings**. 1. In the **Compute instances** section, select **View all**. |
ai-studio | Create Projects | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/create-projects.md | Projects are hosted by an Azure AI hub resource that provides enterprise-grade s ## Project details -In the project details page (select **Build** > **Settings**), you can find information about the project, such as the project name, description, and the Azure AI hub resource that hosts the project. You can also find the project ID, which is used to identify the project in the Azure AI Studio API. +In the project details page (select **Build** > **AI project settings**), you can find information about the project, such as the project name, description, and the Azure AI hub resource that hosts the project. You can also find the project ID, which is used to identify the project in the Azure AI Studio API. - Name: The name of the project corresponds to the selected project in the left panel. - AI hub: The Azure AI hub resource that hosts the project. |
ai-studio | Data Add | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/data-add.md | The supported source paths are shown in Azure AI Studio. You can create a data f # [Python SDK](#tab/python) -If you're using SDK or CLI to create data, you must specify a `path` that points to the data location. Supported paths include: +If you're using the SDK or CLI to create data, you must specify a `path` that points to the data location. Supported paths include: |Location | Examples | ||| |
ai-studio | Evaluate Flow Results | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/evaluate-flow-results.md | -The Azure AI Studio's evaluation page is a versatile hub that not only allows you to visualize and assess your results but also serves as a control center for optimizing, troubleshooting, and selecting the ideal AI model for your deployment needs. It's a one-stop solution for data-driven decision-making and performance enhancement in your AI projects. You can seamlessly access and interpret the results from various sources, including your flow, the playground quick test session, evaluation submission UI, generative SDK and CLI. This flexibility ensures that you can interact with your results in a way that best suits your workflow and preferences. +The Azure AI Studio evaluation page is a versatile hub that not only allows you to visualize and assess your results but also serves as a control center for optimizing, troubleshooting, and selecting the ideal AI model for your deployment needs. It's a one-stop solution for data-driven decision-making and performance enhancement in your AI projects. You can seamlessly access and interpret the results from various sources, including your flow, the playground quick test session, evaluation submission UI, generative SDK and CLI. This flexibility ensures that you can interact with your results in a way that best suits your workflow and preferences. Once you've visualized your evaluation results, you can dive into a thorough examination. This includes the ability to not only view individual results but also to compare these results across multiple evaluation runs. By doing so, you can identify trends, patterns, and discrepancies, gaining invaluable insights into the performance of your AI system under various conditions. 
In this article you learn to: -- View the evaluation result and metrics -- Compare the evaluation results -- Understand the built-in evaluation metrics -- Improve the performance -- View the evaluation results and metrics +- View the evaluation result and metrics. +- Compare the evaluation results. +- Understand the built-in evaluation metrics. +- Improve the performance. +- View the evaluation results and metrics. ## Find your evaluation results -Upon submitting your evaluation, you can locate the submitted evaluation run within the run list by navigating to the 'Evaluation' tab. +Upon submitting your evaluation, you can locate the submitted evaluation run within the run list by navigating to the **Evaluation** page. -You can oversee your evaluation runs within the run list. With the flexibility to modify the columns using the column editor and implement filters, you can customize and create your own version of the run list. Additionally, you have the ability to swiftly review the aggregated evaluation metrics across the runs, enabling you to perform quick comparisons. +You can monitor and manage your evaluation runs within the run list. With the flexibility to modify the columns using the column editor and implement filters, you can customize and create your own version of the run list. Additionally, you have the ability to swiftly review the aggregated evaluation metrics across the runs, enabling you to perform quick comparisons. :::image type="content" source="../media/evaluations/view-results/evaluation-run-list.png" alt-text="Screenshot of the evaluation run list." lightbox="../media/evaluations/view-results/evaluation-run-list.png"::: |
ai-studio | Evaluate Generative Ai App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/evaluate-generative-ai-app.md | |
ai-studio | Evaluate Prompts Playground | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/evaluate-prompts-playground.md | |
ai-studio | Fine Tune Model Llama | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/fine-tune-model-llama.md | Verify the subscription is registered to the `Microsoft.Network` resource provid 1. Sign in to the [Azure portal](https://portal.azure.com). 1. Select **Subscriptions** from the left menu. 1. Select the subscription you want to use.-1. Select **Settings** > **Resource providers** from the left menu. +1. Select **AI project settings** > **Resource providers** from the left menu. 1. Confirm that **Microsoft.Network** is in the list of resource providers. Otherwise add it. :::image type="content" source="../media/how-to/fine-tune/llama/subscription-resource-providers.png" alt-text="Screenshot of subscription resource providers in Azure portal." lightbox="../media/how-to/fine-tune/llama/subscription-resource-providers.png"::: |
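Review bot: this rename looks misapplied. The step sits inside the Azure portal **Subscriptions** blade (`Select **Subscriptions** from the left menu`, `Select the subscription you want to use`), where the menu group is **Settings** > **Resource providers**; "AI project settings" is the Azure AI Studio project menu and does not exist on a subscription. Revert this + line to `1. Select **Settings** > **Resource providers** from the left menu.` so the `Microsoft.Network` registration check can be followed as written.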
ai-studio | Index Add | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/index-add.md | This can happen if you are trying to create an index using an **Owner**, **Contr If the Azure AI hub resource the project uses was created through Azure AI Studio: 1. Sign in to [Azure AI Studio](https://aka.ms/azureaistudio) and select your project via **Build** > **Projects**. -1. Select **Settings** from the collapsible left menu. +1. Select **AI project settings** from the collapsible left menu. 1. From the **Resource Configuration** section, select the link for your resource group name that takes you to the Azure portal. 1. In the Azure portal under **Overview** > **Resources** select the Azure AI service type. It's named similar to "YourAzureAIResourceName-aiservices." If the Azure AI hub resource the project uses was created through Azure AI Studi If the Azure AI hub resource the project uses was created through Azure portal: 1. Sign in to [Azure AI Studio](https://aka.ms/azureaistudio) and select your project via **Build** > **Projects**. -1. Select **Settings** from the collapsible left menu. +1. Select **AI project settings** from the collapsible left menu. 1. From the **Resource Configuration** section, select the link for your resource group name that takes you to the Azure portal. 1. Select **Access control (IAM)** > **+ Add** to add a role assignment. 1. Add the **Cognitive Services OpenAI User** role to the user who wants to make an index. `Cognitive Services OpenAI Contributor` and `Cognitive Services Contributor` also work, but they assign more permissions than needed for creating an index in Azure AI Studio. |
ai-studio | Model Catalog | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/model-catalog.md | |
ai-studio | Monitor Quality Safety | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/monitor-quality-safety.md | Follow these steps to set up monitoring for your prompt flow deployment: :::image type="content" source="../media/deploy-monitor/monitor/monitor-metrics.png" alt-text="Screenshot of the monitoring result metrics." lightbox = "../media/deploy-monitor/monitor/monitor-metrics.png"::: -By default, operational metrics such as requests per minute and request latency show up. The default safety and quality monitoring signal are configured with a 10% sample rate and run on your default workspace Azure Open AI connection. +By default, operational metrics such as requests per minute and request latency show up. The default safety and quality monitoring signal are configured with a 10% sample rate and run on your default workspace Azure OpenAI connection. Your monitor is created with default settings: - 10% sample rate |
ai-studio | Content Safety Tool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/prompt-flow-tools/content-safety-tool.md | Azure AI Content Safety is a content moderation service that helps detect harmfu Create an Azure Content Safety connection: 1. Sign in to [Azure AI Studio](https://studio.azureml.net/).-1. Go to **Settings** > **Connections**. +1. Go to **AI project settings** > **Connections**. 1. Select **+ New connection**. 1. Complete all steps in the **Create a new connection** dialog box. You can use an Azure AI hub resource or Azure AI Content Safety resource. An Azure AI hub resource that supports multiple Azure AI services is recommended. ## Build with the Content Safety tool -1. Create or open a flow in Azure AI Studio. For more information, see [Create a flow](../flow-develop.md). +1. Create or open a flow in [Azure AI Studio](https://ai.azure.com). For more information, see [Create a flow](../flow-develop.md). 1. Select **+ More tools** > **Content Safety (Text)** to add the Content Safety tool to your flow. :::image type="content" source="../../media/prompt-flow/content-safety-tool.png" alt-text="Screenshot of the Content Safety tool added to a flow in Azure AI Studio." lightbox="../../media/prompt-flow/content-safety-tool.png"::: You can use the following parameters as inputs for this tool: | action_by_category | string | A binary value for each category: *Accept* or *Reject*. This value shows if the text meets the sensitivity level that you set in the request parameters for that category. | | suggested_action | string | An overall recommendation based on the four categories. If any category has a *Reject* value, the `suggested_action` is *Reject* as well. | -- ## Next steps - [Learn more about how to create a flow](../flow-develop.md) |
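Review bot: the unchanged context line `1. Sign in to [Azure AI Studio](https://studio.azureml.net/).` links to the Azure Machine Learning studio host, while the rest of this change set standardizes Azure AI Studio links on `https://ai.azure.com` (the "Build with the Content Safety tool" step later in the same hunk is updated to it). Update the sign-in link too, otherwise the reader lands in a portal that has no **AI project settings** > **Connections** menu for the next step.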
ai-studio | Embedding Tool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/prompt-flow-tools/embedding-tool.md | The prompt flow *Embedding* tool enables you to convert text into dense vector r ## Build with the Embedding tool -1. Create or open a flow in Azure AI Studio. For more information, see [Create a flow](../flow-develop.md). +1. Create or open a flow in [Azure AI Studio](https://ai.azure.com). For more information, see [Create a flow](../flow-develop.md). 1. Select **+ More tools** > **Embedding** to add the Embedding tool to your flow. :::image type="content" source="../../media/prompt-flow/embedding-tool.png" alt-text="Screenshot of the Embedding tool added to a flow in Azure AI Studio." lightbox="../../media/prompt-flow/embedding-tool.png"::: |
ai-studio | Faiss Index Lookup Tool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/prompt-flow-tools/faiss-index-lookup-tool.md | The prompt flow *Faiss Index Lookup* tool is tailored for querying within a user ## Build with the Faiss Index Lookup tool -1. Create or open a flow in Azure AI Studio. For more information, see [Create a flow](../flow-develop.md). +1. Create or open a flow in [Azure AI Studio](https://ai.azure.com). For more information, see [Create a flow](../flow-develop.md). 1. Select **+ More tools** > **Faiss Index Lookup** to add the Faiss Index Lookup tool to your flow. :::image type="content" source="../../media/prompt-flow/faiss-index-lookup-tool.png" alt-text="Screenshot of the Faiss Index Lookup tool added to a flow in Azure AI Studio." lightbox="../../media/prompt-flow/faiss-index-lookup-tool.png"::: |
ai-studio | Index Lookup Tool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/prompt-flow-tools/index-lookup-tool.md | The prompt flow *Index Lookup* tool enables the usage of common vector indices ( ## Build with the Index Lookup tool -1. Create or open a flow in Azure AI Studio. For more information, see [Create a flow](../flow-develop.md). +1. Create or open a flow in [Azure AI Studio](https://ai.azure.com). For more information, see [Create a flow](../flow-develop.md). 1. Select **+ More tools** > **Index Lookup** to add the Index Lookup tool to your flow. :::image type="content" source="../../media/prompt-flow/configure-index-lookup-tool.png" alt-text="Screenshot of the Index Lookup tool added to a flow in Azure AI Studio." lightbox="../../media/prompt-flow/configure-index-lookup-tool.png"::: |
ai-studio | Llm Tool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/prompt-flow-tools/llm-tool.md | Prepare a prompt as described in the [prompt tool](prompt-tool.md#prerequisites) ## Build with the LLM tool -1. Create or open a flow in Azure AI Studio. For more information, see [Create a flow](../flow-develop.md). +1. Create or open a flow in [Azure AI Studio](https://ai.azure.com). For more information, see [Create a flow](../flow-develop.md). 1. Select **+ LLM** to add the LLM tool to your flow. :::image type="content" source="../../media/prompt-flow/llm-tool.png" alt-text="Screenshot of the LLM tool added to a flow in Azure AI Studio." lightbox="../../media/prompt-flow/llm-tool.png"::: |
ai-studio | Prompt Tool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/prompt-flow-tools/prompt-tool.md | For more information and best practices, see [prompt engineering techniques](../ ## Build with the Prompt tool -1. Create or open a flow in Azure AI Studio. For more information, see [Create a flow](../flow-develop.md). +1. Create or open a flow in [Azure AI Studio](https://ai.azure.com). For more information, see [Create a flow](../flow-develop.md). 1. Select **+ Prompt** to add the Prompt tool to your flow. :::image type="content" source="../../media/prompt-flow/prompt-tool.png" alt-text="Screenshot of the Prompt tool added to a flow in Azure AI Studio." lightbox="../../media/prompt-flow/prompt-tool.png"::: |
ai-studio | Python Tool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/prompt-flow-tools/python-tool.md | The prompt flow *Python* tool offers customized code snippets as self-contained ## Build with the Python tool -1. Create or open a flow in Azure AI Studio. For more information, see [Create a flow](../flow-develop.md). +1. Create or open a flow in [Azure AI Studio](https://ai.azure.com). For more information, see [Create a flow](../flow-develop.md). 1. Select **+ Python** to add the Python tool to your flow. :::image type="content" source="../../media/prompt-flow/python-tool.png" alt-text="Screenshot of the Python tool added to a flow in Azure AI Studio." lightbox="../../media/prompt-flow/python-tool.png"::: |
ai-studio | Serp Api Tool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/prompt-flow-tools/serp-api-tool.md | Sign up at [SERP API homepage](https://serpapi.com/) Create a Serp connection: 1. Sign in to [Azure AI Studio](https://studio.azureml.net/).-1. Go to **Settings** > **Connections**. +1. Go to **AI project settings** > **Connections**. 1. Select **+ New connection**. 1. Add the following custom keys to the connection: - `azureml.flow.connection_type`: `Custom` The connection is the model used to establish connections with Serp API. Get you ## Build with the Serp API tool -1. Create or open a flow in Azure AI Studio. For more information, see [Create a flow](../flow-develop.md). +1. Create or open a flow in [Azure AI Studio](https://ai.azure.com). For more information, see [Create a flow](../flow-develop.md). 1. Select **+ More tools** > **Serp API** to add the Serp API tool to your flow. :::image type="content" source="../../media/prompt-flow/serp-api-tool.png" alt-text="Screenshot of the Serp API tool added to a flow in Azure AI Studio." lightbox="../../media/prompt-flow/serp-api-tool.png"::: |
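Review bot: the Serp connection steps start from `1. Sign in to [Azure AI Studio](https://studio.azureml.net/).`, which is the Azure Machine Learning studio URL, while the "Build with the Serp API tool" step in the same hunk is changed to `https://ai.azure.com`. Point the sign-in step at `https://ai.azure.com` as well so the **AI project settings** > **Connections** path that follows exists in the portal the reader is in. Separately, the connection stores the SERP API key as a custom key; the doc should say the key is a secret and must not be committed alongside the `azureml.flow.connection_type` metadata it lists.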
ai-studio | Vector Db Lookup Tool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/prompt-flow-tools/vector-db-lookup-tool.md | The tool searches data from a third-party vector database. To use it, you should ## Build with the Vector DB Lookup tool -1. Create or open a flow in Azure AI Studio. For more information, see [Create a flow](../flow-develop.md). +1. Create or open a flow in [Azure AI Studio](https://ai.azure.com). For more information, see [Create a flow](../flow-develop.md). 1. Select **+ More tools** > **Vector DB Lookup** to add the Vector DB Lookup tool to your flow. :::image type="content" source="../../media/prompt-flow/vector-db-lookup-tool.png" alt-text="Screenshot of the Vector DB Lookup tool added to a flow in Azure AI Studio." lightbox="../../media/prompt-flow/embedding-tool.png"::: |
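Review bot: the screenshot line in this hunk has mismatched paths: `source="../../media/prompt-flow/vector-db-lookup-tool.png"` but `lightbox="../../media/prompt-flow/embedding-tool.png"`, so enlarging the Vector DB Lookup tool image shows the Embedding tool screenshot. Set `lightbox` to `../../media/prompt-flow/vector-db-lookup-tool.png` to match `source`.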
ai-studio | Vector Index Lookup Tool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/prompt-flow-tools/vector-index-lookup-tool.md | The prompt flow *Vector index lookup* tool is tailored for querying within vecto ## Build with the Vector index lookup tool -1. Create or open a flow in Azure AI Studio. For more information, see [Create a flow](../flow-develop.md). +1. Create or open a flow in [Azure AI Studio](https://ai.azure.com). For more information, see [Create a flow](../flow-develop.md). 1. Select **+ More tools** > **Vector Index Lookup** to add the Vector index lookup tool to your flow. :::image type="content" source="../../media/prompt-flow/vector-index-lookup-tool.png" alt-text="Screenshot of the Vector Index Lookup tool added to a flow in Azure AI Studio." lightbox="../../media/prompt-flow/vector-index-lookup-tool.png"::: |
ai-studio | Prompt Flow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/prompt-flow.md | -Prompt flow is available independently as an open-source project on [GitHub](https://github.com/microsoft/promptflow), with its own SDK and [VS Code extension](https://marketplace.visualstudio.com/items?itemName=prompt-flow.prompt-flow). Prompt flow is also available and recommended to use as a feature within both [Azure AI Studio](https://aka.ms/AzureAIStudio) and [Azure Machine Learning studio](https://aka.ms/AzureAIStudio). This set of documentation focuses on prompt flow in Azure AI Studio. +Prompt flow is available independently as an open-source project on [GitHub](https://github.com/microsoft/promptflow), with its own SDK and [VS Code extension](https://marketplace.visualstudio.com/items?itemName=prompt-flow.prompt-flow). Prompt flow is also available and recommended to use as a feature within both [Azure AI Studio](https://ai.azure.com) and [Azure Machine Learning studio](https://ml.azure.com). This set of documentation focuses on prompt flow in Azure AI Studio. Definitions: - *Prompt flow* is a feature that can be used to generate, customize, or run a flow. |
ai-studio | Simulator Interaction Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/simulator-interaction-data.md | aoai_config = AzureOpenAIModelConfiguration.from_connection( "max_token": 300 ) ```-`max_tokens` and `temperature` are optional, the default value for `max_tokens` is 300, the default value for `temperature` is 0.9 ++The `max_tokens` and `temperature` parameters are optional. The default value for `max_tokens` is 300 and the default value for `temperature` is 0.9. ## Initialize simulator class |
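Review bot: the code sample and the prose disagree on the parameter name: the `AzureOpenAIModelConfiguration.from_connection(` block ends with `"max_token": 300`, while the rewritten sentence documents it as `max_tokens`. Check the simulator SDK's accepted key and make the dictionary key in the sample match the documented name, otherwise readers copying the sample will pass a key the SDK does not recognize.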
ai-studio | Troubleshoot Deploy And Monitor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/troubleshoot-deploy-and-monitor.md | For the general deployment error code reference, you can go to the [Azure Machin **Question:** I got an "out of quota" error message. What should I do? **Answer:** For more information about managing quota, see:-- [Quota for deploying and inferencing a model](../how-to/deploy-models-openai.md#quota-for-deploying-and-inferencing-a-model)-- [Manage Azure OpenAI Service quota documentation](/azure/ai-services/openai/how-to/quota?tabs=rest)+- [Quota for deploying and inferencing a model](../how-to/deploy-models-openai.md#quota-for-deploying-and-inferencing-a-model) +- [Manage Azure OpenAI Service quota documentation](/azure/ai-services/openai/how-to/quota?tabs=rest) - [Manage and increase quotas for resources with Azure AI Studio](quota.md) **Question:** After I deployed a prompt flow, I got an error message "Tool load failed in 'search_question_from_indexed_docs': (ToolLoadError) Failed to load package tool 'Vector Index Lookup': (HttpResponseError) (AuthorizationFailed)". How can I resolve this? **Answer:** You can follow this instruction to manually assign ML Data scientist role to your endpoint to resolve this issue. It might take several minutes for the new role to take effect. -1. Go to your project and select **Settings** from the left menu. +1. Go to your project and select **AI project settings** from the left menu. 2. Select the link to your resource group. 3. Once you're redirected to the resource group in Azure portal, Select **Access control (IAM)** on the left navigation menu. 4. Select **Add role assignment**. You might have come across an ImageBuildFailure error: This happens when the env Option 1: Find the build log for the Azure default blob storage. 1. Go to your project in [Azure AI Studio](https://ai.azure.com) and select the settings icon on the lower left corner.-2. 
Select your Azure AI hub resource name under **Resource configurations** on the **Settings** page. +2. Select your Azure AI hub resource name under **Resource configurations** on the **AI project settings** page. 3. On the Azure AI hub overview page, select your storage account name. This should be the name of storage account listed in the error message you received. You'll be taken to the storage account page in the [Azure portal](https://portal.azure.com). 4. On the storage account page, select **Containers** under **Data Storage** on the left menu. 5. Select the container name listed in the error message you received. |
ai-studio | Playground Completions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/quickstarts/playground-completions.md | To use the Azure OpenAI for text completions in the playground, follow these ste 1. From the Azure AI Studio Home page, select **Build** > **Playground**. 1. Select your deployment from the **Deployments** dropdown. 1. Select **Completions** from the **Mode** dropdown menu.-1. Select **Generate product name ideas** from the **Examples** dropdown menu. The system prompt is prepopulated with something resembling the following text: +1. In the **Prompt** text box, enter the following text: ``` Generate product name ideas for a yet to be launched wearable health device that will allow users to monitor their health and wellness in real-time using AI and share their health metrics with their friends and family. The generated product name ideas should reflect the product's key features, have an international appeal, and evoke positive emotions. To use the Azure OpenAI for text completions in the playground, follow these ste :::image type="content" source="../media/quickstarts/playground-completions-generate-before.png" alt-text="Screenshot of the Azure AI Studio playground with the Generate product name ideas dropdown selection visible." lightbox="../media/quickstarts/playground-completions-generate-before.png"::: -1. Select `Generate`. Azure OpenAI generates product name ideas based on. You should get a result that resembles the following list: +1. Select **Generate**. Azure OpenAI generates product name ideas based on the prompt. You should get a result that resembles the following list: ``` Product names: |
ai-studio | Deploy Copilot Ai Studio | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/tutorials/deploy-copilot-ai-studio.md | The **FormatReply** node formats the output of the **DetermineReply** node. In prompt flow, you should also see: - **Save**: You can save your prompt flow at any time by selecting **Save** from the top menu. Be sure to save your prompt flow periodically as you make changes in this tutorial. -- **Runtime**: The runtime that you created [earlier in this tutorial](#create-compute-and-runtime-that-are-needed-for-prompt-flow). You can start and stop runtimes and compute instances via **Settings** in the left menu. To work in prompt flow, make sure that your runtime is in the **Running** status.+- **Runtime**: The runtime that you created [earlier in this tutorial](#create-compute-and-runtime-that-are-needed-for-prompt-flow). You can start and stop runtimes and compute instances via **AI project settings** in the left menu. To work in prompt flow, make sure that your runtime is in the **Running** status. :::image type="content" source="../media/tutorials/copilot-deploy-flow/prompt-flow-overview.png" alt-text="Screenshot of the prompt flow editor and surrounding menus." lightbox="../media/tutorials/copilot-deploy-flow/prompt-flow-overview.png"::: |
ai-studio | Deploy Copilot Sdk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/tutorials/deploy-copilot-sdk.md | In this tutorial, you use a prebuilt custom container via [Visual Studio Code (W In the left pane of Visual Studio Code, you see the `code` folder for personal work such as cloning git repos. There's also a `shared` folder that has files that everyone that is connected to this project can see. For more information about the directory structure, see [Get started with Azure AI projects in VS Code](../how-to/develop-in-vscode.md#the-custom-container-folder-structure). -You can still use the Azure AI Studio (that's still open in another browser tab) while working in VS Code Web. You can see the compute is running via **Build** > **Settings** > **Compute instances**. You can pause or stop the compute from here. +You can still use the Azure AI Studio (that's still open in another browser tab) while working in VS Code Web. You can see the compute is running via **Build** > **AI project settings** > **Compute instances**. You can pause or stop the compute from here. :::image type="content" source="../media/tutorials/copilot-sdk/compute-running.png" alt-text="Screenshot of the compute instance running in Azure AI Studio." lightbox="../media/tutorials/copilot-sdk/compute-running.png"::: |
ai-studio | Screen Reader | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/tutorials/screen-reader.md | This article is for people who use screen readers such as Microsoft's Narrator, Most Azure AI Studio pages are composed of the following structure: -- Banner (contains Azure AI Studio app title, settings and profile information) +- Banner (contains Azure AI Studio app title, settings, and profile information) - Primary navigation (contains Home, Explore, Build, and Manage) - Secondary navigation - Main page content For efficient navigation, it might be helpful to navigate by landmarks to move b In **Explore** you can explore the different capabilities of Azure AI before creating a project. You can find this page in the primary navigation landmark. -Within **Explore**, you can [explore many capabilities](../how-to/models-foundation-azure-ai.md) found within the secondary navigation. These include [model catalog](../how-to/model-catalog.md), model leaderboard, and pages for Azure AI services such as Speech, Vision, and Content Safety. -- [Model catalog](../how-to/model-catalog.md) contains three main areas: Announcements, Models and Filters. You can use Search and Filters to narrow down model selection +Within **Explore**, you can [explore many capabilities](../how-to/models-foundation-azure-ai.md) found within the secondary navigation. These include [model catalog](../how-to/model-catalog.md), model benchmarks, and pages for Azure AI services such as Speech, Vision, and Content Safety. +- [Model catalog](../how-to/model-catalog.md) contains three main areas: Announcements, Models, and Filters. You can use Search and Filters to narrow down model selection - Azure AI service pages such as Speech consist of many cards containing links. These cards lead you to demo experiences where you can sample our AI capabilities and might link out to another webpage. 
## Projects To work within the Azure AI Studio, you must first [create a project](../how-to/create-projects.md): 1. In [Azure AI Studio](https://ai.azure.com), navigate to the **Build** tab in the primary navigation.-1. Press the **Tab** key until you hear *New project* and select this button. +1. Press the **Tab** key until you hear *new project* and select this button. 1. Enter the information requested in the **Create a new project** dialog. You then get taken to the project details page. Once you edit the system message or examples, your changes don't save automatica ### Chat session pane -The chat session pane is where you can chat to the model and test out your assistant +The chat session pane is where you can chat to the model and test out your assistant. - After you send a message, the model might take some time to respond, especially if the response is long. You hear a screen reader announcement "Message received from the chatbot" when the model finishes composing a response. -- Content in the chatbot follows this format: -- ``` - [message from user] [user image] - [chatbot image] [message from chatbot] - ``` - ## Using prompt flow -Prompt flow is a tool to create executable flows, linking LLMs, prompts and Python tools through a visualized graph. You can use this to prototype, experiment and iterate on your AI applications before deploying. --With the Build tab selected, navigate to the secondary navigation landmark and press the down arrow until you hear *flows*. +Prompt flow is a tool to create executable flows, linking LLMs, prompts, and Python tools through a visualized graph. You can use this to prototype, experiment, and iterate on your AI applications before deploying. -The prompt flow UI in Azure AI Studio is composed of the following main sections: Command toolbar, Flow (includes list of the flow nodes), Files and the Graph view. The Flow, Files and Graph sections each have their own H2 headings that can be used for navigation. 
+With the Build tab selected, navigate to the secondary navigation landmark and press the down arrow until you hear *prompt flow*. +The prompt flow UI in Azure AI Studio is composed of the following main sections: Command toolbar, Flow (includes list of the flow nodes), Files and the Graph view. The Flow, Files, and Graph sections each have their own H2 headings that can be used for navigation. ### Flow - This is the main working area where you can edit your flow, for example adding a new node, editing the prompt, selecting input data -- You can also open your flow in VS Code Web by selecting the **Work in VS Code Web** button.+- You can also open your flow in VS Code Web by selecting the **Open project in VS Code (Web)** button. - Each node has its own H3 heading, which can be used for navigation. ### Files The prompt flow UI in Azure AI Studio is composed of the following main sections ## Evaluations -Evaluation is a tool to help you evaluate the performance of your generative AI application. You can use this to prototype, experiment and iterate on your applications before deploying. +Evaluation is a tool to help you evaluate the performance of your generative AI application. You can use this to prototype, experiment, and iterate on your applications before deploying. ### Creating an evaluation To review evaluation metrics, you must first create an evaluation. 1. Navigate to the Build tab in the primary navigation.-1. Navigate to the secondary navigation landmark and press the down arrow until you hear *evaluations*. +1. Navigate to the secondary navigation landmark and press the down arrow until you hear *evaluation*. 1. Press the Tab key until you hear *new evaluation* and select this button. 1. Enter the information requested in the **Create a new evaluation** dialog. Once complete, your focus is returned to the evaluations list. Once you create an evaluation, you can access it from the list of evaluations. 
Evaluation runs are listed as links within the Evaluations grid. Selecting a link takes you to a dashboard view with information about your specific evaluation run. -You might prefer to export the data from your evaluation run so that you can view it in an application of your choosing. To do this, select your evaluation run link, then navigate to the **Export results** button and select it. +You might prefer to export the data from your evaluation run so that you can view it in an application of your choosing. To do this, select your evaluation run link, then navigate to the **Export result** button and select it. -There's also a dashboard view provided to allow you to compare evaluation runs. From the main Evaluations list page, navigate to the **Switch to dashboard view** button. You can also export all this data using the **Export table** button. +There's also a dashboard view provided to allow you to compare evaluation runs. From the main Evaluations list page, navigate to the **Switch to dashboard view** button. ## Technical support for customers with disabilities |
analysis-services | Analysis Services Create Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-create-terraform.md | +ai-usage: ai-assisted # Quickstart: Create an Azure Analysis Services server using Terraform |
api-management | Quickstart Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/quickstart-terraform.md | +ai-usage: ai-assisted # Quickstart: Create an Azure API Management instance using Terraform |
app-service | How To Migrate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/how-to-migrate.md | description: Learn how to migrate your App Service Environment to App Service En Previously updated : 2/12/2024 Last updated : 2/22/2024 zone_pivot_groups: app-service-cli-portal Under **Get new IP addresses**, confirm that you understand the implications and When the previous step finishes, the IP addresses for your new App Service Environment v3 resource appear. Use the new IPs to update any resources and networking components so that your new environment functions as intended after migration is complete. It's your responsibility to make any necessary updates. -This step is also a good time to review the [inbound and outbound network](networking.md#ports-and-network-restrictions) dependency changes in moving to App Service Environment v3. These changes include the port change for Azure Load Balancer, which now uses port 80. Don't move to the next step until you confirm that you made these updates. +This step is also a good time to review the [inbound and outbound network](networking.md#ports-and-network-restrictions) dependency changes in moving to App Service Environment v3. These changes include the port change for Azure Load Balancer, which now uses port 80. Don't move to the next step until you confirmed that you made these updates. :::image type="content" source="./media/migration/ip-sample.png" alt-text="Screenshot that shows sample IPs generated during premigration."::: After you complete all of the preceding steps, you can start the migration. Make This step takes three to six hours for v2 to v3 migrations and up to six hours for v1 to v3 migrations, depending on the environment size. Scaling and modifications to your existing App Service Environment are blocked during this step. 
> [!NOTE]-> In rare cases, you might see a notification in the portal that says "Migration to App Service Environment v3 failed" after you start the migration. There's a known bug that might trigger this notification even if the migration is progressing. Check the activity log for the App Service Environment to determine the validity of this error message. +> In rare cases, you might see a notification in the portal that says "Migration to App Service Environment v3 failed" after you start the migration. There's a known bug that might trigger this notification even if the migration is progressing. Check the activity log for the App Service Environment to determine the validity of this error message. In most cases, refreshing the page resolves the issue, and the error message disappears. If the error message persists, contact support for assistance. >-> :::image type="content" source="./media/migration/migration-error.png" alt-text="Screenshot that shows the potential error notification after migration starts."::: +> :::image type="content" source="./media/migration/migration-error-2.png" alt-text="Screenshot that shows the potential error notification after migration starts."::: At this time, detailed migration statuses are available only when you're using the Azure CLI. For more information, see the [Azure CLI section for migrating to App Service Environment v3](#8-migrate-to-app-service-environment-v3-and-check-status). |
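Review bot: the edited sentence in the premigration step introduces a tense error: "Don't move to the next step until you confirmed that you made these updates" should keep the original wording "until you confirm that you made these updates". The added guidance in the NOTE (refresh the page, contact support if the "Migration to App Service Environment v3 failed" notification persists) and the swap to the migration-error-2.png screenshot read fine as documentation changes.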
app-service | How To Side By Side Migrate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/how-to-side-by-side-migrate.md | You have two App Service Environments at this stage in the migration process. Yo You can get the new IP addresses for your new App Service Environment v3 by running the following command. It's your responsibility to make any necessary updates. +> [!IMPORTANT] +> During the preview, the new inbound IP is returned incorrectly due to a known bug. Open a support ticket to receive the correct IP addresses for your App Service Environment v3. +> + ```azurecli az rest --method get --uri "${ASE_ID}?api-version=2022-03-01" ``` ## 10. Redirect customer traffic and complete migration -This step is your opportunity to test and validate your new App Service Environment v3. Once you confirm your apps are working as expected, you can redirect customer traffic to your new environment by running the following command. This command also deletes your old environment. +This step is your opportunity to test and validate your new App Service Environment v3. Your App Service Environment v2 frontends are still running, but the backing compute is an App Service Environment v3. If you're able to access your apps without issues, that means you're ready to complete the migration. ++Once you confirm your apps are working as expected, you can redirect customer traffic to your new App Service Environment v3 frontends by running the following command. This command also deletes your old environment. ```azurecli az rest --method post --uri "${ASE_ID}/NoDowntimeMigrate?phase=DnsChange&api-version=2022-03-01" |
app-service | Migrate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/migrate.md | Title: Migrate to App Service Environment v3 by using the in-place migration fea description: Overview of the in-place migration feature for migration to App Service Environment v3. Previously updated : 02/15/2024 Last updated : 02/22/2024 If your App Service Environment doesn't pass the validation checks or you try to |Migrate cannot be called on this ASE until the active upgrade has finished. |App Service Environments can't be migrated during platform upgrades. You can set your [upgrade preference](how-to-upgrade-preference.md) from the Azure portal. In some cases, an upgrade is initiated when visiting the migration page if your App Service Environment isn't on the current build. |Wait until the upgrade finishes and then migrate. | |App Service Environment management operation in progress. |Your App Service Environment is undergoing a management operation. These operations can include activities such as deployments or upgrades. Migration is blocked until these operations are complete. |You can migrate once these operations are complete. | |Migrate is not available for this subscription.|Support needs to be engaged for migrating this App Service Environment.|Open a support case to engage support to resolve your issue.|-|Your InteralLoadBalancingMode is not currently supported.|App Service Environments that have InternalLoadBalancingMode set to certain values can't be migrated using the migration feature at this time. |Migrate using one of the [manual migration options](migration-alternatives.md) if you want to migrate immediately. | +|Your InteralLoadBalancingMode is not currently supported.|App Service Environments that have InternalLoadBalancingMode set to certain values can't be migrated using the migration feature at this time. The InternalLoadBalancingMode must be manually changed by the Microsoft team. 
|Open a support case to engage support to resolve your issue. Request an update to the InternalLoadBalancingMode to allow migration. | |Migration is invalid. Your ASE needs to be upgraded to the latest build to ensure successful migration. We will upgrade your ASE now. Please try migrating again in few hours once platform upgrade has finished. |Your App Service Environment isn't on the minimum build required for migration. An upgrade is started. Your App Service Environment won't be impacted, but you won't be able to scale or make changes to your App Service Environment while the upgrade is in progress. You won't be able to migrate until the upgrade finishes. |Wait until the upgrade finishes and then migrate. | ## Overview of the migration process using the in-place migration feature |
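Review bot: the rewritten InternalLoadBalancingMode row keeps the misspelling "InteralLoadBalancingMode" in the error-message column while the description and resolution columns spell it "InternalLoadBalancingMode"; unless the service really emits the misspelled string, correct it so readers searching for the error can find the row. The new resolution also drops the link to the manual migration options that the removed line offered; if those alternatives still apply to customers who want to migrate immediately, keep that pointer alongside the support-case instruction.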
app-service | Side By Side Migrate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/side-by-side-migrate.md | Title: Migrate to App Service Environment v3 by using the side by side migration description: Overview of the side by side migration feature for migration to App Service Environment v3. Previously updated : 2/21/2024 Last updated : 2/22/2024 At this time, the side by side migration feature supports migrations to App Serv ### Azure Public - East Asia+- North Europe - West Central US+- West US 2 The following App Service Environment configurations can be migrated using the side by side migration feature. The table gives the App Service Environment v3 configuration when using the side by side migration feature based on your existing App Service Environment. If your App Service Environment doesn't pass the validation checks or you try to |Subscription has too many App Service Environments. Please remove some before trying to create more.|The App Service Environment [quota for your subscription](../../azure-resource-manager/management/azure-subscription-service-limits.md#app-service-limits) is met. |Remove unneeded environments or contact support to review your options. | |Migrate cannot be called on this ASE until the active upgrade has finished. |App Service Environments can't be migrated during platform upgrades. You can set your [upgrade preference](how-to-upgrade-preference.md) from the Azure portal. In some cases, an upgrade is initiated when visiting the migration page if your App Service Environment isn't on the current build. |Wait until the upgrade finishes and then migrate. | |App Service Environment management operation in progress. |Your App Service Environment is undergoing a management operation. These operations can include activities such as deployments or upgrades. Migration is blocked until these operations are complete. |You can migrate once these operations are complete. 
|-|Your InternalLoadBalancingMode is not currently supported.|App Service Environments that have InternalLoadBalancingMode set to certain values can't be migrated using the side by side migration feature at this time. |Migrate using one of the [manual migration options](migration-alternatives.md) if you want to migrate immediately. | +|Your InteralLoadBalancingMode is not currently supported.|App Service Environments that have InternalLoadBalancingMode set to certain values can't be migrated using the migration feature at this time. The InternalLoadBalancingMode must be manually changed by the Microsoft team. |Open a support case to engage support to resolve your issue. Request an update to the InternalLoadBalancingMode to allow migration. | |Migration is invalid. Your ASE needs to be upgraded to the latest build to ensure successful migration. We will upgrade your ASE now. Please try migrating again in few hours once platform upgrade has finished. |Your App Service Environment isn't on the minimum build required for migration. An upgrade is started. Your App Service Environment won't be impacted, but you won't be able to scale or make changes to your App Service Environment while the upgrade is in progress. You won't be able to migrate until the upgrade finishes. |Wait until the upgrade finishes and then migrate. | |Full migration cannot be called before IP addresses are generated. |This error appears if you attempt to migrate before finishing the premigration steps. |Ensure you complete all premigration steps before you attempt to migrate. See the [step-by-step guide for migrating](how-to-side-by-side-migrate.md). | The new default outbound to the internet public addresses are given so you can a ### Redirect customer traffic and complete migration -The final step is to redirect traffic to your new App Service Environment v3 and complete the migration. The platform does this change for you, but only when you initiate it. 
Before you do this step, you should review your new App Service Environment v3 and perform any needed testing to validate that it's functioning as intended. You can do this review using the IPs associated with your App Service Environment v3 from the IP generation steps. Once you're ready to redirect traffic, you can complete the final step of the migration. This step updates internal DNS records to point to the load balancer IP address of your new App Service Environment v3. Changes are effective immediately. This step also shuts down your old App Service Environment and deletes it. Your new App Service Environment v3 is now your production environment. +The final step is to redirect traffic to your new App Service Environment v3 and complete the migration. The platform does this change for you, but only when you initiate it. Before you do this step, you should review your new App Service Environment v3 and perform any needed testing to validate that it's functioning as intended. Your App Service Environment v2 frontends are still running, but the backing compute is an App Service Environment v3. If you're able to access your apps without issues, that means you're ready to complete the migration. ++Once you're ready to redirect traffic, you can complete the final step of the migration. This step updates internal DNS records to point to the load balancer IP address of your new App Service Environment v3 and the frontends that were created during the migration. Changes are effective immediately. This step also shuts down your old App Service Environment and deletes it. Your new App Service Environment v3 is now your production environment. > [!IMPORTANT] > During the preview, in some cases there may be up to 20 minutes of downtime when you complete the final step of the migration. This downtime is due to the DNS change. The downtime is expected to be removed once the feature is generally available. 
If you have a requirement for zero downtime, you should wait until the side by side migration feature is generally available. During preview, however, you can still use the side by side migration feature to migrate your dev environments to App Service Environment v3 to learn about the migration process and see how it impacts your workloads. |
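Review bot: the replaced validation-error row introduces a regression: the removed line spelled "InternalLoadBalancingMode" correctly in the error-message column, and the added line misspells it as "InteralLoadBalancingMode"; restore the correct spelling (this also keeps the side by side table consistent with the description and resolution columns). The rest of the diff (the North Europe and West US 2 regions, the expanded explanation that the v2 frontends keep running on v3 backing compute until the DNS change, and the up-to-20-minutes-of-downtime IMPORTANT note) is clear.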
application-gateway | Quick Create Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/quick-create-terraform.md | +ai-usage: ai-assisted # Quickstart: Direct web traffic with Azure Application Gateway - Terraform |
attestation | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/attestation/overview.md | Client applications can be designed to take advantage of TPM attestation by dele ### AMD SEV-SNP attestation -Azure [Confidential VM](../confidential-computing/confidential-vm-overview.md) (CVM) is based on [AMD processors with SEV-SNP technology](../confidential-computing/virtual-machine-solutions.md). CVM offers VM OS disk encryption option with platform-managed keys or customer-managed keys and binds the disk encryption keys to the virtual machine's TPM. When a CVM boots up, SNP report containing the guest VM firmware measurements is sent to Azure Attestation. The service validates the measurements and issues an attestation token that is used to release keys from [Managed-HSM](../key-vault/managed-hsm/overview.md) or [Azure Key Vault](../key-vault/general/basic-concepts.md). These keys are used to decrypt the vTPM state of the guest VM, unlock the OS disk and start the CVM. The attestation and key release process is performed automatically on each CVM boot, and the process ensures the CVM boots up only upon successful attestation of the hardware. +Azure [Confidential VM](../confidential-computing/confidential-vm-overview.md) (CVM) is based on [AMD processors with SEV-SNP technology](../confidential-computing/virtual-machine-options.md). CVM offers VM OS disk encryption option with platform-managed keys or customer-managed keys and binds the disk encryption keys to the virtual machine's TPM. When a CVM boots up, SNP report containing the guest VM firmware measurements will be sent to Azure Attestation. The service validates the measurements and issues an attestation token that is used to release keys from [Managed-HSM](../key-vault/managed-hsm/overview.md) or [Azure Key Vault](../key-vault/general/basic-concepts.md). These keys are used to decrypt the vTPM state of the guest VM, unlock the OS disk and start the CVM. 
The attestation and key release process is performed automatically on each CVM boot, and the process ensures the CVM boots up only upon successful attestation of the hardware. ### Trusted Launch attestation |
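Review bot: the changed sentence in the AMD SEV-SNP paragraph switches from present to future tense ("SNP report containing the guest VM firmware measurements will be sent to Azure Attestation") while the sentences before and after it stay in present tense; keep "is sent" so the paragraph reads consistently. The link retarget from virtual-machine-solutions.md to virtual-machine-options.md is the substantive change here and needs no other wording edits.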
attestation | Quickstart Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/attestation/quickstart-terraform.md | +ai-usage: ai-assisted # Quickstart: Create an Azure Attestation provider by using Terraform |
azure-arc | Enable Guest Management At Scale | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/system-center-virtual-machine-manager/enable-guest-management-at-scale.md | keywords: "VMM, Arc, Azure" In this article, you learn how to install Arc agents at scale for SCVMM VMs and use Azure management capabilities. +>[!IMPORTANT] +>We recommend maintaining the SCVMM management server and the SCVMM console in the same Long-Term Servicing Channel (LTSC) and Update Rollup (UR) version. + >[!NOTE] >This article is applicable only if you are running: >- SCVMM 2022 UR1 or later |
azure-arc | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/system-center-virtual-machine-manager/overview.md | Title: Overview of the Azure Connected System Center Virtual Machine Manager description: This article provides a detailed overview of the Azure Arc-enabled System Center Virtual Machine Manager. Previously updated : 12/19/2023 Last updated : 02/23/2024 ms. To Arc-enable a System Center VMM management server, deploy [Azure Arc resource The following image shows the architecture for the Arc-enabled SCVMM: ## How is Arc-enabled SCVMM different from Arc-enabled Servers Azure Arc-enabled SCVMM doesn't store/process customer data outside the region t ## Next steps -[Create an Azure Arc VM](create-virtual-machine.md) +[Create an Azure Arc VM](create-virtual-machine.md). |
azure-arc | Quickstart Connect System Center Virtual Machine Manager To Arc | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/system-center-virtual-machine-manager/quickstart-connect-system-center-virtual-machine-manager-to-arc.md | -This Quickstart shows you how to connect your SCVMM management server to Azure Arc using a helper script. The script deploys a lightweight Azure Arc appliance (called Azure Arc resource bridge) as a virtual machine running in your VMM environment and installs an SCVMM cluster extension on it, to provide a continuous connection between your VMM management server and Azure Arc. +This Quickstart shows you how to connect your SCVMM management server to Azure Arc using a helper script. The script deploys a lightweight Azure Arc appliance (called Azure Arc resource bridge) as a virtual machine running in your VMM environment and installs an SCVMM cluster extension on it to provide a continuous connection between your VMM management server and Azure Arc. ## Prerequisites Follow these instructions to run the script on a Windows machine. Follow these instructions to run the script on a Linux machine: -1. Open the terminal and navigate to the folder, where you've downloaded the Bash script. +1. Open the terminal and navigate to the folder where you've downloaded the Bash script. 2. Execute the script using the following command: ```sh The script execution will take up to half an hour and you'll be prompted for var | **SCVMM management server FQDN/Address** | FQDN for the VMM server (or an IP address). </br> Provide role name if itΓÇÖs a Highly Available VMM deployment. </br> For example: nyc-scvmm.contoso.com or 10.160.0.1 | | **SCVMM Username**</br> (domain\username) | Username for the SCVMM administrator account. 
The required permissions for the account are listed in the prerequisites above.</br> Example: contoso\contosouser | | **SCVMM password** | Password for the SCVMM admin account |-| **Private cloud selection** | Select the name of the private cloud where the Arc resource bridge VM should be deployed. | +| **Deployment location selection** | Select if you want to deploy the Arc resource bridge VM in an SCVMM Cloud or an SCVMM Host Group. | +| **Private cloud/Host group selection** | Select the name of the private cloud or the host group where the Arc resource bridge VM should be deployed. | | **Virtual Network selection** | Select the name of the virtual network to which *Arc resource bridge VM* needs to be connected. This network should allow the appliance to talk to the VMM management server and the Azure endpoints (or internet). | | **Static IP pool** | Select the VMM static IP pool that will be used to allot the IP address. | | **Control Plane IP** | Provide a reserved IP address in the same subnet as the static IP pool used for Resource Bridge deployment. This IP address should be outside of the range of static IP pool used for Resource Bridge deployment and shouldn't be assigned to any other machine on the network. | |
azure-arc | Quick Start Connect Vcenter To Arc Using Script | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/vmware-vsphere/quick-start-connect-vcenter-to-arc-using-script.md | Title: Connect VMware vCenter Server to Azure Arc by using the helper script description: In this quickstart, you learn how to use the helper script to connect your VMware vCenter Server instance to Azure Arc. Previously updated : 11/06/2023 Last updated : 02/22/2024 First, the script deploys a virtual appliance called [Azure Arc resource bridge] - A virtual network that can provide internet access, directly or through a proxy. It must also be possible for VMs on this network to communicate with the vCenter server on TCP port (usually 443). -- At least three free static IP addresses on the above network. If you have a DHCP server on the network, the IP addresses must be outside the DHCP range. +- At least three free static IP addresses on the above network. - A resource pool or a cluster with a minimum capacity of 16 GB of RAM and four vCPUs. You need a Windows or Linux machine that can access both your vCenter Server ins 7. Select a subscription and resource group where the resource bridge will be created. -8. Under **Region**, select an Azure location where the resource metadata will be stored. Currently, supported regions are **East US**, **West Europe**, **Australia East** and **Canada Central**. +8. Under **Region**, select an Azure location where the resource metadata will be stored. Currently, the supported regions are **East US**, **West Europe**, **Australia East**, and **Canada Central**. 9. Provide a name for **Custom location**. You'll see this name when you deploy VMs. Name it for the datacenter or the physical location of your datacenter. For example: **contoso-nyc-dc**. A typical onboarding that uses the script takes 30 to 60 minutes. During the pro | **vCenter password** | Enter the password for the vSphere account. 
| | **Data center selection** | Select the name of the datacenter (as shown in the vSphere client) where the Azure Arc resource bridge VM should be deployed. | | **Network selection** | Select the name of the virtual network or segment to which the Azure Arc resource bridge VM must be connected. This network should allow the appliance to communicate with vCenter Server and the Azure endpoints (or internet). |-| **Static IP / DHCP** | For deploying Azure Arc resource bridge, the preferred configuration is to use Static IP. Enter **n** to select static IP configuration. While not recommended, if you have DHCP server in your network and want to use it instead, enter **y**. If you're using a DHCP server, reserve the IP address assigned to the Azure Arc Resource Bridge VM (Appliance VM IP). If you use DHCP, the cluster configuration IP address still needs to be a static IP address. </br>When you choose a static IP configuration, you're asked for the following information: </br> 1. **Static IP address prefix**: Network address in CIDR notation. For example: **192.168.0.0/24**. </br> 2. **Static gateway**: Gateway address. For example: **192.168.0.0**. </br> 3. **DNS servers**: IP address(es) of DNS server(s) used by Azure Arc resource bridge VM for DNS resolution. Azure Arc resource bridge VM must be able to resolve external sites, like mcr.microsoft.com and the vCenter server. </br> 4. **Start range IP**: Minimum size of two available IP addresses is required. One IP address is for the Azure Arc resource bridge VM, and the other is reserved for upgrade scenarios. Provide the starting IP address of that range. Ensure the Start range IP has internet access. </br> 5. **End range IP**: Last IP address of the IP range requested in the previous field. Ensure the End range IP has internet access. </br>| -| **Control Plane IP address** | Azure Arc resource bridge runs a Kubernetes cluster, and its control plane always requires a static IP address. 
Provide an IP address that meets the following requirements: <br> - The IP address must have internet access. <br> - The IP address must be within the subnet defined by IP address prefix. <br> - If you're using static IP address option for resource bridge VM IP address, the control plane IP address must be outside of the IP address range provided for the VM (Start range IP - End range IP). <br> - If there's a DHCP service on the network, the IP address must be outside of DHCP range.| +| **Static IP** | Arc Resource Bridge requires static IP address assignment and DHCP isn't supported. </br> 1. **Static IP address prefix**: Network address in CIDR notation. For example: **192.168.0.0/24**. </br> 2. **Static gateway**: Gateway address. For example: **192.168.0.0**. </br> 3. **DNS servers**: IP address(es) of DNS server(s) used by Azure Arc resource bridge VM for DNS resolution. Azure Arc resource bridge VM must be able to resolve external sites, like mcr.microsoft.com and the vCenter server. </br> 4. **Start range IP**: Minimum size of two available IP addresses is required. One IP address is for the Azure Arc resource bridge VM, and the other is reserved for upgrade scenarios. Provide the starting IP address of that range. Ensure the Start range IP has internet access. </br> 5. **End range IP**: Last IP address of the IP range requested in the previous field. Ensure the End range IP has internet access. </br>| +| **Control Plane IP address** | Azure Arc resource bridge runs a Kubernetes cluster, and its control plane always requires a static IP address. Provide an IP address that meets the following requirements: <br> - The IP address must have internet access. <br> - The IP address must be within the subnet defined by IP address prefix. <br> - If you're using static IP address option for resource bridge VM IP address, the control plane IP address must be outside of the IP address range provided for the VM (Start range IP - End range IP). 
| | **Resource pool** | Select the name of the resource pool to which the Azure Arc resource bridge VM will be deployed. | | **Data store** | Select the name of the datastore to be used for the Azure Arc resource bridge VM. | | **Folder** | Select the name of the vSphere VM and the template folder where the Azure Arc resource bridge's VM will be deployed. |-| **VM template Name** | Provide a name for the VM template that will be created in your vCenter Server instance based on the downloaded OVA file. For example: **arc-appliance-template**. | | **Appliance proxy settings** | Enter **y** if there's a proxy in your appliance network. Otherwise, enter **n**. </br> You need to populate the following boxes when you have a proxy set up: </br> 1. **Http**: Address of the HTTP proxy server. </br> 2. **Https**: Address of the HTTPS proxy server. </br> 3. **NoProxy**: Addresses to be excluded from the proxy. </br> 4. **CertificateFilePath**: For SSL-based proxies, the path to the certificate to be used. After the command finishes running, your setup is complete. You can now use the capabilities of Azure Arc-enabled VMware vSphere. |
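Review bot: in the new **Static IP** row, the example given for **Static gateway** is 192.168.0.0, which is the network address of the 192.168.0.0/24 prefix shown one field earlier, not a usable gateway address; a host address such as 192.168.0.1 (example) would be correct. Also, now that the row states "Arc Resource Bridge requires static IP address assignment and DHCP isn't supported", the rewritten **Control Plane IP address** row should drop the conditional "If you're using static IP address option for resource bridge VM IP address" and simply require the control plane IP to be outside the Start range IP - End range IP range.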
azure-government | Documentation Government Impact Level 5 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-impact-level-5.md | For Internet of Things services availability in Azure Government, see [Products ### [Azure IoT Hub](../iot-hub/index.yml) -- IoT Hub supports encryption of data at rest with customer-managed keys, also known as *bring your own key* (BYOK). Azure IoT Hub provides encryption of data at rest and in transit. By default, Azure IoT Hub uses Microsoft-managed keys to encrypt the data. Customer-managed key support enables you to encrypt data at rest by using an [encryption key that you manage via Azure Key Vault](../iot-hub/iot-hub-customer-managed-keys.md).-+- Azure IoT Hub provides encryption of data at rest and in transit. Azure IoT Hub uses Microsoft-managed keys to encrypt the data. ## Management and governance |
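Review bot: the replacement bullet drops the customer-managed key (BYOK) statement for IoT Hub without saying why; on an Impact Level 5 isolation page readers need to know whether customer-managed keys are unsupported in Azure Government, so state explicitly that IoT Hub data at rest is encrypted only with Microsoft-managed keys and whether that satisfies the IL5 requirement, rather than leaving it implied by omission.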
azure-maps | How To Creator Wfs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-creator-wfs.md | After the response returns, copy the feature `id` for one of the `unit` features > [!div class="nextstepaction"] > [How to create a feature stateset] +[Check the dataset creation status]: tutorial-creator-indoor-maps.md#check-the-dataset-creation-status [datasets]: /rest/api/maps-creator/dataset [WFS API]: /rest/api/maps-creator/wfs [Web Feature Service (WFS)]: /rest/api/maps-creator/wfs |
azure-maps | Migrate From Bing Maps Web App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/migrate-from-bing-maps-web-app.md | Learn more about migrating from Bing Maps to Azure Maps. [Load a map]: #load-a-map [Localization support in Azure Maps]: supported-languages.md [Localizing the map]: #localizing-the-map+[Microsoft Entra ID]: /entra/fundamentals/whatis [ng-azure-maps]: https://github.com/arnaudleclerc/ng-azure-maps [OpenLayers plugin]: /samples/azure-samples/azure-maps-OpenLayers/azure-maps-OpenLayers-plugin [OpenLayers]: https://openlayers.org/ |
azure-maps | Migrate From Bing Maps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/migrate-from-bing-maps.md | Learn the details of how to migrate your Bing Maps application with these articl > [!div class="nextstepaction"] > [Migrate a web app] -[Azure Active Directory authentication]: azure-maps-authentication.md#azure-ad-authentication [Azure Maps account]: quick-demo-map-app.md#create-an-azure-maps-account [Azure Maps Blog]: https://aka.ms/AzureMapsTechBlog [Azure Maps code samples]: https://samples.azuremaps.com/ |
azure-maps | Migrate From Google Maps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/migrate-from-google-maps.md | Learn the details of how to migrate your Google Maps application with these arti > [!div class="nextstepaction"] > [Migrate a web app](migrate-from-google-maps-web-app.md) -[Azure Active Directory authentication]: azure-maps-authentication.md#azure-ad-authentication [Azure Maps account]: quick-demo-map-app.md#create-an-azure-maps-account [Azure Maps Blog]: https://aka.ms/AzureMapsBlog [Azure Maps developer forums]: https://aka.ms/AzureMapsForums Learn the details of how to migrate your Google Maps application with these arti [Azure support options]: https://azure.microsoft.com/support/options [free account]: https://azure.microsoft.com/free/ [Manage authentication in Azure Maps]: how-to-manage-authentication.md+[Microsoft Entra authentication]: azure-maps-authentication.md#microsoft-entra-authentication [Microsoft learning center shows]: https://aka.ms/AzureMapsVideos [subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account [terms of use]: https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=46 |
azure-maps | Open Source Projects | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/open-source-projects.md | Find more open-source Azure Maps projects. [Azure Maps Jupyter Notebook samples]: https://github.com/Azure-Samples/Azure-Maps-Jupyter-Notebook [Azure Maps Leaflet plugin]: https://github.com/azure-samples/azure-maps-leaflet [Azure Maps OpenLayers plugin]: https://github.com/azure-samples/azure-maps-openlayers+[Azure Maps Open Source Projects]: https://github.com/Microsoft/Maps/blob/master/AzureMaps.md [Azure Maps Overview Map module]: https://github.com/Azure-Samples/azure-maps-overview-map [Azure Maps Scale Bar Control module]: https://github.com/Azure-Samples/azure-maps-scale-bar-control [Azure Maps Selection Control module]: https://github.com/Azure-Samples/azure-maps-selection-control |
azure-maps | Schema Stateset Stylesobject | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/schema-stateset-stylesobject.md | Learn more about Creator for indoor maps by reading: [`StyleObject`]: #styleobject [Creator for indoor maps]: creator-indoor-maps.md [Feature State service]: /rest/api/maps-creator/feature-state-[Implement dynamic styling for Creator  indoor maps]: indoor-map-dynamic-styling.md +[Implement dynamic styling for Creator indoor maps]: indoor-map-dynamic-styling.md [RangeObject]: #rangeobject [What is Azure Maps Creator?]: about-creator.md |
azure-maps | Weather Service Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/weather-service-tutorial.md | The following table displays the combined historical and forecast data for one o grouped_weather_data.get_group(station_ids[0]).reset_index() ``` -<center>![Grouped data](./media/weather-service-tutorial/grouped-data.png)</center> +![Grouped data](./media/weather-service-tutorial/grouped-data.png) ## Plot forecast data windsPlot.set_ylabel("Wind direction") The following graphs visualize the forecast data. For the change of wind speed, see the left graph. For change in wind direction, see the right graph. This data is prediction for next 15 days from the day the data is requested. -<center> ![Wind speed plot](./media/weather-service-tutorial/speed-date-plot.png) ![Wind direction plot](./media/weather-service-tutorial/direction-date-plot.png)-</center> In this tutorial, you learned how to call Azure Maps REST APIs to get weather forecast data. You also learned how to visualize the data on graphs. |
azure-monitor | Action Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/action-groups.md | Global requests from clients can be processed by action group services in any re 1. Configure basic action group settings. In the **Project details** section: - Select values for **Subscription** and **Resource group**. - Select the region.+ + > [!NOTE] + > Service Health Alerts are only supported in public clouds within the global region. For Action Groups to properly function in response to a Service Health Alert the region of the action group must be set as "Global". | Option | Behavior | | | -- | |
azure-monitor | Convert Classic Resource | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/convert-classic-resource.md | If you don't wish to have your classic resource automatically migrated to a work ### Is there any implication on the cost from migration? -There's usually no difference, with a couple of exceptions: +There's usually no difference, with one exeception - Application Insights resources that were receiving 1 GB per month free via legacy Application Insights pricing model will no longer receive the free data. +The migration to workspace-based Application Insights offers a number of options to further [optimize cost](../logs/cost-logs.md), including [Log Analytics commitment tiers](../logs/cost-logs.md#commitment-tiers), [dedicated clusters](../logs/cost-logs.md#dedicated-clusters), and [basic logs](../logs/cost-logs.md#basic-logs). ### How will telemetry capping work? To avoid this issue, make sure to use the latest version of the Terraform [azure For backwards compatibility, calls to the old API for creating Application Insights resources will continue to work. Each of these calls will eventually create both a workspace-based Application Insights resource and a Log Analytics workspace to store the data. -We strongly encourage updating to the [new API](https://learn.microsoft.com/azure/azure-monitor/app/resource-manager-app-resource) for better control over resource creation. +We strongly encourage updating to the [new API](resource-manager-app-resource.md) for better control over resource creation. ### Should I migrate diagnostic settings on classic Application Insights before moving to a workspace-based AI? Yes, we recommend migrating diagnostic settings on classic Application Insights resources before transitioning to a workspace-based Application Insights. It ensures continuity and compatibility of your diagnostic settings. |
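Review bot: the added line misspells "exception" as "exeception" and replaces the colon with a spaced hyphen; suggest "There's usually no difference, with one exception: Application Insights resources that were receiving 1 GB per month free via the legacy Application Insights pricing model will no longer receive the free data."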
azure-netapp-files | Azure Netapp Files Resize Capacity Pools Or Volumes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-resize-capacity-pools-or-volumes.md | Last updated 02/21/2023 # Resize a capacity pool or a volume+ You can change the size of a capacity pool or a volume as necessary, for example, when a volume or capacity pool fills up. For information about monitoring a volumeΓÇÖs capacity, see [Monitor the capacity of a volume](monitor-volume-capacity.md). For information about monitoring a volumeΓÇÖs capacity, see [Monitor the capacit * Capacity pools with Basic network features have a minimum size of 4 TiB. For capacity pools with Standard network features, the minimum size is 1 TiB. For more information, see [Resource limits](azure-netapp-files-resource-limits.md) * Volume resize operations are nearly instantaneous but not always immediate. There can be a short delay for the volume's updated size to appear in the portal. Verify the size from a host perspective before re-attempting the resize operation. +>[!IMPORTANT] +>If you are using a capacity pool with a size of 2 TiB or smaller and have `ANFStdToBasicNetworkFeaturesRevert` and `ANFBasicToStdNetworkFeaturesUpgrade` AFECs enabled and want to change the capacity pool's QoS type from auto manual, you must [perform the operation with the REST API](#resizing-the-capacity-pool-or-a-volume-using-rest-api) using the `2023-07-01` API version or later. + ## Resize the capacity pool using the Azure portal You can change the capacity pool size in 1-TiB increments or decrements. However, the capacity pool size cannot be smaller than the sum of the capacity of the volumes hosted in the pool. |
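Review bot: the added IMPORTANT note is missing a word in "change the capacity pool's QoS type from auto manual"; it should read "from auto to manual". Since the page states minimum pool sizes of 4 TiB for Basic and 1 TiB for Standard network features, the "2 TiB or smaller" condition can only apply to 1-TiB and 2-TiB pools with Standard network features; saying so explicitly would make the note easier to apply.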
azure-netapp-files | Configure Network Features | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-network-features.md | See [regions supported for this feature](azure-netapp-files-network-topologies.m > [!IMPORTANT] > Updating the network features option might cause a network disruption on the volumes for up to 5 minutes. +>[!NOTE] +>If you have enabled both the `ANFStdToBasicNetworkFeaturesRevert` and `ANFBasicToStdNetworkFeaturesUpgrade` AFECs are using 1 or 2-TiB capacity pools, see [Resize a capacity pool or a volume](azure-netapp-files-resize-capacity-pools-or-volumes.md) for information about sizing your capacity pools. + 1. Navigate to the volume for which you want to change the network features option. 1. Select **Change network features**. 1. The **Edit network features** window displays the volumes that are in the same network sibling set. Confirm whether you want to modify the network features option. |
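Review bot: the added NOTE is missing a conjunction: "If you have enabled both the ... AFECs are using 1 or 2-TiB capacity pools" should read "If you have enabled both the `ANFStdToBasicNetworkFeaturesRevert` and `ANFBasicToStdNetworkFeaturesUpgrade` AFECs and are using 1-TiB or 2-TiB capacity pools".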
azure-resource-manager | Manage Resource Groups Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/manage-resource-groups-python.md | Last updated 01/27/2024 content_well_notification: - AI-contribution+ai-usage: ai-assisted # Manage Azure resource groups by using Python |
azure-resource-manager | Deploy Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/deploy-python.md | Title: Deploy resources with Python and template description: Use Azure Resource Manager and Python to deploy resources to Azure. The resources are defined in an Azure Resource Manager template. Previously updated : 04/24/2023 Last updated : 02/23/2024 content_well_notification: - AI-contribution +ai-usage: ai-assisted # Deploy resources with ARM templates and Python This article explains how to use Python with Azure Resource Manager templates (A * A template to deploy. If you don't already have one, download and save an [example template](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.storage/storage-account-create/azuredeploy.json) from the Azure Quickstart templates repo. -* Python 3.7 or later installed. To install the latest, see [Python.org](https://www.python.org/downloads/) +* Python 3.8 or later installed. To install the latest, see [Python.org](https://www.python.org/downloads/) * The following Azure library packages for Python installed in your virtual environment. To install any of the packages, use `pip install {package-name}` * azure-identity |
azure-vmware | Move Azure Vmware Solution Across Regions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/move-azure-vmware-solution-across-regions.md | description: This article describes how to move Azure VMware Solution resources Previously updated : 12/18/2023 Last updated : 2/23/2024 # Customer intent: As an Azure service administrator, I want to move my Azure VMware Solution resources from Azure Region A to Azure Region B. You can move Azure VMware Solution resources to a different region for several r This article helps you plan and migrate Azure VMware Solution from one Azure region to another, such as Azure region A to Azure region B. - The diagram shows the recommended ExpressRoute connectivity between the two Azure VMware Solution environments. An HCX site pairing and service mesh are created between the two environments. The HCX migration traffic and Layer-2 extension moves (depicted by the red line) between the two environments. For VMware recommended HCX planning, see [Planning an HCX Migration](https://vmc.techzone.vmware.com/vmc-solutions/docs/deploy/planning-an-hcx-migration#section1). :::image type="content" source="media/move-across-regions/move-ea-csp-across-regions-2.png" alt-text="Diagram showing ExpressRoute Global Reach communication between the source and target Azure VMware Solution environments." 
border="false"::: The diagram shows the recommended ExpressRoute connectivity between the two Azur >[!NOTE] >You don't need to migrate any workflow back to on-premises because the traffic will flow between the private clouds (source and target): >->**Azure VMware Solution private cloud (source) > ExpressRoute gateway (source) > ExpressRoute gateway (target) > Azure VMware Solution private cloud (target)** +>**Azure VMware Solution private cloud (source) > ExpressRoute gateway (source) > Global Reach -> ExpressRoute gateway (target) > Azure VMware Solution private cloud (target)** The diagram shows the connectivity between both Azure VMware Solution environments. :::image type="content" source="media/move-across-regions/move-ea-csp-across-regions-connectivity-diagram.png" alt-text="Diagram showing communication between the source and target Azure VMware Solution environments." border="false"::: - In this article, walk through the steps to: > [!div class="checklist"] The following steps show how to prepare your Azure VMware Solution private cloud Before you can move the source configuration, you need to [deploy the target environment](plan-private-cloud-deployment.md). - ### Back up the source configuration Back up the Azure VMware Solution (source) configuration that includes vCenter Server, NSX-T Data Center, and firewall policies and rules. -- **Compute:** Export existing inventory configuration. For Inventory backup, you can use RVtools (an open-source app).--- **Network and firewall policies and rules:** On the Azure VMware Solution target, create the same network segments as the source environment.+- **Compute:** Export existing inventory configuration. For Inventory backup, you can use [RVTools (an open-source app)](https://www.robware.net/home). + +- **Network and firewall policies and rules:** This is included as part of the VMware HCX Network Extension. Azure VMware Solution supports all backup solutions. 
You need CloudAdmin privileges to install, backup data, and restore backups. For more information, see [Backup solutions for Azure VMware Solution VMs](ecosystem-back-up-vms.md). Azure VMware Solution supports all backup solutions. You need CloudAdmin privile 3. Copy the sourceΓÇÖs **ExpressRoute ID**. You need it to peer between the private clouds. - ### Create the targetΓÇÖs authorization key 1. From the target, sign in to the [Azure portal](https://portal.azure.com/). Azure VMware Solution supports all backup solutions. You need CloudAdmin privile > [!NOTE] > If you need access to the Azure US Gov portal, go to https://portal.azure.us/ - - 1. Select **Manage** > **Connectivity** > **ExpressRoute**, then select **+ Request an authorization key**. :::image type="content" source="media/expressroute-global-reach/start-request-authorization-key.png" alt-text="Screenshot showing how to request an ExpressRoute authorization key." border="true" lightbox="media/expressroute-global-reach/start-request-authorization-key.png"::: After you establish connectivity, you'll create a VMware HCX site pairing betwee 1. In **Advanced Configuration - Network Extension Appliance Scale Out**, review and select **Continue**. - You can have up to eight VLANs per appliance, but you can deploy another appliance to add another eight VLANs. You must also have IP space to account for the more appliances, and it's one IP per appliance. For more information, see [VMware HCX Configuration Limits](https://configmax.vmware.com/guest?vmwareproduct=VMware%20HCX&release=VMware%20HCX&categories=41-0,42-0,43-0,44-0,45-0). + You can have up to eight Network Segments per appliance, but you can deploy another appliance to add another eight Network Segments. You must also have IP space to account for the more appliances, and it's one IP per appliance. 
For more information, see [VMware HCX Configuration Limits](https://configmax.vmware.com/guest?vmwareproduct=VMware%20HCX&release=VMware%20HCX&categories=41-0,42-0,43-0,44-0,45-0). :::image type="content" source="media/tutorial-vmware-hcx/extend-networks-increase-vlan.png" alt-text="Screenshot that shows where to increase the VLAN count." lightbox="media/tutorial-vmware-hcx/extend-networks-increase-vlan.png"::: In this step, copy the source vSphere configuration and move it to the target en 2. From the source's vCenter Server, use the same VM folder name and [create the same VM folder](https://docs.vmware.com/en/VMware-Validated-Design/6.1/sddc-deployment-of-cloud-operations-and-automation-in-the-first-region/GUID-9D935BBC-1228-4F9D-A61D-B86C504E469C.html) on the target's vCenter Server under **Folders**. -3. Use VMware HCX to migrate all VM templates from the source's vCenter Server to the target's vCenter. +3. Use VMware HCX to migrate all VM templates from the source's vCenter Server to the target's vCenter Server. 1. From the source, convert the existing templates to VMs and then migrate them to the target. In this step, copy the source vSphere configuration and move it to the target en 4. Select **Sync Now**. - ### Configure the target NSX-T Data Center environment -In this step, use the source NSX-T Data Center configuration to configure the target NSX-T environment. +In this step, use the source NSX-T Data Center configuration to configure the target NSX-T Data Center environment. >[!NOTE]->You'll have multiple features configured on the source NSX-T Data Center, so you must copy or read from the source NSX-T Data Center and recreate it in the target private cloud. Use L2 Extension to keep same IP address and Mac Address of the VM while migrating Source to target AVS Private Cloud to avoid downtime due to IP change and related configuration. 
+>You'll have multiple features configured on the source NSX-T Data Center, so you must copy or read from the source NSX-T Data Center and recreate it in the target private cloud. Use L2 Extension to keep same IP address and Mac Address of the VM while migrating Source to target Azure VMware Solution Private Cloud to avoid downtime due to IP change and related configuration. 1. [Configure NSX-T Data Center network components](tutorial-nsx-t-network-segment.md) required in the target environment under default Tier-1 gateway. Before the gateway cutover, verify all migrated workload services and performanc For VMware recommendations, see [Cutover of extended networks](https://vmc.techzone.vmware.com/vmc-solutions/docs/deploy/planning-an-hcx-migration#section9). - ### Public IP DNAT for migrated DMZ VMs To this point, you migrated the workloads to the target environment. These application workloads must be reachable from the public internet. The target environment provides two ways of hosting any application. Applications can be: |
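Review bot: the rewritten backup bullet "**Network and firewall policies and rules:** This is included as part of the VMware HCX Network Extension" conflicts with the note later in the same article, which says the source NSX-T Data Center configuration must be copied or read and recreated in the target private cloud; HCX Network Extension extends the Layer-2 segments, so the bullet should keep the instruction to back up and recreate the firewall policies and rules rather than claim they are carried over. Separately, the rewritten traffic path mixes separators ("> ExpressRoute gateway (source) > Global Reach -> ExpressRoute gateway (target) >"); use one arrow style throughout.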
batch | Quick Create Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/quick-create-terraform.md | +ai-usage: ai-assisted # Quickstart: Create an Azure Batch account using Terraform |
cdn | Cdn Add To Web App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-add-to-web-app.md | What you learned: Learn how to optimize CDN performance in the following articles: > [!div class="nextstepaction"]-> [Tutorial: Add a custom domain to your Azure CDN endpoint](cdn-map-content-to-custom-domain.md) +> [Tutorial: Optimize Azure CDN for the type of content delivery.](cdn-optimization-overview.md) |
cdn | Create Profile Endpoint Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/create-profile-endpoint-terraform.md | +ai-usage: ai-assisted # Quickstart: Create an Azure CDN profile and endpoint using Terraform |
certification | Concepts Legacy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/certification/concepts-legacy.md | - Title: Legacy devices on the Azure Certified Device catalog -description: An explanation of legacy devices on the Azure Certified Device catalog ---- Previously updated : 04/07/2021----# Legacy devices on the Azure Certified Device catalog --You may have noticed on the Azure Certified Device catalog that some devices don't have the blue outline or the "Azure Certified Device" label. These devices (dubbed "legacy devices") were previously certified under the legacy program. --## Certified for Azure IoT program --Before the launch of the Azure Certified Device program, hardware partners could previously certify their products under the Certified for Azure IoT program. The Azure Certified Device certification program refocuses its mission to deliver on customer promises rather than technical device capabilities. --Devices that have been certified as an ΓÇÿIoT Hub certified deviceΓÇÖ appear on the Azure Certified Device catalog as a ΓÇÿlegacy device.ΓÇÖ This label indicates devices have previously qualified through the now-retired program, but haven't been certified through the updated Azure Certified Device program. These devices are clearly noted in the catalog by their lack of blue outline, and can be found through the "IoT Hub Certified devices (legacy)" filter. --## Next steps --Interested in recertifying a legacy device under the Azure Certified Device program? You can submit your device through our portal and leave a note to our review team to coordinate. Follow the link below to get started! --- [Tutorial: Select your certification program](./tutorial-00-selecting-your-certification.md) |
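Review bot: no redirect for the removed concepts-legacy.md URL is visible in this change; because the entire file is deleted rather than edited, the published page will return 404 unless a redirect entry accompanies the deletion. The deleted article linked to tutorial-00-selecting-your-certification.md, and other certification articles that are being kept should be checked for inbound links to concepts-legacy.md so they do not point at a removed page.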
certification | Concepts Marketing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/certification/concepts-marketing.md | - Title: Marketing properties -description: A description of the different marketing fields collected in the portal and how they will appear on the Azure Certified Device catalog ---- Previously updated : 06/22/2021---# Marketing properties --In the process of [adding your device details](tutorial-02-adding-device-details.md), you will be required to supply marketing information that will be displayed on the [Azure Certified Device catalog](https://devicecatalog.azure.com). This information is collected within the Azure Certified Device portal during the certification submission process and will be used as filter parameters on the catalog. This article provides a mapping between the fields collected in the portal to how they appear on the catalog. After reading this article, partners should better understand what information to provide during the certification process to best represent their product on the catalog. --![PDP overview](./media/concepts-marketing/pdp-overview.png) --## Azure Certified Device catalog product tile --Visitors to the catalog will first interact with your device as a catalog product tile on the search page. This will provide a basic overview of the device and certifications it has been awarded. --![Product tile template](./media/concepts-marketing/product-tile.png) --| Field | Description | Where to add in the portal | -||-|-| -| Device Name | Public name of your certified device | Basics tab of Device details| -| Company name| Public name of your company | Not editable in the portal. Extracted from MPN account name | -| Product photo | Image of your device with minimum resolution 200p x 200p | Marketing details | -| Certification classification | Mandatory Azure Certified Device certification label and optional certification badges | Basics tab of Device details. 
Must pass appropriate testing in Connect & test section. | --## Product description page information --Once a customer has clicked on your device tile from the catalog search page, they will be navigated to the product description page of your device. This is where the bulk of the information provided during the certification process will be found. --The top of the product description page highlights key characteristics, some of which were already used for the product tile. --![PDP top bar](./media/concepts-marketing/pdp-top.png) --| Field | Description | Where to add in the portal | -||-|-| -| Device class | Classification of the form factor and primary purpose of your device ([Learn more](./resources-glossary.md)) | Basics tab of Device details| -| Device type | Classification of device based on implementation readiness ([Learn more](./resources-glossary.md)) | Basics tab of Device details | -| Geo availability | Regions that your device is available for purchase | Marketing details | -| Operating systems | Operating system(s) that your device supports | Product details tab of Device details | -| Target industries | Top 3 industries that your device is optimized for | Marketing details | -| Product description | Free text field for you to write your marketing description of your product. This can capture details not listed in the portal, or add additional context for the benefits of using your device. | Marketing details| --The remainder of the page is focused on displaying the technical specifications of your device in table format that will help your customer better understand your product. For convenience, the information displayed at the top of the page is also listed here, along with some additional device information. The rest of the table is sectioned by the components specified in the portal. 
--![PDP bottom page](./media/concepts-marketing/pdp-bottom.png) --| Field | Description | Where to add in the portal | -||-|-| -| Environmental certifications | Official certifications received for performance in different environments | Hardware of Device details | -| Operating conditions | Ingress Protection value or temperature ranges the device is qualified for | Software of device details | -| Azure software set-up | Classification of the set-up process to connect the device to Azure ([Learn more](./how-to-software-levels.md)) | Software of Device details | -| Component type | Classification of the form factor and primary purpose of your device ([Learn more](./resources-glossary.md)) | Hardware of Device details| -| Component name| Name of the component you are describing | Product details of Device details | -| Additional component information | Additional hardware specifications such as included sensors, connectivity, accelerators, etc. | Additional component information of Device details ([Learn more](./how-to-using-the-components-feature.md)) | -| Device dependency text | Partner-provided text describing the different dependencies the product requires to connect to Azure ([Learn more](./how-to-indirectly-connected-devices.md)) | Customer-facing comments section of Dependencies tab of Device details | -| Device dependency link | Link to a certified device that your current product requires | Dependencies tab of Device details | --## Shop links -Available both on the product tile and product description page is a Shop button. When clicked by the customer, a window opens that allows them to select a distributor (you are allowed to list up to 5 distributors). Once selected, the customer is redirected to the partner-provided URL. 
--![Image of Shop pop-up experience](./media/concepts-marketing/shop.png) --| Field | Description | Where to add in the portal | -||-|-| -| Distributor name | Name of the distributor who is selling your product | Marketing details| -| Get Device| Link to external website for customer to purchase the device (or request a quote from the distributor). This may be the same as the Manufacturer's page if the distributor is the same as the device manufacturer. If a purchase page is not available, this will redirect to the distributor's page for customer to contact them directly. | Distributor product page URL in marketing details. If no purchase page is available, link will default to Distributor URL in Marketing detail. | --## External links --Also included within the Product Description page are links that navigate to partner-provided sites or files that help the customer better understand the product. They appear towards the top of the page, beneath the product description text. The links displayed will differ for different device types and certification programs. --| Link | Description | Where to add in the portal | -||-|-| -| Get Started guide* | PDF file with user instructions to connect and use your device with Azure services | Add 'Get Started' guide section of the portal| -| Manufacturer's page*|Link to manufacturer's page. This page may be the specific product page for your device, or to the company home page if a marketing page is not available. | Manufacturer's marketing page in Marketing details | -| Device model | Public DTDL models for IoT Plug and Play solutions | Not editable in the portal. 
Device model must be uploaded to the ([public model repository](https://aka.ms/modelrepo) | -| Device source code | URL to device source code for Dev Kit device types| Basics tab of Device details | -- **Required for all published devices* --## Next steps -Now that you have an understanding of how we use the information you provide during certification, you are now ready to certify your device! Begin your certification project, or jump back into the device details stage to add your own marketing information. --- [Start your certification journey](./tutorial-00-selecting-your-certification.md)-- [Adding device details](./tutorial-02-adding-device-details.md) |
certification | Edge Secured Core Devices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/certification/edge-secured-core-devices.md | + + Title: Edge Secured-core certified devices +description: List of devices that have passed the Edge Secured-core certifications +++ Last updated : 01/26/2024+++++# Edge Secured-core certified devices +This page contains a list of devices that have successfully passed the Edge Secured-core certification. ++|Manufacturer|Device Name|OS|Last Updated| +||| +|Asus|[PE200U](https://www.asus.com/networking-iot-servers/aiot-industrial-solutions/embedded-computers-edge-ai-systems/pe200u/)|Windows 10 IoT Enterprise|2022-04-20| +|Asus|[PN64-E1 vPro](https://www.asus.com/ca-en/displays-desktops/mini-pcs/pn-series/asus-expertcenter-pn64-e1/)|Windows 10 IoT Enterprise|2023-08-08| +|AAEON|[SRG-TG01](https://newdata.aaeon.com.tw/DOWNLOAD/2014%20datasheet/Systems/SRG-TG01.pdf)|Windows 10 IoT Enterprise|2022-06-14| +|Intel|[NUC13L3Hv7](https://www.asus.com/us/displays-desktops/nucs/nuc-kits/nuc-13-pro-kit/techspec/)|Windows 10 IoT Enterprise|2023-04-28| +|Intel|[NUC13L3Hv5](https://www.asus.com/us/displays-desktops/nucs/nuc-kits/nuc-13-pro-kit/techspec/)|Windows 10 IoT Enterprise|2023-04-12| +|Intel|[NUC13ANKv7](https://www.asus.com/us/displays-desktops/nucs/nuc-kits/nuc-13-pro-kit/techspec/)|Windows 10 IoT Enterprise|2023-01-27| +|Intel|[NUC12WSKv5](https://www.asus.com/displays-desktops/nucs/nuc-mini-pcs/nuc-12-pro-mini-pc/techspec/)|Windows 10 IoT Enterprise|2023-03-16| +|Intel|ELM12HBv5+CMB1AB|Windows 10 IoT Enterprise|2023-03-17| +|Intel|[NUC12WSKV7](https://www.asus.com/displays-desktops/nucs/nuc-mini-pcs/nuc-12-pro-mini-pc/techspec/)|Windows 10 IoT Enterprise|2022-10-31| +|Intel|BELM12HBv716W+CMB1AB|Windows 10 IoT Enterprise|2022-10-25| +|Intel|NUC11TNHv5000|Windows 10 IoT Enterprise|2022-06-14| +|Lenovo|[ThinkEdge SE30](https://www.lenovo.com/us/en/p/desktops/thinkedge/thinkedge-se30/len102c0004)|Windows 10 IoT 
Enterprise|2022-04-06| |
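Review bot: three Intel rows in the new table (ELM12HBv5+CMB1AB, BELM12HBv716W+CMB1AB, NUC11TNHv5000) have no product link while every other row does; add links or note why none are available. The Intel NUC12 and NUC13 rows link to asus.com product pages, so confirm whether the Manufacturer column for those rows should read Intel or ASUS, and keep the Manufacturer, Device Name and link consistent with each other.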
certification | Edge Secured Core Get Certified | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/certification/edge-secured-core-get-certified.md | + + Title: Get your device certified +description: Instructions to achieve Edge Secured-core certifications +++ Last updated : 01/26/2024+++++# Get your device certified +This page contains a series of steps to get a new device Edge Secured-core certified. ++## Prerequisites +Create a [Microsoft Partner Center account.](https://partner.microsoft.com/dashboard/account/exp/enrollment/welcome?cloudInstance=Global&accountProgram=Reseller) ++## Certification steps +1. Review [Edge Secured-core certification requirements](program-requirements-edge-secured-core.md). +2. Submit a [form](https://forms.office.com/r/HSAtk0Ghru) to express interest in getting your device certified. +3. Microsoft reaches out to you on next steps and provides instructions to validate that your device meets the program's requirements. +4. Once your device validation is completed based on the instructions provided, share the results with Microsoft. +5. Microsoft reviews and communicates the status of your submission. +6. If the device is approved for Edge Secured-core certification, notification is sent and the device appears on the [Edge Secured-core device listing](edge-secured-core-devices.md) page. +7. If the device didn't meet requirements for Edge Secured-core certification, notification is sent and you can submit new/additional validation data to Microsoft. ++[![Diagram showing flowchart for certification process.](./media/images/certification-flowchart.png)](./media/images/certification-flowchart-expanded.png#lightbox) |
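Review bot: step 4 tells the reader to "share the results with Microsoft" but names no channel (the form from step 2, email, or Partner Center), so the reader cannot complete the step from this page; state where the validation results are sent. Step 3 likewise leaves "instructions to validate" unspecified, which is fine if they are sent per submission, but say that explicitly. Minor wording: "new/additional validation data" in step 7 reads better as "new or additional validation data".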
certification | How To Edit Published Device | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/certification/how-to-edit-published-device.md | - Title: How to edit your published Azure Certified Device -description: A guide to edit you device information after you have certified and published your device through the Azure Certified Device program. ---- Previously updated : 07/13/2021----# Edit your published device --After your device has been certified and published to the Azure Certified Device catalog, you may need to update your device details. This may be due to an update to your distributor list, changes to purchase page URLs, or updates to the hardware specifications (such as operating system version or a new component addition). You may also have to update your IoT Plug and Play device model from what you originally uploaded to the model repository. ---## Prerequisites --- You should be signed in and have an **approved** project for your device on the [Azure Certified Device portal](https://certify.azure.com). If you don't have a certified device, you can view this [tutorial](tutorial-01-creating-your-project.md) to get started.---## Editing your published project information --On the project summary, you should notice that your project is in read-only mode since it has already been reviewed and accepted. To make changes, you will have to request an edit to your project and have the update re-approved by the Azure Certification team. --1. Click the `Request Metadata Edit` button on the top of the page -- ![Request metadata update](./media/images/request-metadata-edit.png) --1. Acknowledge the notification on the page that you will be required to submit your product for review after editing. - > [!NOTE] - > By confirming this edit, you are **not** removing your device from the Azure Certified Device catalog if it has already been published. 
Your previous version of the product will remain on the catalog until you have republished your device. - > You will also not have to repeat the Connect & test section of the portal. --1. Once acknowledging this warning, you can edit your device details. Make sure to leave a note in the `Comments for Reviewer` section of `Device Details` of what has been changed. -- ![Note of metadata edit](./media/images/edit-notes.png) --1. On the project summary page, click `Submit for review` to have your changes reapproved by the Azure Certification team. -1. After your changes have been reviewed and approved, you can then republish your changes to the catalog through the portal (See our [tutorial](./tutorial-04-publishing-your-device.md)). --## Editing your IoT Plug and Play device model --Once you have submitted your device model to the public model repository, it cannot be removed. If you update your device model and would like to re-link your certified device to the new model, you **must re-certify** your device as a new project. If you do this, please leave a note in the 'Comments for Reviewer' section so the certification team can remove your old device entry. --## Next steps --You've now successfully edited your device on the Azure Certified Device catalog. You can check out your changes on the catalog, or certify another device! -- [Azure Certified Device catalog](https://devicecatalog.azure.com/)-- [Get started with certifying a device](./tutorial-01-creating-your-project.md) |
certification | How To Indirectly Connected Devices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/certification/how-to-indirectly-connected-devices.md | - -# Mandatory fields. Title: Certify bundled or indirectly connected devices--description: Learn how to submit a bundled or indirectly connected device for Azure Certified Device certification. See how to configure dependencies and components. -- Previously updated : 06/07/2022-----# Optional fields. Don't forget to remove # if you need a field. -# -# ---# Device bundles and indirectly connected devices --Many devices interact with Azure indirectly. Some communicate through another device, such as a gateway. Others connect through software as a service (SaaS) or platform as a service (PaaS) offerings. --The [submission portal](https://certify.azure.com/) and [device catalog](https://devicecatalog.azure.com) offer support for indirectly connected devices: --- By listing dependencies in the portal, you can specify that your device needs another device or service to connect to Azure.-- By adding components, you can indicate that your device is part of a bundle.--This functionality gives indirectly connected devices access to the Azure Certified Device program. --Depending on your product line and the services that you offer or use, your situation might require a combination of dependencies and bundling. The Azure Edge Certification Portal provides a way for you to list dependencies and additional components. ---## Sensors and indirect devices --Many sensors require a device to connect to Azure. In addition, you might have multiple compatible devices that work with the sensor. **To accommodate these scenarios, certify the devices before you certify the sensor that passes information through them.** --The following matrix provides some examples of submission combinations: ---To certify a sensor that requires a separate device: --1. 
Go to the [Azure Certified Device portal](https://certify.azure.com) to certify the device and publish it to the Azure Certified Device catalog. If you have multiple, compatible pass-through devices, as in the earlier example, submit them separately for certification and catalog publication. --1. With the sensor connected through the device, submit the sensor for certification. In the **Dependencies** tab of the **Device details** section, set the following values: -- - **Dependency type**: Select **Hardware gateway**. - - **Dependency URL**: Enter the URL of the device in the device catalog. - - **Used during testing**: Select **Yes**. - - **Customer-facing comments**: Enter any comments that you'd like to provide to a user who sees the product description in the device catalog. For example, you might enter **Series 100 devices are required for sensors to connect to Azure**. --1. If you'd like to add more devices as optional for this device: -- 1. Select **Add additional dependency**. - 1. Enter **Dependency type** and **Dependency URL** values. - 1. For **Used during testing**, select **No**. - 1. For **Customer-facing comments**, enter a comment that informs your customers that other devices are available as alternatives to the device that was used during testing. ---## PaaS and SaaS offerings --As part of your product portfolio, you might certify a device that requires services from your company or third-party companies. To add this type of dependency: --1. Go to the [Azure Certified Device portal](https://certify.azure.com) and start the submission process for your device. --1. In the **Dependencies** tab, enter the following values: -- - **Dependency type**: Select **Software service**. - - **Service name**: Enter the name of your product. - - **Dependency URL**: Enter the URL of a product page that describes the service. 
- - **Customer-facing comments**: Enter any comments that you'd like to provide to a user who sees the product description in the Azure Certified Device catalog. --1. If you have other software, services, or hardware dependencies that you'd like to add as optional for this device, select **Add additional dependency** and enter the required information. ---## Bundled products --With bundled product listings, a device is successfully certified in the Azure Certified Device program with other components. The device and the components are then sold together under one product listing. --The following matrix provides some examples of bundled products. You can submit a device that includes extra components such as a temperature sensor and a camera sensor, as in submission example 1. You can also submit a touch sensor that includes a pass-through device, as in submission example 2. ---Use the component feature to add multiple components to your listing. Format the product listing image to indicate that your product comes with other components. If your bundle requires additional services for certification, identify those services through service dependencies. --For a more detailed description of how to use the component functionality in the Azure Certified Device portal, see [Add components on the portal](./how-to-using-the-components-feature.md). --If a device is a pass-through device with a separate sensor in the same product, create one component to reflect the pass-through device, and another component to reflect the sensor. As the following screenshot shows, you can add components to your project in the **Product details** tab of the **Device details** section: ---Configure the pass-through device first. For **Component type**, select **Customer Ready Product**. Enter the other values, as relevant for your product. The following screenshot provides an example: ---For the sensor, add a second component. For **Component type**, select **Peripheral**. 
For **Attachment method**, select **Discrete**. The following screenshot provides an example: ---After you've created the sensor component, enter its information. Then go to the **Sensors** tab and enter detailed sensor information, as the following screenshot shows. ---Complete the rest of your project's details, and then submit your device for certification as usual. |
certification | How To Software Levels | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/certification/how-to-software-levels.md | - Title: Software levels of Azure Certified Devices -description: A breakdown of the different software levels that an Azure Certified Device may be classified as. ---- Previously updated : 06/22/2021----# Software levels of Azure Certified Devices --Software levels are a feature defined by the Azure Certified Device program to help device builders indicate the technical level of difficulty a customer can expect when connecting the device to Azure services. Appearing on the catalog as "Azure software set-up," these values are aimed to help viewers better understand the product and its connection to Azure. The definitions of each of these levels are provided below. --## Level 1 --User can immediately connect device to Azure by simply adding provisioning details. The certified IoT device already contains pre-installed software that was used for certification upon purchase. This level is most similar to having an "out-of-the-box" set-up experience for IoT beginners who are not as comfortable with compiling source code. --## Level 2 --User must flash/apply manufacturer-provided software image to the device to connect to Azure. Extra tools/software experience may be required. The link to the software image is also provided in our catalog. --## Level 3 --User must follow a manufacturer-provided guide to prepare and install Azure-specific software. No Azure-specific software image is provided, so some customization and compilation of provided source code is required. --## Level 4 --User must develop, customize, and recompile their own device code to connect to Azure. No manufacturer-supported source code is available. This level is most well suited for developers looking to create custom deployments for their device. --## Next steps --These levels are aimed to help you get started with building IoT solutions with Azure! 
Ready to get started? Visit the [Azure Certified Device catalog](https://devicecatalog.azure.com) to get searching for devices! --Are you a device builder who is looking to add this software level to your certified device? Check out the links below. -- [Edit a previously published device](how-to-edit-published-device.md)-- [Tutorial: Adding device details](tutorial-02-adding-device-details.md) |
certification | How To Test Device Update | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/certification/how-to-test-device-update.md | - Title: How to test Device Update for IoT Hub -description: A guide describing how to test Device Update for IoT Hub on a Linux host in preparation for Edge Secured-core certification. ---- Previously updated : 06/20/2022----# How to test Device Update for IoT Hub -The [Device Update for IoT Hub](..\iot-hub-device-update\understand-device-update.md) test exercises your deviceΓÇÖs ability to receive an update from IoT Hub. The following steps will guide you through the process to test Device Update for IoT Hub when attempting device certification. --## Prerequisites -* Device must be capable of running Linux [IoT Edge supported container](..\iot-edge\support.md). -* Your device must be capable of receiving an [.SWU update](https://swupdate.org/) and be able to return to a running and connected state after the update is applied. -* The update package and manifest must be applicable to the device under test. (Example: If the device is running ΓÇ£Version 1.0ΓÇ¥, the update should be ΓÇ£Version 2.0ΓÇ¥.) -* Upload your .SWU file to a blob storage location of your choice. -* Create a SAS URL for accessing the uploaded .SWU file. --## Test the device -1. On the Connect + test page, select **"Yes"** for the **"Are you able to test Device Update for IoT Hub?"** question. - > [!Note] - > If you are not able to test Device Update and select No, you will still be able to run all other Secured-core tests, but your product will not be eligible for certification. -- :::image type="content" source="./media/how-to-adu/connect-test.png" alt-text="Dialog to confirm that you are able to test device for IoT Hub."::: --2. Proceed with connecting your device to the test infrastructure. --3. On the Select Requirement Validation step, select **"Upload"**. 
- :::image type="content" source="./media/how-to-adu/connect-and-test.png" alt-text="Dialog that shows the selected tests that will be validated."::: --4. Upload your .importmanifest.json file by selecting the **Choose File** button. Select your file and then select the **Upload** button. - > [!Note] - > The file extension must be .importmanifest.json. - - :::image type="content" source="./media/how-to-adu/upload-manifest.png" alt-text="Dialog to instruct the user to upload the .importmanifest.json file by selecting the choose File button."::: --5. Copy and Paste the SAS URL to the location of your .SWU file in the provided input box, then select the **Validate** button. - :::image type="content" source="./media/how-to-adu/input-sas-url.png" alt-text="Dialog that shows how the SAS url is applied."::: --6. Once weΓÇÖve validated our service can reach the provided URL, select **Import**. - :::image type="content" source="./media/how-to-adu/finalize-import.png" alt-text="Dialog to inform the user that the SAS URL was reachable and that the user needs to click import."::: -- > [!Note] - > If you receive an ΓÇ£Invalid SAS URLΓÇ¥ message, generate a new SAS URL from your storage blob and try again. --7. Select **Continue** to proceed --8. Congratulations! You're now ready to proceed with Edge Secured-core testing. --9. Select the **Run tests** button to begin the testing process. Your device will be updated as the final step in our Edge Secured-core testing. |
certification | How To Using The Components Feature | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/certification/how-to-using-the-components-feature.md | - Title: How to use the components feature in the Azure Certified Device portal -description: A guide on how to best use the components feature of the Device details section to accurately describe your device ---- Previously updated : 05/04/2021----# Add components on the portal --While completing the [tutorial to add device details](tutorial-02-adding-device-details.md) to your certification project, you will be expected to describe the hardware specifications of your device. To do so, users can highlight multiple, separate hardware products (referred to as **components**) that make up your device. This enables you to better promote devices that come with additional hardware, and allows customers to find the right product by searching on the catalog based on these features. --## Prerequisites --- You should be signed in and have a project for your device created on the [Azure Certified Device portal](https://certify.azure.com). For more information, view the [tutorial](tutorial-01-creating-your-project.md).--## How to add components --Every project submitted for certification will include one **Customer Ready Product** component (which in many cases will represent the holistic product itself). To better understand the distinction of a Customer Ready Product component type, view our [certification glossary](./resources-glossary.md). All additional components are at your discretion to include to accurately capture your device. --1. Select `Add a component` on the Hardware tab. -- ![Add a component link](./media/images/add-component-new.png) --1. Complete relevant form fields for the component. -- ![Component details section](./media/images/component-details-section.png) --1. 
Save your information using the `Save Product Details` button at the bottom of the page: -- ![Save Product Details button](./media/images/save-product-details-button.png) --1. Once you have saved your component, you can further tailor the hardware capabilities it supports. Select the `Edit` link by the component name. -- ![Edit Component button](./media/images/component-edit.png) --1. Provide relevant hardware capability information where appropriate. -- ![Image of editable component sections](./media/images/component-selection-area.png) -- The editable component fields (shown above) include: -- - **General**: Hardware details such as processors and secure hardware - - **Connectivity**: Connectivity options, protocols, and interfaces such as radio(s) and GPIO - - **Accelerators**: Specify hardware acceleration such as GPU and VPU - - **Sensors**: Specify available sensors such as GPS and vibration - - **Additional Specs**: Additional information about the device such as physical dimensions and storage/battery information --1. Select `Save Product Details` at the bottom of the Product details page. --## Component use requirements and recommendations --You may have questions regarding how many components to include, or what component type to use. Below are examples of a few sample scenarios of devices that you may be certifying, and how you can use the components feature. --| Product Type | No. 
Components | Component 1 / Attachment Type | Components 2+ / Attachment Type | -|-||-|--| -| Finished Product | 1 | Customer Ready Product, Discrete | N/A | -| Finished Product with **detachable peripheral(s)** | 2 or more | Customer Ready Product, Discrete | Peripheral / Discrete or Integrated | -| Finished Product with **integrated component(s)** | 2 or more | Customer Ready Product, Discrete | Select appropriate type / Discrete or integrated | -| Solution-Ready Dev Kit | 1 or more | Customer Ready Product or Development Board, Discrete or Integrated| Select appropriate type / Discrete or integrated | --## Example component usage --Below are examples of how an OEM called Contoso would use the components feature to certify their product, called Falcon. --1. Falcon is a complete stand-alone device that does not integrate into a larger product. - 1. No. of components: 1 - 1. Component device type: Customer Ready Product - 1. Attachment type: Discrete -- ![Image of customer ready product](./media/images/customer-ready-product.png) --1. Falcon is a device that includes an integrated peripheral camera module manufactured by INC Electronics that connects via USB to Falcon. - 1. No. of components: 2 - 1. Component device type: Customer Ready Product, Peripheral - 1. Attachment type: Discrete, Integrated - - > [!Note] - > The peripheral component is considered integrated because it is not removable. -- ![Image of peripheral example component](./media/images/peripheral.png) --1. Falcon is a device that includes an integrated System on Module from INC Electronics that uses a built-in processor Apollo52 from company Espressif and has an ARM64 architecture. - 1. No. of components: 2 - 1. Component device type: Customer Ready Product, System on Module - 1. Attachment type: Discrete, Integrated -- > [!Note] - > The peripheral component is considered integrated because it is not removable. The SoM component would also include processor information. 
-- ![Image of system on module example component ](./media/images/system-on-module.png) --## Additional tips --We've provided below more clarifications regarding our component usage policy. If you have any questions about appropriate component usage, contact our team at [iotcert@microsoft.com](mailto:iotcert@microsoft.com), and we'll be more than happy to help! --1. A project must contain **only** one Customer Ready Product component. If you are certifying a project with two independent devices, those devices should be certified separately. -1. It is primarily up to you to use (or not use) components to promote your device's capabilities to potential customers. -1. During our review of your device, the Azure Certification team will only require at least one Customer Ready Product component to be listed. However, we may request edits to the component information if the details are not clear or appear to be lacking (for example, component manufacturer is not supplied for a Customer Ready Product type). --## Next steps --Now that you're ready to use our components feature, you're now ready to complete your device details or edit your project for further clarity. --- [Tutorial: Adding device details](tutorial-02-adding-device-details.md)-- [Editing your published device](how-to-edit-published-device.md) |
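Review bot: the deleted page how-to-using-the-components-feature.md needs a redirect entry rather than a bare delete, and its cross-links need a follow-up check. The removed text links to tutorial-01-creating-your-project.md, tutorial-02-adding-device-details.md, how-to-edit-published-device.md and resources-glossary.md, and those pages link back; unless they are removed in the same change, the docs build will carry dangling links to a URL that external readers may also still have bookmarked.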
certification | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/certification/overview.md | Title: Overview of the Azure Certified Device program -description: An overview of the Azure Certified Device program for our partners and customers. Use these resources to start the device certification process. Find out how to certify your device, from IoT device requirements to publishing your device. --+ Title: Overview of the Edge Secured-core program +description: An overview of the Edge Secured-core program for our partners and customers. Use these resources to start the certification process. Find out how to certify your device, from IoT device requirements to the device being published. ++ Previously updated : 04/09/2021 Last updated : 02/07/2024 +# Edge Secured-core Program +> _Note: As of February 2024, the Azure Certified Device program has been retired. This page has been updated as a new home for the Edge Secured-core program._ +## What is the Edge Secured-core program? ## +Edge Secured-Core is Microsoft's recommended standard for highly secured embedded devices. Such devices must include hardware security features, must be shipped in a secured state, and must be able to connect to services that enable that security monitoring and maintenance for the lifetime of the device. -# What is the Azure Certified Device program? -> [!Note] -> The Azure Certified Device program has met its goals and will conclude on February 23, 2024. This means that the Azure Certified Device catalog, along with certifications for Azure Certified Device, Edge Managed, and IoT Plug and Play will no longer be available after this date. However, the Edge Secured-core program will remain active and will be relocated to a new home at [aka.ms/EdgeSecuredCoreHome](https://aka.ms/EdgeSecuredCoreHome). +## Program purpose ## +Edge Secured-core is a security certification for devices running a full operating system. 
Edge Secured-core currently supports Windows IoT and Azure Sphere OS. Linux support is coming in the future. Devices meeting this criteria enable these promises: -Thank you for your interest in the Azure Certified Device program! Azure Certified Device is a free program that enables you to differentiate, certify, and promote your IoT devices built to run on Azure. From intelligent cameras to connected sensors to edge infrastructure, this enhanced IoT device certification program helps device builders increase their product visibility and saves customers time in building solutions. --## Our certification promise --The Azure Certified Device program ensures customer solutions work great on Azure. It is a program that utilizes tools, services, and a catalog to share industry knowledge with our community of builders within the IoT ecosystem to help builders and customers alike. --Across the device certification process, the three tenets of this program are: --- **Giving customers confidence:** Customers can confidently purchase Azure certified devices that carry the Microsoft promise.--- **Matchmaking customers with the right devices for them:** Device builders can set themselves apart with certification that highlights their unique capabilities, and customers can easily find IoT qualified devices that fit their needs.--- **Promoting certified devices:** Device builders get increased visibility, contact with customers, and usage of MicrosoftΓÇÖs Azure Certified Device brand.+1. Hardware-based device identity +2. Capable of enforcing system integrity +3. Stays up to date and is remotely manageable +4. Provides data at-rest protection +5. Provides data in-transit protection +6. Built-in security agent and hardening ## User roles -The Azure Certified Device program serves two different audiences. --1. **Device builders**: Do you build IoT devices? 
Easily differentiate your IoT device capabilities and gain access to a worldwide audience looking to reliably purchase devices built to run on Azure. Use the Azure Certified Device Catalog to increase product visibility and connect with customers by certifying your device and show it meets specific IoT device requirements. -1. **Solution builders**: Wondering what are IoT qualified devices? Confidently find and purchase IoT devices built to run on Azure, knowing they meet specific IoT requirements. Easily search and select the right certified device for your IoT solution on the [Azure Certified Device catalog](https://devicecatalog.azure.com/). --## Our certification programs and IoT device requirements. +The Edge Secured-core program serves two different audiences. -There are four different certifications available now! Each certification is focused on delivering a different customer value. Depending on the type of device and your target audience, you can choose which certification(s) is most applicable for you to apply for. Select the titles of each program to learn more about the program and IoT requirements. --| Certification program | Overview | -|-| -| [Azure Certified Device](program-requirements-azure-certified-device.md) | Azure Certified Device certification validates that a device can connect with Azure IoT Hub and securely provision through the Device Provisioning Service (DPS). This certification reflects a device's functionality and interoperability, which are a **required baseline** for all other certifications. | -| [IoT Plug and Play](program-requirements-pnp.md) | IoT Plug and Play certification, an incremental certification beyond the baseline Azure Certified Device certification, validates Digital Twin Definition Language version 2 (DTDL) and interaction based on your device model. 
It enables a seamless device-to-cloud integration experience and enables hardware partners to build devices that can seamlessly integrate without the need to write custom code. | -| [Edge Managed](program-requirements-edge-managed.md) | Edge Managed certification, an incremental certification beyond the baseline Azure Certified Device certification, focuses on device management standards for Azure connected devices. | -| [Edge Secured Core](program-requirements-edge-secured-core.md) | Edge Secured-core certification, an incremental certification beyond the baseline Azure Certified Device certification, is for IoT devices running a full operating system such as Linux or Windows 10 IoT. It validates devices meet additional security requirements around device identity, secure boot, operating system hardening, device updates, data protection, and vulnerability disclosures. | --## How to certify your device --Certifying a device involves several major steps on the [Azure Certified Device portal](https://certify.azure.com): --1. Select the right certification for your device based on the IoT device requirements. -1. Create your project in the [Azure Certified Device portal](https://certify.azure.com). -1. Add device details including hardware capability information to begin the device certification process. -1. Validate device functionality -1. Submit and complete the review process --> [!Note] -> The review process can take up to a week to complete, though sometimes may take longer. --Once you have certified your device, you then can optionally complete two of the following activities: --1. Publishing to the Azure Certified Device Catalog (optional) -1. Updating your project after it has been approved/published (optional) +1. **Device builders**: Do you build Edge devices? Easily differentiate your Edge device capabilities by certifying your device, showing that it meets specific security requirements. +1. 
**Solution builders**: Wondering what Edge devices are capable of security? Confidently purchase Edge devices from Device builders, knowing they meet specific security requirements. Check out the list of current Device builders with certified [Edge Secured-core devices](edge-secured-core-devices.md). ## Next steps -Ready to get started with your certification journey? View our resources below to start the device certification process! +Ready to get started with your certification journey? View our resources to start the device certification process! ++- [Edge Secured-core program requirements](program-requirements-edge-secured-core.md) +- [Start the certification process](edge-secured-core-get-certified.md) -- [Starting the certification process](tutorial-00-selecting-your-certification.md)-- If you have other questions or feedback, contact [the Azure Certified Device team](mailto:iotcert@microsoft.com). |
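Review bot: the added headings are inconsistent with the rest of the file and two added sentences need a grammar pass. `+## What is the Edge Secured-core program? ##` and `+## Program purpose ##` use closing hashes while `## User roles` and `## Next steps` do not; drop the trailing `##`. In the definition, "services that enable that security monitoring and maintenance" has a stray "that", and the solution-builder line "Wondering what Edge devices are capable of security?" does not parse; "Wondering which Edge devices meet security requirements?" says what is meant. The new retirement note also loses the exact date the removed note carried (February 23, 2024); keeping it costs nothing and helps readers date the change.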
certification | Program Requirements Azure Certified Device | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/certification/program-requirements-azure-certified-device.md | - Title: Azure Certified Device Certification Requirements -description: Azure Certified Device Certification Requirements --- Previously updated : 03/15/2021-------# Azure Certified Device Certification Requirements -> [!Note] -> The Azure Certified Device program has met its goals and will conclude on February 23, 2024. This means that the Azure Certified Device catalog, along with certifications for Azure Certified Device, Edge Managed, and IoT Plug and Play will no longer be available after this date. However, the Edge Secured-core program will remain active and will be relocated to a new home at [aka.ms/EdgeSecuredCoreHome](https://aka.ms/EdgeSecuredCoreHome). --This document outlines the device specific capabilities that will be represented in the Azure Certified Device catalog. A capability is singular device attribute that may be software implementation or combination of software and hardware implementations. --## Program Purpose --Microsoft is simplifying IoT and Azure Certified Device certification is baseline certification program to ensure any device types are provisioned to Azure IoT Hub securely. --Promise of Azure Certified Device certification are: --1. Device support telemetry that works with IoT Hub -2. Device support IoT Hub Device Provisioning Service (DPS) to securely provisioned to Azure IoT Hub -3. Device supports easy input of target DPS ID scope transfer without requiring user to recompile embedded code. -4. 
Optionally validates other elements such as cloud to device messages, direct methods and device twin --## Requirements --**[Required] Device to cloud: The purpose of test is to make sure devices that send telemetry works with IoT Hub** --| **Name** | AzureCertified.D2C | -| -- | | -| **Target Availability** | Available now | -| **Applies To** | Leaf device/Edge device | -| **OS** | Agnostic | -| **Validation Type** | Automated | -| **Validation** | Device must send any telemetry schemas to IoT Hub. Microsoft provides the [portal workflow](https://certify.azure.com/) to execute the tests. Device to cloud (required): **1.** Validates that the device can send message to AICS managed IoT Hub **2.** User must specify the number and frequency of messages. **3.** AICS validates the telemetry is received by the Hub instance | -| **Resources** | [Certification steps](./overview.md) (has all the additional resources) | --**[Required] DPS: The purpose of test is to check the device implements and supports IoT Hub Device Provisioning Service with one of the three attestation methods** --| **Name** | AzureCertified.DPS | -| -- | | -| **Target Availability** | New | -| **Applies To** | Any device | -| **OS** | Agnostic | -| **Validation Type** | Automated | -| **Validation** | Device supports easy input of target DPS ID scope ownership. 
Microsoft provides the [portal workflow](https://certify.azure.com) to execute the tests to validate that the device supports DPS **1.** User must select one of the attestation methods (X.509, TPM and SAS key) **2.** Depending on the attestation method, user needs to take corresponding action such as **a)** Upload X.509 cert to AICS managed DPS scope **b)** Implement SAS key or endorsement key into the device | -| **Resources** | [Device provisioning service overview](../iot-dps/about-iot-dps.md) | --**[If implemented] Cloud to device: The purpose of test is to make sure messages can be sent from cloud to devices** --| **Name** | AzureCertified.C2D | -| -- | | -| **Target Availability** | Available now | -| **Applies To** | Leaf device/Edge device | -| **OS** | Agnostic | -| **Validation Type** | Automated | -| **Validation** | Device must be able to Cloud to Device messages from IoT Hub. Microsoft provides the [portal workflow](https://certify.azure.com) to execute these tests.Cloud to device (if implemented): **1.** Validates that the device can receive message from IoT Hub **2.** AICS sends random message and validates via message ACK from the device | -| **Resources** | **a)** [Certification steps](./overview.md) (has all the additional resources) **b)** [Send cloud to device messages from an IoT Hub](../iot-hub/iot-hub-devguide-messages-c2d.md) | --**[If implemented] Direct methods: The purpose of test is to make sure devices works with IoT Hub and supports direct methods** --| **Name** | AzureCertified.DirectMethods | -| -- | | -| **Target Availability** | Available now | -| **Applies To** | Leaf device/Edge device | -| **OS** | Agnostic | -| **Validation Type** | Automated | -| **Validation** | Device must be able to receive and reply commands requests from IoT Hub. Microsoft provides the [portal workflow](https://certify.azure.com) to execute the tests. Direct methods (if implemented) **1.** User has to specify the method payload of direct method. 
**2.** AICS validates the specified payload request is sent from Hub and ACK message received by the device | -| **Resources** | **a)** [Certification steps](./overview.md) (has all the additional resources) **b)** [Understand direct methods from IoT Hub](../iot-hub/iot-hub-devguide-direct-methods.md) | --**[If implemented] Device twin property: The purpose of test is to make sure devices that send telemetry works with IoT Hub and supports some of the IoT Hub capabilities such as direct methods, and device twin property** --| **Name** | AzureCertified.DeviceTwin | -| -- | | -| **Target Availability** | Available now | -| **Applies To** | Leaf device/Edge device | -| **OS** | Agnostic | -| **Validation Type** | Automated | -| **Validation** | Device must send any telemetry schemas to IoT Hub. Microsoft provides the [portal workflow](https://certify.azure.com) to execute the tests. Device twin property (if implemented) **1.** AICS validates the read/write-able property in device twin JSON **2.** User has to specify the JSON payload to be changed **3.** AICS validates the specified desired properties sent from IoT Hub and ACK message received by the device | -| **Resources** | **a)** [Certification steps](./overview.md) (has all the additional resources) **b)** [Use device twins with IoT Hub](../iot-hub/iot-hub-devguide-device-twins.md) | --**[Required] Limit Recompile: The purpose of this policy ensures devices by default should not need users to re-compile code to deploy the device.** --| **Name** | AzureCertified.Policy.LimitRecompile | -| -- | | -| **Target Availability** | Policy | -| **Applies To** | Any device | -| **OS** | Agnostic | -| **Validation Type** | Policy | -| **Validation** | To simplify device configuration for users, we require all devices can be configured to connect to Azure without the need to recompile and deploy device source code. This includes DPS information, such as Scope ID, which should be set as configuration settings and not compiled. 
However, if your device contains certain secure hardware or if there are extenuating circumstances in which the user will expect to compile and deploy code, contact the certification team to request an exception review. | -| **Resources** | **a)** [Device provisioning service overview](../iot-dps/about-iot-dps.md) **b)** Sample config file for DPS ID Scope transfer | |
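Review bot: the deleted baseline page is the one the old Edge Secured-core requirements page described as its prerequisite ("an incremental certification beyond the baseline Azure Certified Device certification"), and it defined the AzureCertified.DPS, AzureCertified.D2C and AzureCertified.Policy.LimitRecompile validations. Removing it is consistent with the retirement, but the PR should add a redirect for program-requirements-azure-certified-device.md (the removed note already sends readers to https://aka.ms/EdgeSecuredCoreHome) and confirm that no surviving page still links to it or to the validation names it defined.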
certification | Program Requirements Edge Managed | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/certification/program-requirements-edge-managed.md | - Title: Edge Managed Certification Requirements -description: Edge Managed Certification Requirements --- Previously updated : 03/15/2021-------# Edge Managed Certification Requirements -> [!Note] -> The Azure Certified Device program has met its goals and will conclude on February 23, 2024. This means that the Azure Certified Device catalog, along with certifications for Azure Certified Device, Edge Managed, and IoT Plug and Play will no longer be available after this date. However, the Edge Secured-core program will remain active and will be relocated to a new home at [aka.ms/EdgeSecuredCoreHome](https://aka.ms/EdgeSecuredCoreHome). --This document outlines the device specific capabilities that will be represented in the Azure Certified Device catalog. A capability is singular device attribute that may describe the device. --## Program Purpose --Edge Managed certification, an incremental certification beyond the baseline Azure Certified Device certification. Edge Managed focuses on device management standards for Azure connected devices and validates the IoT Edge runtime compatibility for module deployment and management. (Previously, this program was identified as the IoT Edge certification program.) --Edge Managed certification validates IoT Edge runtime compatibility for module deployment and management. This program provides confidence in the management of Azure connected IoT devices. --## Requirements --The Edge Managed certification requires that all requirements from the [Azure Certified Device baseline program](.\program-requirements-azure-certified-device.md). 
--**DPS: The purpose of test is to check the device implements and supports IoT Hub Device Provisioning Service with one of the three attestation methods** --| **Name** | AzureReady.DPS | -| -- | | -| **Target Availability** | Available now | -| **Applies To** | Any device | -| **OS** | Agnostic | -| **Validation Type** | Automated | -| **Validation** | AICS validates the device code support DPS. **1.** User has to select one of the attestation methods (X.509, TPM and SAS key). **2.** Depending on the attestation method, user needs to take corresponding action such as **a)** Upload X.509 cert to AICS managed DPS scope **b)** Implement SAS key or endorsement key into the device. **3.** Then, user will hit ΓÇÿConnectΓÇÖ button to connect to AICS managed IoT Hub via DPS | -| **Resources** | | -| **Azure Recommended:** | N/A | --## IoT Edge --**Edge runtime exists: The purpose of test is to make sure the device contains IoT Edge runtime ($edgehub and $edgeagent) are functioning correctly.** --| **Name** | EdgeManaged.EdgeRT | -| -- | | -| **Target Availability** | Available now | -| **Applies To** | IoT Edge device | -| **OS** | [Tier1 and Tier2 OS](../iot-edge/support.md) | -| **Validation Type** | Automated | -| **Validation** | AICS validates the deploy-ability of the installed IoT Edge RT. 
**1.** User needs to specify specific OS (OS not on the list of Tier1/2 are not accepted) **2.** AICS generates its config.yaml and deploys canonical [simulated temp sensor edge module](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azure-iot.simulated-temperature-sensor?tab=Overview) **3.** AICS validates that docker compatible container subsystem (Moby) is installed on the device **4.** Test result is determined based on successful deployment of the simulated temp sensor edge module and functionality of docker compatible container subsystem | -| **Resources** | **a)** [AICS blog](https://azure.microsoft.com/blog/expanding-azure-iot-certification-service-to-support-azure-iot-edge-device-certification/), **b)** [Certification steps](./overview.md) (has all the additional resources), **c)** [Requirements](./program-requirements-azure-certified-device.md) | -| **Azure Recommended:** | N/A | --### Capability Template: --**IoT Edge easy setup: The purpose of test is to make sure IoT Edge device is easy to set up and validates IoT Edge runtime is preinstalled during physical device validation** --| **Name** | EdgeManaged.PhysicalDevice | -| -- | | -| **Target Availability** | Available now (currently on hold due to COVID-19) | -| **Applies To** | IoT Edge device | -| **OS** | [Tier1 and Tier2 OS](../iot-edge/support.md) | -| **Validation Type** | Manual / Lab Verified | -| **Validation** | OEM must ship the physical device to IoT administration (HCL). HCL performs manual validation on the physical device to check: **1.** EdgeRT is using Moby subsystem (allowed redistribution version). Not docker **2.** Pick the latest edge module to validate ability to deploy edge. 
| -| **Resources** | **a)** [AICS blog](https://azure.microsoft.com/blog/expanding-azure-iot-certification-service-to-support-azure-iot-edge-device-certification/), **b)** [Certification steps](./overview.md) , **c)** [Requirements](./program-requirements-azure-certified-device.md) | -| **Azure Recommended:** | N/A | |
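Review bot: same redirect concern as the other deletions; program-requirements-edge-managed.md is a published URL and should map to the new home rather than 404. The removed page's only internal reference, `[Azure Certified Device baseline program](.\program-requirements-azure-certified-device.md)`, points at a page deleted in the same change, so the two removals are at least self-consistent and nothing further is needed for that link.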
certification | Program Requirements Edge Secured Core | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/certification/program-requirements-edge-secured-core.md | Title: Edge Secured-core Certification Requirements description: Edge Secured-core Certification program requirements--++ Previously updated : 06/21/2021 Last updated : 02/20/2024 zone_pivot_groups: app-service-platform-windows-linux-sphere-rtos -# Azure Certified Device - Edge Secured-core # --## Edge Secured-Core certification requirements ## --### Program purpose ### -Edge Secured-core is a security certification for devices running a full operating system. Edge Secured-core currently supports Windows IoT and Azure Sphere OS. Linux support is coming in the future. This program enables device partners to differentiate their devices by meeting an additional set of security criteria. Devices meeting this criteria enable these promises: --1. Hardware-based device identity -2. Capable of enforcing system integrity -3. Stays up to date and is remotely manageable -4. Provides data at-rest protection -5. Provides data in-transit protection -6. Built in security agent and hardening -+# Edge Secured-Core certification requirements ::: zone pivot="platform-windows" ## Windows IoT OS Support-Edge Secured-core for Windows IoT requires Windows 10 IoT Enterprise version 1903 or greater +Edge Secured-core requires a version of Windows IoT that has at least five years of support from Microsoft remaining in its support lifecycle, at time of certification such as: * [Windows 10 IoT Enterprise Lifecycle](/lifecycle/products/windows-10-iot-enterprise)-> [!Note] -> The Windows secured-core tests require you to download and run the following package (https://aka.ms/Scforwiniot) from an Administrator Command Prompt on the IoT device being validated. 
+* [Windows 10 IoT Enterprise LTSC 2021 Lifecycle](/lifecycle/products/windows-10-iot-enterprise-ltsc-2021) +* [Windows 11 IoT Enterprise Lifecycle](/lifecycle/products/windows-11-iot-enterprise) ## Windows IoT Hardware/Firmware Requirements > [!Note] Edge Secured-core for Windows IoT requires Windows 10 IoT Enterprise version 190 > * Trusted Platform Module (TPM) 2.0 > * <b>For Intel systems:</b> Intel Virtualization Technology for Directed I/O (VT-d), Intel Trusted Execution Technology (TXT), and SINIT ACM driver package must be included in the Windows system image (for DRTM) > * <b>For AMD systems:</b> AMD IOMMU and AMD-V virtualization, and SKINIT package must be integrated in the Windows system image (for DRTM)-> * Kernel DMA Protection (also known as Memory Access Protection) +> * Kernel Direct Memory Access Protection (also known as Memory Access Protection) </br> Edge Secured-core for Windows IoT requires Windows 10 IoT Enterprise version 190 |Name|SecuredCore.Hardware.Identity| |:|:| |Status|Required|-|Description|The purpose of the requirement is to validate the device identity is rooted in hardware and can be the primary authentication method with Azure IoT Hub Device Provisioning Service (DPS).| -|Requirements dependency|TPM v2.0 device| -|Validation Type|Manual/Tools| -|Validation|Devices are enrolled to DPS using the TPM authentication mechanism during testing.| -|Resources|Azure IoT Hub Device Provisioning Service: <ul><li>[Quickstart - Provision a simulated TPM device to Microsoft Azure IoT Hub](../iot-dps/quick-create-simulated-device-tpm.md) </li><li>[TPM Attestation Concepts](../iot-dps/concepts-tpm-attestation.md)</li></ul>| +|Description|The device identity must be rooted in hardware.| +|Purpose|Protects against cloning and masquerading of the device root identity, which is key in underpinning trust in upper software layers extended through a chain-of-trust. 
Provide an attestable, immutable and cryptographically secure identity.| +|Dependencies|Trusted Platform Module (TPM) v2.0 device| </br> Edge Secured-core for Windows IoT requires Windows 10 IoT Enterprise version 190 |Name|SecuredCore.Hardware.MemoryProtection| |:|:| |Status|Required|-|Description|The purpose of the requirement is to validate that DMA isn't enabled on externally accessible ports.| -|Requirements dependency|Only if DMA capable ports exist| -|Validation Type|Manual/Tools| -|Validation|If DMA capable external ports exist on the device, toolset to validate that the IOMMU, or SMMU is enabled and configured for those ports.| -+|Description|All Direct Memory Access (DMA) enabled externally accessible ports must sit behind an enabled and appropriately configured Input-output Memory Management Unit (IOMMU) or System Memory Management Unit (SMMU).| +|Purpose|Protects against drive-by and other attacks that seek to use other DMA controllers to bypass CPU memory integrity protections.| +|Dependencies|Enabled and appropriately configured input/output Memory Management Unit (IOMMU) or System Memory Management Unit (SMMU)| </br> Edge Secured-core for Windows IoT requires Windows 10 IoT Enterprise version 190 |Name|SecuredCore.Firmware.Protection| |:|:| |Status|Required|-|Description|The purpose of the requirement is to ensure that device has adequate mitigations from Firmware security threats.| -|Requirements dependency|DRTM + UEFI| -|Validation Type|Manual/Tools| -|Validation|Device to be validated through [Edge Secured-core Agent](https://aka.ms/Scforwiniot) toolset to confirm it's protected from firmware security threats through one of the following approaches: <ul><li>DRTM + UEFI Management Mode mitigations</li><li>DRTM + UEFI Management Mode hardening</li></ul> | -|Resources| <ul><li>https://trustedcomputinggroup.org/</li><li>[Intel's DRTM based computing 
whitepaper](https://www.intel.com/content/dam/www/central-libraries/us/en/documents/drtm-based-computing-whitepaper.pdf)</li><li>[AMD Security whitepaper](https://www.amd.com/system/files/documents/amd-security-white-paper.pdf)</li></ul> | +|Description|The device boot sequence must support Dynamic Root of Trust for Measurement (DRTM) alongside UEFI Management Mode mitigations.| +|Purpose|Protects against firmware weaknesses, untrusted code, and rootkits that seek to exploit early and privileged boot stages to bypass OS protections.| +|Dependencies|DRTM + UEFI| +|Resources| <ul><li>[Trusted Computing Group](https://trustedcomputinggroup.org/)</li><li>[Intel's DRTM based computing whitepaper](https://www.intel.com/content/dam/www/central-libraries/us/en/documents/drtm-based-computing-whitepaper.pdf)</li><li>[AMD Security whitepaper](https://www.amd.com/system/files/documents/amd-security-white-paper.pdf)</li></ul>| </br> Edge Secured-core for Windows IoT requires Windows 10 IoT Enterprise version 190 |Name|SecuredCore.Firmware.SecureBoot| |:|:| |Status|Required|-|Description|The purpose of the requirement is to validate the boot integrity of the device.| -|Requirements dependency|UEFI| -|Validation Type|Manual/Tools| -|Validation|Device to be validated through [Edge Secured-core Agent](https://aka.ms/Scforwiniot) toolset to ensure that firmware and kernel signatures are validated every time the device boots. 
<ul><li>UEFI: Secure boot is enabled</li></ul>| -+|Description|UEFI Secure Boot must be enabled.| +|Purpose|Ensures that the firmware and OS kernel, executed as part of the boot sequence, have first been signed by a trusted authority and retain integrity.| +|Dependencies|UEFI| </br> Edge Secured-core for Windows IoT requires Windows 10 IoT Enterprise version 190 |Name|SecuredCore.Firmware.Attestation| |:|:| |Status|Required|-|Description|The purpose of the requirement is to ensure the device can remotely attest to the Microsoft Azure Attestation service.| -|Requirements dependency|Azure Attestation Service| -|Validation Type|Manual/Tools| -|Validation|Device to be validated through toolset to ensure that platform boot logs and measurements of boot activity can be collected and remotely attested to the Microsoft Azure Attestation service.| -|Resources| [Microsoft Azure Attestation](../attestation/index.yml) | +|Description|The device identity, along with its platform boot logs and measurements, must be remotely attestable to the Microsoft Azure Attestation (MAA) service.| +|Purpose|Enables services to establish the trustworthiness of the device. 
Allows for reliable security posture monitoring and other trust scenarios such as the release of access credentials.| +|Dependencies|Microsoft Azure Attestation service| +|Resources| [Microsoft Azure Attestation](../attestation/index.yml)| -## Windows IoT configuration requirements +## Windows IoT Configuration requirements </br> |Name|SecuredCore.Encryption.Storage| |:|:| |Status|Required|-|Description|The purpose of the requirement to validate that sensitive data can be encrypted on nonvolatile storage.| -|Validation Type|Manual/Tools| -|Validation|Device to be validated through [Edge Secured-core Agent](https://aka.ms/Scforwiniot) toolset to ensure Secure-boot and BitLocker is enabled and bound to PCR7.| -+|Description|Sensitive and private data must be encrypted at rest using BitLocker or similar, with encryption keys backed by hardware protection.| +|Purpose|Protects against exfiltration of sensitive or private data by unauthorized actors or tampered software.| </br> Edge Secured-core for Windows IoT requires Windows 10 IoT Enterprise version 190 |Name|SecuredCore.Encryption.TLS| |:|:| |Status|Required|-|Description|The purpose of the requirement is to validate support for required TLS versions and cipher suites.| -|Requirements dependency|Windows 10 IoT Enterprise Version 1903 or greater. Note: other requirements might require greater versions for other services. 
| -|Validation Type|Manual/Tools| -Validation|Device to be validated through toolset to ensure the device supports a minimum TLS version of 1.2 and supports the following required TLS cipher suites.<ul><li>TLS_RSA_WITH_AES_128_GCM_SHA256</li><li>TLS_RSA_WITH_AES_128_CBC_SHA256</li><li>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</li><li>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</li><li>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</li><li>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</li><li>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</li></ul>| -|Resources| [TLS support in IoT Hub](../iot-hub/iot-hub-tls-support.md) <br /> [TLS Cipher suites in Windows 10](/windows/win32/secauthn/tls-cipher-suites-in-windows-10-v1903) | +|Description|The OS must support a minimum Transport Layer Security (TLS) version of 1.2 and have the following TLS cipher suites available and enabled:<ul><li>TLS_RSA_WITH_AES_128_GCM_SHA256</li><li>TLS_RSA_WITH_AES_128_CBC_SHA256</li><li>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</li><li>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</li><li>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</li><li>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</li><li>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</li></ul>| +|Purpose|Ensures that applications are able to use end-to-end encryption protocols and ciphers without known weaknesses, that are supported by Azure Services.| +|Dependencies|Windows 10 IoT Enterprise Version 1903 or greater. 
Note: other requirements might require greater versions for other services.| +|Resources| [TLS cipher suites in Windows](/windows/win32/secauthn/cipher-suites-in-schannel)| </br> Validation|Device to be validated through toolset to ensure the device supports |Name|SecuredCore.Protection.CodeIntegrity| |:|:| |Status|Required|-|Description|The purpose of this requirement is to validate that code integrity is available on this device.| -|Requirements dependency|HVCI is enabled on the device.| -|Validation Type|Manual/Tools| -|Validation|Device to be validated through [Edge Secured-core Agent](https://aka.ms/Scforwiniot) toolset to ensure that HVCI is enabled on the device.| -|Resources| [Hypervisor-protected Code Integrity enablement](/windows-hardware/design/device-experiences/oem-hvci-enablement) | +|Description|The OS must have virtualization-based code integrity features enabled (VBS + HVCI).| +|Purpose|Protects against modified/malicious code from within the kernel by ensuring that only code with verifiable integrity is able to run.| +|Dependencies|VBS + HVCI is enabled on the device.| +|Resources| [Hypervisor-protected Code Integrity enablement](/windows-hardware/design/device-experiences/oem-hvci-enablement)| </br> Validation|Device to be validated through toolset to ensure the device supports |Name|SecuredCore.Protection.NetworkServices| |:|:| |Status|Required|-|Description|The purpose of the requirement is to validate that services listening for input from the network aren't running with elevated privileges.| -|Validation Type|Manual/Tools| -|Validation|Device to be validated through [Edge Secured-core Agent](https://aka.ms/Scforwiniot) toolset to ensure that third party services accepting network connections aren't running with elevated LocalSystem and LocalService privileges. <ol><li>Exceptions might apply</li></ol>| -+|Description|Services listening for input from the network must not run with elevated privileges. 
Exceptions may apply for security-related services.| +|Purpose|Limits the exploitability of compromised networked services.| Validation|Device to be validated through toolset to ensure the device supports |Name|SecuredCore.Built-in.Security| |:|:| |Status|Required|-|Description|The purpose of the requirement is to make sure devices can report security information and events by sending data to Azure Defender for IoT. <br>Note: Download and deploy security agent from GitHub| -|Target Availability|2022| -|Validation Type|Manual/Tools| -|Validation |Device must generate security logs and alerts. Device logs and alerts messages to Azure Security Center.<ol><li>Device must have the Azure Defender microagent running</li><li>Configuration_Certification_Check must report TRUE in the module twin</li><li>Validate alert messages from Azure Defender for IoT.</li></ol>| -|Resources|[Azure Docs IoT Defender for IoT](../defender-for-iot/how-to-configure-agent-based-solution.md)| +|Description|Devices must be able to send security logs and alerts to a cloud-native security monitoring solution, such as Microsoft Defender for Endpoint.| +|Purpose|Enables fleet posture monitoring, diagnosis of security threats, and protects against latent and in-progress attacks.| +|Resources| [Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-endpoints-script)| </br> Validation|Device to be validated through toolset to ensure the device supports |Name|SecuredCore.Protection.Baselines| |:|:| |Status|Required|-|Description|The purpose of the requirement is to validate that the system conforms to a baseline security configuration.| -|Target Availability|2022| -|Requirements dependency|Azure Defender for IoT| -|Validation Type|Manual/Tools| -|Validation|Device to be validated through toolset to ensure that Defender IOT system configurations benchmarks have been run.| -|Resources| https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines 
<br> https://www.cisecurity.org/cis-benchmarks/ | +|Description|The system is able to successfully apply a baseline security configuration.| +|Purpose|Ensures a secure-by-default configuration posture, reducing the risk of compromise through incorrectly configured security-sensitive settings.| +|Resources|[Microsoft Security Baselines](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines)<br>[CIS Benchmarks List](https://www.cisecurity.org/cis-benchmarks)| -## Windows IoT Policy Requirements --Some requirements of this program are based on a business agreement between your company and Microsoft. The following requirements aren't validated through our test harness, but are required by your company in certifying the device. +|Name|SecuredCore.Protection.Update Resiliency| +|:|:| +|Status|Required| +|Description|The device must be restorable to the last known good state if an update causes issues.| +|Purpose|Ensures that devices can be restored to a functional, secure, and updatable state.| --</br> +++## Windows IoT Policy Requirements |Name|SecuredCore.Policy.Protection.Debug| |:|:| |Status|Required|-|Description|The purpose of the requirement is to validate that debug functionality on the device is disabled.| -|Requirements dependency|| -|Validation Type|Manual/Tools| -|Validation|Device to be validated through toolset to ensure that debug functionality requires authorization to enable.| -+|Description|Debug functionality on the device must be disabled or require authorization to enable.| +|Purpose|Ensures that software and hardware protections cannot be bypassed through debugger intervention and back-channels.| </br> Some requirements of this program are based on a business agreement between your |Name|SecuredCore.Policy.Manageability.Reset| |:|:| |Status|Required|-|Description|The purpose of this requirement is to validate the device against two use cases: a) Ability to perform a reset (remove user data, remove user 
configs), b) Restore device to last known good in the case of an update causing issues.| -|Requirements dependency|| -|Validation Type|Manual/Tools| -|Validation|Device to be validated through a combination of toolset and submitted documentation that the device supports this functionality. The device manufacturer can determine whether to implement these capabilities to support remote reset or only local reset.| -+|Description|It must be possible to reset the device (remove user data, remove user configs).| +|Purpose|Protects against exfiltration of sensitive or private data during device ownership or lifecycle transitions.| </br> Some requirements of this program are based on a business agreement between your |Name|SecuredCore.Policy.Updates.Duration| |:|:| |Status|Required|-|Description|The purpose of this policy is to ensure that the device remains secure.| -|Validation Type|Manual| -|Validation|Commitment from submission that devices certified can be kept up to date for 60 months from date of submission. 
Specifications available to the purchaser and devices itself in some manner should indicate the duration for which their software will be updated.| -+|Description|Software updates must be provided for at least 60 months from date of submission.| +|Purpose|Ensures a minimum period of continuous security.| </br> Some requirements of this program are based on a business agreement between your |Name|SecuredCore.Policy.Vuln.Disclosure| |:|:| |Status|Required|-|Description|The purpose of this policy is to ensure that there's a mechanism for collecting and distributing reports of vulnerabilities in the product.| -|Validation Type|Manual| -|Validation|Documentation on the process for submitting and receiving vulnerability reports for the certified devices will be reviewed.| -+|Description|A mechanism for collecting and distributing reports of vulnerabilities in the product must be available.| +|Purpose|Provides a clear path for discovered vulnerabilities to be reported, assessed, and disclosed, enabling effective risk management and timely fixes.| +|Resources|[MSRC Portal](https://msrc.microsoft.com/report/vulnerability/new)| </br> Some requirements of this program are based on a business agreement between your |Name|SecuredCore.Policy.Vuln.Fixes| |:|:| |Status|Required|-|Description|The purpose of this policy is to ensure that vulnerabilities that are high/critical (using CVSS 3.0) are addressed within 180 days of the fix being available.| -|Validation Type|Manual| -|Validation|Documentation on the process for submitting and receiving vulnerability reports for the certified devices will be reviewed.| -+|Description|Vulnerabilities that are high/critical (using Common Vulnerability Scoring System 3.0) must be addressed within 180 days of the fix being available.| +|Purpose|Ensures that high-impact vulnerabilities are addressed in a timely manner, reducing likelihood and impact of a successful exploit.| </br> Some requirements of this program are based on a business 
agreement between your ## Linux OS Support >[!Note]-> Linux is not yet supported. The below represent expected requirements. Please contact iotcert@microsoft.com if you are interested in certifying a Linux device, including device HW and OS specs, and whether or not it meets each of the draft requirements below. +> Linux is not yet supported. The below represent expected requirements. Please fill out this [form](https://forms.office.com/r/HSAtk0Ghru) if you are interested in certifying a Linux device. ## Linux Hardware/Firmware Requirements Some requirements of this program are based on a business agreement between your |Name|SecuredCore.Hardware.Identity| |:|:| |Status|Required|-|Description|The purpose of the requirement is to validate the device identify is rooted in hardware.| -|Requirements dependency|TPM v2.0 </br><sup>or *other supported method</sup>| -|Validation Type|Manual/Tools| -|Validation|Device to be validated through toolset to ensure that the device has a HWRoT present and that it can be provisioned through DPS using TPM or SE.| -|Resources|[Setup auto provisioning with DPS](../iot-dps/quick-setup-auto-provision.md)| +|Description|The device identity must be rooted in hardware.| +|Purpose|Protects against cloning and masquerading of the device root identity, which is key in underpinning trust in upper software layers extended through a chain-of-trust. 
Provide an attestable, immutable and cryptographically secure identity.| +|Dependencies|Trusted Platform Module (TPM) v2.0 </br><sup>or *other supported method</sup>| </br> Some requirements of this program are based on a business agreement between your |Name|SecuredCore.Hardware.MemoryProtection| |:|:| |Status|Required|-|Description|The purpose of the requirement is to validate ensure that memory integrity helps protect the device from vulnerable peripherals.| -|Validation Type|Manual/Tools| -|Validation|memory regions for peripherals must be gated with hardware/firmware such as memory region domain controllers or SMMU (System memory management Unit).| -+|Description|All DMA-enabled externally accessible ports must sit behind an enabled and appropriately configured Input-output Memory Management Unit (IOMMU) or System Memory Management Unit (SMMU).| +|Purpose|Protects against drive-by and other attacks that seek to use other DMA controllers to bypass CPU memory integrity protections.| +|Dependencies|Enabled and appropriately configured Input-output Memory Management Unit (IOMMU) or System Memory Management Unit (SMMU)| + </br> -+ |Name|SecuredCore.Firmware.Protection| |:|:| |Status|Required|-|Description|The purpose of the requirement is to ensure that device has adequate mitigations from Firmware security threats.| -|Validation Type|Manual/Tools| -|Validation|Device to be validated through toolset to confirm it's protected from firmware security threats through one of the following approaches: <ul><li>Approved FW that does SRTM + runtime firmware hardening</li><li>Firmware scanning and evaluation by approved Microsoft third party</li></ul> | -|Resources| https://trustedcomputinggroup.org/ | +|Description|The device boot sequence must support either: <ul><li>Approved firmware with SRTM support + runtime firmware hardening</li><li>Firmware scanning and evaluation by approved Microsoft third party</li></ul>| +|Purpose|Protects against firmware weaknesses, untrusted 
code, and rootkits that seek to exploit early and privileged boot stages to bypass OS protections.| +|Resources| [Trusted Computing Group](https://trustedcomputinggroup.org/) | </br> Some requirements of this program are based on a business agreement between your |Name|SecuredCore.Firmware.SecureBoot| |:|:| |Status|Required|-|Description|The purpose of the requirement is to validate the boot integrity of the device.| -|Validation Type|Manual/Tools| -|Validation|Device to be validated through toolset to ensure that firmware and kernel signatures are validated every time the device boots. <ul><li>UEFI: Secure boot is enabled</li><li>Uboot: Verified boot is enabled</li></ul>| -+|Description|Either:<ul><li>UEFI: Secure boot must be enabled</li><li>Uboot: Verified boot must be enabled</li></ul>| +|Purpose|Ensures that the firmware and OS kernel, executed as part of the boot sequence, have first been signed by a trusted authority and retain integrity.| </br> Some requirements of this program are based on a business agreement between your |Name|SecuredCore.Firmware.Attestation| |:|:| |Status|Required|-|Description|The purpose of the requirement is to ensure the device can remotely attest to the Microsoft Azure Attestation service.| -|Dependency|TPM 2.0 </br><sup>or *supported OP-TEE based application chained to a HWRoT (Secure Element or Secure Enclave)</sup>| -|Validation Type|Manual/Tools| -|Validation|Device to be validated through toolset to ensure that platform boot logs and applicable runtime measurements can be collected and remotely attested to the Microsoft Azure Attestation service.| -|Resources| [Microsoft Azure Attestation](../attestation/index.yml) </br> Certification portal test includes an attestation client that when combined with the TPM 2.0 can validate the Microsoft Azure Attestation service.| +|Description|The device identity, along with its platform boot logs and measurements, must be remotely attestable to the Microsoft Azure Attestation (MAA) 
service.| +|Purpose|Enables services to establish the trustworthiness of the device. Allows for reliable security posture monitoring and other trust scenarios such as the release of access credentials.| +|Dependencies|Trusted Platform Module (TPM) 2.0 </br><sup>or *supported OP-TEE based application chained to a HWRoT (Secure Element or Secure Enclave)</sup>| +|Resources| [Microsoft Azure Attestation](../attestation/index.yml)| </br> |Name|SecuredCore.Hardware.SecureEnclave| |:|:|-|Status|Required| -|Description|The purpose of the requirement to validate the existence of a secure enclave and that the enclave can be used for security functions.| -|Validation Type|Manual/Tools| -|Validation|| +|Status|Optional| +|Description|The device must feature a secure enclave capable of performing security functions.| +|Purpose|Ensures that sensitive cryptographic operations (those key to device identity and chain-of-trust) are isolated and protected from the primary OS and some forms of side-channel attack.| ## Linux Configuration Requirements Some requirements of this program are based on a business agreement between your |Name|SecuredCore.Encryption.Storage| |:|:| |Status|Required|-|Description|The purpose of the requirement to validate that sensitive data can be encrypted on nonvolatile storage.| -|Validation Type|Manual/Tools| -|Validation|Device to be validated through toolset to ensure storage encryption is enabled and default algorithm is XTS-AES, with key length 128 bits or higher.| -+|Description|Sensitive and private data must be encrypted at rest using dm-crypt or similar, supporting XTS-AES as the default algorithm with a key length of 128 bits or higher, with encryption keys backed by hardware protection.| +|Purpose|Protects against exfiltration of sensitive or private data by unauthorized actors or tampered software.| </br> Some requirements of this program are based on a business agreement between your |Name|SecuredCore.Encryption.TLS| |:|:| 
|Status|Required|-|Description|The purpose of the requirement is to validate support for required TLS versions and cipher suites.| -|Validation Type|Manual/Tools| -Validation|Device to be validated through toolset to ensure the device supports a minimum TLS version of 1.2 and supports the following required TLS cipher suites.<ul><li>TLS_RSA_WITH_AES_128_GCM_SHA256</li><li>TLS_RSA_WITH_AES_128_CBC_SHA256</li><li>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</li><li>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</li><li>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</li><li>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</li><li>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</li></ul>| -|Resources| [TLS support in IoT Hub](../iot-hub/iot-hub-tls-support.md) <br /> | +|Description|The OS must support a minimum Transport Layer Security (TLS) version of 1.2 and have the following TLS cipher suites available and enabled:<ul><li>TLS_RSA_WITH_AES_128_GCM_SHA256</li><li>TLS_RSA_WITH_AES_128_CBC_SHA256</li><li>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</li><li>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</li><li>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</li><li>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</li><li>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</li></ul>| +|Purpose|Ensure that applications are able to use end-to-end encryption protocols and ciphers without known weaknesses, that are supported by Azure Services.| </br> Validation|Device to be validated through toolset to ensure the device supports |Name|SecuredCore.Protection.CodeIntegrity| |:|:| |Status|Required|-|Description|The purpose of this requirement is to validate that authorized code runs with least privilege.| -|Validation Type|Manual/Tools| -|Validation|Device to be validated through toolset to ensure that code integrity is enabled by validating dm-verity and IMA| -+|Description|The OS must have dm-verity and IMA code integrity features enabled, with code operating under least privilege.| +|Purpose|Protects against modified/malicious code, ensuring that only code with 
verifiable integrity is able to run.| </br> |Name|SecuredCore.Protection.NetworkServices| |:|:|-|Status|<sup>*</sup>Required| -|Description|The purpose of the requirement is to validate that applications accepting input from the network aren't running with elevated privileges.| -|Validation Type|Manual/Tools| -|Validation|Device to be validated through toolset to ensure that services accepting network connections aren't running with SYSTEM or root privileges.| --+|Status|Required| +|Description|Services listening for input from the network must not run with elevated privileges, such as SYSTEM or root. Exceptions may apply for security-related services.| +|Purpose|Limits the exploitability of compromised networked services.| ## Linux Software/Service Requirements |Name|SecuredCore.Built-in.Security| |:|:| |Status|Required|-|Description|The purpose of the requirement is to make sure devices can report security information and events by sending data to Microsoft Defender for IoT.| -|Validation Type|Manual/Tools| -|Validation |<ol><li>Device must generate security logs and alerts.</li><li>Device logs and alerts messages to Azure Security Center.</li><li>Device must have the Azure Defender for IoT microagent running</li><li>Configuration_Certification_Check must report TRUE in the module twin</li><li>Validate alert messages from Azure Defender for IoT.</li></ol>| -|Resources|[Azure Docs IoT Defender for IoT](../defender-for-iot/how-to-configure-agent-based-solution.md)| +|Description|Devices must be able to send security logs and alerts to a cloud-native security monitoring solution, such as Microsoft Defender for Endpoint.| +|Purpose|Enables fleet posture monitoring, diagnosis of security threats, and protects against latent and in-progress attacks.| +|Resources| [Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-endpoints-script)| </br> Validation|Device to be validated through toolset to ensure the device supports 
|Name|SecuredCore.Manageability.Configuration| |:|:| |Status|Required|-|Description|The purpose of the requirement is to validate that device supports auditing and setting of system configuration (and certain management actions such as reboot) through Azure.| +|Description|The device must support auditing and setting of system configuration (and certain management actions such as reboot) through Azure. Note: Use of other system management toolchains (e.g. Ansible) by operators aren't prohibited, but the device must include the azure-osconfig agent for Azure management.| +|Purpose|Enables the application of security baselines as part of a secure-by-default configuration posture, reducing the risk of compromise through incorrectly configured security-sensitive settings.| |Dependency|azure-osconfig|-|Validation Type|Manual/Tools| -|Validation|<ol><li>Device must report, via IoT Hub, its firewall state, firewall fingerprint, ip addresses, network adapter state, host name, hosts file, TPM (absence, or presence with version) and package manager sources (see What can I manage) </li><li>Device must accept the creation, via IoT Hub, of a default firewall policy (accept vs drop), and at least one firewall rule, with positive remote acknowledgment (see configurationStatus)</li><li>Device must accept the replacement of /etc/hosts file contents via IoT Hub, with positive remote acknowledgment (see https://learn.microsoft.com/en-us/azure/osconfig/howto-hosts?tabs=portal#the-object-model )</li><li>Device must accept and implement, via IoT Hub, remote reboot</li></ol> Note: Use of other system management toolchains (for example, Ansible, etc.) 
by operators are not prohibited, but the device must include the azure-osconfig agent such that it's ready to be managed from Azure.| - </br> Validation|Device to be validated through toolset to ensure the device supports |Name|SecuredCore.Update| |:|:| |Status|Audit|-|Description|The purpose of the requirement is to validate the device can receive and update its firmware and software.| -|Validation Type|Manual/Tools| -|Validation|Partner confirmation that they were able to send an update to the device through Azure Device update and other approved services.| -|Resources|[Device Update for IoT Hub](../iot-hub-device-update/index.yml)| +|Description|The device must be able to receive and update its firmware and software through Azure Device Update or other approved services.| +|Purpose|Enables continuous security and renewable trust.| </br> -|Name|SecuredCore.Protection.Baselines| +|Name|SecuredCore.UpdateResiliency| |:|:| |Status|Required|-|Description|The purpose of the requirement is to validate the extent to which the device implements the Azure Security Baseline| -|Dependency|azure-osconfig| -|Validation Type|Manual/Tools| -|Validation|OSConfig is present on the device and reporting to what extent it implements the Azure Security Baseline.| -|Resources|<ul><li>https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines</li><li>https://www.cisecurity.org/cis-benchmarks/</li><li>https://learn.microsoft.com/en-us/azure/governance/policy/samples/guest-configuration-baseline-linux</li></ul>| +|Description|The device must be restorable to the last known good state if an update causes issues.| +|Purpose|Ensures that devices can be restored to a functional, secure, and updatable state.| </br> -|Name|SecuredCore.Protection.SignedUpdates| +|Name|SecuredCore.Protection.Baselines| |:|:| |Status|Required|-|Description|The purpose of the requirement is to validate that updates must be signed.| -|Validation Type|Manual/Tools| 
-|Validation|Device to be validated through toolset to ensure that updates to the operating system, drivers, application software, libraries, packages and firmware won't be applied unless properly signed and validated. +|Description|The system is able to successfully apply a baseline security configuration.| +|Purpose|Ensures a secure-by-default configuration posture, reducing the risk of compromise through incorrectly configured security-sensitive settings.| +|Resources|<ul><li>[Microsoft Security Baselines](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines)</li><li>[CIS Benchmarks List](https://www.cisecurity.org/cis-benchmarks/)</li><li>[Linux Security Baseline](../governance/policy/samples/guest-configuration-baseline-linux.md)</li></ul>| ++</br> +|Name|SecuredCore.Protection.SignedUpdates| +|:|:| +|Status|Required| +|Description|Updates to the operating system, drivers, application software, libraries, packages, and firmware must be signed.| +|Purpose|Prevents unauthorized or malicious code from being installed during the update process.| ## Linux Policy Requirements Validation|Device to be validated through toolset to ensure the device supports |Name|SecuredCore.Policy.Protection.Debug| |:|:| |Status|Required|-|Description|The purpose of the requirement is to validate that debug functionality on the device is disabled.| -|Validation Type|Manual/Tools| -|Validation|Device to be validated through toolset to ensure that debug functionality requires authorization to enable.| -+|Description|Debug functionality on the device must be disabled or require authorization to enable.| +|Purpose|Ensures that software and hardware protections cannot be bypassed through debugger intervention and back-channels.| </br> Validation|Device to be validated through toolset to ensure the device supports |Name|SecuredCore.Policy.Manageability.Reset| |:|:| |Status|Required|-|Description|The purpose of this requirement is to validate 
the device against two use cases: a) Ability to perform a reset (remove user data, remove user configs), b) Restore device to last known good if an update causing issues.| -|Validation Type|Manual/Tools| -|Validation|Device to be validated through a combination of toolset and submitted documentation that the device supports this functionality. The device manufacturer can determine whether to implement these capabilities to support remote reset or only local reset.| -+|Description|It must be possible to reset the device (remove user data, remove user configs).| +|Purpose|Protects against exfiltration of sensitive or private data during device ownership or lifecycle transitions.| </br> Validation|Device to be validated through toolset to ensure the device supports |Name|SecuredCore.Policy.Updates.Duration| |:|:| |Status|Required|-|Description|The purpose of this policy is to ensure that the device remains secure.| -|Validation Type|Manual| -|Validation|Commitment from submission that devices certified will be required to keep devices up to date for 60 months from date of submission. 
Specifications available to the purchaser and devices itself in some manner should indicate the duration for which their software will be updated.| -+|Description|Software updates must be provided for at least 60 months from date of submission.| +|Purpose|Ensures a minimum period of continuous security.| </br> Validation|Device to be validated through toolset to ensure the device supports |Name|SecuredCore.Policy.Vuln.Disclosure| |:|:| |Status|Required|-|Description|The purpose of this policy is to ensure that there's a mechanism for collecting and distributing reports of vulnerabilities in the product.| -|Validation Type|Manual| -|Validation|Documentation on the process for submitting and receiving vulnerability reports for the certified devices will be reviewed.| -+|Description|A mechanism for collecting and distributing reports of vulnerabilities in the product must be available.| +|Purpose|Provides a clear path for discovered vulnerabilities to be reported, assessed, and disclosed, enabling effective risk management and timely fixes.| </br> Validation|Device to be validated through toolset to ensure the device supports |Name|SecuredCore.Policy.Vuln.Fixes| |:|:| |Status|Required|-|Description|The purpose of this policy is to ensure that vulnerabilities that are high/critical (using CVSS 3.0) are addressed within 180 days of the fix being available.| -|Validation Type|Manual| -|Validation|Documentation on the process for submitting and receiving vulnerability reports for the certified devices will be reviewed.| -+|Description|Vulnerabilities that are high/critical (using Common Vulnerability Scoring System 3.0) must be addressed within 180 days of the fix being available.| +|Purpose|Ensures that high-impact vulnerabilities are addressed in a timely manner, reducing likelihood and impact of a successful exploit.| </br> ::: zone-end Validation|Device to be validated through toolset to ensure the device supports <!-> ::: zone pivot="platform-sphere" -## Azure Sphere 
platform Support -The Mediatek MT3620AN must be included in your design. Additional guidance for building secured Azure Sphere applications can be within the [Azure Sphere application notes](/azure-sphere/app-notes/app-notes-overview). +## Azure Sphere Platform Support +The Mediatek MT3620AN must be included in your design. More guidance for building secured Azure Sphere applications can be found within the [Azure Sphere application notes](/azure-sphere/app-notes/app-notes-overview). ## Azure Sphere Hardware/Firmware Requirements The Mediatek MT3620AN must be included in your design. Additional guidance for b |Name|SecuredCore.Hardware.Identity| |:|:| |Status|Required|-|Description|The purpose of the requirement is to validate the device identity is rooted in hardware.| -|Validation Type|Prevalidated, no additional validation is required| -|Validation|Provided by Microsoft| +|Description|The device identity must be rooted in hardware.| +|Purpose|Protects against cloning and masquerading of the device root identity, which is key in underpinning trust in upper software layers extended through a chain-of-trust. Provide an attestable, immutable and cryptographically secure identity.| +|Dependencies| Azure Sphere meets this requirement as MT3620 includes the integrated Pluton security processor.| </br> The Mediatek MT3620AN must be included in your design. 
Additional guidance for b |Name|SecuredCore.Hardware.MemoryProtection| |:|:| |Status|Required|-|Description|The purpose of the requirement is to ensure that memory integrity helps protect the device from vulnerable peripherals.| -|Validation Type|Prevalidated, no additional validation is required| -|Validation|Provided by Microsoft| -+|Description|All DMA-enabled externally accessible ports must sit behind an enabled and appropriately configured Input-output Memory Management Unit (IOMMU) or System Memory Management Unit (SMMU).| +|Purpose|Protects against drive-by and other attacks that seek to use other DMA controllers to bypass CPU memory integrity protections.| +|Dependencies| Azure Sphere meets this requirement through a securely configurable peripheral firewall.| + </br> - |Name|SecuredCore.Firmware.Protection| |:|:| |Status|Required|-|Description|The purpose of the requirement is to ensure that device has adequate mitigations from Firmware security threats.| -|Validation Type|Prevalidated, no additional validation is required| -|Validation|Provided by Microsoft| -+|Description|The device boot sequence must protect against firmware security threats.| +|Purpose|Protects against firmware weaknesses, persistent untrusted code, and rootkits that seek to exploit early and privileged boot stages to bypass OS protections.| +|Dependencies| Azure Sphere meets this requirement through a Microsoft-managed, hardened, and authenticated boot chain.| </br> The Mediatek MT3620AN must be included in your design. 
Additional guidance for b |Name|SecuredCore.Firmware.SecureBoot| |:|:| |Status|Required|-|Description|The purpose of the requirement is to validate the boot integrity of the device.| -|Validation Type|Prevalidated, no additional validation is required| -|Validation|Provided by Microsoft| -+|Description|The device boot sequence must be authenticated.| +|Purpose|Ensures that the firmware and OS kernel, executed as part of the boot sequence, have first been signed by a trusted authority and retain integrity.| +|Dependencies| Azure Sphere meets this requirement through a Microsoft-managed authenticated boot chain.</li></ul>| </br> The Mediatek MT3620AN must be included in your design. Additional guidance for b |Name|SecuredCore.Firmware.Attestation| |:|:| |Status|Required|-|Description|The purpose of the requirement is to ensure the device can remotely attest to a Microsoft Azure Attestation service.| -|Validation Type|Prevalidated, no additional validation is required| -|Validation|Provided by Microsoft| -+|Description|The device identity, along with its platform boot logs and measurements, must be remotely attestable to a Microsoft Azure Attestation (MAA) service.| +|Purpose|Enables services to establish the trustworthiness of the device. Allows for reliable security posture monitoring and other trust scenarios such as the release of access credentials.| +|Dependencies| Azure Sphere meets this requirement through the Device Authentication and Attestation (DAA) service provided as part of the Azure Sphere Security Service (AS3).| </br> The Mediatek MT3620AN must be included in your design. 
Additional guidance for b |Name|SecuredCore.Hardware.SecureEnclave| |:|:| |Status|Required|-|Description|The purpose of this requirement is to validate hardware security that is accessible from a secure operating system.| -|Validation Type|Prevalidated, no additional validation is required| -|Validation|Provided by Microsoft| +|Description|The device must feature a secure enclave capable of performing security functions.| +|Purpose|Ensures that sensitive cryptographic operations (those key to device identity and chain-of-trust) are isolated and protected from the primary OS and some forms of side-channel attack.| +|Dependencies| Azure Sphere meets this requirement as MT3260 includes the Pluton security processor.| ## Azure Sphere OS Configuration Requirements The Mediatek MT3620AN must be included in your design. Additional guidance for b |Name|SecuredCore.Encryption.Storage| |:|:| |Status|Required|-|Description|The purpose of this requirement is to validate that sensitive data can be encrypted on nonvolatile storage.| -|Validation Type|Prevalidated, no additional validation is required| -|Validation|Provided by Microsoft| -|Resources|[Data at rest protection on Azure Sphere](/azure-sphere/app-notes/app-notes-overview)| +|Description|Sensitive and private data must be encrypted at rest, with encryption keys backed by hardware protection.| +|Purpose|Protects against exfiltration of sensitive or private data by unauthorized actors or tampered software.| +|Dependencies| Azure Sphere enables this requirement to be met using the Pluton security processor, in-package non-volatile memory, and customer-exposed wolfCrypt APIs.| </br> The Mediatek MT3620AN must be included in your design. 
Additional guidance for b |Name|SecuredCore.Encryption.TLS| |:|:| |Status|Required|-|Description|The purpose of the requirement is to validate support for required TLS versions and cipher suites.| -|Validation Type|Prevalidated, no additional validation is required| -|Validation|Provided by Microsoft| -|Resources| [TLS support in IoT Hub](../iot-hub/iot-hub-tls-support.md) <br /> | +|Description|The OS must support a minimum Transport Layer Security (TLS) version of 1.2 and have secure TLS cipher suites available.| +|Purpose|Ensures that applications are able to use end-to-end encryption protocols and ciphers without known weaknesses, that are supported by Azure Services.| +|Dependencies| Azure Sphere meets this requirement through a Microsoft-managed wolfSSL library using only secure TLS cipher suites, backed by Device Authentication and Attestation (DAA) certificates.| </br> The Mediatek MT3620AN must be included in your design. Additional guidance for b |Name|SecuredCore.Protection.CodeIntegrity| |:|:| |Status|Required|-|Description|The purpose of this requirement is to validate that authorized code runs with least privilege.| -|Validation Type|Prevalidated, no additional validation is required| -|Validation|Provided by Microsoft| +|Description|The OS must feature code integrity support, with code operating under least privilege.| +|Purpose|Protects against modified/malicious code, ensuring that only code with verifiable integrity is able to run.| +|Dependencies| Azure Sphere meets this requirement through the Microsoft-managed and hardened OS with read-only filesystem stored on in-package non-volatile memory storage and executed in on-die RAM, with restricted/contained and least-privileged workloads.| </br> The Mediatek MT3620AN must be included in your design. 
Additional guidance for b |Name|SecuredCore.Protection.NetworkServices| |:|:| |Status|Required|-|Description|The purpose of the requirement is to validate that applications accepting input from the network aren't running with elevated privileges.| -|Validation Type|Prevalidated, no additional validation is required| -|Validation|Provided by Microsoft| +|Description|Services listening for input from the network must not run with elevated privileges, such as SYSTEM or root. Exceptions may apply for security-related services.| +|Purpose|Limits the exploitability of compromised networked services.| +|Dependencies| Azure Sphere meets this requirement through restricted/contained and least-privileged workloads.| </br> The Mediatek MT3620AN must be included in your design. Additional guidance for b |Name|SecuredCore.Protection.NetworkFirewall| |:|:| |Status|Required|-|Description|The purpose of this requirement is to validate that applications can't connect to endpoints that haven't been authorized.| -|Validation Type|Prevalidated, no additional validation is required| -|Validation|Provided by Microsoft| -+|Description|Applications can't connect to endpoints that haven't been authorized.| +|Purpose|Limits the exploitability of compromised or malicious applications for upstream network traffic and remote access/control.| +|Dependencies| Azure Sphere meets this requirement through a securely configurable network firewall and Device Authentication and Attestation (DAA) certificates.| ## Azure Sphere Software/Service Requirements |Name|SecuredCore.Built-in.Security| |:|:| |Status|Required|-|Description|The purpose of this requirement is to make sure devices can report security information and events by sending data to a Microsoft telemetry service.| -|Validation Type|Prevalidated, no additional validation is required| -|Validation|Provided by Microsoft| +|Description|Devices must be able to send security logs and alerts to a cloud-native security monitoring solution.| 
+|Purpose|Enables fleet posture monitoring, diagnosis of security threats, and protects against latent and in-progress attacks.| +|Dependencies| Azure Sphere meets this requirement through integration of Azure Sphere Security Service (AS3) telemetry with Azure Monitor and the ability for applications to send security logs and alerts via Azure services.| |Resources|[Collect and interpret error data - Azure Sphere](/azure-sphere/deployment/interpret-error-data?tabs=cliv2beta)</br>[Configure crash dumps - Azure Sphere](/azure-sphere/deployment/configure-crash-dumps)| The Mediatek MT3620AN must be included in your design. Additional guidance for b |Name|SecuredCore.Manageability.Configuration| |:|:| |Status|Required|-|Description|The purpose of this requirement is to validate the device supports remote administration via service-based configuration control.| -|Validation Type|Prevalidated, no additional validation is required| -|Validation|Provided by Microsoft| +|Description|The device must support auditing and setting of system configuration (and certain management actions) through Azure.| +|Purpose|Enables the application of security baselines as part of a secure-by-default configuration posture, reducing the risk of compromise through incorrectly configured security-sensitive settings.| +|Dependencies| Azure Sphere meets this requirement through secure customer application configuration manifests, underpinned by a Microsoft-managed, and hardened OS. </br> The Mediatek MT3620AN must be included in your design. 
Additional guidance for b |Name|SecuredCore.Update| |:|:| |Status|Required|-|Description|The purpose of the requirement is to validate the device can receive and update its firmware and software.| -|Validation Type|Prevalidated, no additional validation is required| -|Validation|Provided by Microsoft| +|Description|The device must be able to receive and update its firmware and software.| +|Purpose|Enables continuous security and renewable trust.| +|Dependencies| Azure Sphere meets this requirement through a Microsoft-managed and automatically updated OS, with customer application updates delivered remotely via the Azure Sphere Security Service (AS3).| </br> The Mediatek MT3620AN must be included in your design. Additional guidance for b |Name|SecuredCore.Protection.Baselines| |:|:| |Status|Required|-|Description|The purpose of the requirement is to validate that the system conforms to a baseline security configuration| -|Validation Type|Prevalidated, no additional validation is required| -|Validation|Provided by Microsoft| +|Description|The system is able to successfully apply a baseline security configuration.| +|Purpose|Ensures a secure-by-default configuration posture, reducing the risk of compromise through incorrectly configured security-sensitive settings.| +|Dependencies| Azure Sphere meets this requirement through a Microsoft-managed and hardened OS.| </br> -|Name|SecuredCore.Protection.SignedUpdates| +|Name|SecuredCore.Protection.Update Resiliency| |:|:| |Status|Required|-|Description|The purpose of the requirement is to validate that updates must be signed.| -|Validation Type|Prevalidated, no additional validation is required| -|Validation|Provided by Microsoft| +|Description|The device must be restorable to the last known good state if an update causes issues.| +|Purpose|Ensures that devices can be restored to a functional, secure, and updatable state.| +|Dependencies| Azure Sphere meets this requirement through a built-in rollback mechanism for 
updates.| ++</br> +|Name|SecuredCore.Protection.SignedUpdates| +|:|:| +|Status|Required| +|Description|Updates to the operating system, drivers, application software, libraries, packages, and firmware must be signed.| +|Purpose|Prevents unauthorized or malicious code from being installed during the update process.| +|Dependencies| Azure Sphere meets this requirement.| ## Azure Sphere Policy Requirements |Name|SecuredCore.Policy.Protection.Debug| |:|:| |Status|Required|-|Description|The purpose of the policy requires that debug functionality on the device is disabled.| -|Validation Type|Prevalidated, no additional validation is required| -|Validation|Provided by Microsoft| -+|Description|Debug functionality on the device must be disabled or require authorization to enable.| +|Purpose|Ensures that the software and hardware protections cannot be bypassed through debugger intervention and back-channels.| +|Dependencies| Azure Sphere OS meets this requirement as debug functionality requires a signed capability that is only provided to the device OEM owner.| </br> The Mediatek MT3620AN must be included in your design. Additional guidance for b |Name|SecuredCore.Policy.Manageability.Reset| |:|:| |Status|Required|-|Description|The policy requires that the device can execute two use cases: a) Ability to perform a reset (remove user data, remove user configurations), b) Restore device to last known good in the case of an update causing issues.| -|Validation Type|Prevalidated, no additional validation is required| -|Validation|Provided by Microsoft| -+|Description|It must be possible to reset the device (remove user data, remove user configs).| +|Purpose|Protects against exfiltration of sensitive or private data during device ownership or lifecycle transitions.| +|Dependencies| The Azure Sphere OS enables OEM applications to implement reset functionality.| </br> The Mediatek MT3620AN must be included in your design. 
Additional guidance for b |Name|SecuredCore.Policy.Updates.Duration| |:|:| |Status|Required|-|Description|The purpose of this policy is to ensure that the device remains secure.| -|Validation Type|Prevalidated, no additional validation is required| -|Validation|Provided by Microsoft| -+|Description|Software updates must be provided for at least 60 months from date of submission.| +|Purpose|Ensures a minimum period of continuous security.| +|Dependencies| The Azure Sphere OS meets this requirement as Microsoft provides OS security updates, and the AS3 service enables OEMs to provide application software updates. | </br> The Mediatek MT3620AN must be included in your design. Additional guidance for b |Name|SecuredCore.Policy.Vuln.Disclosure| |:|:| |Status|Required|-|Description|The purpose of this policy is to ensure that there's a mechanism for collecting and distributing reports of vulnerabilities in the product.| -|Validation Type|Prevalidated, no additional validation is required| -|Validation|Azure Sphere vulnerabilities are collected by Microsoft through MSRC and are published to customers through the Tech Community Blog, Azure Sphere “What’s New” page, and through Mitre’s CVE database.| +|Description|A mechanism for collecting and distributing reports of vulnerabilities in the product must be available.| +|Purpose|Provides a clear path for discovered vulnerabilities to be reported, assessed, and disclosed, enabling effective risk management and timely fixes.| +|Dependencies| Azure Sphere OS vulnerabilities can be reported to Microsoft Security Response Center (MSRC) and are published to customers through the Azure Sphere “What’s New” page, and through Mitre’s CVE database.| |Resources|<ul><li>[Report an issue and submission guidelines](https://www.microsoft.com/msrc/faqs-report-an-issue)</li><li>[What's new - Azure Sphere](/azure-sphere/product-overview/whats-new)</li><li>[Azure Sphere CVEs](/azure-sphere/deployment/azure-sphere-cves)</li></ul>| The Mediatek 
MT3620AN must be included in your design. Additional guidance for b |Name|SecuredCore.Policy.Vuln.Fixes| |:|:| |Status|Required|-|Description|The purpose of this policy is to ensure that vulnerabilities that are high/critical (using CVSS 3.0) are addressed within 180 days of the fix being available.| -|Validation Type|Prevalidated, no additional validation is required| -|Validation|Provided by Microsoft| -+|Description|Vulnerabilities that are high/critical (using Common Vulnerability Scoring System 3.0) must be addressed within 180 days of the fix being available.| +|Purpose|Ensures that high-impact vulnerabilities are addressed in a timely manner, reducing likelihood and impact of a successful exploit.| +|Dependencies| Azure Sphere OS meets this requirement as Microsoft provides OS security updates meeting the above requirement. The AS3 service enables OEMs to provide application software updates meeting this requirement.| </br> ::: zone-end |
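Review bot: the SecuredCore.Hardware.SecureEnclave hunk adds a Dependencies cell reading `Azure Sphere meets this requirement as MT3260 includes the Pluton security processor.`, but the part is MT3620 everywhere else in this file (the Hardware.Identity cell added in the same change says `MT3620 includes the integrated Pluton security processor`), so the digit transposition should be corrected before merge.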
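Review bot: the Dependencies cell added in the SecuredCore.Firmware.SecureBoot hunk ends with stray closing markup, `Microsoft-managed authenticated boot chain.</li></ul>|`, with no matching `<ul><li>` opener; the cell is a single sentence, so drop the tags as the neighbouring Firmware.Protection and Firmware.Attestation cells already do.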
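Review bot: in the SecuredCore.Manageability.Configuration hunk the new Dependencies row, `+|Dependencies| Azure Sphere meets this requirement through secure customer application configuration manifests, underpinned by a Microsoft-managed, and hardened OS. </br>`, is missing its closing `|`, so the table will not render that row correctly; terminate the cell with `|` before the `</br>` and drop the comma in `Microsoft-managed, and hardened`.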
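Review bot: the rename `-|Name|SecuredCore.Protection.SignedUpdates|` to `+|Name|SecuredCore.Protection.Update Resiliency|` introduces a requirement identifier containing a space, while every other identifier in the file is dotted CamelCase (for example `SecuredCore.Protection.SignedUpdates`, `SecuredCore.Policy.Updates.Duration`); use `SecuredCore.Protection.UpdateResiliency` so tooling and cross-references that key on these names keep working.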
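Review bot: the new SecuredCore.Protection.SignedUpdates block (`+|Dependencies| Azure Sphere meets this requirement.|`) is the only Dependencies cell in the Azure Sphere section that does not say how the requirement is met, whereas the adjacent SecuredCore.Update cell names the Microsoft-managed OS update path and AS3-delivered application updates; state the signing mechanism here as well so a reader can tell what validates update signatures.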
certification | Resources Glossary | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/certification/resources-glossary.md | - Title: Azure Certified Device program glossary -description: A list of common terms used in the Azure Certified Device program ---- Previously updated : 03/03/2021----# Azure Certified Device program glossary --This guide provides definitions of terms commonly used in the Azure Certified Device program and portal. Refer to this glossary for clarification to the certification process. For your convenience, this glossary is categorized based on major certification concepts that you may have questions about. --## Device class --When creating your certification project, you will be asked to specify a device class. Device class refers to the form factor or classification that best represents your device. --- **Gateway**-- A device that processes data sent over an IoT network. --- **Sensor**-- A device that detects and responds to changes to an environment and connects to gateways to process the changes. --- **Other**-- If you select Other, add a description of your device class in your own words. Over time, we may continue to add new values to this list, particularly as we continue to monitor feedback from our partners. --## Device type --You will also be asked to select one of two device types during the certification process. --- **Finished Product**-- A device that is solution-ready and ready for production deployment. Typically in a finished form factor with firmware and an operating system. These may be general-purpose devices that require additional customization or specialized devices that require no modifications for usage. -- **Solution-Ready Dev Kit**-- A development kit containing hardware and software ideal for easy prototyping, typically not in a finished form factor. Usually includes sample code and tutorials to enable quick prototyping. 
--## Component type --In the Device details section, you'll describe your device by listing components by component type. You can view more guidance on components [here](./how-to-using-the-components-feature.md). --- **Customer Ready Product**-- A component representation of the overall or primary device. This is different from a **Finished Product**, which is a classification of the device as being ready for customer use without further development. A Finished Product will contain a Customer Ready Product component. -- **Development Board**-- Either an integrated or detachable board with microprocessor for easy customization. -- **Peripheral**-- Either an integrated or detachable addition to the product (such as an accessory). These are typically devices that connect to the main device, but does not contribute to device primary functions. Instead, it provides additional functions. Memory, RAM, storage, hard disks, and CPUs are not considered peripheral devices (they instead should be listed under Additional Specs of the Customer Ready Product component). -- **System-On-Module** -- A board-level circuit that integrates a system function in a single module. --## Component attachment method --Component attachment method is another component detail that informs the customer about how the component is integrated into the overall product. --- **Integrated**- - Refers to when a device component is a part of the main chassis of the product. This most commonly refers to a peripheral component type that cannot be removed from the device. - Example: An integrated temperature sensor inside a gateway chassis. --- **Discrete**-- Refers to when a component is **not** a part of main chassis of the product. - Example: An external temperature sensor that must be attached to the device. ---## Next steps --This glossary will guide you through the process of certifying your project on the portal. You're now ready to begin your project! 
-- [Tutorial: Creating your project](./tutorial-01-creating-your-project.md) |
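Review bot: this removes resources-glossary.md outright, and no redirect entry for the old URL is visible in the change; the deleted body links to ./how-to-using-the-components-feature.md, which is not part of this change and may still link back to the glossary, so either add a redirect for the glossary URL or confirm that every remaining inbound link is removed in the same PR.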
certification | Tutorial 00 Selecting Your Certification | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/certification/tutorial-00-selecting-your-certification.md | - Title: Azure Certified Device program - Tutorial - Selecting your certification program -description: Step-by-step guide to selecting the right certification programs for your device ---- Previously updated : 03/19/2021----# Tutorial: Select your certification program --Congratulations on choosing the Azure Certified Device program! We're excited to have you join our ecosystem of certified devices. To begin, you must first determine which certification programs best suit your device capabilities. --In this tutorial, you learn to: --> [!div class="checklist"] -> * Select the best certification program(s) for your device --## Selecting a certification program for your device --All devices are required to meet the baseline requirements outlined by the **Azure Certified Device** certification. To better promote your device and help set it apart, we offer optional certification programs (ΓÇ£IoT Plug and PlayΓÇ¥, ΓÇ£Edge ManagedΓÇ¥ and ΓÇ£Edge Secured-core *preview") that validate additional capabilities. --1. Review each of the certification programs' in the table below to help identify which program is best suited to promote your device. -- |Program Requirements|Processor|Architecture|OS| - ||| - [Azure Certified Device](./program-requirements-azure-certified-device.md)|Any|Any|Any| - [IoT Plug and Play](./program-requirements-edge-secured-core.md)|Any|Any|Any| - [Edge Managed](./program-requirements-edge-managed.md)|MPU/CPU|ARM/x86/AMD64|[Tier 1 OS](../iot-edge/support.md?view=iotedge-2018-06&preserve-view=true)| - [*Edge Secured-core](./program-requirements-edge-secured-core.md)|MPU/CPU|ARM/AMD64|[Tier 1 OS](../iot-edge/support.md?view=iotedge-2018-06&preserve-view=true)| - --1. 
Review the specific requirements for the selected program and make sure your device is prepared to connect to Azure to validate the requirements. --## Next steps --You're now ready to begin certifying your device! Advance to the next article to begin your project. -> [!div class="nextstepaction"] ->[Tutorial: Creating your project](tutorial-01-creating-your-project.md) |
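Review bot: deleting tutorial-00-selecting-your-certification.md removes the entry point of the tutorial chain without a visible redirect, while the pages it referenced (program-requirements-azure-certified-device.md, program-requirements-edge-managed.md, program-requirements-edge-secured-core.md and ../iot-edge/support.md) stay; check those pages for links back to this tutorial. If the program table is being moved elsewhere rather than dropped, note that its IoT Plug and Play row pointed at ./program-requirements-edge-secured-core.md, which looks like a copy-paste error that should not be carried over.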
certification | Tutorial 01 Creating Your Project | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/certification/tutorial-01-creating-your-project.md | - Title: Azure Certified Device program - Tutorial - Creating your project -description: Guide to create a project on the Azure Certified Device portal ---- Previously updated : 06/22/2021----# Tutorial: Create your project --Congratulations on choosing to certify your device through the Azure Certified Device program! You've now selected the appropriate certification program for your device, and are ready to get started on the portal. --In this tutorial, you will learn how to: --> [!div class="checklist"] -> * Sign into the [Azure Certified Device portal](https://certify.azure.com/) -> * Create a new certification project for your device -> * Specify basic device details of your project --## Prerequisites --- Valid work/school [Microsoft Entra account](../active-directory/fundamentals/active-directory-whatis.md).-- Verified Microsoft Partner Network (MPN) account. If you don't have an MPN account, [join the partner network](https://partner.microsoft.com/) before you begin. --> [!NOTE] -> If you're having problems setting up or validating your MPN account, see the [Partner Center Support](/partner-center) documentation. ---## Signing into the Azure Certified Device portal --To get started, you must sign in to the portal, where you'll be providing your device information, completing certification testing, and managing your device publications to the Azure Certified Device catalog. --1. Go to the [Azure Certified Device portal](https://certify.azure.com). -1. Select `Company profile` on the left-hand side and update your manufacturer information. - ![Company profile section](./media/images/company-profile.png) -1. Accept the program agreement to begin your project. --## Creating your project on the portal --Now that you're all set up in the portal, you can begin the certification process. 
First, you must create a project for your device. --1. On the home screen, select `Create new project`. This will open a window to add basic device information in the next section. -- ![Image of the Create new project button](./media/images/create-new-project.png) --## Identifying basic device information --Then, you must supply basic device information. You can to edit this information later. --1. Complete the fields requested under the `Basics` section. Refer to the table below for clarification regarding the **required** fields: -- | Fields | Description | - ||-| - | Project name | Internal name that will not be visible on the Azure Certified Device catalog | - | Device name | Public name for your device | - | Device type | Specification of Finished Product or Solution-Ready Developer Kit. For more information about the terminology, see [Certification glossary](./resources-glossary.md). | - | Device class | Gateway, Sensor, or other. For more information about the terminology, see [Certification glossary](./resources-glossary.md). | - | Device source code URL | Required if you are certifying a Solution-Ready Dev Kit, optional otherwise. URL must be to a GitHub location for your device code. | -- > [!Note] - > If you are marketing a Microsoft service (e.g. Azure Sphere), please ensure that your device name adheres to Microsoft [branding guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks). --1. Select the `Next` button to continue to the `Certifications` tab. -- ![Image of the Create new project form, Certifications tab](./media/images/select-the-certification.png) --1. Specify which certification(s) you wish to achieve for your device. -1. Select `Create` and the new project will be saved and visible in the home page of the portal. -- ![Image of project table](./media/images/project-table.png) --1. Select on the Project name in the table. 
This will launch the project summary page where you can add and view other details about your device. -- ![Image of the project details page](./media/images/device-details-section.png) --## Next steps --You are now ready to add device details and test your device using our certification service. Advance to the next article to learn how to edit your device details. -> [!div class="nextstepaction"] -> [Tutorial: Adding device details](tutorial-02-adding-device-details.md) |
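Review bot: tutorial-01-creating-your-project.md was the page embedding ./media/images/company-profile.png, create-new-project.png, select-the-certification.png, project-table.png and device-details-section.png; none of those image files are removed in this change, so they become orphaned unless another page references them, and the portal URL https://certify.azure.com/ and the MPN prerequisite text are lost without a redirect to wherever that guidance now lives.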
certification | Tutorial 02 Adding Device Details | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/certification/tutorial-02-adding-device-details.md | - Title: Azure Certified Device program - Tutorial - Adding device details -description: A step-by-step guide to add device details to your project on the Azure Certified Device portal ---- Previously updated : 05/04/2021----# Tutorial: Add device details --Now you've created your project for your device, and you're all set to begin the certification process! First, let's add your device details. These will include technical specifications that your customers will be able to view on the Azure Certified Device catalog and the marketing details that they will use to purchase once they've made a decision. --In this tutorial, you learn how to: --> [!div class="checklist"] -> * Add device details using the Components and Dependencies features -> * Upload a Get Started guide for your device -> * Specify marketing details for customers to purchase your device -> * Optionally identify any industry certifications --## Prerequisites --* You should be signed in and have a project for your device created on the [Azure Certified Device portal](https://certify.azure.com). For more information, view the [tutorial](tutorial-01-creating-your-project.md). -* You should have a Get Started guide for your device in PDF format. We provide many Get Started templates for you to use, depending on both the certification program and your preferred language. The templates are available at our [Get started templates](https://aka.ms/GSTemplate "Get started templates") GitHub location. 
--## Adding technical device details --The first section of your project page, called 'Input device details', allows you to provide information on the core hardware capabilities of your device, such as device name, description, processor, operating system, connectivity options, hardware interfaces, industry protocols, physical dimensions, and more. While many of the fields are optional, most of this information will be made available to potential customers on the Azure Certified Device catalog if you choose to publish your device after it has been certified. --1. Click `Add` in the 'Input device details' section on your project summary page to open the device details section. You will see six sections for you to complete. --![Image of the project details page](./media/images/device-details-menu.png) --2. Review the information you previously provided when you created the project under the `Basics` tab. -1. Review the certifications you are applying for with your device under the `Certifications` tab. -1. Open the `Hardware` tab and add **at least** one discrete component that describes your device. You can also view our guidance on [component usage](how-to-using-the-components-feature.md). -1. Click `Save`. You will then be able to edit your component device and add more advanced details. -1. Add any relevant information regarding operating conditions (such as IP rating, operating temperature, or safety certification). --![Image of the hardware section](./media/images/hardware-section.png) --7. List additional device details not captured by the component details under `Additional product details`. -1. If you marked `Other` in any of the component fields or have a special circumstance you would like to flag with the Azure Certification team, leave a clarifying comment in the `Comments for reviewer` section. -1. Open the `Software` tab and select **at least** one operating system. -1. 
(**Required for Dev Kit devices** and highly recommended for all others) Select a level to indicate the expected set-up process to connect your device to Azure. If you select Level 2, you will be required to provide a link to the available software image. --![Image of the software section](./media/images/software-section.png) --11. Use the `Dependencies` tab to list any dependencies if your device requires additional hardware or services to send data to Azure. You can also view our additional guidance for [listing dependencies](how-to-indirectly-connected-devices.md). -1. Once you are satisfied with the information you've provided, you can use the `Review` tab for a read-only overview of the full set of device details that been entered. -1. Click `Project summary` at the top of the page to return to your summary page. --![Review project details page](./media/images/sample-device-details.png) --## Uploading a Get Started guide --The Get Started guide is a PDF document to simplify the setup and configuration and management of your product. Its purpose is to make it simple for customers to connect and support devices on Azure using your device. As part of the certification process, we require our partners to provide **one** Get Started guide for their most relevant certification program. --1. Double-check that you have provided all requested information in your Get Started guide PDF according to the supplied [templates](https://aka.ms/GSTemplate). The template that you use should be determined by the certification badge you are applying for. (For example, an IoT Plug and Play device will use the IoT Plug and Play template. Devices applying for *only* the Azure Certified Device baseline certification will use the Azure Certified Device template.) -1. Click `Add` in the 'Get Started' guide section of the project summary page. --![Image of GSG button](./media/images/gsg-menu.png) --2. Click 'Choose File' to upload your PDF. -1. 
Review the document in the preview for formatting. -1. Save your upload by clicking the 'Save' button. -1. Click `Project summary` at the top of the page to return to your summary page. --## Providing marketing details --In this area, you will provide customer-ready marketing information for your device. These fields will be showcased on the Azure Certified Device catalog if you choose to publish your certified device. --1. Click `Add` in the 'Add marketing details' section to open the marketing details page. --![Image of marketing details section](./media/images/marketing-details.png) --1. Upload a product photo in JPEG or PNG format that will be used in the catalog. -1. Write a short description of your device that will be displayed on the product description page of the catalog. -1. Indicate geographic availability of your device. -1. Provide a link to the manufacturer's marketing page for this device. This should be a link to a site that provides additional information about the device. - > [!Note] - > Please ensure all supplied URLs are valid or will be active at the time of publication following approval.*) --1. Indicate up to three target industries that your device is optimized for. -1. Provide information for up to five distributors of your device. This may include the manufacturer's own site. -- > [!Note] - > If no distributor product page URL is supplied, then the `Shop` button on the catalog will default to the link supplied for `Distributor page`, which may not be specific to the device. Ideally, the distributor URL should lead to a specific page where a customer can purchase a device, but is not mandatory. If the distributor is the same as the manufacturer, this URL may be the same as the manufacturer's marketing page.*) --1. Click `Save` to confirm your information. -1. Click `Project summary` at the top of the page to return to your summary page. 
--## Declaring additional industry certifications --You can also promote additional industry certifications you may have received for your device. These certifications can help provide further clarity on the intended use of your device and will be searchable on the Azure Certified Device catalog. --1. Click `Add` in the 'Provide industry certifications' section. -1. Click `Add a certification`to select from a list of the common industry certification programs. If your product has achieved a certification not in our list, you can specify a custom string value by selecting `Other (please specify)`. -1. Optionally provide a description or notes to the reviewer. However, these notes will not be publicly available to view on the catalog. -1. Click `Save` to confirm your information. -1. Click `Project summary` at the top of the page to return to your summary page. --## Next steps --Now you have completed the process of describing your device! This will help the Azure Certified Device review team and your customer better understand your product. Once you are satisfied with the information you've provided, you are now ready to move on to the testing phase of the certification process. -> [!div class="nextstepaction"] -> [Tutorial: Testing your device](tutorial-03-testing-your-device.md) |
certification | Tutorial 03 Testing Your Device | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/certification/tutorial-03-testing-your-device.md | - Title: Azure Certified Device program - Tutorial - Testing your device -description: A step-by-step guide to test you device with AICS service on the Azure Certified Device portal ---- Previously updated : 03/02/2021----# Tutorial: Test and submit your device --The next major phase of the certification process (though it can be completed before adding your device details) involves testing your device. Through the portal, you'll use the Azure IoT Certification Service (AICS) to demonstrate your device performance according to our certification requirements. Once you've successfully passed the testing phase, you'll then submit your device for final review and approval by the Azure Certification team! --In this tutorial, you learn how to: --> [!div class="checklist"] -> * Connect your device to IoT Hub using Device Provisioning Service (DPS) -> * Test your device according to your selected certification program(s) -> * Submit your device for review by the Azure Certification team --## Prerequisites --- You should be signed in and have a project for your device created on the [Azure Certified Device portal](https://certify.azure.com). For more information, view the [tutorial](tutorial-01-creating-your-project.md).-- (Optional) We advise that you prepare your device and manually verify their performance according to certification requirements. This is because if you wish to re-test with different device code or certification program, you will have to create a new project.--## Connecting your device using DPS --All certified devices are required to demonstrate the ability to connect to IoT Hub using DPS. The following steps walk you through how to successfully connect your device for testing on the portal. --1. 
To begin the testing phase, select the `Connect & test` link on the project summary page: -- ![Connect and test link](./media/images/connect-and-test-link.png) --1. Depending on the certification(s) selected, you'll see the required tests on the 'Connect & test' page. Review these to ensure that you're applying for the correct certification program. -- ![Connect and test page](./media/images/connect-and-test.png) --1. Connect your device to IoT Hub using the Device Provisioning Service (DPS). DPS supports connectivity options of Symmetric keys, X.509 certification, and a Trusted Platform Module (TPM). This is required for all certifications. -- - *For more information on connecting your device to Azure IoT Hub with DPS, visit [Provisioning devices overview](../iot-dps/about-iot-dps.md "Device Provisioning Service overview").* - -1. If using symmetric keys, you'll then be asked to configure the DPS with the supplied DPS ID scope, Device ID, authentication key, and DPS endpoint. Otherwise, you will be asked to provide either X.509 certificate or endorsement key. --1. After configuring your device with DPS, confirm the connection by clicking the `Connect` button at the bottom of the page. Upon successful connection, you can proceed to the testing phase by clicking the `Next` button. -- ![Connect and Test connected](./media/images/connected.png) --## Testing your device --Once you have successfully connected your device to AICS, you are now ready to run the certification tests specific to the certification program you are applying for. --1. **For Azure Certified Device certification**: In the 'Select device capability' tab, you will review and select which tests you wish to run on your device. -1. **For IoT Plug and Play certification**: Carefully review the parameters that will be checked during the test that you declared in your device model. -1. **For Edge Managed certification**: No additional steps are required beyond demonstrating connectivity. -1. 
Once you have completed the necessary preparations for the specified certification program, select `Next` to proceed to the 'Test' phase. -1. Select `Run tests` on the page to begin running AICS with your device. -1. Once you have received a notification that you have passed the tests, select `Finish` to return to your summary page. --![Test passed](./media/images/test-pass.png) --7. If you have additional questions or need troubleshooting assistance with AICS, visit our troubleshooting guide. --> [!NOTE] -> While you will be able to complete the online certification process for IoT Plug and Play and Edge Managed without having to submit your device for manual review, you may be contacted by a Azure Certified Device team member for further device validation beyond what is tested through our automation service. --## Submitting your device for review --Once you have completed all of the mandatory fields in the 'Device details' section and successfully passed the automated testing in the 'Connect & test' process, you can now notify the Azure Certified Device team that you are ready for certification review. --1. select `Submit for review` on the project summary page: -- ![Review and Certify link](./media/images/review-and-certify.png) --1. Confirm your submission in the pop-up window. Once a device has been submitted, all device details will be read-only until editing is requested. (See [How to edit your device information after publishing](./how-to-edit-published-device.md).) -- ![Start Certification review dialog](./media/images/start-certification-review.png) --1. Once the project is submitted, the project summary page will indicate the project is `Under Certification Review` by the Azure Certification team: -- ![Under Review](./media/images/review-and-certify-under-review.png) --1. Within 5-7 business days, expect an email response from the Azure Certification team to the address provided in your company profile regarding the status of your device submission. 
-- - Approved submission - Once your project has been reviewed and approved, you will receive an email. The email will include a set of files including the Azure Certified Device badge, badge usage guidelines, and other information on how to amplify the message that your device is certified. Congratulations! -- - Pending submission - In the case your project is not approved, you will be able to make changes to the project details and then resubmit the device for certification once ready. An email will be sent with information on why the project was not approved and steps to resubmit for certification. --## Next steps --Congratulations! Your device has now successfully passed all of the tests and has been approved through the Azure Certified Device program. You can now publish your device to our Azure Certified Device catalog, where customers can shop for your products with confidence in their performance with Azure. -> [!div class="nextstepaction"] -> [Tutorial: Publishing your device](tutorial-04-publishing-your-device.md) - |
certification | Tutorial 04 Publishing Your Device | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/certification/tutorial-04-publishing-your-device.md | - Title: Azure Certified Device program - Tutorial - Publishing your device -description: A step-by-step guide to publish your certified device to the Azure Certified Device catalog ---- Previously updated : 03/03/2021----# Tutorial: Publish your device --Congratulations on successfully certifying your device! Your product is joining an ecosystem of exceptional devices that work great with Azure. Now that your device has been certified, you can optionally publish your device details to the [Azure Certified Device catalog](https://devicecatalog.azure.com) for a world of customers to discover and buy. --In this tutorial, you learn how to: --> [!div class="checklist"] -> * Publish your device to the Azure Certified Device catalog --## Prerequisites --- You should be signed in and have an **approved** project for your device on the [Azure Certified Device portal](https://certify.azure.com). If you don't have a certified device, you can view this [tutorial](tutorial-01-creating-your-project.md) to get started.--## Publishing your device --Publishing your device is a simple process that will help bring customers to your product from the Azure Certified Device catalog. --1. To publish your device, click `Publish to Device Catalog` on the project summary page. -- ![Publish to Catalog](./media/images/publish-to-catalog.png) --1. Confirm the publication in the pop-up window -- ![Publish to Catalog confirmation](./media/images/publish-to-catalog-confirm.png) --1. You will receive notification to the email address in your company profile once the device has been processed the Azure Certified Device catalog. --## Next steps --Congratulations! Your certified device is now a part of the Azure Certified Device catalog, where customers can shop for your products with confidence in their performance with Azure! 
Thank you for being part of our ecosystem of certified IoT products. You will notice that your project page is now read-only. If you wish to make any updates to your device information, see our how-to guide. -> [!div class="nextstepaction"] -> [How to edit your published device](how-to-edit-published-device.md) - |
chaos-studio | Chaos Studio Limitations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/chaos-studio/chaos-studio-limitations.md | The following are known limitations in Chaos Studio. - **VMs require network access to Chaos studio** - For agent-based faults, the virtual machine must have outbound network access to the Chaos Studio agent service: - Regional endpoints to allowlist are listed in [Permissions and security in Azure Chaos Studio](chaos-studio-permissions-security.md#network-security). - If you're sending telemetry data to Application Insights, the IPs in [IP addresses used by Azure Monitor](../azure-monitor/ip-addresses.md) are also required.-+- **Network Disconnect Fault** - The agent-based "Network Disconnect" fault only affects new connections. Existing active connections continue to persist. You can restart the service or process to force connections to break. - **Version support** - Review the [Azure Chaos Studio version compatibility](chaos-studio-versions.md) page for more information on operating system, browser, and integration version compatibility.-- **Terraform** - Chaos Studio doesn't support Terraform at this time. - **PowerShell modules** - Chaos Studio doesn't have dedicated PowerShell modules at this time. For PowerShell, use our REST API - **Azure CLI** - Chaos Studio doesn't have dedicated AzCLI modules at this time. Use our REST API from AzCLI - **Azure Policy** - Chaos Studio doesn't support the applicable built-in policies for our service (audit policy for customer-managed keys and Private Link) at this time. -- **Private Link** To use Private Link for Agent Service, you need to have your subscription allowlisted and use our preview API version. We don't support Azure portal UI experiments for Agent-based experiments using Private Link. These restrictions do NOT apply to our Service-direct faults+- **Private Link** - We don't support Azure portal UI experiments for Agent-based experiments using Private Link. 
These restrictions do NOT apply to our Service-direct faults - **Customer-Managed Keys** You need to use our 2023-10-27-preview REST API via a CLI to create CMK-enabled experiments. We don't support portal UI experiments using CMK at this time.-- **Lockbox** At present, we don't have integration with Customer Lockbox. - **Java SDK** At present, we don't have a dedicated Java SDK. If this is something you would use, reach out to us with your feature request. - **Built-in roles** - Chaos Studio doesn't currently have its own built-in roles. Permissions can be attained to run a chaos experiment by either assigning an [Azure built-in role](chaos-studio-fault-providers.md) or a created custom role to the experiment's identity. - **Agent Service Tags** Currently we don't have service tags available for our Agent-based faults. |
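Review bot: The replacement Private Link bullet ends without a period after "Service-direct faults", and it removes the subscription-allowlist and preview-API requirement without saying whether that requirement is gone; since the Customer-Managed Keys bullet in the same list still requires the 2023-10-27-preview REST API, state explicitly whether Private Link for the agent service still needs the preview API version or keep that sentence. The bullet formatting is also inconsistent within the list: "Private Link", "Built-in roles" and "VMs require network access" use "**Label** -" while "Customer-Managed Keys", "Lockbox", "Java SDK" and "Agent Service Tags" have no separator, and "use our REST API" / "Use our REST API from AzCLI" lack terminal periods.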
cloud-services | Cloud Services Dotnet Install Dotnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cloud-services/cloud-services-dotnet-install-dotnet.md | You can use startup tasks to perform operations before a role starts. Installing if %ERRORLEVEL%== 0 echo %date% %time% : Successfully downloaded .NET framework %netfx% setup file. >> %startuptasklog% goto install - install: + :install REM ***** Installing .NET ***** echo Installing .NET with commandline: start /wait %~dp0%netfxinstallfile% /q /serialdownload /log %netfxinstallerlog% /chainingpackage "CloudService Startup Task" >> %startuptasklog% start /wait %~dp0%netfxinstallfile% /q /serialdownload /log %netfxinstallerlog% /chainingpackage "CloudService Startup Task" >> %startuptasklog% 2>>&1 |
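Review bot: Changing `install:` to `:install` is the right fix, since `goto install` earlier in the hunk can only jump to a line that begins with a colon, but both `start /wait %~dp0%netfxinstallfile%` lines still pass the installer path unquoted, so a space anywhere in the role's approot path breaks the command; suggest `start /wait "" "%~dp0%netfxinstallfile%" /q /serialdownload ...` (the empty string is needed because `start` treats a first quoted argument as the window title). It would also help to add a comment above the two lines noting that the first is only the `echo` of the command into the log and the second is the real invocation, since at a glance they read as an accidental duplicate.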
communication-services | Azure Communication Services Azure Cognitive Services Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/call-automation/azure-communication-services-azure-cognitive-services-integration.md | Azure AI services can be easily integrated into any application regardless of th ### Build applications that can play and recognize speech -With the ability to, connect your Azure AI services to Azure Communication Services, you can enable custom play functionality, using [Text-to-Speech](../../../../articles/cognitive-services/Speech-Service/text-to-speech.md) and [SSML](../../../../articles/cognitive-services/Speech-Service/speech-synthesis-markup.md) configuration, to play more customized and natural sounding audio to users. Through the Azure AI services connection, you can also use the Speech-To-Text service to incorporate recognition of voice responses that can be converted into actionable tasks through business logic in the application. These functions can be further enhanced through the ability to create custom models within Azure AI services that are bespoke to your domain and region, through the ability to choose which languages are spoken and recognized, custom voices and custom models built based on your experience. +With the ability to connect your Azure AI services to Azure Communication Services. You can enable custom play functionality, using [Text-to-Speech](../../../../articles/cognitive-services/Speech-Service/text-to-speech.md) and [Speech Synthesis Markup Language (SSML)](../../../../articles/cognitive-services/Speech-Service/speech-synthesis-markup.md) configuration, to play more customized and natural sounding audio to users. Through the Azure AI services connection, you can also use the Speech-To-Text service to incorporate recognition of voice responses that can be converted into actionable tasks through business logic in the application. 
These functions can be further enhanced through the ability to create custom models within Azure AI services that are bespoke to your domain and region, through the ability to choose which languages are spoken and recognized, custom voices and custom models built based on your experience. ## Run time flow [![Screen shot of integration run time flow.](./media/run-time-flow.png)](./media/run-time-flow.png#lightbox) ## Azure portal experience-You will need to connect your Azure Communication Services resource with the Azure AI resource through the Azure portal. There are two ways you can accomplish this step: +You'll need to connect your Azure Communication Services resource with the Azure AI resource through the Azure portal. There are two ways you can accomplish this step: - By navigating through the steps of the Cognitive Services tab in your Azure Communication Services (recommended). - Manually adding the Managed Identity to your Azure Communication Services resource. This step is more advanced and requires a little more effort to connect your Azure Communication Services to your Azure AI services. You will need to connect your Azure Communication Services resource with the Azu ### Connecting through the Azure portal 1. Open your Azure Communication Services resource and click on the Cognitive Services tab.-2. If system-assigned managed identity isn't enabled, you will need to enable it. +2. If system-assigned managed identity isn't enabled, you'll need to enable it. 3. In the Cognitive Services tab, click on "Enable Managed Identity" button. [![Screenshot of Enable Managed Identity button.](./media/enabled-identity.png)](./media/enabled-identity.png#lightbox) This integration between Azure Communication Services and Azure AI services is o - brazilsouth - uaenorth +## Known limitations ++- Text-to-Speech text prompts support a maximum of 400 characters, if your prompt is longer than this we suggest using SSML for Text-to-Speech based play actions. 
+- For scenarios where you exceed your Speech service quota limit, you can request to increase this limit by following the steps outlined [here](../../../ai-services/speech-service/speech-services-quotas-and-limits.md). + ## Next steps - Learn about [playing audio](../../concepts/call-automation/play-action.md) to callers using Text-to-Speech. - Learn about [gathering user input](../../concepts/call-automation/recognize-action.md) with Speech-to-Text. |
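Review bot: The rewritten opening of "Build applications that can play and recognize speech" is now a sentence fragment ("With the ability to connect your Azure AI services to Azure Communication Services.") followed by "You can enable ..."; join them back into one sentence, for example "By connecting your Azure AI services to Azure Communication Services, you can enable custom play functionality ...". In the new "Known limitations" list, "support a maximum of 400 characters, if your prompt is longer" is a comma splice (use a period or semicolon), and the link text "here" should be descriptive, such as "Speech service quotas and limits".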
communication-services | Play Action | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/call-automation/play-action.md | As part of compliance requirements in various industries, vendors are expected t ![Screenshot of flow for play action.](./media/play-action.png) ## Known limitations-- Play action isn't enabled to work with Teams Interoperability.+- Text-to-Speech text prompts support a maximum of 400 characters, if your prompt is longer than this we suggest using SSML for Text-to-Speech based play actions. +- For scenarios where you exceed your Speech service quota limit, you can request to increase this lilmit by following the steps outlined [here](../../../ai-services/speech-service/speech-services-quotas-and-limits.md). ## Next Steps - Check out our how-to guide to learn [how-to play custom voice prompts](../../how-tos/call-automation/play-action.md) to users. |
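Review bot: "lilmit" in the quota bullet is a typo for "limit". The hunk also deletes the "Play action isn't enabled to work with Teams Interoperability" limitation without replacing it; if Teams interop is now supported for play actions, say so in the commit, otherwise keep the bullet. The "400 characters, if your prompt is longer" comma splice from the integration article is repeated here.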
communication-services | Recognize Action | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/call-automation/recognize-action.md | The recognize action can be used for many reasons, here are a few examples of ho ## Known limitation - In-band DTMF is not supported, use RFC 2833 DTMF instead.+- Text-to-Speech text prompts support a maximum of 400 characters, if your prompt is longer than this we suggest using SSML for Text-to-Speech based play actions. +- For scenarios where you exceed your Speech service quota limit, you can request to increase this lilmit by following the steps outlined [here](../../../ai-services/speech-service/speech-services-quotas-and-limits.md). ## Next steps - Check out our how-to guide to learn how you can [gather user input](../../how-tos/call-automation/recognize-action.md). |
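Review bot: Same "lilmit" typo and comma splice as in the play-action concept article. The heading is also the singular "Known limitation" while the list now has three items; rename it "Known limitations" to match the other Call Automation pages.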
communication-services | Custom Context | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/how-tos/call-automation/custom-context.md | Title: Azure Communication Services Call Automation how-to for passing call contextual data in Call Automation description: Provides a how-to guide for passing contextual information with Call Automation.-+ For all the code samples, `client` is CallAutomationClient object that can be cr ## Technical parameters Call Automation supports up to 5 custom SIP headers and 1000 custom VOIP headers. Additionally, developers can include a dedicated User-To-User header as part of SIP headers list. -The custom SIP header key must start with a mandatory ΓÇÿX-MS-Custom-ΓÇÖ prefix. The maximum length of a SIP header key is 64 chars, including the X-MS-Custom prefix. The maximum length of SIP header value is 256 chars. The same limitations apply when configuring the SIP headers on your SBC. +The custom SIP header key must start with a mandatory ΓÇÿX-MS-Custom-ΓÇÖ prefix. The maximum length of a SIP header key is 64 chars, including the X-MS-Custom prefix. The SIP header key may consist of alphanumeric characters and a few selected symbols which includes ".", "!", "%", "\*", "_", "+", "~", "-". The maximum length of SIP header value is 256 chars. The same limitations apply when configuring the SIP headers on your SBC. The SIP header value may consist of alphanumeric characters and a few selected symbols which includes "=", ";", ".", "!", "%", "*", "_", "+", "~", "-". The maximum length of a VOIP header key is 64 chars. These headers can be sent without ΓÇÿx-MS-CustomΓÇÖ prefix. The maximum length of VOIP header value is 1024 chars. |
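Review bot: The expanded sentence keeps the mojibake "ΓÇÿX-MS-Custom-ΓÇÖ" and "ΓÇÿx-MS-CustomΓÇÖ" (should be plain quoted 'X-MS-Custom-' and 'X-MS-Custom'), and "a few selected symbols which includes" should read "which include". The two allowed-symbol lists are escaped differently: the key list writes "\*" and the value list writes "*", so in rendered Markdown one may show a literal backslash and the other may start an italic span; escape both the same way. Because integrators use this paragraph to validate custom SIP headers before forwarding them to an SBC, it is worth stating explicitly that the value character set is the key set plus "=" and ";", so the two lists are not misread as identical.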
communication-services | Play Action | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/how-tos/call-automation/play-action.md | This guide will help you get started with playing audio files to participants by |PlayFailed | 500 | 9999 | Unknown internal server error | |PlayFailed | 500 | 8572 | Action failed due to play service shutdown. | +## Known limitations +- Text-to-Speech text prompts support a maximum of 400 characters, if your prompt is longer than this we suggest using SSML for Text-to-Speech based play actions. +- For scenarios where you exceed your Speech service quota limit, you can request to increase this lilmit by following the steps outlined [here](../../../ai-services/speech-service/speech-services-quotas-and-limits.md). ## Clean up resources |
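Review bot: "lilmit" should be "limit". This is the same two-bullet block added to the two concept articles and the recognize how-to in this change; an include file would keep the four copies from drifting apart.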
communication-services | Recognize Action | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/how-tos/call-automation/recognize-action.md | This guide will help you get started with recognizing DTMF input provided by par ## Known limitations - In-band DTMF is not supported, use RFC 2833 DTMF instead.+- Text-to-Speech text prompts support a maximum of 400 characters, if your prompt is longer than this we suggest using SSML for Text-to-Speech based play actions. +- For scenarios where you exceed your Speech service quota limit, you can request to increase this lilmit by following the steps outlined [here](../../../ai-services/speech-service/speech-services-quotas-and-limits.md). ## Clean up resources |
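Review bot: Typo "lilmit" for "limit" in the quota bullet, as in the other three Call Automation articles touched by this change; the comma splice in the 400-character bullet is repeated here as well.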
confidential-computing | Quick Create Confidential Vm Azure Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/quick-create-confidential-vm-azure-cli.md | az group create --name myResourceGroup --location northeurope Create a VM with the [az vm create](/cli/azure/vm) command. The following example creates a VM named *myVM* and adds a user account named *azureuser*. The `--generate-ssh-keys` parameter is used to automatically generate an SSH key, and put it in the default key location(*~/.ssh*). To use a specific set of keys instead, use the `--ssh-key-values` option.-For `size`, select a confidential VM size. For more information, see [supported confidential VM families](virtual-machine-solutions.md). +For `size`, select a confidential VM size. For more information, see [supported confidential VM families](virtual-machine-options.md). Choose `VMGuestStateOnly` for no OS disk confidential encryption. Or, choose `DiskWithVMGuestState` for OS disk confidential encryption with a platform-managed key. Secure Boot is enabled by default, but is optional for `VMGuestStateOnly`. For more information, see [secure boot and vTPM](../virtual-machines/trusted-launch.md). For more information on disk encryption and encryption at host, see [confidential OS disk encryption](confidential-vm-overview.md) and [encryption at host](/azure/virtual-machines/linux/disks-enable-host-based-encryption-cli). |
confidential-computing | Quick Create Confidential Vm Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/quick-create-confidential-vm-portal.md | To create a confidential VM in the Azure portal using an Azure Marketplace image h. Toggle [Generation 2](../virtual-machines/generation-2.md) images. Confidential VMs only run on Generation 2 images. To ensure, under **Image**, select **Configure VM generation**. In the pane **Configure VM generation**, for **VM generation**, select **Generation 2**. Then, select **Apply**. - i. For **Size**, select a VM size. For more information, see [supported confidential VM families](virtual-machine-solutions.md). + i. For **Size**, select a VM size. For more information, see [supported confidential VM families](virtual-machine-options.md). j. For **Authentication type**, if you're creating a Linux VM, select **SSH public key** . If you don't already have SSH keys, [create SSH keys for your Linux VMs](../virtual-machines/linux/mac-create-ssh-keys.md). |
confidential-computing | Trusted Execution Environment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/trusted-execution-environment.md | Azure confidential computing has two offerings: one for enclave-based workloads The enclave-based offering uses [Intel Software Guard Extensions (SGX)](virtual-machine-solutions-sgx.md) to create a protected memory region called Encrypted Protected Cache (EPC) within a VM. This allows customers to run sensitive workloads with strong data protection and privacy guarantees. Azure Confidential computing launched the first enclave-based offering in 2020. -The lift and shift offering uses [AMD SEV-SNP (GA)](virtual-machine-solutions.md) or [Intel TDX (preview)](tdx-confidential-vm-overview.md) to encrypt the entire memory of a VM. This allows customers to migrate their existing workloads to Azure confidential Compute without any code changes or performance degradation. +The lift and shift offering uses [AMD SEV-SNP (GA)](virtual-machine-options.md) or [Intel TDX (preview)](tdx-confidential-vm-overview.md) to encrypt the entire memory of a VM. This allows customers to migrate their existing workloads to Azure confidential Compute without any code changes or performance degradation. Many of these underlying technologies are used to deliver [confidential IaaS and PaaS services](overview-azure-products.md) in the Azure platform making it simple for customers to adopt confidential computing in their solutions. |
confidential-computing | Virtual Machine Options | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/virtual-machine-options.md | + + Title: Azure Confidential VM options +description: Azure Confidential Computing offers multiple options for confidential virtual machines on AMD and Intel processors. +++++++ Last updated : 11/15/2023+++# Azure Confidential VM options ++Azure offers multiple confidential VMs options leveraging Trusted Execution Environments (TEE) technologies from both AMD and Intel to harden the virtualization environment. These technologies enable you to provision confidential computing environments with excellent price-to-performance without code changes. ++AMD confidential VMs leverage [Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP)](https://www.amd.com/system/files/TechDocs/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf) which was introduced with 3rd Gen AMD EPYC™ processors. Intel confidential VMs use [Trust Domain Extensions (TDX)](https://cdrdv2-public.intel.com/690419/TDX-Whitepaper-February2022.pdf) which was introduced with 4th Gen Intel® Xeon® processors. ++## Sizes ++You can create confidential VMs in the following size families: ++| Size Family | TEE | Description | +| | | -- | +| **DCasv5-series** | AMD SEV-SNP | General purpose CVM with remote storage. No local temporary disk. | +| **DCesv5-series** | Intel TDX | General purpose CVM with remote storage. No local temporary disk. | +| **DCadsv5-series** | AMD SEV-SNP | General purpose CVM with local temporary disk. | +| **DCedsv5-series** | Intel TDX | General purpose CVM with local temporary disk. | +| **ECasv5-series** | AMD SEV-SNP | Memory-optimized CVM with remote storage. No local temporary disk. | +| **ECesv5-series** | Intel TDX | Memory-optimized CVM with remote storage. No local temporary disk. | +| **ECadsv5-series** | AMD SEV-SNP | Memory-optimized CVM with local temporary disk. 
| +| **ECedsv5-series** | Intel TDX | Memory-optimized CVM with local temporary disk. | ++> [!NOTE] +> Memory-optimized confidential VMs offer double the ratio of memory per vCPU count. ++## Azure CLI commands ++You can use the [Azure CLI](/cli/azure/install-azure-cli) with your confidential VMs. ++To see a list of confidential VM sizes, run the following command. Replace `<vm-series>` with the series you want to use. The output shows information about available regions and availability zones. ++```azurecli-interactive +vm_series='DCASv5' +az vm list-skus \ + --size dc \ + --query "[?family=='standard${vm_series}Family'].{name:name,locations:locationInfo[0].location,AZ_a:locationInfo[0].zones[0],AZ_b:locationInfo[0].zones[1],AZ_c:locationInfo[0].zones[2]}" \ + --all \ + --output table +``` ++For a more detailed list, run the following command instead: ++```azurecli-interactive +vm_series='DCASv5' +az vm list-skus \ + --size dc \ + --query "[?family=='standard${vm_series}Family']" +``` ++## Deployment considerations ++Consider the following settings and choices before deploying confidential VMs. ++### Azure subscription ++To deploy a confidential VM instance, consider a [pay-as-you-go subscription](/azure/virtual-machines/linux/azure-hybrid-benefit-linux) or other purchase option. If you're using an [Azure free account](https://azure.microsoft.com/free/), the quota doesn't allow the appropriate number of Azure compute cores. ++You might need to increase the cores quota in your Azure subscription from the default value. Default limits vary depending on your subscription category. Your subscription might also limit the number of cores you can deploy in certain VM size families, including the confidential VM sizes. ++To request a quota increase, [open an online customer support request](../azure-portal/supportability/per-vm-quota-requests.md). ++If you have large-scale capacity needs, contact Azure Support. Azure quotas are credit limits, not capacity guarantees. 
You only incur charges for cores that you use. ++### Pricing ++For pricing options, see the [Linux Virtual Machines Pricing](https://azure.microsoft.com/pricing/details/virtual-machines/linux/). ++### Regional availability ++For availability information, see which [VM products are available by Azure region](https://azure.microsoft.com/global-infrastructure/services/?products=virtual-machines). ++### Resizing ++Confidential VMs run on specialized hardware, so you can only [resize confidential VM instances](confidential-vm-faq.yml#can-i-convert-a-dcasv5-ecasv5-cvm-into-a-dcesv5-ecesv5-cvm-or-a-dcesv5-ecesv5-cvm-into-a-dcasv5-ecasv5-cvm-) to other confidential sizes in the same region. For example, if you have a DCasv5-series VM, you can resize to another DCasv5-series instance or a DCesv5-series instance. ++It's not possible to resize a non-confidential VM to a confidential VM. ++### Guest OS support ++OS images for confidential VMs have to meet certain security and compatibility requirements. Qualified images support the secure mounting, attestation, optional [confidential OS disk encryption](confidential-vm-overview.md#confidential-os-disk-encryption), and isolation from underlying cloud infrastructure. 
These images include: ++- Ubuntu 20.04 LTS (AMD SEV-SNP supported only) +- Ubuntu 22.04 LTS +- Red Hat Enterprise Linux 9.3 (AMD SEV-SNP supported only) +- Windows Server 2019 Datacenter - x64 Gen 2 (AMD SEV-SNP supported only) +- Windows Server 2019 Datacenter Server Core - x64 Gen 2 (AMD SEV-SNP supported only) +- Windows Server 2022 Datacenter - x64 Gen 2 +- Windows Server 2022 Datacenter: Azure Edition Core - x64 Gen 2 +- Windows Server 2022 Datacenter: Azure Edition - x64 Gen 2 +- Windows Server 2022 Datacenter Server Core - x64 Gen 2 +- Windows 11 Enterprise N, version 22H2 -x64 Gen 2 +- Windows 11 Pro, version 22H2 ZH-CN -x64 Gen 2 +- Windows 11 Pro, version 22H2 -x64 Gen 2 +- Windows 11 Pro N, version 22H2 -x64 Gen 2 +- Windows 11 Enterprise, version 22H2 -x64 Gen 2 +- Windows 11 Enterprise multi-session, version 22H2 -x64 Gen 2 ++As we work to onboard more OS images with confidential OS disk encryption, there are various images available in early preview that can be tested. You can sign up below: ++- [Red Hat Enterprise Linux 9.3 (Support for Intel TDX)](https://aka.ms/tdx-rhel-93-preview) +- [SUSE Enterprise Linux 15 SP5 (Support for Intel TDX, AMD SEV-SNP)](https://aka.ms/cvm-sles-preview) +- [SUSE Enterprise Linux 15 SAP SP5 (Support for Intel TDX, AMD SEV-SNP)](https://aka.ms/cvm-sles-preview) ++For more information about supported and unsupported VM scenarios, see [support for generation 2 VMs on Azure](../virtual-machines/generation-2.md). ++### High availability and disaster recovery ++You're responsible for creating high availability and disaster recovery solutions for your confidential VMs. Planning for these scenarios helps minimize and avoid prolonged downtime. ++### Deployment with ARM templates ++Azure Resource Manager is the deployment and management service for Azure. You can: ++- Secure and organize your resources after deployment with the management features, like access control, locks, and tags. 
+- Create, update, and delete resources in your Azure subscription using the management layer. +- Use [Azure Resource Manager templates (ARM templates)](../azure-resource-manager/templates/overview.md) to deploy confidential VMs on AMD processors. There is an available [ARM template for confidential VMs](https://aka.ms/CVMTemplate). ++Make sure to specify the following properties for your VM in the parameters section (`parameters`): ++- VM size (`vmSize`). Choose from the different [confidential VM families and sizes](#sizes). +- OS image name (`osImageName`). Choose from the qualified OS images. +- Disk encryption type (`securityType`). Choose from VMGS-only encryption (`VMGuestStateOnly`) or full OS disk pre-encryption (`DiskWithVMGuestState`), which might result in longer provisioning times. For Intel TDX instances only we also support another security type (`NonPersistedTPM`) which has no VMGS or OS disk encryption. ++## Next steps ++> [!div class="nextstepaction"] +> [Deploy a confidential VM from the Azure portal](quick-create-confidential-vm-portal.md) ++For more information see our [Confidential VM FAQ](confidential-vm-faq.yml). |
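Review bot: The two `az vm list-skus` snippets under "Azure CLI commands" filter with `--size dc`, a partial size-name match, so when a reader substitutes an EC series into the variable (the prose says to replace `<vm-series>`, but the snippets use `vm_series='DCASv5'`) the `family` query finds nothing because EC sizes do not contain "dc"; drop `--size dc`, or derive the size filter from the same variable, and rename the placeholder in the prose to `vm_series` so it matches the code. Under "Deployment with ARM templates", "deploy confidential VMs on AMD processors" contradicts the Intel TDX sizes the page lists; either say "AMD and Intel" or state that the linked template is AMD-only. The `securityType` bullet is the page's one security-relevant choice: it already says `VMGuestStateOnly` encrypts only the VMGS and `NonPersistedTPM` encrypts neither VMGS nor OS disk, so add one sentence that only `DiskWithVMGuestState` protects the OS disk, making the trade-off against longer provisioning explicit rather than implied.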
confidential-computing | Virtual Machine Solutions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/virtual-machine-solutions.md | Title: Azure Confidential VM options -description: Azure Confidential Computing offers multiple options for confidential virtual machines on AMD and Intel processors. + Title: For Deletion +description: For Deletion -# Azure Confidential VM options --Azure offers multiple confidential VMs options leveraging Trusted Execution Environments (TEE) technologies from both AMD and Intel to harden the virtualization environment. These technologies enable you to provision confidential computing environments with excellent price-to-performance without code changes. --AMD confidential VMs leverage [Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP)](https://www.amd.com/system/files/TechDocs/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf) which was introduced with 3rd Gen AMD EPYC™ processors. Intel confidential VMs use [Trust Domain Extensions (TDX)](https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-whitepaper-v4.pdf) which was introduced with 4th Gen Intel® Xeon® processors. --## Sizes --You can create confidential VMs in the following size families: --| Size Family | TEE | Description | -| | | -- | -| **DCasv5-series** | AMD SEV-SNP | General purpose CVM with remote storage. No local temporary disk. | -| **DCesv5-series** | Intel TDX | General purpose CVM with remote storage. No local temporary disk. | -| **DCadsv5-series** | AMD SEV-SNP | General purpose CVM with local temporary disk. | -| **DCedsv5-series** | Intel TDX | General purpose CVM with local temporary disk. | -| **ECasv5-series** | AMD SEV-SNP | Memory-optimized CVM with remote storage. No local temporary disk. | -| **ECesv5-series** | Intel TDX | Memory-optimized CVM with remote storage. No local temporary disk. 
| -| **ECadsv5-series** | AMD SEV-SNP | Memory-optimized CVM with local temporary disk. | -| **ECedsv5-series** | Intel TDX | Memory-optimized CVM with local temporary disk. | --> [!NOTE] -> Memory-optimized confidential VMs offer double the ratio of memory per vCPU count. --## Azure CLI commands --You can use the [Azure CLI](/cli/azure/install-azure-cli) with your confidential VMs. --To see a list of confidential VM sizes, run the following command. Replace `<vm-series>` with the series you want to use. The output shows information about available regions and availability zones. --```azurecli-interactive -vm_series='DCASv5' -az vm list-skus \ - --size dc \ - --query "[?family=='standard${vm_series}Family'].{name:name,locations:locationInfo[0].location,AZ_a:locationInfo[0].zones[0],AZ_b:locationInfo[0].zones[1],AZ_c:locationInfo[0].zones[2]}" \ - --all \ - --output table -``` --For a more detailed list, run the following command instead: --```azurecli-interactive -vm_series='DCASv5' -az vm list-skus \ - --size dc \ - --query "[?family=='standard${vm_series}Family']" -``` --## Deployment considerations --Consider the following settings and choices before deploying confidential VMs. --### Azure subscription --To deploy a confidential VM instance, consider a [pay-as-you-go subscription](/azure/virtual-machines/linux/azure-hybrid-benefit-linux) or other purchase option. If you're using an [Azure free account](https://azure.microsoft.com/free/), the quota doesn't allow the appropriate number of Azure compute cores. --You might need to increase the cores quota in your Azure subscription from the default value. Default limits vary depending on your subscription category. Your subscription might also limit the number of cores you can deploy in certain VM size families, including the confidential VM sizes. --To request a quota increase, [open an online customer support request](../azure-portal/supportability/per-vm-quota-requests.md). 
--If you have large-scale capacity needs, contact Azure Support. Azure quotas are credit limits, not capacity guarantees. You only incur charges for cores that you use. --### Pricing --For pricing options, see the [Linux Virtual Machines Pricing](https://azure.microsoft.com/pricing/details/virtual-machines/linux/). --### Regional availability --For availability information, see which [VM products are available by Azure region](https://azure.microsoft.com/global-infrastructure/services/?products=virtual-machines). --### Resizing --Confidential VMs run on specialized hardware, so you can only [resize confidential VM instances](confidential-vm-faq.yml#can-i-convert-a-dcasv5-ecasv5-cvm-into-a-dcesv5-ecesv5-cvm-or-a-dcesv5-ecesv5-cvm-into-a-dcasv5-ecasv5-cvm-) to other confidential sizes in the same region. For example, if you have a DCasv5-series VM, you can resize to another DCasv5-series instance or a DCesv5-series instance. --It's not possible to resize a non-confidential VM to a confidential VM. --### Guest Operating System Support --OS images for confidential VMs have to meet certain security and compatibility requirements. Qualified images support the secure mounting, attestation, optional [confidential OS disk encryption](confidential-vm-overview.md#confidential-os-disk-encryption), and isolation from underlying cloud infrastructure. 
These images include: --- Ubuntu 20.04 LTS (AMD SEV-SNP supported only)-- Ubuntu 22.04 LTS-- Red Hat Enterprise Linux 9.3 (AMD SEV-SNP supported only)-- Windows Server 2019 Datacenter - x64 Gen 2 (AMD SEV-SNP supported only)-- Windows Server 2019 Datacenter Server Core - x64 Gen 2 (AMD SEV-SNP supported only)-- Windows Server 2022 Datacenter - x64 Gen 2-- Windows Server 2022 Datacenter: Azure Edition Core - x64 Gen 2-- Windows Server 2022 Datacenter: Azure Edition - x64 Gen 2-- Windows Server 2022 Datacenter Server Core - x64 Gen 2-- Windows 11 Enterprise N, version 22H2 -x64 Gen 2-- Windows 11 Pro, version 22H2 ZH-CN -x64 Gen 2-- Windows 11 Pro, version 22H2 -x64 Gen 2-- Windows 11 Pro N, version 22H2 -x64 Gen 2-- Windows 11 Enterprise, version 22H2 -x64 Gen 2-- Windows 11 Enterprise multi-session, version 22H2 -x64 Gen 2--As we work to onboard more OS images with confidential OS disk encryption, there are various images available in early preview that can be tested. You can sign up below: --- [Red Hat Enterprise Linux 9.3 (Support for Intel TDX)](https://aka.ms/tdx-rhel-93-preview)-- [SUSE Enterprise Linux 15 SP5 (Support for Intel TDX, AMD SEV-SNP)](https://aka.ms/cvm-sles-preview)-- [SUSE Enterprise Linux 15 SAP SP5 (Support for Intel TDX, AMD SEV-SNP)](https://aka.ms/cvm-sles-preview)--For more information about supported and unsupported VM scenarios, see [support for generation 2 VMs on Azure](../virtual-machines/generation-2.md). --### High availability and disaster recovery --You're responsible for creating high availability and disaster recovery solutions for your confidential VMs. Planning for these scenarios helps minimize and avoid prolonged downtime. --### Deployment with ARM templates --Azure Resource Manager is the deployment and management service for Azure. You can: --- Secure and organize your resources after deployment with the management features, like access control, locks, and tags. 
-- Create, update, and delete resources in your Azure subscription using the management layer.-- Use [Azure Resource Manager templates (ARM templates)](../azure-resource-manager/templates/overview.md) to deploy confidential VMs on AMD processors. There is an available [ARM template for confidential VMs](https://aka.ms/CVMTemplate). --Make sure to specify the following properties for your VM in the parameters section (`parameters`): --- VM size (`vmSize`). Choose from the different [confidential VM families and sizes](#sizes).-- OS image name (`osImageName`). Choose from the qualified OS images. -- Disk encryption type (`securityType`). Choose from VMGS-only encryption (`VMGuestStateOnly`) or full OS disk pre-encryption (`DiskWithVMGuestState`), which might result in longer provisioning times. For Intel TDX instances only we also support another security type (`NonPersistedTPM`) which has no VMGS or OS disk encryption.--## Next steps --> [!div class="nextstepaction"] -> [Deploy a confidential VM from the Azure portal](quick-create-confidential-vm-portal.md) --For more information see our [Confidential VM FAQ](confidential-vm-faq.yml). +# For Deletion |
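Review bot: Replacing the whole body of virtual-machine-solutions.md with "# For Deletion" (and the same text in `Title:` and `description:`) leaves a published page whose title and summary read "For Deletion" until the file is actually removed; delete the file in the same change and add a redirect to virtual-machine-options.md, which this history shows carrying the identical content, so existing links and search results do not land on an empty page. The two copies also differ in the Intel TDX whitepaper link (`https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-whitepaper-v4.pdf` here versus `https://cdrdv2-public.intel.com/690419/TDX-Whitepaper-February2022.pdf` in the new page); confirm the surviving page points at the intended version.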
container-apps | Compare Options | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/compare-options.md | |
container-apps | Dapr Component Resiliency | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/dapr-component-resiliency.md | -You can configure resiliency policies like retries and timeouts for the following outbound and inbound operation directions via a Dapr component: +You can configure resiliency policies like retries, timeouts, and circuit breakers for the following outbound and inbound operation directions via a Dapr component: - **Outbound operations:** Calls from the Dapr sidecar to a component, such as: - Persisting or retrieving state The following screenshot shows how an application uses a retry policy to attempt - [Timeouts](#timeouts) - [Retries (HTTP)](#retries)+- [Circuit breakers](#circuit-breakers) ## Configure resiliency policies You can choose whether to create resiliency policies using Bicep, the CLI, or th The following resiliency example demonstrates all of the available configurations. ```bicep-resource myPolicyDoc 'Microsoft.App/managedEnvironments/daprComponents/resiliencyPolicies@2023-08-01-preview' = { +resource myPolicyDoc 'Microsoft.App/managedEnvironments/daprComponents/resiliencyPolicies@2023-11-02-preview' = { name: 'my-component-resiliency-policies' parent: '${componentName}' properties: { resource myPolicyDoc 'Microsoft.App/managedEnvironments/daprComponents/resilienc initialDelayInMilliseconds: 1000 maxIntervalInMilliseconds: 10000 }- } + } + circuitBreakerPolicy: { + intervalInSeconds: 15 + consecutiveErrors: 10 + timeoutInSeconds: 5 + } } inboundPolicy: { timeoutPolicy: { resource myPolicyDoc 'Microsoft.App/managedEnvironments/daprComponents/resilienc initialDelayInMilliseconds: 1000 maxIntervalInMilliseconds: 10000 }- } + } + circuitBreakerPolicy: { + intervalInSeconds: 15 + consecutiveErrors: 10 + timeoutInSeconds: 5 + } } } } outboundPolicy: maxIntervalInMilliseconds: 10000 timeoutPolicy: responseTimeoutInSeconds: 15+ circuitBreakerPolicy: + intervalInSeconds: 15 + consecutiveErrors: 10 + 
timeoutInSeconds: 5 inboundPolicy: httpRetryPolicy: maxRetries: 3 retryBackOff: initialDelayInMilliseconds: 500 maxIntervalInMilliseconds: 5000+ circuitBreakerPolicy: + intervalInSeconds: 15 + consecutiveErrors: 10 + timeoutInSeconds: 5 ``` ### Update specific policies In the resiliency policy pane, select **Outbound** or **Inbound** to set policie Click **Save** to save the resiliency policies. +> [!NOTE] +> Currently, you can only set timeout and retry policies via the Azure portal. + You can edit or remove the resiliency policies by selecting **Edit resiliency**. :::image type="content" source="media/dapr-component-resiliency/edit-dapr-component-resiliency.png" alt-text="Screenshot showing how you can edit existing resiliency policies for the applicable Dapr component."::: properties: { | `retryBackOff.initialDelayInMilliseconds` | Yes | Delay between first error and first retry. | `1000` | | `retryBackOff.maxIntervalInMilliseconds` | Yes | Maximum delay between retries. | `10000` | +### Circuit breakers ++Define a `circuitBreakerPolicy` to monitor requests causing elevated failure rates and shut off all traffic to the impacted service when a certain criteria is met. ++```bicep +properties: { + outbound: { + circuitBreakerPolicy: { + intervalInSeconds: 15 + consecutiveErrors: 10 + timeoutInSeconds: 5 + } + }, + inbound: { + circuitBreakerPolicy: { + intervalInSeconds: 15 + consecutiveErrors: 10 + timeoutInSeconds: 5 + } + } +} +``` ++| Metadata | Required | Description | Example | +| -- | | -- | - | +| `intervalInSeconds` | No | Cyclical period of time (in seconds) used by the circuit breaker to clear its internal counts. If not provided, the interval is set to the same value as provided for `timeoutInSeconds`. | `15` | +| `consecutiveErrors` | Yes | Number of request errors allowed to occur before the circuit trips and opens. | `10` | +| `timeoutInSeconds` | Yes | Time period (in seconds) of open state, directly after failure. 
| `5` | ++#### Circuit breaker process ++Specifying `consecutiveErrors` (the circuit trip condition as +`consecutiveFailures > $(consecutiveErrors)-1`) sets the number of errors allowed to occur before the circuit trips and opens halfway. ++The circuit waits half-open for the `timeoutInSeconds` amount of time, during which the `consecutiveErrors` number of requests must consecutively succeed. +- _If the requests succeed,_ the circuit closes. +- _If the requests fail,_ the circuit remains in a half-opened state. ++If you didn't set any `intervalInSeconds` value, the circuit resets to a closed state after the amount of time you set for `timeoutInSeconds`, regardless of consecutive request success or failure. If you set `intervalInSeconds` to `0`, the circuit never automatically resets, only moving from half-open to closed state by successfully completing `consecutiveErrors` requests in a row. ++If you did set an `intervalInSeconds` value, that determines the amount of time before the circuit is reset to closed state, independent of whether the requests sent in half-opened state succeeded or not. + ## Resiliency logs From the *Monitoring* section of your container app, select **Logs**. |
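Review bot: The "Circuit breaker process" subsection contradicts the metadata table just above it: the table defines `timeoutInSeconds` as the "time period (in seconds) of open state, directly after failure", while the process text says the circuit "opens halfway" once `consecutiveErrors` is reached and then "waits half-open for the `timeoutInSeconds` amount of time". Decide which state the timeout governs and use the same state names (closed, open, half-open) in both places; if the table is right, the half-open trial phase starts after the timeout and the text should say so. The trip condition written as `consecutiveFailures > $(consecutiveErrors)-1` is just `consecutiveFailures >= consecutiveErrors`; write it that way. In the intro sentence, "when a certain criteria is met" should be "when a certain criterion is met". Since `intervalInSeconds: 0` means the breaker never resets on its own, the text should tell operators how to see that a circuit is open (the "Resiliency logs" section that follows is the natural place) before presenting `0` as an option.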
container-apps | Service Discovery Resiliency | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/service-discovery-resiliency.md | When you apply a policy to a container app, the rules are applied to all request The following resiliency example demonstrates all of the available configurations. ```bicep-resource myPolicyDoc 'Microsoft.App/containerApps/resiliencyPolicies@2023-08-01-preview' = { +resource myPolicyDoc 'Microsoft.App/containerApps/resiliencyPolicies@2023-11-02-preview' = { name: 'my-app-resiliency-policies' parent: '${appName}' properties: { |
container-instances | Container Instances Quickstart Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/container-instances-quickstart-terraform.md | +ai-usage: ai-assisted # Quickstart: Create an Azure Container Instance with a public IP address using Terraform |
cosmos-db | Cosmos Db Vs Mongodb Atlas | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/cosmos-db-vs-mongodb-atlas.md | Last updated 06/03/2023 | MongoDB wire protocol | Yes | Yes | | Compatible with MongoDB tools and drivers | Yes | Yes | | Global Distribution | Yes, [globally distributed](../distribute-data-globally.md) with automatic and fast data replication across any number of Azure regions | Yes, globally distributed with manual and scheduled data replication across any number of cloud providers or regions |-| SLA covers cloud platform | Yes | "Services, hardware, or software provided by a third party, such as cloud platform services on which MongoDB Atlas runs are not covered" | +| SLA covers cloud platform | Yes | No. "Services, hardware, or software provided by a third party, such as cloud platform services on which MongoDB Atlas runs are not covered" | | 99.999% availability SLA | [Yes](../high-availability.md) | No | | Instantaneous Scaling | Yes, [database instantaneously scales](../provision-throughput-autoscale.md) with zero performance impact on your applications | No, requires 1+ hours to vertically scale up and 24+ hours to vertically scale down. Performance impact during scale up may be noticeable | | True active-active clusters | Yes, with [multi-primary writes](./how-to-configure-multi-region-write.md). Data for the same shard can be written to multiple regions | No | | Vector Search for AI applications | Yes, with [Azure Cosmos DB for MongoDB vCore Vector Search](./vcore/vector-search.md) | Yes |+| Vector Search in Free Tier | Yes, with [Azure Cosmos DB for MongoDB vCore Vector Search](./vcore/vector-search.md) | No | | Integrated text search, geospatial processing | Yes | Yes |-| Free tier | [1,000 request units (RUs) and 25 GB storage forever](../try-free.md). 
Prevents you from exceeding limits if you want | Yes, with 512 MB storage | +| Free tier | [1,000 request units (RUs) and 25 GB storage forever](../try-free.md). Prevents you from exceeding limits if you want. Azure Cosmos DB for MognoDB vCore offers Free Tier with 32GB storage forever. | Yes, with 512 MB storage | | Live migration | Yes | Yes | | Azure Integrations | Native [first-party integrations](./integrations-overview.md) with Azure services such as Azure Functions, Azure Logic Apps, Azure Stream Analytics, and Power BI and more | Limited number of third party integrations | | Choice of instance configuration | Yes, with [Azure Cosmos DB for MongoDB vCore](./vcore/introduction.md) | Yes | |
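Review bot: The amended "Free tier" cell has a typo, "MognoDB" should be "MongoDB", and "32GB" should be "32 GB" to match "25 GB" and "512 MB" elsewhere in the same table. Both that cell and the new "Vector Search in Free Tier" row make a claim about the vCore free tier (32 GB forever, vector search included) without a link, whereas the RU claim in the same cell links to try-free.md; link the vCore claim to the page that documents the vCore free tier so it can be verified from the table.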
cosmos-db | Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/vcore/introduction.md | Last updated 08/28/2023 Azure Cosmos DB for MongoDB vCore provides developers with a fully managed MongoDB-compatible database service for building modern applications with a familiar architecture. With Cosmos DB for MongoDB vCore, developers can enjoy the benefits of native Azure integrations, low total cost of ownership (TCO), and the familiar vCore architecture when migrating existing applications or building new ones. +## Build AI-Driven Applications with a Single Database Solution ++Azure Cosmos DB for MongoDB vCore empowers generative AI applications with an integrated **Vector Search** feature. This enables efficient indexing and querying of data by characteristics for advanced use cases such as generative AI, without the complexity of external integrations. Unlike MongoDB Atlas and similar platforms, Azure Cosmos DB for MongoDB vCore keeps all data within the database for vector searches, ensuring simplicity and security. Even our free tier offers this capability, making sophisticated AI features accessible without additional cost. ++ ## Effortless integration with the Azure platform Azure Cosmos DB for MongoDB vCore provides a comprehensive and integrated solution for resource management, making it easy for developers to seamlessly manage their resources using familiar Azure tools. The service features deep integration into various Azure products, such as Azure Monitor and Azure CLI. This deep integration ensures that developers have everything they need to work efficiently and effectively. 
Here are the current tiers for the service: | Cluster tier | Base storage | RAM | vCPUs | | | | | |+| M25 | 32 GB | 8 GB | 2 burstable | | M30 | 128 GB | 8 GB | 2 | | M40 | 128 GB | 16 GB | 4 | | M50 | 128 GB | 32 GB | 8 | | M60 | 128 GB | 64 GB | 16 | | M80 | 128 GB | 128 GB | 32 |+| M200 | 128 GB | 256 GB | 64 | +| M300 | 128 GB | 324 GB | 48 | +| M400 | 128 GB | 432 GB | 64 | +| M600 | 128 GB | 640 GB | 80 | Azure Cosmos DB for MongoDB vCore is organized into easy to understand cluster tiers based on vCPUs, RAM, and attached storage. These tiers make it easy to lift and shift your existing workloads or build new applications. |
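Review bot: The vCPU column in the added tier rows is not monotonic: M200 lists 64 vCPUs, M300 (the next tier up, with more RAM at 324 GB) lists 48, and M400 returns to 64. Either a value is transposed or the tiers trade vCPUs for RAM; in the latter case add a sentence saying so, because the paragraph below describes the tiers as "based on vCPUs, RAM, and attached storage" and a reader will assume each column grows with the tier. In the new "Build AI-Driven Applications" section, "keeps all data within the database for vector searches, ensuring simplicity and security" asserts a security property without naming it; say what the in-database design avoids (the sentence only implies not shipping data to an external vector store) or drop the word "security". Also "Even our free tier" is first person, while the rest of the page says "the free tier".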
cosmos-db | Multi Cloud | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/vcore/multi-cloud.md | + + Title: Azure Cosmos DB for MongoDB vCore is your multi-cloud solution +description: Azure Cosmos DB for MongoDB vCore offers a flexible, multi-cloud database service, using the MongoDB wire protocol for seamless migration and integration across environments. +++++ Last updated : 02/12/2024+++# Azure Cosmos DB for MongoDB vCore: Your Multi-Cloud Solution +Azure Cosmos DB for MongoDB vCore represents a groundbreaking approach to database management, offering unparalleled flexibility and a multi-cloud capability that stands out in the modern cloud ecosystem. This document dives into the core aspects of Azure Cosmos DB for MongoDB vCore that make it an exceptional choice for organizations seeking a vendor-neutral and multi-cloud database service. ++### MongoDB Wire Protocol Compatibility +Azure Cosmos DB for MongoDB has compatibility with the MongoDB wire protocol. This compatibility ensures that Azure Cosmos DB seamlessly integrates with MongoDB's ecosystem, including services hosted in other clouds and on-premises environments. It allows for a wide range of MongoDB tools and applications to communicate with Azure Cosmos DB without any modifications, ensuring a smooth and efficient migration or integration process. ++## Multi-Cloud and On-Premises Support +The support for MongoDB wire protocol extends Azure Cosmos DB for MongoDB vCore's reach beyond Azure, making it an ideal solution for multi-cloud strategies. Organizations can use Azure Cosmos DB alongside other MongoDB services across different cloud providers or in on-premises data centers. This flexibility facilitates a hybrid cloud approach, allowing businesses to distribute their workloads across various environments based on their unique requirements and constraints. 
++## Familiar Architecture and Easy Migration +Azure Cosmos DB for MongoDB vCore is designed with a familiar architecture that reduces the learning curve and operational overhead for teams accustomed to MongoDB. This design philosophy makes it straightforward to "lift and shift" existing MongoDB databases to Azure Cosmos DB, or move them back to on-premises or another cloud provider if needed. The ease of migration and interoperability ensures that organizations are not locked into a single vendor, providing the freedom to choose the best environment for their needs. ++## Proven Experience and Fully Managed Service +Since its general availability in 2017 with the Request Unit (RU) based service, Azure Cosmos DB for MongoDB has enabled users to run their MongoDB workloads on a native Azure service. This extensive experience underscores Microsoft's commitment to providing a robust, scalable, and fully managed MongoDB-compatible database solution. The Azure Cosmos DB team manages the database infrastructure, allowing users to focus on developing their applications without worrying about the underlying database management tasks. ++## Conclusion +Azure Cosmos DB for MongoDB vCore stands out as a flexible, multi-cloud compatible database service that uses the MongoDB wire protocol for seamless integration and migration. Its vendor-neutral approach, coupled with support for multi-cloud and on-premises environments, ensures that organizations have the freedom and flexibility to run their applications wherever they choose. With almost a decade of experience in offering MongoDB-compatible services and the backing of a fully managed service by Microsoft Azure, Azure Cosmos DB for MongoDB vCore is the optimal choice for businesses looking to scale and innovate in the cloud. ++## Next steps ++- Get started by [creating a cluster.](quickstart-portal.md). +- Review options for [migrating from MongoDB to Azure Cosmos DB for MongoDB vCore.](migration-options.md) +++ |
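Review bot: "### MongoDB Wire Protocol Compatibility" is an H3 placed directly under the H1 while its siblings ("## Multi-Cloud and On-Premises Support" and the rest) are H2; make it "## " so the outline is consistent. The conclusion's "almost a decade of experience" does not agree with the previous section, which dates general availability to 2017; with the page's own "Last updated: 02/12/2024" that is seven years, so say "since 2017" instead. The opening and closing paragraphs lean on superlatives ("groundbreaking", "unparalleled", "exceptional", "optimal choice") that read as marketing copy in a technical article; the claim that matters, wire-protocol compatibility that allows migration in either direction, stands without them. In "Next steps", "[creating a cluster.](quickstart-portal.md)." puts a period inside the link text and another after it; move the period outside the link.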
cosmos-db | Optimize Cost Regions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/optimize-cost-regions.md | -You can add and remove regions to your Azure Cosmos DB account at any time. The throughput that you configure for various Azure Cosmos DB databases and containers is reserved in each region associated with your account. If the throughput provisioned per hour, that is the sum of RU/s configured across all the databases and containers for your Azure Cosmos DB account is `T` and the number of Azure regions associated with your database account is `N`, then the total provisioned throughput for your Azure Cosmos DB account, for a given hour is equal to `T x N RU/s`. +You can add and remove regions to your Azure Cosmos DB account at any time. The throughput that you configure for various Azure Cosmos DB databases and containers is reserved in each region associated with your account. If the throughput provisioned per hour that is the sum of request units per second (RU/s) configured across all the databases and containers for your Azure Cosmos DB account is `T` and the number of Azure regions associated with your database account is `N`, then the total provisioned throughput for your Azure Cosmos DB account, for a given hour is equal to `T x N` RU/s. -Provisioned throughput with single write region costs $0.008/hour per 100 RU/s and provisioned throughput with multiple writable regions costs $0.016/per hour per 100 RU/s. To learn more, see Azure Cosmos DB [Pricing page](https://azure.microsoft.com/pricing/details/cosmos-db/). +Provisioned throughput with single write region and provisioned throughput with multiple writable regions can vary in cost. For more information, see [Azure Cosmos DB pricing](https://azure.microsoft.com/pricing/details/cosmos-db/). ## Costs for multiple write regions -In a multi-region writes system, the net available RUs for write operations increases `N` times where `N` is the number of write regions. 
Unlike single region writes, every region is now writable and supports conflict resolution. From the cost planning point of view, to perform `M` RU/s worth of writes worldwide, you will need to provision M `RUs` at a container or database level. You can then add as many regions as you would like and use them for writes to perform `M` RU worth of worldwide writes. +In a multi-region writes system, the net available RU/s for write operations increases `N` times where `N` is the number of write regions. Unlike single region writes, every region is now writable and supports conflict resolution. From the cost planning point of view, to perform `M` RU/s worth of writes worldwide, you need to configure `M` RU/s at a container or database level. You can then add as many regions as you would like and use them for writes to perform `M` RU/s worth of worldwide writes. ### Example -Consider that you have a container in West US configured for single-region writes, provisioned with throughput of 10K RU/s, storing 0.5 TB of data this month. Let’s assume you add a region, East US, with the same storage and throughput and you want the ability to write to the containers in both the regions from your app. Your new total monthly bill (assuming 730 hours in a month) will be as follows: +Consider that you have a container in a single-region write scenario. That container is provisioned with throughput of `10K` RU/s and is storing `0.5` TB of data this month. Now, let’s assume you add another region with the same storage and throughput and you want the ability to write to the containers in both regions from your app. 
++This example details your new total monthly consumption: ++| | Monthly usage | +| | | | +| **Throughput bill for container in a single write region** | `10K RU/s * 730 hours` | +| **Throughput bill for container in multiple write regions (two)** | `2 * 10K RU/s * 730 hours` | +| **Storage bill for container in a single write region** | `0.5 TB (or 512 GB)` | +| **Storage bill for container in two write regions** | `2 * 0.5 TB (or 1,024 GB)` | -|**Item**|**Usage (monthly)**|**Rate**|**Monthly Cost**| -|-|-|-|-| -|Throughput bill for container in West US (single write region) |10K RU/s * 730 hours |$0.008 per 100 RU/s per hour |$584 | -|Throughput bill for container in 2 regions - West US & East US (multiple write regions) |2 * 10K RU/s * 730 hours |$0.016 per 100 RU/s per hour |$2,336 | -|Storage bill for container in West US |0.5 TB (or 512 GB) |$0.25/GB |$128 | -|Storage bill for container in 2 regions - West US & East US |2 * 0.5 TB (or 1,024 GB) |$0.25/GB |$256 | +> [!NOTE] +> This example assumes 730 hours in a month. ## Improve throughput utilization on a per region-basis -If you have inefficient utilization, for example, one or more under-utilized read regions you can take steps to make the maximum use of the RUs in read regions by using change feed from the read-region or move it to another secondary if over-utilized. You will need to ensure you optimize provisioned throughput (RUs) in the write region first. Writes cost more than reads unless very large queries so maintaining even utilization can be challenging. Overall, monitor the consumed throughput in your regions and add or remove regions on demand to scale your read and write throughput, making to sure understand the impact to latency for any apps that are deployed in the same region. +If you have inefficient utilization, you can take steps to make the maximum use of the RU/s in read regions by using change feed from the read-region. Or, you can move to another secondary if over-utilized. 
For example, one or more under-utilized read regions is considered inefficient. You need to ensure you optimize provisioned throughput (RU/s) in the write region first. -## Next steps +Writes cost more than reads for most cases excluding large queries. Maintaining even utilization can be challenging. Overall, monitor the consumed throughput in your regions and add or remove regions on demand to scale your read and write throughput. Make sure to understand the effect to latency for any apps that are deployed in the same region. -Next you can proceed to learn more about cost optimization in Azure Cosmos DB with the following articles: +## Related content -* Learn more about [Optimizing for development and testing](optimize-dev-test.md) -* Learn more about [Understanding your Azure Cosmos DB bill](understand-your-bill.md) -* Learn more about [Optimizing throughput cost](optimize-cost-throughput.md) -* Learn more about [Optimizing storage cost](optimize-cost-storage.md) -* Learn more about [Optimizing the cost of reads and writes](optimize-cost-reads-writes.md) -* Learn more about [Optimizing the cost of queries](./optimize-cost-reads-writes.md) -* Trying to do capacity planning for a migration to Azure Cosmos DB? You can use information about your existing database cluster for capacity planning. 
- * If all you know is the number of vcores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](convert-vcore-to-request-unit.md) - * If you know typical request rates for your current database workload, read about [estimating request units using Azure Cosmos DB capacity planner](estimate-ru-with-capacity-planner.md) +- Learn more about [Optimizing for development and testing](optimize-dev-test.md) +- Learn more about [Understanding your Azure Cosmos DB bill](understand-your-bill.md) +- Learn more about [Optimizing throughput cost](optimize-cost-throughput.md) +- Learn more about [Optimizing storage cost](optimize-cost-storage.md) +- Learn more about [Optimizing the cost of reads and writes](optimize-cost-reads-writes.md) +- Learn more about [Optimizing the cost of queries](./optimize-cost-reads-writes.md) |
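Review bot: in the replacement example table the row labels still read "Throughput bill for container ..." and "Storage bill for container ..." while the Rate and Monthly Cost columns were removed and the only remaining column is "Monthly usage", so the rows no longer show a bill at all. Either relabel the rows as usage (for example "Throughput usage for container in a single write region") or keep a rate column so the "Example" heading still yields a total, and make the sentence "This example details your new total monthly consumption" match whichever choice is made.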
cost-management-billing | Automation Ingest Usage Details Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/automate/automation-ingest-usage-details-overview.md | Sample actual cost report: | | | | | | | | | | | | xxxxxxxx-xxxx- xxxx - xxxx -xxxxxxxxxxx | OnDemand | Usage | 24 | 1 | 0.8 | 0.8 | 1 hour | 19.2 | Manual calculation of the actual charge: multiply 24 \* 0.8 \* 1 hour. | | xxxxxxxx-xxxx- xxxx - xxxx -xxxxxxxxxxx | Reservations/SavingsPlan | Usage | 24 | 1 | 0.8 | 0 | 1 hour | 0 | Manual calculation of the actual charge: multiply 24 \* 0 \* 1 hour. |-| xxxxxxxx-xxxx- xxxx - xxxx -xxxxxxxxxxx | Reservations | Purchase | 15 | 120 | 0.8 | 120 | 1 hour | 1800 | Manual calculation of the actual charge: multiply 15 \* 120 \* 1 hour. | +| xxxxxxxx-xxxx- xxxx - xxxx -xxxxxxxxxxx | Reservations | Purchase | 15 | 120 | 120 | 120 | 1 hour | 1800 | Manual calculation of the actual charge: multiply 15 \* 120 \* 1 hour. | Sample amortized cost report: Sample amortized cost report: >[!NOTE] > - Limitations on `PayGPrice`-> - For EA customers `PayGPrice` isn't populated when `PricingModel` = `Reservations`, `Spot`, `Marketplace`, or `SavingsPlan`. -> - For MCA customers, `PayGPrice` isn't populated when `PricingModel` = `Reservations`, `Spot`, or `Marketplace`. +> - For EA customers `PayGPrice` isn't populated when `PricingModel` = `Reservations`, `Marketplace`, or `SavingsPlan`. +> - For MCA customers, `PayGPrice` isn't populated when `PricingModel` = `Reservations` or `Marketplace`. >- Limitations on `UnitPrice`-> - For EA customers, `UnitPrice` isn't populated when `PricingModel` = `Spot`, or `MarketPlace`. -> - For MCA customers, `UnitPrice` isn't populated when `PricingModel` = `Reservations`, `Spot`, or `SavingsPlan`. +> - For EA customers, `UnitPrice` isn't populated when `PricingModel` = `MarketPlace`. +> - For MCA customers, `UnitPrice` isn't populated when `PricingModel` = `Reservations` or `SavingsPlan`. 
## Unexpected charges |
cost-management-billing | Migrate Ea Balance Summary Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/automate/migrate-ea-balance-summary-api.md | +> [!NOTE] +> On May 1, 2024, Azure Enterprise Reporting APIs will be retired. [Migrate to Microsoft Cost Management APIs](migrate-ea-reporting-arm-apis-overview.md) before then. + ## Assign permissions to an SPN to call the API Before calling the API, you need to configure a Service Principal with the correct permission. You use the service principal to call the API. For more information, see [Assign permissions to ACM APIs](cost-management-api-permissions.md). |
cost-management-billing | Migrate Ea Marketplace Store Charge Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/automate/migrate-ea-marketplace-store-charge-api.md | +> [!NOTE] +> On May 1, 2024, Azure Enterprise Reporting APIs will be retired. [Migrate to Microsoft Cost Management APIs](migrate-ea-reporting-arm-apis-overview.md) before then. + Endpoints to migrate off: |Endpoint|API Comments| |
cost-management-billing | Migrate Ea Price Sheet Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/automate/migrate-ea-price-sheet-api.md | +> [!NOTE] +> On May 1, 2024, Azure Enterprise Reporting APIs will be retired. [Migrate to Microsoft Cost Management APIs](migrate-ea-reporting-arm-apis-overview.md) before then. + ## Assign permissions to an SPN to call the API Before calling the API, you need to configure a Service Principal with the correct permission. You use the service principal to call the API. For more information, see [Assign permissions to ACM APIs](cost-management-api-permissions.md). |
cost-management-billing | Migrate Ea Reporting Arm Apis Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/automate/migrate-ea-reporting-arm-apis-overview.md | |
cost-management-billing | Migrate Ea Reserved Instance Charges Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/automate/migrate-ea-reserved-instance-charges-api.md | +> [!NOTE] +> On May 1, 2024, Azure Enterprise Reporting APIs will be retired. [Migrate to Microsoft Cost Management APIs](migrate-ea-reporting-arm-apis-overview.md) before then. + ## Assign permissions to an SPN to call the API Before calling the API, you need to configure a Service Principal with the correct permission. You use the service principal to call the API. For more information, see [Assign permissions to ACM APIs](cost-management-api-permissions.md). |
cost-management-billing | Migrate Ea Reserved Instance Recommendations Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/automate/migrate-ea-reserved-instance-recommendations-api.md | +> [!NOTE] +> On May 1, 2024, Azure Enterprise Reporting APIs will be retired. [Migrate to Microsoft Cost Management APIs](migrate-ea-reporting-arm-apis-overview.md) before then. + ## Assign permissions to an SPN to call the API Before calling the API, you need to configure a Service Principal with the correct permission. You use the service principal to call the API. For more information, see [Assign permissions to ACM APIs](cost-management-api-permissions.md). |
cost-management-billing | Migrate Ea Reserved Instance Usage Details Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/automate/migrate-ea-reserved-instance-usage-details-api.md | +> [!NOTE] +> On May 1, 2024, Azure Enterprise Reporting APIs will be retired. [Migrate to Microsoft Cost Management APIs](migrate-ea-reporting-arm-apis-overview.md) before then. + ## Assign permissions to an SPN to call the API Before calling the API, you need to configure a Service Principal with the correct permission. You use the service principal to call the API. For more information, see [Assign permissions to ACM APIs](cost-management-api-permissions.md). |
cost-management-billing | Migrate Ea Reserved Instance Usage Summary Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/automate/migrate-ea-reserved-instance-usage-summary-api.md | +> [!NOTE] +> On May 1, 2024, Azure Enterprise Reporting APIs will be retired. [Migrate to Microsoft Cost Management APIs](migrate-ea-reporting-arm-apis-overview.md) before then. + ## Assign permissions to an SPN to call the API Before calling the API, you need to configure a Service Principal with the correct permission. You use the service principal to call the API. For more information, see [Assign permissions to ACM APIs](cost-management-api-permissions.md). |
cost-management-billing | Migrate Ea Usage Details Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/automate/migrate-ea-usage-details-api.md | EA customers who were previously using the Enterprise Reporting APIs behind the The dataset is referred to as *cost details* instead of *usage details*. +> [!NOTE] +> On May 1, 2024, Azure Enterprise Reporting APIs will be retired. [Migrate to Microsoft Cost Management APIs](migrate-ea-reporting-arm-apis-overview.md) before then. + ## New solutions generally available The following table provides a summary of the migration destinations that are available along with a summary of what to consider when choosing which solution is best for you. |
cost-management-billing | Migrate Enterprise Agreement Billing Periods Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/automate/migrate-enterprise-agreement-billing-periods-api.md | +> [!NOTE] +> On May 1, 2024, Azure Enterprise Reporting APIs will be retired. [Migrate to Microsoft Cost Management APIs](migrate-ea-reporting-arm-apis-overview.md) before then. + Endpoints to migrate off: | **Endpoint** | **API Comments** | |
cost-management-billing | Understand Usage Details Fields | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/automate/understand-usage-details-fields.md | If you're using an older cost details solution and want to migrate to Exports or - [Migrate from EA to MCA APIs](../costs/migrate-cost-management-api.md) - [Migrate from Consumption Usage Details API](migrate-consumption-usage-details-api.md) +> [!NOTE] +> On May 1, 2024, Azure Enterprise Reporting APIs will be retired. Any remaining Enterprise Reporting APIs will stop responding to requests. Customers need to transition to using Microsoft Cost Management APIs before then. +> To learn more, see [Migrate from Azure Enterprise Reporting to Microsoft Cost Management APIs overview](migrate-ea-reporting-arm-apis-overview.md). + ## List of fields and descriptions The following table describes the important terms used in the latest version of the cost details file. The list covers pay-as-you-go (also called Microsoft Online Services Program), Enterprise Agreement (EA), Microsoft Customer Agreement (MCA), and Microsoft Partner Agreement (MPA) accounts. |
cost-management-billing | Migrate Cost Management Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/costs/migrate-cost-management-api.md | Title: Migrate EA to Microsoft Customer Agreement APIs - Azure description: This article helps you understand the consequences of migrating a Microsoft Enterprise Agreement (EA) to a Microsoft Customer Agreement. Previously updated : 07/19/2022 Last updated : 02/22/2024 The following items help you transition to MCA APIs. EA APIs use an API key for authentication and authorization. MCA APIs use Microsoft Entra authentication. +> [!NOTE] +> On May 1, 2024, Azure Enterprise Reporting APIs will be retired. Any remaining Enterprise Reporting APIs will stop responding to requests. Customers need to transition to using Microsoft Cost Management APIs before then. +> To learn more, see [Migrate from Azure Enterprise Reporting to Microsoft Cost Management APIs overview](../automate/migrate-ea-reporting-arm-apis-overview.md). + | Purpose | EA API | MCA API | | | | | | Balance and credits | [/balancesummary](/rest/api/billing/enterprise/billing-enterprise-api-balance-summary) | Microsoft.Billing/billingAccounts/billingProfiles/availableBalanceussae | |
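Review bot: the MCA API cell in the "Balance and credits" row of the table directly under the new note reads `Microsoft.Billing/billingAccounts/billingProfiles/availableBalanceussae`, which is a typo for `availableBalance`; since this change already touches the section, the context line should be corrected in the same commit.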
cost-management-billing | Enterprise Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/enterprise-api.md | -> Microsoft no longer updates the Azure Enterprise Reporting APIs. Instead, you should use Cost Management APIs. To learn more, see [Migrate from Azure Enterprise Reporting to Microsoft Cost Management APIs overview](../automate/migrate-ea-reporting-arm-apis-overview.md). +> On May 1, 2024, Azure Enterprise Reporting APIs will be retired. Any remaining Enterprise Reporting APIs will stop responding to requests. Customers need to transition to using Microsoft Cost Management APIs before then. +> To learn more, see [Migrate from Azure Enterprise Reporting to Microsoft Cost Management APIs overview](../automate/migrate-ea-reporting-arm-apis-overview.md). The Azure Enterprise Reporting APIs enable Enterprise Azure customers to programmatically pull consumption and billing data into preferred data analysis tools. Enterprise customers signed an [Enterprise Agreement (EA)](https://azure.microsoft.com/pricing/enterprise-agreement/) with Azure to make negotiated Azure Prepayment (previously called monetary commitment) and gain access to custom pricing for Azure resources. |
cost-management-billing | Exchange And Refund Azure Reservations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/reservations/exchange-and-refund-azure-reservations.md | When you exchange reservations, the new purchase currency amount must be greater ## Exchange nonpremium storage for premium storage You can exchange a reservation purchased for a VM size that doesn't support premium storage to a corresponding VM size that does. For example, an _F1_ for an _F1s_. To make the exchange, go to Reservation Details and select **Exchange**. The exchange doesn't reset the term of the reserved instance or create a new transaction.-If you're exchanging for a different size, series, region or payment frequency, the term is reset for the new reservation. +If you're exchanging for a different size, series, region, or payment frequency, the term is reset for the new reservation. ## How transactions are processed If the original reservation purchase was made from an overage, the refund is ret For customers that pay by wire transfer, the refunded amount is automatically applied to the next month’s invoice. The return or refund doesn't generate a new invoice. -For customers that pay by credit card, the refunded amount is returned to the credit card that was used for the original purchase. If you've changed your card, [contact support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest). +For customers that pay by credit card, the refunded amount is returned to the credit card that was used for the original purchase. If you changed your card, [contact support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest). ### Pay-as-you-go invoice payments and CSP program -The original reservation purchase invoice is canceled and then a new invoice is created for the refund. For exchanges, the new invoice shows the refund and the new purchase. 
The refund amount is adjusted against the purchase. If you only refunded a reservation, then the prorated amount stays with Microsoft and it's adjusted against a future reservation purchase. If you bought a reservation at pay-as-you-go rates and later move to a CSP, the reservation can be returned and repurchased without a penalty. +The original reservation purchase invoice is canceled and then a new invoice is created for the refund. For exchanges, the new invoice shows the refund and the new purchase. The refund amount is adjusted against the purchase. If you only refunded a reservation, then the prorated amount stays with Microsoft and it gets adjusted against a future reservation purchase. If you bought a reservation at pay-as-you-go rates and later move to a CSP, the reservation can be returned and repurchased without a penalty. Although a CSP customer can’t exchange, cancel, renew, or refund a reservation themself, they can ask their partner to do it on their behalf. ### Pay-as-you-go credit card customers -The original invoice is canceled, and a new invoice is created. The money is refunded to the credit card that was used for the original purchase. If you've changed your card, [contact support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest). +The original invoice is canceled, and a new invoice is created. The money is refunded to the credit card that was used for the original purchase. If you changed your card, [contact support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest). ## Cancel, exchange, and refund policies Azure has the following policies for cancellations, exchanges, and refunds. - The new reservation's lifetime commitment should equal or be greater than the returned reservation's remaining commitment. 
Example: for a three-year reservation that's 100 USD per month and exchanged after the 18th payment, the new reservation's lifetime commitment should be 1,800 USD or more (paid monthly or upfront). - The new reservation purchased as part of exchange has a new term starting from the time of exchange. - There's no penalty or annual limits for exchanges.-- Exchanges will be unavailable for all compute reservations - Azure Reserved Virtual Machine Instances, Azure Dedicated Host reservations, and Azure App Services reservations - purchased on or after **January 1, 2024**. Compute reservations purchased **prior to January 1, 2024** will reserve the right to **exchange one more time** after the policy change goes into effect. For more information about the exchange policy change, see [Changes to the Azure reservation exchange policy](reservation-exchange-policy-changes.md).+- Through a grace period, you will have the ability to exchange Azure compute reservations (Azure Reserved Virtual Machine Instances, Azure Dedicated Host reservations, and Azure App Services reservations) **until at least July 1, 2024**. In October 2022, it was announced that the ability to exchange Azure compute reservations would be deprecated on January 1, 2024. This policy’s start date remains January 1, 2024 but with this grace period you now have until at least July 1, 2024 to exchange your Azure compute reservations. Compute reservations purchased prior to the end of the grace period will reserve the right to exchange one more time after the grace period ends. For more information about the exchange policy change, see [Changes to the Azure reservation exchange policy](reservation-exchange-policy-changes.md). **Refund policies** - We're currently not charging an early termination fee, but in the future there might be a 12% early termination fee for cancellations.-- The total canceled commitment can't exceed 50,000 USD in a 12-month rolling window for a billing profile or single enrollment. 
For example, assume you have a three-year reservation (36 months). It costs 100 USD per month. It's refunded in the 12th month. The canceled commitment is 2,400 USD (for the remaining 24 months). After the refund, your new available limit for refund is 47,600 USD (50,000-2,400). In 365 days from the refund, the 47,600 USD limit increases by 2,400 USD. Your new pool is 50,000 USD. Any other reservation cancellation for the billing profile or EA enrollment depletes the same pool, and the same replenishment logic applies.+- The total canceled commitment can't exceed 50,000 USD in a 12-month rolling window for a billing profile or single enrollment. For example, assume you have a three-year reservation (36 months). It costs 100 USD per month. It gets refunded in the 12th month. The canceled commitment is 2,400 USD (for the remaining 24 months). After the refund, your new available limit for refund is 47,600 USD (50,000-2,400). In 365 days from the refund, the 47,600 USD limit increases by 2,400 USD. Your new pool is 50,000 USD. Any other reservation cancellation for the billing profile or EA enrollment depletes the same pool, and the same replenishment logic applies. - Azure doesn't process any refund that exceeds the 50,000 USD limit in a 12-month window for a billing profile or EA enrollment. - Refunds that result from an exchange don't count against the refund limit. - Refunds are calculated based on the lowest price of either your purchase price or the current price of the reservation. 
If you have questions or need help, [create a support request](https://portal.az - [What are Azure Reservations?](save-compute-costs-reservations.md) - [Manage Reservations in Azure](manage-reserved-vm-instance.md) - [Understand how the reservation discount is applied](../manage/understand-vm-reservation-charges.md)- - [Understand reservation usage for your Pay-As-You-Go subscription](understand-reserved-instance-usage.md) + - [Understand reservation usage for your pay-as-you-go subscription](understand-reserved-instance-usage.md) - [Understand reservation usage for your Enterprise enrollment](understand-reserved-instance-usage-ea.md) - [Windows software costs not included with reservations](reserved-instance-windows-software-costs.md) - [Azure Reservations in the CSP program](/partner-center/azure-reservations) |
cost-management-billing | Prepare Buy Reservation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/reservations/prepare-buy-reservation.md | Notifications are sent to the following users: - Customers with Microsoft Customer Agreement (Azure Plan) - Notifications are sent to the reservation owners and the reservation administrator. - Cloud Solution Provider and new commerce partners- - Partner Center Action Center emails are sent to partners. For more information about how partners can update their transactional notifications, see [Action Center preferences](/partner-center/action-center-overview#preferences). + - Notifications are sent to the primary contact partner identified by the partner legal information account settings. For more information about how to update the primary contact email address for partner account settings, see [Verify or update your company profile information](/partner-center/update-your-partner-profile#update-your-legal-business-profile). - Individual subscription customers with pay-as-you-go rates - Emails are sent to users who are set up as account administrators, reservation owners, and the reservation administrator. |
data-factory | How To Access Secured Purview Account | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/how-to-access-secured-purview-account.md | If you have permission to approve the Microsoft Purview private endpoint connect 1. Go to **Manage** -> **Microsoft Purview** -> **Edit** 2. In the private endpoint list, click the **Edit** (pencil) button next to each private endpoint name 3. Click **Manage approvals in Azure portal** which will bring you to the resource.-4. On the given resource, go to **Networking** -> **Private endpoint connection** to approve it. The private endpoint is named as `data_factory_name.your_defined_private_endpoint_name` with description as "Requested by data_factory_name". +4. On the given resource, go to **Networking** -> **Private endpoint connection** or **Ingestion private endpoint connections** to approve it. The private endpoint is named as `data_factory_name.your_defined_private_endpoint_name` with description as "Requested by data_factory_name". 5. Repeat this operation for all private endpoints. If you don't have permission to approve the Microsoft Purview private endpoint connection, ask the Microsoft Purview account owner to do as follows. +For Microsoft Purview accounts using the [Microsoft Purview portal](/purview/purview-portal): ++1. Go to the Azure portal -> your Microsoft Purview account. +1. Select **Networking** -> **Ingestion private endpoint connections** to approve it. The private endpoint is named as `data_factory_name.your_defined_private_endpoint_name` with description as "Requested by data_factory_name". 
++For Microsoft Purview accounts using the [classic Microsoft Purview governance portal](/purview/use-microsoft-purview-governance-portal): + - For *account* private endpoint, go to Azure portal -> your Microsoft Purview account -> Networking -> Private endpoint connection to approve.-- For *ingestion* private endpoints, go to Azure portal -> your Microsoft Purview account -> Managed resources, click into the Storage account and Event Hubs namespace respectively, and approve the private endpoint connection in Networking -> Private endpoint connection page.+- If your account was created after November 10 2023 (or deployed using API version 2023-05-01-preview onwards): + 1. Go to the Azure portal -> your Microsoft Purview account. + 1. Select **Networking** -> **Ingestion private endpoint connections** to approve it. The private endpoint is named as `data_factory_name.your_defined_private_endpoint_name` with description as "Requested by data_factory_name". +- If your account was created before November 10 2023 (or deployed using a version of the API older than 2023-05-01-preview): + 1. Go to Azure portal -> your Microsoft Purview account -> Managed resources. + 1. Select the Storage account and Event Hubs namespace respectively, and approve the private endpoint connection in Networking -> Private endpoint connection page. ++ >[!TIP] + > Your account will only have a managed Event Hubs namespace if it is [configured for Kafka notifications](/purview/configure-event-hubs-for-kafka). ### Monitor managed private endpoints |
ddos-protection | Manage Ddos Protection Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-protection-terraform.md | +ai-usage: ai-assisted # Quickstart: Create and configure Azure DDoS Network Protection using Terraform |
defender-for-cloud | Github Action | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/github-action.md | Microsoft Security DevOps uses the following Open Source tools: - Open the [Microsoft Security DevOps GitHub action](https://github.com/marketplace/actions/security-devops-action) in a new window. -- Ensure that [Workflow permissions are set to Read and Write](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository) on the GitHub repository.+- Ensure that [Workflow permissions are set to Read and Write](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository) on the GitHub repository. This includes setting "id-token: write" permissions in the GitHub Workflow for federation with Defender for Cloud. ## Configure the Microsoft Security DevOps GitHub action Microsoft Security DevOps uses the following Open Source tools: # MSDO runs on windows-latest. # ubuntu-latest also supported runs-on: windows-latest-+ + permissions: + contents: read + id-token: write + steps: # Checkout your code repository to scan |
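Review bot: the added job-level `permissions:` block (`contents: read`, `id-token: write`) sets every unlisted GITHUB_TOKEN scope to none, which is the right least-privilege shape for OIDC federation, but the prerequisite bullet changed in the same hunk still tells readers to set the repository "Workflow permissions" to Read and Write. The prose should state that an explicit `permissions` block in the workflow overrides the repository default for that job, so readers understand the repository-wide Read and Write setting is not what grants `id-token: write` and can avoid leaving broad write rights enabled at the repository level.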
devtest-labs | Create Lab Windows Vm Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/devtest-labs/quickstarts/create-lab-windows-vm-terraform.md | +ai-usage: ai-assisted # Quickstart: Create a lab in Azure DevTest Labs using Terraform |
dns | Dns Get Started Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-get-started-terraform.md | +ai-usage: ai-assisted # Quickstart: Create an Azure DNS zone and record using Terraform |
education-hub | Custom Tenant Set Up Classroom | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/education-hub/custom-tenant-set-up-classroom.md | Title: How to create a custom Azure for Classroom Tenant and Billing Profile -description: This article shows you how to make a custom tenant and billing profile for educators in your organization + Title: How to create a custom Azure Classroom Tenant and Billing Profile +description: This article shows you how to make a custom tenant and billing profile for educators in your organization. Previously updated : 3/17/2023 Last updated : 2/22/2024 # Create a custom Tenant and Billing Profile for Microsoft for Teaching Paid -This article is meant for IT Admins utilizing Azure for Classroom. When signing up for this offer, you should already have a tenant and billing profile created, but this article is meant to help walk you through how to create a custom tenant and billing profile and associate them with an educator. +This article is meant for IT Admins utilizing Azure Classroom (subject to regional availability). When signing up for this offer, you should already have a tenant and billing profile created, but this article is meant to help walk you through how to create a custom tenant and billing profile and associate them with an educator. ## Prerequisites -- Be signed up for Azure for Classroom+- Be signed up for Azure Classroom ## Create a new tenant -This section walks you through how to create a new tenant and associate it with your university tenant using multi-tenant +This section walks you through how to create a new tenant and associate it with your university tenant using multitenant. 1. Go to the Azure portal and search for "Microsoft Entra ID" 2. Create a new tenant in the "Manage tenants" tab 3. Fill in and Finalize Tenant information-4. After the tenant has been created copy the Tenant ID of the new tenant +4. 
Copy the Tenant ID of the newly created tenant ## Associate new tenant with university tenant This section walks through how to add an Educator to the newly created tenant. 1. Change the role to "Global administrator" :::image type="content" source="media/custom-tenant-set-up-classroom/add-user.png" alt-text="Screenshot of user inviting existing user." border="true"::: 1. Tell the Educator to accept the invitation to this tenant-2. After the Educator has joined the tenant, go into the tenant properties and click Yes under the Access management for Azure resources. +2. After the Educator has joined the tenant, go into the tenant properties and click Yes under the Access management for Azure resources Now that you've created a custom Tenant, you can go into Education Hub and begin distributing credit to Educators to use in labs. |
event-grid | Choose Right Tier | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/choose-right-tier.md | Use this tier if any of the following statements is true: * You require HTTP communication rates greater than 5 MB/s for ingress and egress using pull delivery or push delivery. Event Grid currently supports up to 40 MB/s for ingress and 80 MB/s for egress for events published to namespace topics (HTTP). MQTT supports a throughput rate of 40 MB/s for publisher and subscriber clients. * You require CloudEvents retention of up to 7 days. -For more information, see quotas and limits for [namespaces](quotas-limits.md#namespace-resource-limits). +For more information, see quotas and limits for [namespaces](quotas-limits.md#event-grid-namespace-resource-limits). ## Event Grid basic tier |
event-grid | Monitor Mqtt Delivery Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/monitor-mqtt-delivery-reference.md | This article provides a reference of log and metric data collected to analyze th | Protocol | The protocol used in the operation. The available values include: <br><br>- MQTT3: MQTT v3.1.1 <br>- MQTT5: MQTT v5 <br>- MQTT3-WS: MQTT v3.1.1 over WebSocket <br>- MQTT5-WS: MQTT v5 over WebSocket | Result | Result of the operation. The available values include: <br><br>- Success <br>- ClientError <br>- ServiceError | | Error | Error occurred during the operation.<br> The available values for MQTT: RequestCount, MQTT: Failed Published Messages, MQTT: Failed Subscription Operations metrics include: <br><br>-QuotaExceeded: the client exceeded one or more of the throttling limits that resulted in a failure <br>- AuthenticationError: a failure because of any authentication reasons. <br>- AuthorizationError: a failure because of any authorization reasons.<br>- ClientError: the client sent a bad request or used one of the unsupported features that resulted in a failure. <br>- ServiceError: a failure because of an unexpected server error or for a server's operational reason. <br><br> [Learn more about how the supported MQTT features.](mqtt-support.md) <br><br>The available values for MQTT: Failed Routed Messages metric include: <br><br>-AuthenticationError: the EventGrid Data Sender role for the custom topic configured as the destination for MQTT routed messages was deleted. <br>-TopicNotFoundError: The custom topic that is configured to receive all the MQTT routed messages was deleted. <br>-TooManyRequests: the number of MQTT routed messages per second exceeds the limit of the destination (namespace topic or custom topic) for MQTT routed messages. <br>- ServiceError: a failure because of an unexpected server error or for a server's operational reason. 
<br><br> [Learn more about how the MQTT broker handles each of these routing errors.](mqtt-routing.md#mqtt-message-routing-behavior)|-| ThrottleType | The type of throttle limit that got exceeded in the namespace. The available values include: <br>- InboundBandwidthPerNamespace <br>- InboundBandwidthPerConnection <br>- IncomingPublishPacketsPerNamespace <br>- IncomingPublishPacketsPerConnection <br>- OutboundPublishPacketsPerNamespace <br>- OutboundPublishPacketsPerConnection <br>- OutboundBandwidthPerNamespace <br>- OutboundBandwidthPerConnection <br>- SubscribeOperationsPerNamespace <br>- SubscribeOperationsPerConnection <br>- ConnectPacketsPerNamespace <br><br>[Learn more about the limits](quotas-limits.md#mqtt-limits-in-namespace). | +| ThrottleType | The type of throttle limit that got exceeded in the namespace. The available values include: <br>- InboundBandwidthPerNamespace <br>- InboundBandwidthPerConnection <br>- IncomingPublishPacketsPerNamespace <br>- IncomingPublishPacketsPerConnection <br>- OutboundPublishPacketsPerNamespace <br>- OutboundPublishPacketsPerConnection <br>- OutboundBandwidthPerNamespace <br>- OutboundBandwidthPerConnection <br>- SubscribeOperationsPerNamespace <br>- SubscribeOperationsPerConnection <br>- ConnectPacketsPerNamespace <br><br>[Learn more about the limits](quotas-limits.md#mqtt-limits-in-event-grid-namespace). | | QoS | Quality of service level. The available values are: 0, 1. | | Direction | The direction of the operation. The available values are: <br><br>- Inbound: inbound throughput to Event Grid. <br>- Outbound: outbound throughput from Event Grid. | | DropReason | The reason a session was dropped. The available values include: <br><br>- SessionExpiry: a persistent session has expired. <br>- TransientSession: a non-persistent session has expired. <br>- SessionOverflow: a client didn't connect during the lifespan of the session to receive queued QOS1 messages until the queue reached its maximum limit. 
<br>- AuthorizationError: a session drop because of any authorization reasons. Here are the columns of the `EventGridNamespaceFailedMqttSubscriptions` Log Anal See the following articles: - [Monitor pull delivery reference](monitor-pull-reference.md).-- [Monitor push delivery reference](monitor-push-reference.md).+- [Monitor push delivery reference](monitor-push-reference.md). |
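Review bot: the link text "Learn more about how the supported MQTT features." in the Error row is missing a word (for example "Learn more about the supported MQTT features."); since this commit already touches the same table to fix the quotas anchor, fix the sentence in the same change. In the same row, the `AuthenticationError` value for the "MQTT: Failed Routed Messages" metric is described only as "the EventGrid Data Sender role ... was deleted"; if a missing or never-granted role assignment produces the same error, say "is missing" rather than "was deleted" so operators do not rule out the case where the role was never assigned.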
firewall | Deploy Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/firewall/deploy-terraform.md | Last updated 10/15/2023 content_well_notification: - AI-contribution+ai-usage: ai-assisted # Quickstart: Deploy Azure Firewall with Availability Zones - Terraform |
firewall | Quick Create Ipgroup Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/firewall/quick-create-ipgroup-terraform.md | +ai-usage: ai-assisted # Quickstart: Create an Azure Firewall and IP Groups - Terraform |
firewall | Quick Create Multiple Ip Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/firewall/quick-create-multiple-ip-terraform.md | +ai-usage: ai-assisted # Quickstart: Create an Azure Firewall with multiple public IP addresses - Terraform |
frontdoor | Create Front Door Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/create-front-door-terraform.md | +ai-usage: ai-assisted # Quickstart: Create an Azure Front Door Standard/Premium profile using Terraform |
frontdoor | Quickstart Create Front Door Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/quickstart-create-front-door-terraform.md | +ai-usage: ai-assisted # Quickstart: Create an Azure Front Door (classic) using Terraform |
governance | Assign Policy Azurecli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/assign-policy-azurecli.md | Title: "Quickstart: New policy assignment with Azure CLI" -description: In this quickstart, you use Azure CLI to create an Azure Policy assignment to identify non-compliant resources. Previously updated : 08/17/2021+ Title: "Quickstart: Create policy assignment using Azure CLI" +description: In this quickstart, you create an Azure Policy assignment to identify non-compliant resources using Azure CLI. Last updated : 02/23/2024 -+ -# Quickstart: Create a policy assignment to identify non-compliant resources with Azure CLI -The first step in understanding compliance in Azure is to identify the status of your resources. -This quickstart steps you through the process of creating a policy assignment to identify virtual -machines that aren't using managed disks. +# Quickstart: Create a policy assignment to identify non-compliant resources using Azure CLI -At the end of this process, you'll successfully identify virtual machines that aren't using managed -disks. They're _non-compliant_ with the policy assignment. +The first step in understanding compliance in Azure is to identify the status of your resources. In this quickstart, you create a policy assignment to identify non-compliant resources using Azure CLI. The policy is assigned to a resource group and audits virtual machines that don't use managed disks. After you create the policy assignment, you identify non-compliant virtual machines. -Azure CLI is used to create and manage Azure resources from the command line or in scripts. This -guide uses Azure CLI to create a policy assignment and to identify non-compliant resources in your -Azure environment. +Azure CLI is used to create and manage Azure resources from the command line or in scripts. This guide uses Azure CLI to create a policy assignment and to identify non-compliant resources in your Azure environment. 
## Prerequisites -- If you don't have an Azure subscription, create a [free](https://azure.microsoft.com/free/)- account before you begin. +- If you don't have an Azure account, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +- [Azure CLI](/cli/azure/install-azure-cli). +- [Visual Studio Code](https://code.visualstudio.com/). +- `Microsoft.PolicyInsights` must be [registered](../../azure-resource-manager/management/resource-providers-and-types.md) in your Azure subscription. To register a resource provider, you must have permission to register resource providers. That permission is included in the Contributor and Owner roles. +- A resource group with at least one virtual machine that doesn't use managed disks. ++## Connect to Azure ++From a Visual Studio Code terminal session, connect to Azure. If you have more than one subscription, run the commands to set context to your subscription. Replace `<subscriptionID>` with your Azure subscription ID. -- This quickstart requires that you run Azure CLI version 2.0.76 or later. To find the version, run- `az --version`. If you need to install or upgrade, see - [Install Azure CLI](/cli/azure/install-azure-cli). +```azurecli +az login -- Register the Azure Policy Insights resource provider using Azure CLI. Registering the resource- provider makes sure that your subscription works with it. To register a resource provider, you - must have permission to the register resource provider operation. This operation is included in - the Contributor and Owner roles. Run the following command to register the resource provider: +# Run these commands if you have multiple subscriptions +az account list --output table +az account set --subscription <subscriptionID> +``` ++## Register resource provider - ```azurecli-interactive - az provider register --namespace 'Microsoft.PolicyInsights' - ``` +When a resource provider is registered, it's available to use in your Azure subscription. 
- For more information about registering and viewing resource providers, see - [Resource Providers and Types](../../azure-resource-manager/management/resource-providers-and-types.md) +To verify if `Microsoft.PolicyInsights` is registered, run `Get-AzResourceProvider`. The resource provider contains several resource types. If the result is `NotRegistered` run `Register-AzResourceProvider`: -- If you haven't already, install the [ARMClient](https://github.com/projectkudu/ARMClient). It's a- tool that sends HTTP requests to Azure Resource Manager-based APIs. +```azurecli +az provider show \ + --namespace Microsoft.PolicyInsights \ + --query "{Provider:namespace,State:registrationState}" \ + --output table +az provider register --namespace Microsoft.PolicyInsights +``` -## Create a policy assignment +The Azure CLI commands use a backslash (`\`) for line continuation to improve readability. For more information, go to [az provider](/cli/azure/provider). -In this quickstart, you create a policy assignment and assign the **Audit VMs that do not use -managed disks** definition. This policy definition identifies resources that aren't compliant to the -conditions set in the policy definition. +## Create policy assignment -Run the following command to create a policy assignment: +Use the following commands to create a new policy assignment for your resource group. This example uses an existing resource group that contains a virtual machine _without_ managed disks. The resource group is the scope for the policy assignment. 
-```azurecli-interactive -az policy assignment create --name 'audit-vm-manageddisks' --display-name 'Audit VMs without managed disks Assignment' --scope '<scope>' --policy '<policy definition ID>' +Run the following commands and replace `<resourceGroupName>` with your resource group name: ++```azurepowershell +rgid=$(az group show --resource-group <resourceGroupName> --query id --output tsv) ++definition=$(az policy definition list \ + --query "[?displayName=='Audit VMs that do not use managed disks']".name \ + --output tsv) ``` -The preceding command uses the following information: +The `rgid` variable stores the resource group ID. The `definition` variable stores the policy definition's name, which is a GUID. -- **Name** - The actual name of the assignment. For this example, _audit-vm-manageddisks_ was used.-- **DisplayName** - Display name for the policy assignment. In this case, you're using _Audit VMs- without managed disks Assignment_. -- **Policy** - The policy definition ID, based on which you're using to create the assignment. In- this case, it's the ID of policy definition _Audit VMs that do not use managed disks_. To get the - policy definition ID, run this command: - `az policy definition list --query "[?displayName=='Audit VMs that do not use managed disks']"` -- **Scope** - A scope determines what resources or grouping of resources the policy assignment gets- enforced on. It could range from a subscription to resource groups. Be sure to replace - <scope> with the name of your resource group. 
+Run the following command to create the policy assignment: -## Identify non-compliant resources +```azurecli +az policy assignment create \ + --name 'audit-vm-managed-disks' \ + --display-name 'Audit VMs without managed disks Assignment' \ + --scope $rgid \ + --policy $definition \ + --description 'Azure CLI policy assignment to resource group' +``` -To view the resources that aren't compliant under this new assignment, get the policy assignment ID -by running the following commands: +- `name` creates the policy assignment name used in the assignment's `ResourceId`. +- `display-name` is the name for the policy assignment and is visible in Azure portal. +- `scope` uses the `$rgid` variable to assign the policy to the resource group. +- `policy` assigns the policy definition stored in the `$definition` variable. +- `description` can be used to add context about the policy assignment. ++The results of the policy assignment resemble the following example: ++```output +"description": "Azure CLI policy assignment to resource group", +"displayName": "Audit VMs without managed disks Assignment", +"enforcementMode": "Default", +"id": "/subscriptions/{subscriptionID}/resourceGroups/{resourceGroupName}/providers/Microsoft.Authorization/policyAssignments/audit-vm-managed-disks", +"identity": null, +"location": null, +"metadata": { + "createdBy": "11111111-1111-1111-1111-111111111111", + "createdOn": "2024-02-23T18:42:27.4780803Z", + "updatedBy": null, + "updatedOn": null +}, +"name": "audit-vm-managed-disks", +``` -```azurecli-interactive -az policy assignment list --query "[?displayName=='Audit VMs without managed disks Assignment'].id" +If you want to redisplay the policy assignment information, run the following command: ++```azurecli +az policy assignment show --name "audit-vm-managed-disks" --scope $rgid ``` -For more information about policy assignment IDs, see -[az policy assignment](/cli/azure/policy/assignment). 
+For more information, go to [az policy assignment](/cli/azure/policy/assignment). ++## Identify non-compliant resources ++The compliance state for a new policy assignment takes a few minutes to become active and provide results about the policy's state. ++Use the following command to identify resources that aren't compliant with the policy assignment +you created: -Next, run the following command to get the resource IDs of the non-compliant resources that are -output into a JSON file: +```azurecli +policyid=$(az policy assignment show \ + --name "audit-vm-managed-disks" \ + --scope $rgid \ + --query id \ + --output tsv) -```console -armclient post "/subscriptions/<subscriptionID>/resourceGroups/<rgName>/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2019-10-01&$filter=IsCompliant eq false and PolicyAssignmentId eq '<policyAssignmentID>'&$apply=groupby((ResourceId))" > <json file to direct the output with the resource IDs into> +az policy state list --resource $policyid --filter "(isCompliant eq false)" ``` -Your results resemble the following example: --```json -{ - "@odata.context": "https://management.azure.com/subscriptions/<subscriptionId>/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest", - "@odata.count": 3, - "value": [{ - "@odata.id": null, - "@odata.context": "https://management.azure.com/subscriptions/<subscriptionId>/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest/$entity", - "ResourceId": "/subscriptions/<subscriptionId>/resourcegroups/<rgname>/providers/microsoft.compute/virtualmachines/<virtualmachineId>" - }, - { - "@odata.id": null, - "@odata.context": "https://management.azure.com/subscriptions/<subscriptionId>/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest/$entity", - "ResourceId": "/subscriptions/<subscriptionId>/resourcegroups/<rgname>/providers/microsoft.compute/virtualmachines/<virtualmachine2Id>" - }, - { - "@odata.id": null, - "@odata.context": 
"https://management.azure.com/subscriptions/<subscriptionId>/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest/$entity", - "ResourceId": "/subscriptions/<subscriptionName>/resourcegroups/<rgname>/providers/microsoft.compute/virtualmachines/<virtualmachine3ID>" - } -- ] -} +The `policyid` variable uses an expression to get the policy assignment's ID. The `filter` parameter limits the output to non-compliant resources. ++The `az policy state list` output is verbose, but for this article the `complianceState` shows `NonCompliant`: ++```output +"complianceState": "NonCompliant", +"components": null, +"effectiveParameters": "", +"isCompliant": false, ``` -The results are comparable to what you'd typically see listed under **Non-compliant resources** in -the Azure portal view. +For more information, go to [az policy state](/cli/azure/policy/state). ## Clean up resources -To remove the assignment created, use the following command: +To remove the policy assignment, run the following command: ++```azurecli +az policy assignment delete --name "audit-vm-managed-disks" --scope $rgid +``` ++To sign out of your Azure CLI session: -```azurecli-interactive -az policy assignment delete --name 'audit-vm-manageddisks' --scope '/subscriptions/<subscriptionID>/<resourceGroupName>' +```azurecli +az logout ``` ## Next steps az policy assignment delete --name 'audit-vm-manageddisks' --scope '/subscriptio In this quickstart, you assigned a policy definition to identify non-compliant resources in your Azure environment. -To learn more about assigning policies to validate that new resources are compliant, continue to the -tutorial for: +To learn more how to assign policies that validate if new resources are compliant, continue to the +tutorial. > [!div class="nextstepaction"]-> [Creating and managing policies](./tutorials/create-and-manage.md) +> [Tutorial: Create and manage policies to enforce compliance](./tutorials/create-and-manage.md) |
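Review bot: in the "Register resource provider" section the sentence "To verify if `Microsoft.PolicyInsights` is registered, run `Get-AzResourceProvider` ... If the result is `NotRegistered` run `Register-AzResourceProvider`" names two Azure PowerShell cmdlets in an Azure CLI article, while the code block directly beneath it uses `az provider show` and `az provider register`; change the prose to name the `az provider` commands and say that the `State` column produced by the `--query "{Provider:namespace,State:registrationState}"` projection is where `Registered` or `NotRegistered` appears.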
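Review bot: in "Create policy assignment" the first code fence is tagged `azurepowershell` but its body is Bash (`rgid=$(az group show ...)`, `definition=$(az policy definition list ...)`); tag it `azurecli` like the other blocks so the rendered block is labeled correctly and the backslash line-continuation note below it applies. In the same block, `--query "[?displayName=='Audit VMs that do not use managed disks']".name` only works because the shell joins the quoted and unquoted parts into one argument; move `.name` inside the quotes (`"[?displayName=='Audit VMs that do not use managed disks'].name"`) so a reader who quotes differently does not get an empty `$definition`, and mention that the `tsv` output will contain more than one line if a custom definition in the subscription shares that display name.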
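Review bot: in "Identify non-compliant resources", `az policy state list --resource $policyid --filter "(isCompliant eq false)"` passes the policy assignment's ID through the `--resource` parameter, which a reader will take to mean a resource being evaluated rather than the assignment being filtered on; either say explicitly that the assignment ID is being used as the query scope, or use `az policy state list --policy-assignment audit-vm-managed-disks --resource-group <resourceGroupName> --filter "(isCompliant eq false)"`, which reads as intended. The explanatory sentence "The `policyid` variable uses an expression to get the policy assignment's ID" should also name the mechanism (`--query id --output tsv`, the same pattern already used for `rgid`).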
governance | Australia Ism | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/australia-ism.md | Title: Regulatory Compliance details for Australian Government ISM PROTECTED description: Details of the Australian Government ISM PROTECTED Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 |
governance | Azure Security Benchmark | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/azure-security-benchmark.md | Title: Regulatory Compliance details for Microsoft cloud security benchmark description: Details of the Microsoft cloud security benchmark Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 initiative definition. |[Azure Cosmos DB should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F797b37f7-06b8-444c-b1ad-fc62867f335a) |Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account. Learn more at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation](../../../cosmos-db/how-to-configure-private-endpoints.md#blocking-public-network-access-during-account-creation). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateNetworkAccess_AuditDeny.json) | |[Azure Databricks Clusters should disable public IP](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F51c1490f-3319-459c-bbbc-7f391bbed753) |Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the clusters aren't exposed on the public internet. Learn more at: [https://learn.microsoft.com/azure/databricks/security/secure-cluster-connectivity](/azure/databricks/security/secure-cluster-connectivity). 
|Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Databricks/Databricks_DisablePublicIP_Audit.json) | |[Azure Databricks Workspaces should be in a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9c25c9e4-ee12-4882-afd2-11fb9d87893f) |Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: [https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject](/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject). |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Databricks/Databricks_VNETEnabled_Audit.json) |-|[Azure Databricks Workspaces should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e7849de-b939-4c50-ab48-fc6b0f5eeba2) |Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. Learn more at: [https://learn.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/private-link](/azure/databricks/administration-guide/cloud-configurations/azure/private-link). 
|Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Databricks/Databricks_AuditPublicNetworkAccess.json) | +|[Azure Databricks Workspaces should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e7849de-b939-4c50-ab48-fc6b0f5eeba2) |Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. Learn more at: [https://learn.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/private-link](/azure/databricks/administration-guide/cloud-configurations/azure/private-link). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Databricks/Databricks_AuditPublicNetworkAccess.json) | |[Azure Databricks Workspaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F258823f2-4595-4b52-b333-cc96192710d8) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/adbpe](https://aka.ms/adbpe). 
|Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Databricks/Databricks_PrivateEndpoint_Audit.json) | |[Azure Event Grid domains should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9830b652-8523-49cc-b1b3-e17dce1127ca) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/privateendpoints](https://aka.ms/privateendpoints). |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Domains_PrivateEndpoint_Audit.json) | |[Azure Event Grid topics should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4b90e17e-8448-49db-875e-bd83fb6f804f) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/privateendpoints](https://aka.ms/privateendpoints). |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Topics_PrivateEndpoint_Audit.json) | initiative definition. 
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||-|[\[Preview\]: Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) |Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. |audit, Audit, deny, Deny, disabled, Disabled |[2.2.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) | +|[Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) |Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. |audit, Audit, deny, Deny, disabled, Disabled |[2.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) | ### Ensure security of key and certificate repository initiative definition. |[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. 
|AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) | |[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected Azure SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) |+|[Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd38668f5-d155-42c7-ab3d-9b57b50f8fbf) |Audit PostgreSQL flexible servers without Advanced Data Security |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/PostgreSQL_FlexibleServers_DefenderForSQL_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected SQL Managed 
Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | |[Azure Kubernetes Service clusters should have Defender profile enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa1840de2-8088-4ea8-b153-b4c723e9cb01) |Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in [https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks](../../../defender-for-cloud/defender-for-containers-introduction.md) |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_AKS_SecurityProfile_Audit.json) | |[Microsoft Defender CSPM should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f90fc71-a595-4066-8974-d4d0802e8ef0) |Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. 
Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Azure_Defender_CSPM_Audit.json) | |[Microsoft Defender for APIs should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7926a6d1-b268-4586-8197-e8ae90c877d7) |Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableDefenderForAPIS_Audit.json) | |[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) |+|[Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd31e5c31-63b2-4f12-887b-e49456834fa1) |Enable Defender for SQL to protect your Synapse workspaces. Defender for SQL monitors your Synapse SQL to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/TdOnSynapseWorkspaces_Audit.json) | |[Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F938c4981-c2c9-4168-9cd6-972b8675f906) |Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, discovering and classifying sensitive data. Once enabled, the protection status indicates that the resource is actively monitored. Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ProtectDefenderForSQLOnArc_Audit.json) | |[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) | |[SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc6283572-73bb-4deb-bf2c-7a2b8f7462cb) |To ensure your SQL VMs and Arc-enabled SQL Servers are protected, ensure the SQL-targeted Azure Monitoring Agent is configured to automatically deploy. This is also necessary if you've previously configured autoprovisioning of the Microsoft Monitoring Agent, as that component is being deprecated. Learn more: [https://aka.ms/SQLAMAMigration](https://aka.ms/SQLAMAMigration) |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DFSQL_AMA_Migration_Audit.json) | initiative definition. |[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. 
|AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) | |[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected Azure SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) |+|[Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd38668f5-d155-42c7-ab3d-9b57b50f8fbf) |Audit PostgreSQL flexible servers without Advanced Data Security |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/PostgreSQL_FlexibleServers_DefenderForSQL_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected SQL Managed 
Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | |[Azure Kubernetes Service clusters should have Defender profile enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa1840de2-8088-4ea8-b153-b4c723e9cb01) |Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in [https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks](../../../defender-for-cloud/defender-for-containers-introduction.md) |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_AKS_SecurityProfile_Audit.json) | |[Microsoft Defender CSPM should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f90fc71-a595-4066-8974-d4d0802e8ef0) |Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. 
Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Azure_Defender_CSPM_Audit.json) | |[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) |+|[Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd31e5c31-63b2-4f12-887b-e49456834fa1) |Enable Defender for SQL to protect your Synapse workspaces. Defender for SQL monitors your Synapse SQL to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/TdOnSynapseWorkspaces_Audit.json) | |[Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F938c4981-c2c9-4168-9cd6-972b8675f906) |Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, discovering and classifying sensitive data. Once enabled, the protection status indicates that the resource is actively monitored. Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ProtectDefenderForSQLOnArc_Audit.json) | |[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) | |[SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc6283572-73bb-4deb-bf2c-7a2b8f7462cb) |To ensure your SQL VMs and Arc-enabled SQL Servers are protected, ensure the SQL-targeted Azure Monitoring Agent is configured to automatically deploy. This is also necessary if you've previously configured autoprovisioning of the Microsoft Monitoring Agent, as that component is being deprecated. Learn more: [https://aka.ms/SQLAMAMigration](https://aka.ms/SQLAMAMigration) |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DFSQL_AMA_Migration_Audit.json) | initiative definition. |[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. 
|AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) | |[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected Azure SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) |+|[Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd38668f5-d155-42c7-ab3d-9b57b50f8fbf) |Audit PostgreSQL flexible servers without Advanced Data Security |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/PostgreSQL_FlexibleServers_DefenderForSQL_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected SQL Managed 
Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | |[Microsoft Defender CSPM should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f90fc71-a595-4066-8974-d4d0802e8ef0) |Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Azure_Defender_CSPM_Audit.json) | |[Microsoft Defender for APIs should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7926a6d1-b268-4586-8197-e8ae90c877d7) |Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. 
|AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableDefenderForAPIS_Audit.json) | |[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) |+|[Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd31e5c31-63b2-4f12-887b-e49456834fa1) |Enable Defender for SQL to protect your Synapse workspaces. Defender for SQL monitors your Synapse SQL to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/TdOnSynapseWorkspaces_Audit.json) | |[Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F938c4981-c2c9-4168-9cd6-972b8675f906) |Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, discovering and classifying sensitive data. 
Once enabled, the protection status indicates that the resource is actively monitored. Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ProtectDefenderForSQLOnArc_Audit.json) | |[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) | |[SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc6283572-73bb-4deb-bf2c-7a2b8f7462cb) |To ensure your SQL VMs and Arc-enabled SQL Servers are protected, ensure the SQL-targeted Azure Monitoring Agent is configured to automatically deploy. This is also necessary if you've previously configured autoprovisioning of the Microsoft Monitoring Agent, as that component is being deprecated. 
Learn more: [https://aka.ms/SQLAMAMigration](https://aka.ms/SQLAMAMigration) |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DFSQL_AMA_Migration_Audit.json) | initiative definition. |[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) | |[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected Azure SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) |+|[Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd38668f5-d155-42c7-ab3d-9b57b50f8fbf) |Audit PostgreSQL flexible servers without Advanced Data Security |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/PostgreSQL_FlexibleServers_DefenderForSQL_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | |[Microsoft Defender CSPM should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f90fc71-a595-4066-8974-d4d0802e8ef0) |Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Azure_Defender_CSPM_Audit.json) | |[Microsoft Defender for APIs should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7926a6d1-b268-4586-8197-e8ae90c877d7) |Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableDefenderForAPIS_Audit.json) | |[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) |+|[Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd31e5c31-63b2-4f12-887b-e49456834fa1) |Enable Defender for SQL to protect your Synapse workspaces. Defender for SQL monitors your Synapse SQL to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/TdOnSynapseWorkspaces_Audit.json) | |[Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F938c4981-c2c9-4168-9cd6-972b8675f906) |Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, discovering and classifying sensitive data. Once enabled, the protection status indicates that the resource is actively monitored. Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection. 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ProtectDefenderForSQLOnArc_Audit.json) | |[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) | |[SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc6283572-73bb-4deb-bf2c-7a2b8f7462cb) |To ensure your SQL VMs and Arc-enabled SQL Servers are protected, ensure the SQL-targeted Azure Monitoring Agent is configured to automatically deploy. This is also necessary if you've previously configured autoprovisioning of the Microsoft Monitoring Agent, as that component is being deprecated. Learn more: [https://aka.ms/SQLAMAMigration](https://aka.ms/SQLAMAMigration) |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DFSQL_AMA_Migration_Audit.json) | initiative definition. 
|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |[Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17f4b1cc-c55c-4d94-b1f9-2978f6ac2957) |Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. 
|AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_K8sRuningImagesVulnerabilityAssessmentBasedOnMDVM_Audit.json) | |[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) |-|[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) |To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: [https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,) for Linux: [https://aka.ms/computevm-linuxpatchassessmentmode](https://aka.ms/computevm-linuxpatchassessmentmode). 
|Audit, Deny, Disabled |[3.5.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | +|[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) |To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: [https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,) for Linux: [https://aka.ms/computevm-linuxpatchassessmentmode](https://aka.ms/computevm-linuxpatchassessmentmode). |Audit, Deny, Disabled |[3.6.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | |[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. 
|AuditIfNotExists, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | |[SQL servers on machines should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6ba6d016-e7c3-4842-b8f2-4992ebc0d72d) |SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSQLVulnerabilityAssessment_Audit.json) | |[System updates on virtual machine scale sets should be installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3f317a7-a95c-4547-b7e7-11017ebdf2fe) |Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json) | |
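Review bot: the `+` row for 'Machines should be configured to periodically check for missing system updates' (bd876905-5b84-4f73-ab2d-2e7a7c4568d9, 3.5.0 to 3.6.0) carries over a malformed link from the `-` row: `[https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,)` puts the separating comma inside both the link text and the link target, so the rendered link points at an aka.ms alias that ends in a comma rather than at `https://aka.ms/computevm-windowspatchassessmentmode`. This table is generated from the definition's description, so the comma should be moved outside the link in the definition metadata (or stripped by the generator); otherwise every page that lists this definition, including the CIS 2.0.0 row further down this page, will keep the same broken target. Name, description and effects are otherwise unchanged between the `-` and `+` rows, so the bump itself reads as a metadata-only revision and is fine to merge once the link is fixed at the source.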
governance | Canada Federal Pbmm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/canada-federal-pbmm.md | Title: Regulatory Compliance details for Canada Federal PBMM description: Details of the Canada Federal PBMM Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 This built-in initiative is deployed as part of the |[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) | |[Vulnerabilities in security configuration on your virtual machine scale sets should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4) |Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json) | -### Flaw Remediation +### Malicious Code Protection -**ID**: CCCS SI-2 +**ID**: CCCS SI-3 |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |
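Review bot: the hunk replaces the heading `### Flaw Remediation` / `**ID**: CCCS SI-2` with `### Malicious Code Protection` / `**ID**: CCCS SI-3` and leaves the table header under it as unchanged context, which means the rows that follow that header were SI-2's mappings and now sit under an SI-3 label; the vulnerability-remediation rows shown above the heading precede it and are unaffected by the rename. Unless the same change also rewrites the rows under the new heading (not shown in this cell), either the SI-2 section should be removed together with its table and SI-3 added with its own rows, or the rename is wrong. Please confirm which case applies, and that the control index at the top of the page still lists SI-2 if that section is meant to remain.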
governance | Cis Azure 1 1 0 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/cis-azure-1-1-0.md | Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.1.0 description: Details of the CIS Microsoft Azure Foundations Benchmark 1.1.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 This built-in initiative is deployed as part of the |[Enable dual or joint authorization](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2c843d78-8f64-92b5-6a9b-e8186c0e7eb6) |CMA_0226 - Enable dual or joint authorization |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0226.json) | |[Maintain integrity of audit system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc0559109-6a27-a217-6821-5a6d44f92897) |CMA_C1133 - Maintain integrity of audit system |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_C1133.json) | |[Protect audit information](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e696f5a-451f-5c15-5532-044136538491) |CMA_0401 - Protect audit information |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0401.json) |-|[Storage account containing the container with activity logs must be encrypted with 
BYOK](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffbb99e8e-e444-4da0-9ff1-75c92f5a85b2) |This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here [https://aka.ms/azurestoragebyok](https://aka.ms/azurestoragebyok). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json) | +|[Storage account containing the container with activity logs must be encrypted with BYOK](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffbb99e8e-e444-4da0-9ff1-75c92f5a85b2) |This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here [https://aka.ms/azurestoragebyok](https://aka.ms/azurestoragebyok). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json) | ### Ensure that logging for Azure KeyVault is 'Enabled' |
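Review bot: the `-` and `+` rows for 'Storage account containing the container with activity logs must be encrypted with BYOK' (fbb99e8e-e444-4da0-9ff1-75c92f5a85b2) are identical in name, description, effects and version 1.0.0, so the difference is not in the rendered text (most likely trailing whitespace or a line-ending change). The same no-op pair is repeated in the CIS 1.3.0, CIS 1.4.0 and CIS 2.0.0 rows below. Whitespace-only churn in a generated compliance table hides the real version bumps in the same change; either normalize line endings in the generator so these rows stop flipping, or drop the hunk, and state in the commit message that the CIS 1.1.0, 1.3.0 and 1.4.0 pages have no substantive policy change in this section.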
governance | Cis Azure 1 3 0 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/cis-azure-1-3-0.md | Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.3.0 description: Details of the CIS Microsoft Azure Foundations Benchmark 1.3.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 initiative definition. |[Enable dual or joint authorization](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2c843d78-8f64-92b5-6a9b-e8186c0e7eb6) |CMA_0226 - Enable dual or joint authorization |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0226.json) | |[Maintain integrity of audit system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc0559109-6a27-a217-6821-5a6d44f92897) |CMA_C1133 - Maintain integrity of audit system |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_C1133.json) | |[Protect audit information](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e696f5a-451f-5c15-5532-044136538491) |CMA_0401 - Protect audit information |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0401.json) |-|[Storage account containing the container with activity logs must be encrypted with 
BYOK](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffbb99e8e-e444-4da0-9ff1-75c92f5a85b2) |This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here [https://aka.ms/azurestoragebyok](https://aka.ms/azurestoragebyok). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json) | +|[Storage account containing the container with activity logs must be encrypted with BYOK](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffbb99e8e-e444-4da0-9ff1-75c92f5a85b2) |This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here [https://aka.ms/azurestoragebyok](https://aka.ms/azurestoragebyok). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json) | ### Ensure that logging for Azure KeyVault is 'Enabled' |
governance | Cis Azure 1 4 0 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/cis-azure-1-4-0.md | Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.4.0 description: Details of the CIS Microsoft Azure Foundations Benchmark 1.4.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 initiative definition. |[Enable dual or joint authorization](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2c843d78-8f64-92b5-6a9b-e8186c0e7eb6) |CMA_0226 - Enable dual or joint authorization |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0226.json) | |[Maintain integrity of audit system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc0559109-6a27-a217-6821-5a6d44f92897) |CMA_C1133 - Maintain integrity of audit system |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_C1133.json) | |[Protect audit information](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e696f5a-451f-5c15-5532-044136538491) |CMA_0401 - Protect audit information |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0401.json) |-|[Storage account containing the container with activity logs must be encrypted with 
BYOK](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffbb99e8e-e444-4da0-9ff1-75c92f5a85b2) |This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here [https://aka.ms/azurestoragebyok](https://aka.ms/azurestoragebyok). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json) | +|[Storage account containing the container with activity logs must be encrypted with BYOK](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffbb99e8e-e444-4da0-9ff1-75c92f5a85b2) |This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here [https://aka.ms/azurestoragebyok](https://aka.ms/azurestoragebyok). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json) | ### Ensure that logging for Azure KeyVault is 'Enabled' |
governance | Cis Azure 2 0 0 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/cis-azure-2-0-0.md | Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 2.0.0 description: Details of the CIS Microsoft Azure Foundations Benchmark 2.0.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 initiative definition. |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||-|[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) |To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: [https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,) for Linux: [https://aka.ms/computevm-linuxpatchassessmentmode](https://aka.ms/computevm-linuxpatchassessmentmode). |Audit, Deny, Disabled |[3.5.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | +|[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) |To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. 
Learn more about AssessmentMode property for Windows: [https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,) for Linux: [https://aka.ms/computevm-linuxpatchassessmentmode](https://aka.ms/computevm-linuxpatchassessmentmode). |Audit, Deny, Disabled |[3.6.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | ### Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' initiative definition. |[Enable dual or joint authorization](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2c843d78-8f64-92b5-6a9b-e8186c0e7eb6) |CMA_0226 - Enable dual or joint authorization |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0226.json) | |[Maintain integrity of audit system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc0559109-6a27-a217-6821-5a6d44f92897) |CMA_C1133 - Maintain integrity of audit system |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_C1133.json) | |[Protect audit information](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e696f5a-451f-5c15-5532-044136538491) |CMA_0401 - Protect audit information |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0401.json) |-|[Storage account containing the container with activity logs must be encrypted with 
BYOK](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffbb99e8e-e444-4da0-9ff1-75c92f5a85b2) |This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here [https://aka.ms/azurestoragebyok](https://aka.ms/azurestoragebyok). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json) | +|[Storage account containing the container with activity logs must be encrypted with BYOK](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffbb99e8e-e444-4da0-9ff1-75c92f5a85b2) |This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here [https://aka.ms/azurestoragebyok](https://aka.ms/azurestoragebyok). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json) | ### Ensure that logging for Azure Key Vault is 'Enabled' initiative definition. 
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||-|[\[Preview\]: Azure Key Vault should use RBAC permission model](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5) |Enable RBAC permission model across Key Vaults. Learn more at: [https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration](../../../key-vault/general/rbac-migration.md) |Audit, Deny, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVault_Should_Use_RBAC.json) | +|[Azure Key Vault should use RBAC permission model](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5) |Enable RBAC permission model across Key Vaults. Learn more at: [https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration](../../../key-vault/general/rbac-migration.md) |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVault_Should_Use_RBAC.json) | ### Ensure that Private Endpoints are Used for Azure Key Vault |
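Review bot: two points in this cell. First, the Key Vault hunk drops `[Preview]:` from 'Azure Key Vault should use RBAC permission model' and moves 12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5 from 1.0.0-preview to 1.0.1 while keeping `Audit, Deny, Disabled`, so assignments of this CIS 2.0.0 initiative that selected Deny are now enforcing a GA definition; that is the expected outcome, but this is the only page in the set showing the preview-to-GA change, so check that every other compliance page listing the same definition id was regenerated in the same commit. Second, the AssessmentMode row in this cell has the comma inside the link target, `[https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,)`, which produces a wrong aka.ms alias; fix it once in the definition's description rather than per page. The BYOK `-`/`+` pair here is identical in text, effects and version and is the same whitespace-only churn as on the other CIS pages.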
governance | Cmmc L3 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/cmmc-l3.md | Title: Regulatory Compliance details for CMMC Level 3 description: Details of the CMMC Level 3 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 |
governance | Fedramp High | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/fedramp-high.md | Title: Regulatory Compliance details for FedRAMP High description: Details of the FedRAMP High Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 initiative definition. |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[Control information flow](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F59bedbdc-0ba9-39b9-66bb-1d1c192384e6) |CMA_0079 - Control information flow |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0079.json) | |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Employ flow control mechanisms of encrypted information](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F79365f13-8ba4-1f6c-2ac4-aa39929f56d0) |CMA_0211 - Employ flow control mechanisms of encrypted information |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0211.json) | |[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 
Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | initiative definition. |[Display an explicit logout message](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0471c6b7-1588-701c-2713-1fade73b75f6) |CMA_C1056 - Display an explicit logout message |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_C1056.json) | |[Provide the logout capability](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdb580551-0b3c-4ea1-8a4c-4cdb5feb340f) |CMA_C1055 - Provide the logout capability |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_C1055.json) | -### Permitted Actions Without Identification Or -Authentication +### Permitted Actions Without Identification Or Authentication **ID**: FedRAMP High AC-14 **Ownership**: Shared Authentication |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. 
Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. 
For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Document mobility training](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F83dfb2b8-678b-20a0-4c44-5c75ada023e6) |CMA_0191 - Document mobility training |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0191.json) | |[Document remote access guidelines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3d492600-27ba-62cc-a1c3-66eb919f6a0d) |CMA_0196 - Document remote access guidelines |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0196.json) | |[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | Authentication |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|deployIfNotExists |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Function apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) |

Authentication

## Audit And Accountability

-### Audit And Accountability Policy And
-Procedures
+### Audit And Accountability Policy And Procedures

**ID**: FedRAMP High AU-1
**Ownership**: Shared

Procedures

## Security Assessment And Authorization

-### Security Assessment And Authorization
-Policy And Procedures
+### Security Assessment And Authorization Policy And Procedures

**ID**: FedRAMP High CA-1
**Ownership**: Shared

Policy And Procedures

|||||
|[Review and update identification and authentication policies and procedures](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F29acfac0-4bb4-121b-8283-8943198b1549) |CMA_C1299 - Review and update identification and authentication policies and procedures |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_C1299.json) |

-### Identification And Authentication
-(Organizational Users)
+### Identification And Authentication (Organizational Users)

**ID**: FedRAMP High IA-2
**Ownership**: Shared

Policy And Procedures

|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
|||||
-|[\[Preview\]: Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) |Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. 
|audit, Audit, deny, Deny, disabled, Disabled |[2.2.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) | |[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) | |[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|modify |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
|[Audit Linux machines that do not have the passwd file permissions set to 0644](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe6955644-301c-44b5-a4c4-528577de6861) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the Linux machine does not have the passwd file permissions set to 0644. |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword121_AINE.json) |
|[Audit Windows machines that do not store passwords using reversible encryption](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fda0f98fe-a24b-4ad5-af69-bd0400233661) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the Windows machine does not store passwords using reversible encryption. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordEncryption_AINE.json) |
|[Authentication to Linux machines should require SSH keys](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F630c64f9-8b6b-4c64-b511-6544ceff6fd6) |Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. 
The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: [https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed](../../../virtual-machines/linux/create-ssh-keys-detailed.md). |AuditIfNotExists, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json) |+|[Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) |Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. |audit, Audit, deny, Deny, disabled, Disabled |[2.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|deployIfNotExists |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) | |[Establish authenticator types and processes](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F921ae4c1-507f-5ddb-8a58-cfa9b5fd96f0) |CMA_0267 - Establish authenticator types and processes |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0267.json) | Policy And Procedures |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. 
To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink](https://aka.ms/acr/privatelink), [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) |
|[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) |
|[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. 
Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Implement system boundary protection](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F01ae60e2-38bb-0a32-7b20-d3a091423409) |CMA_0328 - Implement system boundary protection |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0328.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 
Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc). |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) |

Policy And Procedures

|[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink](https://aka.ms/acr/privatelink), [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) |
|[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. 
Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | |
governance | Fedramp Moderate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/fedramp-moderate.md | Title: Regulatory Compliance details for FedRAMP Moderate description: Details of the FedRAMP Moderate Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 initiative definition.
|[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[Control information flow](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F59bedbdc-0ba9-39b9-66bb-1d1c192384e6) |CMA_0079 - Control information flow |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0079.json) | |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Employ flow control mechanisms of encrypted information](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F79365f13-8ba4-1f6c-2ac4-aa39929f56d0) |CMA_0211 - Employ flow control mechanisms of encrypted information |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0211.json) | |[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 
Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | initiative definition. |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|deployIfNotExists |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Document mobility training](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F83dfb2b8-678b-20a0-4c44-5c75ada023e6) |CMA_0191 - Document mobility training |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0191.json) | |[Document remote access guidelines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3d492600-27ba-62cc-a1c3-66eb919f6a0d) |CMA_0196 - Document remote access guidelines |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0196.json) | |[Event Hub namespaces should use private 
link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | initiative definition. |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Function apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||-|[\[Preview\]: Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) |Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. |audit, Audit, deny, Deny, disabled, Disabled |[2.2.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) | |[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|modify |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) | |[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) | |[Audit Linux machines that do not have the passwd file permissions set to 0644](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe6955644-301c-44b5-a4c4-528577de6861) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword121_AINE.json) | |[Audit Windows machines that do not store passwords using reversible encryption](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fda0f98fe-a24b-4ad5-af69-bd0400233661) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Windows machines that do not store passwords using reversible encryption |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordEncryption_AINE.json) | |[Authentication to Linux machines should require SSH keys](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F630c64f9-8b6b-4c64-b511-6544ceff6fd6) |Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: [https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed](../../../virtual-machines/linux/create-ssh-keys-detailed.md). 
|AuditIfNotExists, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json) |+|[Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) |Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. |audit, Audit, deny, Deny, disabled, Disabled |[2.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|deployIfNotExists |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) | |[Establish authenticator types and processes](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F921ae4c1-507f-5ddb-8a58-cfa9b5fd96f0) |CMA_0267 - Establish authenticator types and processes |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0267.json) | initiative definition. |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. 
To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. 
Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Implement system boundary protection](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F01ae60e2-38bb-0a32-7b20-d3a091423409) |CMA_0328 - Implement system boundary protection |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0328.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 
Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | initiative definition. |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. 
Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | |
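Review bot: the "Disk access resources should use private link" row is removed (`-`) and re-added (`+`) with byte-identical text in both affected sections of this diff, so the hunk records no visible change to the policy mapping; if this is a trailing-whitespace or line-ending normalization, either revert the no-op rewrite or state that in the change so readers of the change history are not led to look for a policy edit that isn't there.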
governance | Gov Azure Security Benchmark | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-azure-security-benchmark.md | Title: Regulatory Compliance details for Microsoft cloud security benchmark (Azure Government) description: Details of the Microsoft cloud security benchmark (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 initiative definition. |[Azure Cosmos DB should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F797b37f7-06b8-444c-b1ad-fc62867f335a) |Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account. Learn more at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation](../../../cosmos-db/how-to-configure-private-endpoints.md#blocking-public-network-access-during-account-creation). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateNetworkAccess_AuditDeny.json) | |[Azure Databricks Clusters should disable public IP](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F51c1490f-3319-459c-bbbc-7f391bbed753) |Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the clusters aren't exposed on the public internet. Learn more at: [https://learn.microsoft.com/azure/databricks/security/secure-cluster-connectivity](/azure/databricks/security/secure-cluster-connectivity). 
|Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Databricks/Databricks_DisablePublicIP_Audit.json) | |[Azure Databricks Workspaces should be in a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9c25c9e4-ee12-4882-afd2-11fb9d87893f) |Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: [https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject](/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject). |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Databricks/Databricks_VNETEnabled_Audit.json) |-|[Azure Databricks Workspaces should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e7849de-b939-4c50-ab48-fc6b0f5eeba2) |Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. Learn more at: [https://learn.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/private-link](/azure/databricks/administration-guide/cloud-configurations/azure/private-link). 
|Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Databricks/Databricks_AuditPublicNetworkAccess.json) | +|[Azure Databricks Workspaces should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e7849de-b939-4c50-ab48-fc6b0f5eeba2) |Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. Learn more at: [https://learn.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/private-link](/azure/databricks/administration-guide/cloud-configurations/azure/private-link). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Databricks/Databricks_AuditPublicNetworkAccess.json) | |[Azure Databricks Workspaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F258823f2-4595-4b52-b333-cc96192710d8) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/adbpe](https://aka.ms/adbpe). 
|Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Databricks/Databricks_PrivateEndpoint_Audit.json) | |[Azure Event Grid domains should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9830b652-8523-49cc-b1b3-e17dce1127ca) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/privateendpoints](https://aka.ms/privateendpoints). |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Domains_PrivateEndpoint_Audit.json) | |[Azure Event Grid topics should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4b90e17e-8448-49db-875e-bd83fb6f804f) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/privateendpoints](https://aka.ms/privateendpoints). |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Topics_PrivateEndpoint_Audit.json) | initiative definition. 
|[Azure Defender for Azure SQL Database servers should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7fe3b40f-802b-4cdd-8bd4-fd799c948cc2) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json) | |[Azure Defender for Resource Manager should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3d20c29-b36d-48fe-808b-99a87530ad99) |Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at [https://aka.ms/defender-for-resource-manager](https://aka.ms/defender-for-resource-manager) . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: [https://aka.ms/pricing-security-center](https://aka.ms/pricing-security-center) . 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnResourceManager_Audit.json) | |[Azure Defender for servers should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) |+|[Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd38668f5-d155-42c7-ab3d-9b57b50f8fbf) |Audit PostgreSQL flexible servers without Advanced Data Security |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/PostgreSQL_FlexibleServers_DefenderForSQL_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | |[Microsoft Defender for Containers should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) |+|[Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd31e5c31-63b2-4f12-887b-e49456834fa1) |Enable Defender for SQL to protect your Synapse workspaces. Defender for SQL monitors your Synapse SQL to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/TdOnSynapseWorkspaces_Audit.json) | |[Microsoft Defender for Storage (Classic) should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F308fbb08-4ab8-4e67-9b29-592e93fb94fa) |Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. 
|AuditIfNotExists, Disabled |[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedThreatProtectionOnStorageAccounts_Audit.json) | ### Enable threat detection for identity and access management initiative definition. |[Azure Defender for Azure SQL Database servers should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7fe3b40f-802b-4cdd-8bd4-fd799c948cc2) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json) | |[Azure Defender for Resource Manager should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3d20c29-b36d-48fe-808b-99a87530ad99) |Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at [https://aka.ms/defender-for-resource-manager](https://aka.ms/defender-for-resource-manager) . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: [https://aka.ms/pricing-security-center](https://aka.ms/pricing-security-center) . 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnResourceManager_Audit.json) | |[Azure Defender for servers should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) |+|[Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd38668f5-d155-42c7-ab3d-9b57b50f8fbf) |Audit PostgreSQL flexible servers without Advanced Data Security |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/PostgreSQL_FlexibleServers_DefenderForSQL_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | |[Microsoft Defender for Containers should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) |+|[Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd31e5c31-63b2-4f12-887b-e49456834fa1) |Enable Defender for SQL to protect your Synapse workspaces. Defender for SQL monitors your Synapse SQL to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/TdOnSynapseWorkspaces_Audit.json) | |[Microsoft Defender for Storage (Classic) should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F308fbb08-4ab8-4e67-9b29-592e93fb94fa) |Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. 
|AuditIfNotExists, Disabled |[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedThreatProtectionOnStorageAccounts_Audit.json) | ### Enable logging for security investigation initiative definition. |[Azure Defender for Azure SQL Database servers should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7fe3b40f-802b-4cdd-8bd4-fd799c948cc2) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json) | |[Azure Defender for Resource Manager should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3d20c29-b36d-48fe-808b-99a87530ad99) |Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at [https://aka.ms/defender-for-resource-manager](https://aka.ms/defender-for-resource-manager) . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: [https://aka.ms/pricing-security-center](https://aka.ms/pricing-security-center) . 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnResourceManager_Audit.json) | |[Azure Defender for servers should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) |+|[Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd38668f5-d155-42c7-ab3d-9b57b50f8fbf) |Audit PostgreSQL flexible servers without Advanced Data Security |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/PostgreSQL_FlexibleServers_DefenderForSQL_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | |[Microsoft Defender for Containers should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) |+|[Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd31e5c31-63b2-4f12-887b-e49456834fa1) |Enable Defender for SQL to protect your Synapse workspaces. Defender for SQL monitors your Synapse SQL to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/TdOnSynapseWorkspaces_Audit.json) | |[Microsoft Defender for Storage (Classic) should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F308fbb08-4ab8-4e67-9b29-592e93fb94fa) |Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. 
|AuditIfNotExists, Disabled |[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedThreatProtectionOnStorageAccounts_Audit.json) | ### Detection and analysis - investigate an incident initiative definition. |[Azure Defender for Azure SQL Database servers should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7fe3b40f-802b-4cdd-8bd4-fd799c948cc2) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json) | |[Azure Defender for Resource Manager should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3d20c29-b36d-48fe-808b-99a87530ad99) |Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at [https://aka.ms/defender-for-resource-manager](https://aka.ms/defender-for-resource-manager) . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: [https://aka.ms/pricing-security-center](https://aka.ms/pricing-security-center) . 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnResourceManager_Audit.json) | |[Azure Defender for servers should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) |+|[Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd38668f5-d155-42c7-ab3d-9b57b50f8fbf) |Audit PostgreSQL flexible servers without Advanced Data Security |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/PostgreSQL_FlexibleServers_DefenderForSQL_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | |[Microsoft Defender for Containers should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) |+|[Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd31e5c31-63b2-4f12-887b-e49456834fa1) |Enable Defender for SQL to protect your Synapse workspaces. Defender for SQL monitors your Synapse SQL to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/TdOnSynapseWorkspaces_Audit.json) | |[Microsoft Defender for Storage (Classic) should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F308fbb08-4ab8-4e67-9b29-592e93fb94fa) |Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. 
|AuditIfNotExists, Disabled |[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedThreatProtectionOnStorageAccounts_Audit.json) | ## Posture and Vulnerability Management |
governance | Gov Cis Azure 1 1 0 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-cis-azure-1-1-0.md | Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.1.0 (Azure Government) description: Details of the CIS Microsoft Azure Foundations Benchmark 1.1.0 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 This built-in initiative is deployed as part of the |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||-|[Storage account containing the container with activity logs must be encrypted with BYOK](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffbb99e8e-e444-4da0-9ff1-75c92f5a85b2) |This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here [https://aka.ms/azurestoragebyok](https://aka.ms/azurestoragebyok). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json) | +|[Storage account containing the container with activity logs must be encrypted with BYOK](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffbb99e8e-e444-4da0-9ff1-75c92f5a85b2) |This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. 
More information on Azure Storage encryption at rest can be found here [https://aka.ms/azurestoragebyok](https://aka.ms/azurestoragebyok). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json) | ### Ensure that logging for Azure KeyVault is 'Enabled' |
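Review bot: The row removed (`-|[Storage account containing the container with activity logs must be encrypted with BYOK]...`) and the row added (`+|[Storage account containing the container with activity logs must be encrypted with BYOK]...`) in this hunk read identically, down to the `AuditIfNotExists, Disabled` effect and the `1.0.0` version link, so the change looks like a line-wrapping or whitespace-only edit rather than a content update. If that is the intent, consider dropping the hunk to keep the commit focused; if a duplicate row is being introduced under the same control, the extra row should be removed.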
governance | Gov Cis Azure 1 3 0 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-cis-azure-1-3-0.md | Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.3.0 (Azure Government) description: Details of the CIS Microsoft Azure Foundations Benchmark 1.3.0 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 initiative definition. |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||-|[Storage account containing the container with activity logs must be encrypted with BYOK](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffbb99e8e-e444-4da0-9ff1-75c92f5a85b2) |This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here [https://aka.ms/azurestoragebyok](https://aka.ms/azurestoragebyok). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json) | +|[Storage account containing the container with activity logs must be encrypted with BYOK](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffbb99e8e-e444-4da0-9ff1-75c92f5a85b2) |This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. 
More information on Azure Storage encryption at rest can be found here [https://aka.ms/azurestoragebyok](https://aka.ms/azurestoragebyok). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json) | ### Ensure that logging for Azure KeyVault is 'Enabled' |
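Review bot: As in the CIS 1.1.0 entry, the removed and re-added `Storage account containing the container with activity logs must be encrypted with BYOK` rows in this hunk are textually identical (same description, same `AuditIfNotExists, Disabled` effect, same `1.0.0` link), so this appears to be a whitespace-only change; confirm that is intended, and if a second copy of the row would end up under the same control, remove it so the table does not list the policy twice.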
governance | Gov Cmmc L3 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-cmmc-l3.md | Title: Regulatory Compliance details for CMMC Level 3 (Azure Government) description: Details of the CMMC Level 3 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 |
governance | Gov Fedramp High | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-fedramp-high.md | Title: Regulatory Compliance details for FedRAMP High (Azure Government) description: Details of the FedRAMP High (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 initiative definition. |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. 
Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. 
|[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|deployIfNotExists |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Function apps should have remote debugging turned off](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. 
The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. 
Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Function apps should have remote debugging turned off](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. 
|AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. ## Identification And Authentication -### Identification And Authentication -(Organizational Users) +### Identification And Authentication (Organizational Users) **ID**: FedRAMP High IA-2 **Ownership**: Shared initiative definition. |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. 
Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. 
Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 
Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. 
Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. 
Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 
Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | |
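Review bot: the heading hunk in the Identification And Authentication section is the right fix: with `### Identification And Authentication` and `(Organizational Users)` on separate lines, the parenthetical rendered as a stray paragraph under a truncated heading instead of as part of the control title that precedes `**ID**: FedRAMP High IA-2`. Only this one heading is touched here; it is worth checking the other control headings in the same file for the same line split before merging.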
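Review bot: in both "Disk access resources should use private link" hunks, the removed row and the added row are identical in the visible text (same definition ID f39f5f49-4abf-44de-8c70-0756997bfb51, same description, same `AuditIfNotExists, Disabled` effect, same 1.0.0 version link), so the change is either whitespace or line-ending only, or a no-op. The commit should say which; if it is whitespace-only, normalizing the whole file in one pass would be cleaner than re-emitting the same policy row under every control that lists it.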
governance | Gov Fedramp Moderate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-fedramp-moderate.md | Title: Regulatory Compliance details for FedRAMP Moderate (Azure Government) description: Details of the FedRAMP Moderate (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 initiative definition. |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. 
Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. 
|[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|deployIfNotExists |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Function apps should have remote debugging turned off](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. 
The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. 
Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Function apps should have remote debugging turned off](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. 
|AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 
Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. 
Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. 
Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 
Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | |
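Review bot: each `-|[Disk access resources should use private link]...` row and the `+|[Disk access resources should use private link]...` row that replaces it (at the `|-|` / `| +|` boundaries on the long lines above, repeated once per control section) are word-for-word identical in the visible text, down to the definition ID f39f5f49-4abf-44de-8c70-0756997bfb51, the effect `AuditIfNotExists, Disabled` and the version `1.0.0`, so the hunks do not show what actually changed. If this is a whitespace- or line-wrapping-only edit, say so in the commit message so that compliance reviewers can confirm the control-to-policy mapping is unchanged rather than diffing the rows by hand; if a column value did change, the altered cell should be visible in the hunk.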
governance | Gov Irs 1075 Sept2016 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-irs-1075-sept2016.md | Title: Regulatory Compliance details for IRS 1075 September 2016 (Azure Government) description: Details of the IRS 1075 September 2016 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 |
governance | Gov Iso 27001 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-iso-27001.md | Title: Regulatory Compliance details for ISO 27001:2013 (Azure Government) description: Details of the ISO 27001:2013 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 |
governance | Gov Nist Sp 800 171 R2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-nist-sp-800-171-r2.md | Title: Regulatory Compliance details for NIST SP 800-171 R2 (Azure Government) description: Details of the NIST SP 800-171 R2 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 initiative definition. |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. 
Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Function apps should have remote debugging turned off](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[Function apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | initiative definition. |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|deployIfNotExists |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Function apps should have remote debugging turned off](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. |[Cognitive Services should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. 
Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | |[Private endpoint connections on Azure SQL Database should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7698e800-9299-47a6-b3b6-5a0fee576eed) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. |Audit, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PrivateEndpoint_Audit.json) | initiative definition. |[Cognitive Services should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. 
The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. 
Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | |[Private endpoint connections on Azure SQL Database should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7698e800-9299-47a6-b3b6-5a0fee576eed) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. |Audit, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PrivateEndpoint_Audit.json) | initiative definition. |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 
Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. 
Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. 
Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 
Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. 
Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. 
Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 
Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. 
Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. 
Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 
Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | |
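Review bot: the `-|[Disk access resources should use private link]…` line and the `+|[Disk access resources should use private link]…` line that replaces it read identically in this rendering: same description, same `AuditIfNotExists, Disabled` effects, same `1.0.0` version link. Whatever changed (trailing whitespace or an invisible character, most likely) is not visible here, so confirm the diff carries a real change before merging; otherwise the row churn only adds noise to the history of the compliance mapping.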
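The policy rows in these change details say what each built-in flags (a registry with no network rules, a resource with no private endpoint, a Function app with remote debugging on, an internet-facing VM without an NSG) but not how a team would catch the same misconfiguration before Azure Policy evaluates it. The script below is an added example, not code from this page or from the Azure/azure-policy repository: it approximates four of the listed checks over ARM resource JSON (such as the output of `az resource show` or an exported template) so they can run offline in CI. The property names it reads (`publicNetworkAccess`, `networkRuleSet.defaultAction`, `privateEndpointConnections`, `siteConfig.remoteDebuggingEnabled`, `ipConfigurations[].properties.publicIPAddress`, `networkSecurityGroup`) are assumed from the ARM resource schemas, the sample resources are constructed, and the logic is a simplification, not the built-ins' actual policy rules; the authoritative rules are in the linked policyDefinitions JSON files.

```python
"""Offline pre-flight checks approximating Azure Policy built-ins listed on this page.

Simplified re-implementations for CI triage, NOT the built-ins' real policy rules
(those live in the linked policyDefinitions JSON). Property names are assumed from
the ARM resource schemas."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    policy: str    # display name of the built-in being approximated
    effect: str    # effect a default assignment of that built-in would use
    resource: str  # name of the offending resource
    reason: str


def _props(res):
    return res.get("properties", {})


def _has_approved_private_endpoint(res):
    """True if at least one private endpoint connection on the resource is approved."""
    for conn in _props(res).get("privateEndpointConnections", []):
        state = _props(conn).get("privateLinkServiceConnectionState", {})
        if state.get("status") == "Approved":
            return True
    return False


def check_acr_network_rules(res):
    """Container registries should not allow unrestricted network access (Audit/Deny):
    flag a registry reachable from the internet whose network rule set allows by default."""
    p = _props(res)
    public = p.get("publicNetworkAccess", "Enabled")
    default_action = p.get("networkRuleSet", {}).get("defaultAction", "Allow")
    if public == "Enabled" and default_action == "Allow":
        return Finding("Container registries should not allow unrestricted network access",
                       "Deny", res["name"],
                       "publicNetworkAccess=Enabled and networkRuleSet.defaultAction=Allow")
    return None


def check_private_link(res, policy_name):
    """Shared logic for the '... should use private link' family (Audit)."""
    if _has_approved_private_endpoint(res):
        return None
    return Finding(policy_name, "Audit", res["name"], "no approved private endpoint connection")


def check_function_remote_debugging(res):
    """Function apps should have remote debugging turned off (AuditIfNotExists)."""
    if not res.get("kind", "").startswith("functionapp"):
        return None
    if _props(res).get("siteConfig", {}).get("remoteDebuggingEnabled", False):
        return Finding("Function apps should have remote debugging turned off",
                       "AuditIfNotExists", res["name"], "siteConfig.remoteDebuggingEnabled=true")
    return None


def check_internet_facing_nic_nsg(nic):
    """Internet-facing virtual machines should be protected with NSGs (AuditIfNotExists).
    Assumption/simplification: only a NIC-level NSG is inspected, not a subnet NSG."""
    p = _props(nic)
    internet_facing = any("publicIPAddress" in _props(ipc) for ipc in p.get("ipConfigurations", []))
    if internet_facing and "networkSecurityGroup" not in p:
        return Finding("Internet-facing virtual machines should be protected with network security groups",
                       "AuditIfNotExists", nic["name"], "public IP attached and no NSG on the NIC")
    return None


# The private-link built-ins differ only in target resource type; one implementation serves all.
PRIVATE_LINK_POLICIES = {
    "Microsoft.ContainerRegistry/registries": "Container registries should use private link",
    "Microsoft.DocumentDB/databaseAccounts": "CosmosDB accounts should use private link",
    "Microsoft.EventHub/namespaces": "Event Hub namespaces should use private link",
    "Microsoft.Devices/provisioningServices": "IoT Hub device provisioning service instances should use private link",
}


def evaluate(resources):
    """Dispatch on ARM resource type and return every finding."""
    findings = []
    for res in resources:
        rtype = res.get("type", "")
        if rtype == "Microsoft.ContainerRegistry/registries":
            findings.append(check_acr_network_rules(res))
        if rtype in PRIVATE_LINK_POLICIES:
            findings.append(check_private_link(res, PRIVATE_LINK_POLICIES[rtype]))
        if rtype == "Microsoft.Web/sites":
            findings.append(check_function_remote_debugging(res))
        if rtype == "Microsoft.Network/networkInterfaces":
            findings.append(check_internet_facing_nic_nsg(res))
    return [f for f in findings if f is not None]


# Constructed sample resources (not real deployments).
SAMPLE = [
    {"name": "acrOpen", "type": "Microsoft.ContainerRegistry/registries",
     "properties": {"publicNetworkAccess": "Enabled", "networkRuleSet": {"defaultAction": "Allow"}}},
    {"name": "acrLocked", "type": "Microsoft.ContainerRegistry/registries",
     "properties": {"publicNetworkAccess": "Disabled", "privateEndpointConnections": [
         {"properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}}]}},
    {"name": "cosmosPublic", "type": "Microsoft.DocumentDB/databaseAccounts", "properties": {}},
    {"name": "funcDebug", "type": "Microsoft.Web/sites", "kind": "functionapp,linux",
     "properties": {"siteConfig": {"remoteDebuggingEnabled": True}}},
    {"name": "nicExposed", "type": "Microsoft.Network/networkInterfaces",
     "properties": {"ipConfigurations": [{"properties": {"publicIPAddress": {"id": "/pip/x"}}}]}},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE):
        print(f"[{f.effect}] {f.resource}: {f.policy} ({f.reason})")
```

The `effect` in each finding is the strongest effect the corresponding table row lists; an actual assignment may pick any of the listed ones, and only `Deny` blocks a deployment, while `Audit` and `AuditIfNotExists` merely mark the resource non-compliant. The NSG check is deliberately stricter than the built-in in one respect: an NSG associated with the subnet rather than the NIC also restricts traffic to the VM, and this script does not look at subnets.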
governance | Gov Nist Sp 800 53 R4 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-nist-sp-800-53-r4.md | Title: Regulatory Compliance details for NIST SP 800-53 Rev. 4 (Azure Government) Description: Details of the NIST SP 800-53 Rev. 4 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated: 02/06/2024. Last updated: 02/22/2024. initiative definition. |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink](https://aka.ms/acr/privatelink), [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. 
Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. 
|[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|deployIfNotExists |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Function apps should have remote debugging turned off](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. 
The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. 
Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Function apps should have remote debugging turned off](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. 
|AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink](https://aka.ms/acr/privatelink), [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 
Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. 
Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink](https://aka.ms/acr/privatelink), [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. 
Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 
Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | |
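Review bot: the `-|[Disk access resources should use private link]` row and the `+|[Disk access resources should use private link]` row that replaces it read identically in the visible hunk (same definition link, same description, same `AuditIfNotExists, Disabled` effect and same version `1.0.0`), so the change cannot be reviewed from this diff; if it is a whitespace or line-ending fix, say so in the commit message, otherwise the regenerated row should be dropped from the change. In the same hunk, the Container Registry row links `[https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,)` with the trailing comma inside both the link text and the link target, so the rendered link resolves to the wrong URL; the comma belongs outside the link: `[https://aka.ms/acr/privatelink](https://aka.ms/acr/privatelink),`.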
governance | Gov Nist Sp 800 53 R5 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-nist-sp-800-53-r5.md | Title: Regulatory Compliance details for NIST SP 800-53 Rev. 5 (Azure Government) description: Details of the NIST SP 800-53 Rev. 5 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 initiative definition. |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. 
Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. 
|[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|deployIfNotExists |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Function apps should have remote debugging turned off](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. 
The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. 
Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Function apps should have remote debugging turned off](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. 
|AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 
Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. 
Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. 
Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 
Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | |
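Review bot: the removed and re-added "Disk access resources should use private link" rows in this hunk are identical in every visible field (same definition link ending `f39f5f49-4abf-44de-8c70-0756997bfb51`, same description text, same "AuditIfNotExists, Disabled" effect and same version `1.0.0`), so the change carries no content visible here and appears to be whitespace- or line-ending-only. If that is the intent, say so in the commit message so the next reviewer does not have to diff the two rows by hand; if a content update was intended (a bumped version or a changed link), it is missing from the "+" row.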
governance | Hipaa Hitrust 9 2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/hipaa-hitrust-9-2.md | Title: Regulatory Compliance details for HIPAA HITRUST 9.2 description: Details of the HIPAA HITRUST 9.2 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 |
governance | Irs 1075 Sept2016 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/irs-1075-sept2016.md | Title: Regulatory Compliance details for IRS 1075 September 2016 description: Details of the IRS 1075 September 2016 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 |
governance | Iso 27001 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/iso-27001.md | Title: Regulatory Compliance details for ISO 27001:2013 description: Details of the ISO 27001:2013 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 |
governance | Mcfs Baseline Confidential | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/mcfs-baseline-confidential.md | Title: Regulatory Compliance details for Microsoft Cloud for Sovereignty Baseline Confidential Policies description: Details of the Microsoft Cloud for Sovereignty Baseline Confidential Policies Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 |
governance | Mcfs Baseline Global | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/mcfs-baseline-global.md | Title: Regulatory Compliance details for Microsoft Cloud for Sovereignty Baseline Global Policies description: Details of the Microsoft Cloud for Sovereignty Baseline Global Policies Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 |
governance | Nist Sp 800 171 R2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/nist-sp-800-171-r2.md | Title: Regulatory Compliance details for NIST SP 800-171 R2 description: Details of the NIST SP 800-171 R2 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 initiative definition. |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) | |[Define information system account types](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F623b5f0a-8cbd-03a6-4892-201d27302f0c) |CMA_0121 - Define information system account types |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0121.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. 
Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Function apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[Function apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | initiative definition. |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. 
Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|deployIfNotExists |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Function apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. 
Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | |[Notify users of system logon or access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffe2dff43-0a8c-95df-0432-cb1c794b17d0) |CMA_0382 - Notify users of system logon or access |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0382.json) | initiative definition. |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. 
Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | |[Private endpoint connections on Azure SQL Database should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7698e800-9299-47a6-b3b6-5a0fee576eed) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. |Audit, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PrivateEndpoint_Audit.json) | initiative definition. |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[Control information flow](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F59bedbdc-0ba9-39b9-66bb-1d1c192384e6) |CMA_0079 - Control information flow |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0079.json) | |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Employ flow control mechanisms of encrypted information](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F79365f13-8ba4-1f6c-2ac4-aa39929f56d0) |CMA_0211 - Employ flow control mechanisms of encrypted information |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0211.json) | |[Establish firewall and router configuration standards](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F398fdbd8-56fd-274d-35c6-fa2d3b2755a1) |CMA_0272 - Establish firewall and router configuration standards |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0272.json) | |[Establish network segmentation for card holder data environment](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff476f3b0-4152-526e-a209-44e5f8c968d7) |CMA_0273 - Establish network segmentation for card holder data environment |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0273.json) | initiative definition. |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. 
To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. 
Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 
Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. 
Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. 
Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 
Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. 
Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. 
Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 
Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||-|[\[Preview\]: Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) |Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. 
|audit, Audit, deny, Deny, disabled, Disabled |[2.2.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) |
|[Accounts with owner permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe3e008c3-56b9-4133-8fd7-d3347377402a) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithOwnerPermissions_Audit.json) |
|[Accounts with read permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithReadPermissions_Audit.json) |
|[Accounts with write permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F931e118d-50a1-4457-a5e4-78550e086c52) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithWritePermissions_Audit.json) |

initiative definition.

|[Audit Linux machines that do not have the passwd file permissions set to 0644](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe6955644-301c-44b5-a4c4-528577de6861) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword121_AINE.json) |
|[Audit Windows machines that do not store passwords using reversible encryption](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fda0f98fe-a24b-4ad5-af69-bd0400233661) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Windows machines that do not store passwords using reversible encryption |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordEncryption_AINE.json) |
|[Authentication to Linux machines should require SSH keys](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F630c64f9-8b6b-4c64-b511-6544ceff6fd6) |Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: [https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed](../../../virtual-machines/linux/create-ssh-keys-detailed.md). |AuditIfNotExists, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json) |
+|[Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) |Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. |audit, Audit, deny, Deny, disabled, Disabled |[2.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) |
|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) |
|[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) |
|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |
governance | Nist Sp 800 53 R4 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/nist-sp-800-53-r4.md | Title: Regulatory Compliance details for NIST SP 800-53 Rev. 4 description: Details of the NIST SP 800-53 Rev. 4 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 initiative definition.

|[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) |
|[Control information flow](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F59bedbdc-0ba9-39b9-66bb-1d1c192384e6) |CMA_0079 - Control information flow |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0079.json) |
|[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |
-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) |
+|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) |
|[Employ flow control mechanisms of encrypted information](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F79365f13-8ba4-1f6c-2ac4-aa39929f56d0) |CMA_0211 - Employ flow control mechanisms of encrypted information |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0211.json) |
|[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) |
|[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) |

initiative definition.

|[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |
|[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) |
|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |
-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) |
+|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) |
|[Document mobility training](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F83dfb2b8-678b-20a0-4c44-5c75ada023e6) |CMA_0191 - Document mobility training |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0191.json) |
|[Document remote access guidelines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3d492600-27ba-62cc-a1c3-66eb919f6a0d) |CMA_0196 - Document remote access guidelines |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0196.json) |
|[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) |

initiative definition.

|[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |
|[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) |
|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |
-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) |
+|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) |
|[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) |
|[Function apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) |
|[IoT Hub device provisioning service instances should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) |

initiative definition.

|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
|||||
-|[\[Preview\]: Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) |Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. |audit, Audit, deny, Deny, disabled, Disabled |[2.2.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) |
|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
|[Audit Linux machines that do not have the passwd file permissions set to 0644](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe6955644-301c-44b5-a4c4-528577de6861) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword121_AINE.json) |
|[Audit Windows machines that do not store passwords using reversible encryption](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fda0f98fe-a24b-4ad5-af69-bd0400233661) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Windows machines that do not store passwords using reversible encryption |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordEncryption_AINE.json) |
|[Authentication to Linux machines should require SSH keys](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F630c64f9-8b6b-4c64-b511-6544ceff6fd6) |Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: [https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed](../../../virtual-machines/linux/create-ssh-keys-detailed.md). |AuditIfNotExists, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json) |
+|[Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) |Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. |audit, Audit, deny, Deny, disabled, Disabled |[2.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) |
|[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) |
|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |
|[Establish authenticator types and processes](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F921ae4c1-507f-5ddb-8a58-cfa9b5fd96f0) |CMA_0267 - Establish authenticator types and processes |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0267.json) |

initiative definition.

|[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) |
|[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) |
|[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |
-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) |
+|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced.
Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Implement system boundary protection](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F01ae60e2-38bb-0a32-7b20-d3a091423409) |CMA_0328 - Implement system boundary protection |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0328.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 
Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | initiative definition. |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. 
Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | |
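Review bot: the `-`/`+` pair for "Disk access resources should use private link" (definition f39f5f49-4abf-44de-8c70-0756997bfb51), which occurs twice in this hunk, is identical on both sides in name, description, effects (AuditIfNotExists, Disabled) and version (1.0.0), so the visible diff records no change to that row; if this is a whitespace or row-ordering artifact of the table generator, state that in the change description, otherwise the intended edit is missing. Separately, the hunk adds the GA row "Certificates should have the specified maximum validity period" at version 2.2.1 with effects "audit, Audit, deny, Deny, disabled, Disabled" but carries no matching `-` line for the earlier `[Preview]` entry of the same definition ID (0a075868-4c26-42ef-914c-5bc007359560, version 2.2.0-preview, still visible in the NIST SP 800-53 Rev. 5 change below); confirm the preview row is removed from the same control table so both variants are not listed side by side.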
governance | Nist Sp 800 53 R5 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/nist-sp-800-53-r5.md | Title: Regulatory Compliance details for NIST SP 800-53 Rev. 5 description: Details of the NIST SP 800-53 Rev. 5 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 initiative definition. |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[Control information flow](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F59bedbdc-0ba9-39b9-66bb-1d1c192384e6) |CMA_0079 - Control information flow |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0079.json) | |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Employ flow control mechanisms of encrypted information](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F79365f13-8ba4-1f6c-2ac4-aa39929f56d0) |CMA_0211 - Employ flow control mechanisms of encrypted information |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0211.json) | |[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 
Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | initiative definition. |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|deployIfNotExists |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Document mobility training](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F83dfb2b8-678b-20a0-4c44-5c75ada023e6) |CMA_0191 - Document mobility training |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0191.json) | |[Document remote access guidelines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3d492600-27ba-62cc-a1c3-66eb919f6a0d) |CMA_0196 - Document remote access guidelines |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0196.json) | |[Event Hub namespaces should use private 
link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | initiative definition. |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Function apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | initiative definition. |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||-|[\[Preview\]: Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) |Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. |audit, Audit, deny, Deny, disabled, Disabled |[2.2.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) | |[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|modify |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) | |[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) | |[Audit Linux machines that do not have the passwd file permissions set to 0644](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe6955644-301c-44b5-a4c4-528577de6861) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword121_AINE.json) | |[Audit Windows machines that do not store passwords using reversible encryption](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fda0f98fe-a24b-4ad5-af69-bd0400233661) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Windows machines that do not store passwords using reversible encryption |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordEncryption_AINE.json) | |[Authentication to Linux machines should require SSH keys](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F630c64f9-8b6b-4c64-b511-6544ceff6fd6) |Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: [https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed](../../../virtual-machines/linux/create-ssh-keys-detailed.md). 
|AuditIfNotExists, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json) |+|[Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) |Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. |audit, Audit, deny, Deny, disabled, Disabled |[2.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|deployIfNotExists |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) | |[Establish authenticator types and processes](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F921ae4c1-507f-5ddb-8a58-cfa9b5fd96f0) |CMA_0267 - Establish authenticator types and processes |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0267.json) | initiative definition. |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. 
To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. 
Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Implement system boundary protection](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F01ae60e2-38bb-0a32-7b20-d3a091423409) |CMA_0328 - Implement system boundary protection |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0328.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 
Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | initiative definition. |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. 
Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | |
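Review bot: the `-`/`+` pair for `Disk access resources should use private link` (definition f39f5f49-4abf-44de-8c70-0756997bfb51) is textually identical in every control section of this diff; name, description, the `AuditIfNotExists, Disabled` effect and version `1.0.0` are all unchanged, so the pair is whitespace or line-ending churn from the table generator. Either strip those pairs or say in the commit message that the table was regenerated with no content change for that row, so reviewers stop hunting for a difference. The one real change is the Key Vault validity policy: `[\[Preview\]: Certificates should have the specified maximum validity period` at `2.2.0-preview` is dropped from the top of the table and re-added as `Certificates should have the specified maximum validity period` at `2.2.1` between the SSH-keys row and the Linux Guest Configuration extension row. That placement keeps the alphabetical order, but the effect column still carries the preview-era list `audit, Audit, deny, Deny, disabled, Disabled`; check it against the 2.2.1 definition JSON linked in the version column before merging rather than assuming it survived the GA cut. Separately, and worth an upstream issue rather than a hand edit here: the unchanged rows for `Container registries should not allow unrestricted network access` embed a trailing comma inside the link target `https://aka.ms/acr/privatelink,`, which breaks the link; since this table is generated from the policy description, the fix belongs in the azure-policy definition.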
governance | Nl Bio Cloud Theme | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/nl-bio-cloud-theme.md | Title: Regulatory Compliance details for NL BIO Cloud Theme description: Details of the NL BIO Cloud Theme Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 initiative definition. |[Azure Data Factory should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8b0323be-cc25-4b61-935d-002c3798c6ea) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/data-factory/data-factory-private-link](../../../data-factory/data-factory-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Factory/DataFactory_PrivateEndpoints_Audit.json) | |[Azure Databricks Clusters should disable public IP](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F51c1490f-3319-459c-bbbc-7f391bbed753) |Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the clusters aren't exposed on the public internet. Learn more at: [https://learn.microsoft.com/azure/databricks/security/secure-cluster-connectivity](/azure/databricks/security/secure-cluster-connectivity). 
|Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Databricks/Databricks_DisablePublicIP_Audit.json) | |[Azure Databricks Workspaces should be in a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9c25c9e4-ee12-4882-afd2-11fb9d87893f) |Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: [https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject](/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject). |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Databricks/Databricks_VNETEnabled_Audit.json) |-|[Azure Databricks Workspaces should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e7849de-b939-4c50-ab48-fc6b0f5eeba2) |Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. Learn more at: [https://learn.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/private-link](/azure/databricks/administration-guide/cloud-configurations/azure/private-link). 
|Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Databricks/Databricks_AuditPublicNetworkAccess.json) | +|[Azure Databricks Workspaces should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e7849de-b939-4c50-ab48-fc6b0f5eeba2) |Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. Learn more at: [https://learn.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/private-link](/azure/databricks/administration-guide/cloud-configurations/azure/private-link). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Databricks/Databricks_AuditPublicNetworkAccess.json) | |[Azure Databricks Workspaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F258823f2-4595-4b52-b333-cc96192710d8) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/adbpe](https://aka.ms/adbpe). 
|Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Databricks/Databricks_PrivateEndpoint_Audit.json) | |[Azure Event Grid domains should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9830b652-8523-49cc-b1b3-e17dce1127ca) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/privateendpoints](https://aka.ms/privateendpoints). |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Domains_PrivateEndpoint_Audit.json) | |[Azure Event Grid topics should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4b90e17e-8448-49db-875e-bd83fb6f804f) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/privateendpoints](https://aka.ms/privateendpoints). |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Topics_PrivateEndpoint_Audit.json) | initiative definition. 
|[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) |-|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | |[Event Hub namespaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb8564268-eb4a-4337-89be-a19db070c59d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/event-hubs/private-link-service](../../../event-hubs/private-link-service.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_PrivateEndpoint_Audit.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IoT Hub device provisioning service instances should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf39c015-56a4-45de-b4a3-efe77bed320d) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/iotdpsvnet](https://aka.ms/iotdpsvnet). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTDps_EnablePrivateEndpoint_Audit.json) | |
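Review bot: the removed and re-added "Disk access resources should use private link" rows are character-for-character identical (same definitionId f39f5f49-4abf-44de-8c70-0756997bfb51, same effects AuditIfNotExists, Disabled, same version 1.0.0), so the -/+ pair is pure churn, most likely whitespace or row ordering; if nothing else differs, drop it from the change so the diff only shows real edits. In the unchanged "Container registries should not allow unrestricted network access" description the trailing comma sits inside the link target (`[https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,)`), so the rendered link points at a URL ending in a comma; move the comma outside the link, here or in the policy description this row is pulled from. The same description also runs "backbone network.By mapping" together and needs a space.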
governance | Pci Dss 3 2 1 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/pci-dss-3-2-1.md | Title: Regulatory Compliance details for PCI DSS 3.2.1 description: Details of the PCI DSS 3.2.1 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 initiative definition. |[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) | |[Storage accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c877ad-507e-4c82-993e-3452a6e0ad3c) |Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. 
To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges |Audit, Deny, Disabled |[1.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json) | -### PCI DSS requirement 1.3.4 --**ID**: PCI DSS v3.2.1 1.3.4 -**Ownership**: customer --|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | -||||| -|[Audit diagnostic setting for selected resource types](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) |Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. |AuditIfNotExists |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) | -|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) |Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. 
|AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) | -|[Storage accounts should be migrated to new Azure Resource Manager resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F37e0d2fe-28a5-43d6-a273-67d37d1f5606) |Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Classic_AuditForClassicStorages_Audit.json) | -|[Virtual machines should be migrated to new Azure Resource Manager resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1d84d5fb-01f6-4d12-ba4f-4a26081d403d) |Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ClassicCompute_Audit.json) | - ## Requirement 10 ### PCI DSS requirement 10.5.4 |
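Review bot: confirm that dropping the entire "PCI DSS requirement 1.3.4" section is intended, because the removed lines cover the heading, the ID and ownership lines, the table header and all four rows (Audit diagnostic setting for selected resource types, Auditing on SQL server should be enabled, Storage accounts should be migrated to new Azure Resource Manager resources, Virtual machines should be migrated to new Azure Resource Manager resources) and no + line re-adds any of those four policies elsewhere in this diff, while the "Requirement 10" and "PCI DSS requirement 10.5.4" headings that follow remain; if the control was removed from the initiative definition, say so in the commit message so the mapping loss is deliberate rather than an accidental deletion. The front-matter bump from 02/06/2024 to 02/22/2024 is consistent with a content change of this size.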
governance | Pci Dss 4 0 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/pci-dss-4-0.md | Title: Regulatory Compliance details for PCI DSS v4.0 description: Details of the PCI DSS v4.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 |
governance | Rbi Itf Banks 2016 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/rbi-itf-banks-2016.md | Title: Regulatory Compliance details for Reserve Bank of India IT Framework for Banks v2016 description: Details of the Reserve Bank of India IT Framework for Banks v2016 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 initiative definition. ### Authentication Framework For Customers-9.1 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Authentication Framework For Customers-9.3 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Network Inventory-4.2 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Network Device Configuration Management-4.3 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Anomaly Detection-4.7 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Security Operation Centre-4.9 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Perimeter Protection And Detection-4.10 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Software Inventory-2.1 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. 
### Authorised Software Installation-2.2 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Security Update Management-2.3 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Patch/Vulnerability & Change Management-7.1 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Patch/Vulnerability & Change Management-7.2 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Patch/Vulnerability & Change Management-7.6 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Patch/Vulnerability & Change Management-7.7 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Maintenance, Monitoring, And Analysis Of Audit Logs-16.1 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Maintenance, Monitoring, And Analysis Of Audit Logs-16.2 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Maintenance, Monitoring, And Analysis Of Audit Logs-16.3 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Secure Configuration-5.1 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. 
### Secure Configuration-5.2 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Secure Mail And Messaging Systems-10.1 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Secure Mail And Messaging Systems-10.2 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### User Access Control / Management-8.1 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### User Access Control / Management-8.2 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### User Access Control / Management-8.3 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### User Access Control / Management-8.4 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### User Access Control / Management-8.5 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### User Access Control / Management-8.8 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Vulnerability Assessment And Penetration Test And Red Team Exercises-18.1 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. 
### Vulnerability Assessment And Penetration Test And Red Team Exercises-18.2 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Vulnerability Assessment And Penetration Test And Red Team Exercises-18.4 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Risk Based Transaction Monitoring-20.1 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Metrics-21.1 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||-|[\[Preview\]: Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) |Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. |audit, Audit, deny, Deny, disabled, Disabled |[2.2.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) | |[Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f905d99-2ab7-462c-a6b0-f709acca6c8f) |Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/cosmosdb-cmk](https://aka.ms/cosmosdb-cmk). |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json) | |[Azure Defender for Key Vault should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e6763cc-5078-4e64-889d-ff4d9a839047) |Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKeyVaults_Audit.json) | |[Azure Key Vault should have firewall enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F55615ac9-af46-4a59-874e-391cc3dfb490) |Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. 
Learn more at: [https://docs.microsoft.com/azure/key-vault/general/network-security](../../../key-vault/general/network-security.md) |Audit, Deny, Disabled |[3.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultFirewallEnabled_Audit.json) | |[Azure Key Vaults should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6abeaec-4d90-4a02-805f-6b26c4d3fbe9) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/akvprivatelink](https://aka.ms/akvprivatelink). |[parameters('audit_effect')] |[1.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVault_Should_Use_PrivateEndpoint_Audit.json) | |[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). 
|Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) |+|[Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) |Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. |audit, Audit, deny, Deny, disabled, Disabled |[2.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) | |[Cognitive Services accounts should enable data encryption with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) |Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at [https://go.microsoft.com/fwlink/?linkid=2121321](https://go.microsoft.com/fwlink/?linkid=2121321). 
|Audit, Deny, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_CustomerManagedKey_Audit.json) | |[Container registries should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) |Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/acr/CMK](https://aka.ms/acr/CMK). |Audit, Deny, Disabled |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) | |[Key vaults should have deletion protection enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0b60c0b2-2dc2-4e1c-b5c9-abbed971de53) |Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. 
|Audit, Deny, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_Recoverable_Audit.json) | initiative definition. ### Metrics-21.2 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Audit Log Settings-17.1 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Anti-Phishing-14.1 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Advanced Real-Timethreat Defenceand Management-13.1 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Advanced Real-Timethreat Defenceand Management-13.2 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Advanced Real-Timethreat Defenceand Management-13.3 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Advanced Real-Timethreat Defenceand Management-13.4 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Application Security Life Cycle (Aslc)-6.1 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Application Security Life Cycle (Aslc)-6.3 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. 
### Application Security Life Cycle (Aslc)-6.4 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Application Security Life Cycle (Aslc)-6.6 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Application Security Life Cycle (Aslc)-6.7 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Data Leak Prevention Strategy-15.1 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Data Leak Prevention Strategy-15.2 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Data Leak Prevention Strategy-15.3 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Forensics-22.1 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Responding To Cyber-Incidents:-19.2 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Recovery From Cyber - Incidents-19.4 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Recovery From Cyber - Incidents-19.5 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. 
### Recovery From Cyber - Incidents-19.6 -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Recovery From Cyber - Incidents-19.6b -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Recovery From Cyber - Incidents-19.6c -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| initiative definition. ### Recovery From Cyber - Incidents-19.6e -**ID**: +**ID**: |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |
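Review bot: the `-**ID**:` / `+**ID**:` pair repeated under every control heading shows nothing after the colon on either side, so whatever changed in the ID field is not visible in this extract; state the ID change in the commit message so it can be checked against the initiative definition. The one substantive change that is visible is under Metrics-21.1, where the "[Preview]: Certificates should have the specified maximum validity period" row (2.2.0-preview) is replaced by the GA "Certificates should have the specified maximum validity period" row (2.2.1) with the same definitionId 0a075868-4c26-42ef-914c-5bc007359560 and the same effect list, which is consistent. While these headings are being touched, the unchanged "Advanced Real-Timethreat Defenceand Management-13.x" headings are missing spaces ("Real-Time threat Defence and Management") and "(Aslc)" should be "(ASLC)".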
governance | Rbi Itf Nbfc 2017 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/rbi-itf-nbfc-2017.md | Title: Regulatory Compliance details for Reserve Bank of India - IT Framework for NBFC description: Details of the Reserve Bank of India - IT Framework for NBFC Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 initiative definition. |[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) | |[Network Watcher flow logs should have traffic analytics enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2f080164-9f4d-497e-9db6-416dc9f7b48a) |Traffic analytics analyzes flow logs to provide insights into traffic flow in your Azure cloud. It can be used to visualize network activity across your Azure subscriptions and identify hot spots, identify security threats, understand traffic flow patterns, pinpoint network misconfigurations and more. 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_FlowLog_TrafficAnalytics_Audit.json) | |[SQL servers with auditing to storage account destination should be configured with 90 days retention or higher](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F89099bee-89e0-4b26-a5f4-165451757743) |For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditingRetentionDays_Audit.json) |-|[Storage account containing the container with activity logs must be encrypted with BYOK](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffbb99e8e-e444-4da0-9ff1-75c92f5a85b2) |This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here [https://aka.ms/azurestoragebyok](https://aka.ms/azurestoragebyok). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json) | +|[Storage account containing the container with activity logs must be encrypted with BYOK](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffbb99e8e-e444-4da0-9ff1-75c92f5a85b2) |This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here [https://aka.ms/azurestoragebyok](https://aka.ms/azurestoragebyok). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json) | |[The Log Analytics extension should be installed on Virtual Machine Scale Sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fefbde977-ba53-4479-b8e9-10b957924fbf) |This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VMSS_LogAnalyticsAgent_AuditIfNotExists.json) | |[Virtual machines should have the Log Analytics extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa70ca396-0a34-413a-88e1-b956c1e683be) |This policy audits any Windows/Linux virtual machines if the Log Analytics extension is not installed. 
|AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VirtualMachines_LogAnalyticsAgent_AuditIfNotExists.json) | initiative definition. |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||-|[\[Preview\]: Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) |Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. |audit, Audit, deny, Deny, disabled, Disabled |[2.2.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) | |[App Configuration should use a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1) |Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/CustomerManagedKey_Audit.json) | |[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. 
|Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) | |[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) | initiative definition. |[Azure Key Vault should have firewall enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F55615ac9-af46-4a59-874e-391cc3dfb490) |Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: [https://docs.microsoft.com/azure/key-vault/general/network-security](../../../key-vault/general/network-security.md) |Audit, Deny, Disabled |[3.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultFirewallEnabled_Audit.json) | |[Azure Key Vaults should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6abeaec-4d90-4a02-805f-6b26c4d3fbe9) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. 
The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/akvprivatelink](https://aka.ms/akvprivatelink). |[parameters('audit_effect')] |[1.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVault_Should_Use_PrivateEndpoint_Audit.json) | |[Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fea0dfaed-95fb-448c-934e-d6e713ce393d) |To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview](../../../azure-monitor/platform/customer-managed-keys.md#customer-managed-key-overview). |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKDoubleEncryptionEnabled_Deny.json) |+|[Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) |Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. 
|audit, Audit, deny, Deny, disabled, Disabled |[2.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) | |[Disk encryption should be enabled on Azure Data Explorer](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff4b53539-8df9-40e4-86c6-6b607703bd4e) |Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_disk_encrypted.json) | |[Enforce SSL connection should be enabled for MySQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe802a67a-daf5-4436-9ea6-f6d821dd0c5d) |Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json) | |[Enforce SSL connection should be enabled for PostgreSQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd158790f-bfb0-486c-8631-2dc6b4e8e6af) |Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). 
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableSSL_Audit.json) | initiative definition. |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[\[Deprecated\]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feaebaea7-8013-4ceb-9d14-7eb32271373c) |Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. |Audit, Disabled |[3.1.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_ClientCert.json) |-|[\[Preview\]: Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) |Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. 
|audit, Audit, deny, Deny, disabled, Disabled |[2.2.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) | |[App Service apps should have Client Certificates (Incoming client certificates) enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F19dd1db6-f442-49cf-a838-b0786b4401ef) |Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ClientCert_Webapp_Audit.json) | |[Certificates should be issued by the specified integrated certificate authority](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8e826246-c976-48f6-b03e-619bb92b3d82) |Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign. |audit, Audit, deny, Deny, disabled, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_Issuers_SupportedCAs.json) |+|[Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) |Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. 
|audit, Audit, deny, Deny, disabled, Disabled |[2.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) | |[Certificates should use allowed key types](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1151cede-290b-4ba0-8b38-0ad145ac888f) |Manage your organizational compliance requirements by restricting the key types allowed for certificates. |audit, Audit, deny, Deny, disabled, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_AllowedKeyTypes.json) | |[Certificates using elliptic curve cryptography should have allowed curve names](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd78111f-4953-4367-9fd5-7e08808b54bf) |Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at [https://aka.ms/akvpolicy](https://aka.ms/akvpolicy). |audit, Audit, deny, Deny, disabled, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_EC_AllowedCurveNames.json) | |[Certificates using RSA cryptography should have the specified minimum key size](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcee51871-e572-4576-855c-047c820360f0) |Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. |audit, Audit, deny, Deny, disabled, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_RSA_MinimumKeySize.json) | |
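Review bot: the removed and re-added rows for "Storage account containing the container with activity logs must be encrypted with BYOK" are textually identical, down to the `AuditIfNotExists, Disabled` effect and the `1.0.0` version, so this hunk records no visible change; if the edit is a whitespace or line-ending normalization it is fine to land, but if a link target or version bump was intended it has not been applied. The certificate validity-period hunks, by contrast, are consistent: the `[Preview]` row at `2.2.0-preview` is dropped and the GA row at `2.2.1` is inserted in alphabetical position in both tables, with the same definition ID and description.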
governance | Rmit Malaysia | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/rmit-malaysia.md | Title: Regulatory Compliance details for RMIT Malaysia description: Details of the RMIT Malaysia Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 initiative definition. |[PostgreSQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F18adea5e-f416-4d0f-8aa8-d24321e3e274) |Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. |AuditIfNotExists, Disabled |[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableByok_Audit.json) | |[Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffa298e57-9444-42ba-bf04-86e8470e32c7) |Link storage account to Log Analytics workspace to protect saved-queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your saved-queries in Azure Monitor. 
For more details on the above, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys?tabs=portal#customer-managed-key-for-saved-queries](../../../azure-monitor/platform/customer-managed-keys.md#customer-managed-key-for-saved-queries). |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsWorkspaces_CMKBYOSQueryEnabled_Deny.json) | |[SQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a370ff3-6cab-4e85-8995-295fd854c5b8) |Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_EnsureServerTDEisEncryptedWithYourOwnKey_Deny.json) |-|[Storage account containing the container with activity logs must be encrypted with BYOK](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffbb99e8e-e444-4da0-9ff1-75c92f5a85b2) |This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here [https://aka.ms/azurestoragebyok](https://aka.ms/azurestoragebyok). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json) | +|[Storage account containing the container with activity logs must be encrypted with BYOK](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffbb99e8e-e444-4da0-9ff1-75c92f5a85b2) |This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here [https://aka.ms/azurestoragebyok](https://aka.ms/azurestoragebyok). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json) | |[Storage accounts should use customer-managed key for encryption](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6fac406b-40ca-413b-bf8e-0bf964659c25) |Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountCustomerManagedKeyEnabled_Audit.json) | ## Access Control |
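Review bot: same concern for the RMIT Malaysia table as for the other compliance tables in this batch: the `-`/`+` pair for the activity-log BYOK storage policy shows identical text and the same `1.0.0` version, so either the diff is a pure whitespace change or the intended edit (new link, new version) is missing; worth confirming before merge so the change history for this control stays meaningful.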
governance | Swift Csp Cscf 2021 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/swift-csp-cscf-2021.md | Title: Regulatory Compliance details for SWIFT CSP-CSCF v2021 description: Details of the SWIFT CSP-CSCF v2021 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 |
governance | Swift Csp Cscf 2022 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/swift-csp-cscf-2022.md | Title: Regulatory Compliance details for SWIFT CSP-CSCF v2022 description: Details of the SWIFT CSP-CSCF v2022 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 initiative definition. |[Review file and folder activity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef718fe4-7ceb-9ddf-3198-0ee8f6fe9cba) |CMA_0473 - Review file and folder activity |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0473.json) | |[Review role group changes weekly](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F70fe686f-1f91-7dab-11bf-bca4201e183b) |CMA_0476 - Review role group changes weekly |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0476.json) | |[Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffa298e57-9444-42ba-bf04-86e8470e32c7) |Link storage account to Log Analytics workspace to protect saved-queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your saved-queries in Azure Monitor. 
For more details on the above, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys?tabs=portal#customer-managed-key-for-saved-queries](../../../azure-monitor/platform/customer-managed-keys.md#customer-managed-key-for-saved-queries). |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsWorkspaces_CMKBYOSQueryEnabled_Deny.json) |-|[Storage account containing the container with activity logs must be encrypted with BYOK](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffbb99e8e-e444-4da0-9ff1-75c92f5a85b2) |This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here [https://aka.ms/azurestoragebyok](https://aka.ms/azurestoragebyok). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json) | +|[Storage account containing the container with activity logs must be encrypted with BYOK](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffbb99e8e-e444-4da0-9ff1-75c92f5a85b2) |This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here [https://aka.ms/azurestoragebyok](https://aka.ms/azurestoragebyok). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json) | |[The Log Analytics extension should be installed on Virtual Machine Scale Sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fefbde977-ba53-4479-b8e9-10b957924fbf) |This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VMSS_LogAnalyticsAgent_AuditIfNotExists.json) | |[Virtual machines should have the Log Analytics extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa70ca396-0a34-413a-88e1-b956c1e683be) |This policy audits any Windows/Linux virtual machines if the Log Analytics extension is not installed. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VirtualMachines_LogAnalyticsAgent_AuditIfNotExists.json) | initiative definition. ## 10. Be Ready in case of Major Disaster -### Business continuity is ensured through a documented plan communicated to the potentially affected -parties (service bureau and customers). +### Business continuity is ensured through a documented plan communicated to the potentially affected parties (service bureau and customers). **ID**: SWIFT CSCF v2022 10.1 **Ownership**: Shared |
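Review bot: the activity-log BYOK storage row is removed and re-added with no visible difference in this SWIFT CSCF v2022 table either (same description, same `AuditIfNotExists, Disabled`, same `1.0.0`); if nothing but whitespace changed, consider dropping the churn so the commit history for this control only records substantive edits.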
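Review bot: joining the wrapped heading under "10. Be Ready in case of Major Disaster" into a single line is the right fix, since an ATX heading ends at the line break and the orphaned "parties (service bureau and customers)." would otherwise render as a paragraph below a truncated heading; check the rest of the file for other control headings that were wrapped the same way, as the `**ID**: SWIFT CSCF v2022 10.1` block that follows depends on the heading being intact.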
governance | Ukofficial Uknhs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/ukofficial-uknhs.md | Title: Regulatory Compliance details for UK OFFICIAL and UK NHS description: Details of the UK OFFICIAL and UK NHS Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/06/2024 Last updated : 02/22/2024 |
governance | Power Bi Connector Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/resource-graph/power-bi-connector-quickstart.md | Title: Run queries with the Azure Resource Graph Power BI connector + Title: Run queries with Azure Resource Graph Power BI connector description: In this quickstart, you learn how to run queries with the Azure Resource Graph Power BI connector. Previously updated : 01/29/2024 Last updated : 02/22/2024 # Quickstart: Run queries with the Azure Resource Graph Power BI connector -In this quickstart, you learn how to run queries with the Azure Resource Graph Power BI connector. By default the Power BI connector runs queries at the tenant level but you can change the scope to subscription or management group. Resource Graph by default returns a maximum of 1,000 records but the Power BI connector has an optional setting to return all records if your query results have more than 1,000 records. +In this quickstart, you learn how to run queries with the Azure Resource Graph Power BI connector. By default the Power BI connector runs queries at the tenant level but you can change the scope to subscription or management group. Azure Resource Graph by default returns a maximum of 1,000 records but the Power BI connector has an optional setting to return all records if your query results have more than 1,000 records. > [!NOTE] > The Azure Resource Graph Power BI connector is in public preview. In this quickstart, you learn how to run queries with the Azure Resource Graph P ## Prerequisites - If you don't have an Azure account with an active subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.-- [Power BI Desktop](https://powerbi.microsoft.com/desktop/).-- Azure role-based access control rights with at least _Reader_ role assignment to resources. 
Learn more about [how to assign roles](../../role-based-access-control/role-assignments-portal.md).+- [Power BI Desktop](https://powerbi.microsoft.com/desktop/) or a [Power BI service](https://app.powerbi.com/) workspace in your organization's tenant. +- Azure role-based access control rights with at least _Reader_ role assignment to resources. To learn more about role assignments, go to [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md). -## Connect Resource Graph with Power BI connector +## Connect Azure Resource Graph with Power BI connector -After Power BI Desktop is installed, you can connect Resource Graph with Power BI connector so that you can run a query. If you don't have a query to run, you can use the following sample that queries for storage accounts. +You can run queries with Power BI Desktop or Power BI service. Don't use comments when you enter a query. ++If you don't have a query, you can use the following sample that queries for storage accounts: ```kusto resources | where type == 'microsoft.storage/storageaccounts' ``` +# [Power BI Desktop](#tab/power-bi-desktop) ++After Power BI Desktop is installed, you can connect Azure Resource Graph with Power BI connector so that you can run a query. + The following example runs a query with the default settings. 1. Open the Power BI Desktop app on your computer and close any dialog boxes that are displayed.+1. Select **Home** > **Options and settings** > **Data source settings**. 1. Go to **Home** > **Get data** > **More** > **Azure** > **Azure Resource Graph** and select **Connect**. :::image type="content" source="./media/power-bi-connector-quickstart/power-bi-get-data.png" alt-text="Screenshot of the get data dialog box in Power BI Desktop to select the Azure Resource Graph connector."::: The following example runs a query with the default settings. 
:::image type="content" source="./media/power-bi-connector-quickstart/query-dialog-box.png" alt-text="Screenshot of the Azure Resource Graph dialog box to enter a query and use the default settings."::: -1. Select **OK** to run the query and if prompted, enter your credentials. -1. Select **Connect** to run the query. The results are displayed in Power BI Desktop. +1. Select **OK**. If prompted, enter your credentials and select **Connect** to run the query. 1. Select **Load** or **Transform Data**. - **Load** imports the query results into Power BI Desktop. - **Transform Data** opens the Power Query Editor with your query results. +# [Power BI service](#tab/power-bi-service) ++You need a workspace with _Dataflow_ so you can connect Azure Resource Graph with Power BI connector and run a query. ++1. Go to your organization's [Power BI service](https://app.powerbi.com/). +1. Open a workspace and select **New** > **Dataflow**. +1. Select **Add new tables** from **Define new tables**. +1. In **Choose data source** type _azure resource graph_ to search for the connector. ++ :::image type="content" source="./media/power-bi-connector-quickstart/power-bi-service-get-data.png" alt-text="Screenshot of the get data dialog box in Power BI service to select the Azure Resource Graph connector."::: ++1. Select **Azure Resource Graph**. +1. Enter a query into the **Query** box. You can copy and paste the query. ++ :::image type="content" source="./media/power-bi-connector-quickstart/power-bi-service-query-dialog-box.png" alt-text="Screenshot of the Power BI service Azure Resource Graph dialog box to enter a query and use the default settings."::: ++1. Select **Sign in** to authenticate with your Organizational account. +1. Select **Next** to run the query. ++The results are displayed in Power Query. You can select to save or cancel. 
+++ ## Use optional settings You can select optional values to change the Azure subscription or management group that the query runs against or to get query results of more than 1,000 records. You can select optional values to change the Azure subscription or management gr | Scope | You can select subscription or management group. Tenant is the default scope when no selection is made. | | Subscription ID | Required if you select subscription scope. Specify the Azure subscription ID. Use a comma-separated list to query multiple subscriptions. | | Management group ID | Required if you select management group scope. Specify the Azure management group ID. Use a comma-separated list to query multiple management groups. |-| Advanced options | To get more than 1,000 records change `$resultTruncated` to `FALSE`. By default Resource Graph returns a maximum of 1,000 records. | +| Advanced options | To get more than 1,000 records change `$resultTruncated` to `FALSE`. By default Azure Resource Graph returns a maximum of 1,000 records. | For example, to run a query for a subscription that returns more than 1,000 records: For example, to run a query for a subscription that returns more than 1,000 reco - Enter a subscription ID. - Set `$resultTruncated` to `FALSE`. +# [Power BI Desktop](#tab/power-bi-desktop) +++# [Power BI service](#tab/power-bi-service) +++ ## Clean up resources When you're finished, close any Power BI Desktop or Power Query windows and save or discard your queries. -## Related content +## Next steps For more information about the query language or how to explore resources, go to the following articles. +- [Power BI connector troubleshooting guide](./troubleshoot/power-bi-connector.md). - [Understanding the Azure Resource Graph query language](./concepts/query-language.md). - [Explore your Azure resources with Resource Graph](./concepts/explore-resources.md). 
- Sample queries listed by [table](./samples/samples-by-table.md) or [category](./samples/samples-by-category.md). |
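Review bot: the new tab sets (`# [Power BI Desktop](#tab/power-bi-desktop)` / `# [Power BI service](#tab/power-bi-service)`) show no closing `---` line before `## Use optional settings` or `## Clean up resources`, and the second set under Use optional settings has empty tab bodies; without a terminator the docs tab renderer folds the following heading into the last tab, so add `---` after each set (disregard if it was simply outside the diff context) and either fill in or drop the empty tabs. Minor wording: "You can select to save or cancel." reads better as "You can save or cancel the query."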
governance | Power Bi Connector | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/resource-graph/troubleshoot/power-bi-connector.md | + + Title: Troubleshoot Azure Resource Graph Power BI connector +description: Learn how to troubleshoot issues with Azure Resource Graph Power BI connector. Last updated : 02/22/2024++++# Troubleshoot Azure Resource Graph Power BI connector ++> [!NOTE] +> The Azure Resource Graph Power BI connector is in public preview. ++The following descriptions help you troubleshoot Azure Resource Graph (ARG) data connector in Power BI. ++## Connector availability ++The ARG Power BI connector isn't available in all Power BI products and versions. ++| Version | Products | +| - | - | +| 2.123.x <br> (November 2023) or later | Power BI Datasets (Desktop + Service) <br> Power BI (Dataflows) <br> Fabric (Dataflow Gen2) | +++ARG Power BI connector isn't available in the following products: ++- Excel +- Power Apps (Dataflows) +- Dynamic 365 Customer Insights +- Analysis Services ++## Supported capabilities ++The ARG Power BI connector only supports [import connections](/power-bi/connect-data/desktop-directquery-about#import-connections). The ARG Power BI connector doesn't support `DirectQuery` connections. For more information about connectivity modes and their differences, go to [DirectQuery in Power BI](/power-bi/connect-data/desktop-directquery-about). ++## Load times and throttling ++The load time for ARG queries in Power BI is contingent on the query size. Larger query results might lead to extended load times. ++If you're experiencing a 429 error, which is due to throttling, go to [Guidance for throttled requests in Azure Resource Graph](../concepts/guidance-for-throttled-requests.md). 
++## Unexpected Results ++If your query yields unexpected or inaccurate results, consider the following scenarios: ++- **Verify permissions**: Confirm that your [Azure role-based access control (Azure RBAC) permissions](../../../role-based-access-control/overview.md) are accurate. Ensure you have at least read access to the resources you want to query. Queries don't return results without adequate permissions to the Azure object or object group. +- **Check for comments**: Review your query and remove any comments (`//`) because Power BI doesn't support Kusto comments. Comments might affect your query results. +- **Compare results**: For parity checks, run your query in both the ARG Explorer in Azure portal and the ARG Power BI connector. Compare the results obtained from both platforms for consistency. ++## Errors ++The ARG connector's query capability behaves the same at [ARG Explorer](../first-query-portal.md) in the Azure portal. For information about ARG common errors, go to the [troubleshooting guide](general.md#general-errors). ++For Power BI errors, go to [common issues](/power-query/common-issues). ++The following table contains descriptions of common ARG Power BI connector errors. ++| Error | Description | +| - | - | +| Invalid query | Query that was entered isn't valid. Check the syntax of your query and refer to the ARG [Kusto Query Language (KQL)](../concepts/query-language.md#supported-kql-language-elements) for guidance. | +| Scope check | If you're querying at the tenant scope, delete all inputs in the subscription ID or management group ID fields. <br> <br> If you have inputs in the subscriptions ID or management group ID fields that you want to filter for, select either subscription or management group from the drop-down scope field. | +| Scope subscription mismatch | The subscription scope was selected from the scope drop-down field but a management group ID was entered. 
| +| Scope management group mismatch | The management group scope was selected from the scope drop-down field but a subscription ID was entered. | |
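Review bot: three wording errors in the added text: "Dynamic 365 Customer Insights" under Connector availability should be "Dynamics 365 Customer Insights"; "behaves the same at [ARG Explorer]" under Errors should be "the same as"; and the Scope check row says "subscriptions ID" where the rest of the table uses "subscription ID". The Verify permissions bullet is the one readers need first, since the page states that a caller without adequate RBAC read access gets no rows rather than an error; consider listing it before the comments and parity checks, which it already is, and keeping it that way.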
hdinsight | Apache Domain Joined Run Hbase | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/domain-joined/apache-domain-joined-run-hbase.md | Title: Apache HBase & Enterprise Security Package - Azure HDInsight + Title: Tutorial - Apache HBase & Enterprise Security Package - Azure HDInsight description: Tutorial - Learn how to configure Apache Ranger policies for HBase in Azure HDInsight with Enterprise Security Package. Learn how to configure Apache Ranger policies for Enterprise Security Package (E In this tutorial, you learn how to: > [!div class="checklist"]-> * Create domain users -> * Create Ranger policies -> * Create tables in an HBase cluster -> * Test Ranger policies +> * Create domain users. +> * Create Ranger policies. +> * Create tables in an HBase cluster. +> * Test Ranger policies. ## Before you begin * If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/).- * Sign in to the [Azure portal](https://portal.azure.com/).--* Create a [HDInsight HBase cluster with Enterprise Security Package](apache-domain-joined-configure-using-azure-adds.md). +* Create an [HDInsight HBase cluster with Enterprise Security Package](apache-domain-joined-configure-using-azure-adds.md). ## Connect to Apache Ranger Admin UI -1. From a browser, connect to the Ranger Admin user interface using the URL `https://<ClusterName>.azurehdinsight.net/Ranger/`. Remember to change `<ClusterName>` to the name of your HBase cluster. +1. From a browser, connect to the Ranger Admin user interface (UI) by using the URL `https://<ClusterName>.azurehdinsight.net/Ranger/`. Remember to change `<ClusterName>` to the name of your HBase cluster. - > [!NOTE] - > Ranger credentials are not the same as Hadoop cluster credentials. To prevent browsers from using cached Hadoop credentials, use a new InPrivate browser window to connect to the Ranger Admin UI. 
+ > [!NOTE] + > Ranger credentials aren't the same as Hadoop cluster credentials. To prevent browsers from using cached Hadoop credentials, use a new InPrivate browser window to connect to the Ranger Admin UI. -2. Sign in using your Microsoft Entra admin credentials. The Microsoft Entra admin credentials aren't the same as HDInsight cluster credentials or Linux HDInsight node SSH credentials. +1. Sign in by using your Microsoft Entra admin credentials. The Microsoft Entra admin credentials aren't the same as HDInsight cluster credentials or Linux HDInsight node Secure Shell (SSH) credentials. ## Create domain users -Visit [Create a HDInsight cluster with Enterprise Security Package](./apache-domain-joined-configure-using-azure-adds.md), to learn how to create the **sales_user1** and **marketing_user1** domain users. In a production scenario, domain users come from your Active Directory tenant. +To learn how to create the **sales_user1** and **marketing_user1** domain users, see [Create an HDInsight cluster with Enterprise Security Package](./apache-domain-joined-configure-using-azure-adds.md). In a production scenario, domain users come from your Active Directory tenant. ## Create HBase tables and import sample data You can use SSH to connect to HBase clusters and then use [Apache HBase Shell](https://hbase.apache.org/0.94/book/shell.html) to create HBase tables, insert data, and query data. For more information, see [Use SSH with HDInsight](../hdinsight-hadoop-linux-use-ssh-unix.md). -### To use the HBase shell +### Use the HBase shell 1. From SSH, run the following HBase command: You can use SSH to connect to HBase clusters and then use [Apache HBase Shell](h hbase shell ``` -2. Create an HBase table `Customers` with two-column families: `Name` and `Contact`. +1. Create an HBase table `Customers` with two column-families: `Name` and `Contact`. ```hbaseshell create 'Customers', 'Name', 'Contact' list ```-3. Insert some data: +1. 
Insert some data: ```hbaseshell put 'Customers','1001','Name:First','Alice' You can use SSH to connect to HBase clusters and then use [Apache HBase Shell](h put 'Customers','1002','Contact:State','WA' put 'Customers','1002','Contact:ZipCode','98008' ```-4. View the contents of the table: +1. View the contents of the table: ```hbaseshell scan 'Customers' ``` - :::image type="content" source="./media/apache-domain-joined-run-hbase/hbase-shell-scan-table.png" alt-text="HDInsight Hadoop HBase shell output" border="true"::: + :::image type="content" source="./media/apache-domain-joined-run-hbase/hbase-shell-scan-table.png" alt-text="Screenshot that shows the HDInsight Hadoop HBase shell output." border="true"::: ## Create Ranger policies Create a Ranger policy for **sales_user1** and **marketing_user1**. -1. Open the **Ranger Admin UI**. Click **\<ClusterName>_hbase** under **HBase**. +1. Open the **Ranger Admin UI**. Under **HBase**, select **\<ClusterName>_hbase**. - :::image type="content" source="./media/apache-domain-joined-run-hbase/apache-ranger-admin-login.png" alt-text="HDInsight Apache Ranger Admin UI" border="true"::: + :::image type="content" source="./media/apache-domain-joined-run-hbase/apache-ranger-admin-login.png" alt-text="Screenshot that shows the HDInsight Apache Ranger Admin UI." border="true"::: -2. The **List of Policies** screen will display all Ranger policies created for this cluster. One pre-configured policy may be listed. Click **Add New Policy**. +1. The **List of Policies** screen shows all Ranger policies created for this cluster. One preconfigured policy might be listed. Select **Add New Policy**. 
- :::image type="content" source="./media/apache-domain-joined-run-hbase/apache-ranger-hbase-policies-list.png" alt-text="Apache Ranger HBase policies list" border="true"::: + :::image type="content" source="./media/apache-domain-joined-run-hbase/apache-ranger-hbase-policies-list.png" alt-text="Screenshot that shows the Apache Ranger HBase policies list." border="true"::: -3. On the **Create Policy** screen, enter the following values: +1. On the **Create Policy** screen, enter the following values: - |**Setting** |**Suggested value** | + |Setting |Suggested value | ||| |Policy Name | sales_customers_name_contact | |HBase Table | Customers | Create a Ranger policy for **sales_user1** and **marketing_user1**. * `*` indicates zero or more occurrences of characters. * `?` indicates single character. - :::image type="content" source="./media/apache-domain-joined-run-hbase/apache-ranger-hbase-policy-create-sales.png" alt-text="Apache Ranger policy create sales" border="true"::: + :::image type="content" source="./media/apache-domain-joined-run-hbase/apache-ranger-hbase-policy-create-sales.png" alt-text="Screenshot that shows the Apache Ranger policy Create sales." border="true"::: >[!NOTE]- >Wait a few moments for Ranger to sync with Microsoft Entra ID if a domain user is not automatically populated for **Select User**. + >Wait a few moments for Ranger to sync with Microsoft Entra ID if a domain user isn't automatically populated for **Select User**. -4. Click **Add** to save the policy. +1. Select **Add** to save the policy. -5. Click **Add New Policy** and then enter the following values: +1. Select **Add New Policy** and then enter the following values: - |**Setting** |**Suggested value** | + |Setting |Suggested value | ||| |Policy Name | marketing_customers_contact | |HBase Table | Customers | Create a Ranger policy for **sales_user1** and **marketing_user1**. 
|Select User | marketing_user1 | |Permissions | Read | - :::image type="content" source="./media/apache-domain-joined-run-hbase/apache-ranger-hbase-policy-create-marketing.png" alt-text="Apache Ranger policy create marketing" border="true"::: + :::image type="content" source="./media/apache-domain-joined-run-hbase/apache-ranger-hbase-policy-create-marketing.png" alt-text="Screenshot that shows the Apache Ranger policy Create marketing." border="true"::: -6. Click **Add** to save the policy. +1. Select **Add** to save the policy. ## Test the Ranger policies -Based on the Ranger policies configured, **sales_user1** can view all of the data for the columns in both the `Name` and `Contact` column families. The **marketing_user1** can only view data in the `Contact` column family. +Based on the Ranger policies configured, **sales_user1** can view all the data for the columns in both the `Name` and `Contact` column families. The **marketing_user1** can view data only in the `Contact` column family. ### Access data as sales_user1 Based on the Ranger policies configured, **sales_user1** can view all of the dat ssh sshuser@CLUSTERNAME-ssh.azurehdinsight.net ``` -1. Use the kinit command to change to the context of our desired user. +1. Use the `kinit` command to change to the context of the desired user: ```bash kinit sales_user1 ``` -2. Open the HBase shell and scan the table `Customers`. +1. Open the HBase shell and scan the table `Customers`: ```hbaseshell hbase shell scan `Customers` ``` -3. Notice that the sales user can view all columns of the `Customers` table including the two columns in the `Name` column-family, as well as the five columns in the `Contact` column-family. +1. Notice that the sales user can view all columns of the `Customers` table. The user can see the two columns in the `Name` column-family and the five columns in the `Contact` column-family. 
```hbaseshell ROW COLUMN+CELL Based on the Ranger policies configured, **sales_user1** can view all of the dat ssh sshuser@CLUSTERNAME-ssh.azurehdinsight.net ``` -1. Use the kinit command to change to the context of our desired user +1. Use the `kinit` command to change to the context of our desired user: ```bash kinit marketing_user1 Based on the Ranger policies configured, **sales_user1** can view all of the dat 1. View the audit access events from the Ranger UI. - :::image type="content" source="./media/apache-domain-joined-run-hbase/apache-ranger-admin-audit.png" alt-text="HDInsight Ranger UI Policy Audit" border="true"::: + :::image type="content" source="./media/apache-domain-joined-run-hbase/apache-ranger-admin-audit.png" alt-text="Screenshot that shows the HDInsight Ranger UI Policy Audit." border="true"::: ## Clean up resources -If you're not going to continue to use this application, delete the HBase cluster that you created with the following steps: +If you aren't going to continue to use this application, delete the HBase cluster that you created: 1. Sign in to the [Azure portal](https://portal.azure.com/).-2. In the **Search** box at the top, type **HDInsight**. -1. Select **HDInsight clusters** under **Services**. -1. In the list of HDInsight clusters that appears, click the **...** next to the cluster that you created for this tutorial. -1. Click **Delete**. Click **Yes**. +1. In the **Search** box at the top, enter **HDInsight**. +1. Under **Services**, select **HDInsight clusters**. +1. In the list of HDInsight clusters that appears, select the **...** next to the cluster that you created for this tutorial. +1. Select **Delete** > **Yes**. ## Next steps |
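Review bot: the scan step under Access data as sales_user1 still reads `scan `Customers`` with backticks; the HBase shell expects single quotes around the table name, as the earlier View the contents of the table step (`scan 'Customers'`) shows, so this line won't run as written. Also the added text alternates between "column families" (the Create an HBase table step and the Test the Ranger policies intro) and "column-family" (the last step under Access data as sales_user1); pick one form.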
hdinsight | Apache Domain Joined Run Hive | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/domain-joined/apache-domain-joined-run-hive.md | Last updated 04/11/2023 # Configure Apache Hive policies in HDInsight with Enterprise Security Package -Learn how to configure Apache Ranger policies for Apache Hive. In this article, you create two Ranger policies to restrict access to the hivesampletable. The hivesampletable comes with HDInsight clusters. After you've configured the policies, you use Excel and ODBC driver to connect to Hive tables in HDInsight. +In this article, you learn how to configure Apache Ranger policies for Apache Hive. You create two Ranger policies to restrict access to the `hivesampletable`. The `hivesampletable` comes with HDInsight clusters. After you configure the policies, you use Excel and Open Database Connectivity (ODBC) driver to connect to Hive tables in HDInsight. ## Prerequisites -* A HDInsight cluster with Enterprise Security Package. See [Configure HDInsight clusters with ESP](./apache-domain-joined-configure-using-azure-adds.md). +* An HDInsight cluster with Enterprise Security Package (ESP). For more information, see [Configure HDInsight clusters with ESP](./apache-domain-joined-configure-using-azure-adds.md). * A workstation with Microsoft 365 apps for enterprise, Office 2016, Office 2013 Professional Plus, Excel 2013 Standalone, or Office 2010 Professional Plus. -## Connect to Apache Ranger Admin UI -**To connect to Ranger Admin UI** +## Connect to the Apache Ranger Admin UI -1. From a browser, navigate to the Ranger Admin UI at `https://CLUSTERNAME.azurehdinsight.net/Ranger/` where CLUSTERNAME is the name of your cluster. +To connect to the Ranger Admin user interface (UI): - > [!NOTE] - > Ranger uses different credentials than Apache Hadoop cluster. To prevent browsers using cached Hadoop credentials, use new InPrivate browser window to connect to the Ranger Admin UI. +1. 
From a browser, go to the Ranger Admin UI at `https://CLUSTERNAME.azurehdinsight.net/Ranger/` where `CLUSTERNAME` is the name of your cluster. -2. Log in using the cluster administrator domain user name and password: + > [!NOTE] + > Ranger uses different credentials than Apache Hadoop cluster. To prevent browsers by using cached Hadoop credentials, use a new InPrivate browser window to connect to the Ranger Admin UI. - :::image type="content" source="./media/apache-domain-joined-run-hive/hdinsight-domain-joined-ranger-home-page.png" alt-text="HDInsight ESP Ranger home page" border="true"::: +1. Sign in by using the cluster administrator domain username and password: ++ :::image type="content" source="./media/apache-domain-joined-run-hive/hdinsight-domain-joined-ranger-home-page.png" alt-text="Screenshot that shows the HDInsight ESP Ranger home page." border="true"::: Currently, Ranger only works with Yarn and Hive. -## Create Domain users +## Create domain users -See [Create a HDInsight cluster with ESP](apache-domain-joined-configure-using-azure-adds.md#create-an-hdinsight-cluster-with-esp), for information on how to create hiveruser1 and hiveuser2. You use the two user accounts in this article. +For information on how to create `hiveruser1` and `hiveuser2`, see [Create an HDInsight cluster with ESP](apache-domain-joined-configure-using-azure-adds.md#create-an-hdinsight-cluster-with-esp). You use the two user accounts in this article. ## Create Ranger policies -In this section, you create two Ranger policies for accessing hivesampletable. You give select permission on different set of columns. Both users were created using [Create a HDInsight cluster with ESP](apache-domain-joined-configure-using-azure-adds.md#create-an-hdinsight-cluster-with-esp). In the next section, you'll test the two policies in Excel. +In this section, you create two Ranger policies for accessing `hivesampletable`. You give select permission on different sets of columns. 
Both users were created by using [Create a HDInsight cluster with ESP](apache-domain-joined-configure-using-azure-adds.md#create-an-hdinsight-cluster-with-esp). In the next section, you test the two policies in Excel. -**To create Ranger policies** +To create Ranger policies: -1. Open Ranger Admin UI. See Connect to Apache Ranger Admin UI. -2. Select **CLUSTERNAME_Hive**, under **Hive**. You shall see two pre-configure policies. -3. Select **Add New Policy**, and then enter the following values: +1. Open the Ranger Admin UI. See the preceding section, **Connect to Apache Ranger Admin UI**. +1. Under **Hive**, select **CLUSTERNAME_Hive**. You see two preconfigured policies. +1. Select **Add New Policy** and then enter the following values: |Property |Value | ||| In this section, you create two Ranger policies for accessing hivesampletable. Y |Select User|hiveuser1| |Permissions|select| - :::image type="content" source="./media/apache-domain-joined-run-hive/hdinsight-domain-joined-configure-ranger-policy.png" alt-text="HDInsight ESP Ranger Hive policies configure" border="true":::. + :::image type="content" source="./media/apache-domain-joined-run-hive/hdinsight-domain-joined-configure-ranger-policy.png" alt-text="Screenshot that shows the HDInsight ESP Ranger Hive policies to configure." border="true":::. - > [!NOTE] - > If a domain user is not populated in Select User, wait a few moments for Ranger to sync with AAD. + > [!NOTE] + > If a domain user isn't populated in **Select User**, wait a few moments for Ranger to sync with Microsoft Entra ID. -4. Select **Add** to save the policy. +1. Select **Add** to save the policy. -5. Repeat the last two steps to create another policy with the following properties: +1. Repeat the last two steps to create another policy with the following properties: |Property |Value | ||| In this section, you create two Ranger policies for accessing hivesampletable. 
Y |Select User|hiveuser2| |Permissions|select| -## Create Hive ODBC data source +## Create a Hive ODBC data source -The instructions can be found in [Create Hive ODBC data source](../hadoop/apache-hadoop-connect-excel-hive-odbc-driver.md). +For instructions on how to create a Hive ODBC data source, see [Create a Hive ODBC data source](../hadoop/apache-hadoop-connect-excel-hive-odbc-driver.md). | Property |Description | | | |- | Data Source Name | Give a name to your data source | - | Host | Enter CLUSTERNAME.azurehdinsight.net. For example, myHDICluster.azurehdinsight.net | - | Port | Use **443**. (This port has been changed from 563 to 443.) | + | Data Source Name | Give a name to your data source. | + | Host | Enter **CLUSTERNAME.azurehdinsight.net**. For example, use **myHDICluster.azurehdinsight.net**. | + | Port | Use **443**. (This port changed from 563 to 443.) | | Database | Use **Default**. |- | Hive Server Type | Select **Hive Server 2** | - | Mechanism | Select **Azure HDInsight Service** | + | Hive Server Type | Select **Hive Server 2**. | + | Mechanism | Select **Azure HDInsight Service**. | | HTTP Path | Leave it blank. |- | User Name | Enter hiveuser1@contoso158.onmicrosoft.com. Update the domain name if it's different. | - | Password | Enter the password for hiveuser1. | + | User Name | Enter `hiveuser1@contoso158.onmicrosoft.com`. Update the domain name if it's different. | + | Password | Enter the password for `hiveuser1`. | -Make sure to click **Test** before saving the data source. +Select **Test** before you save the data source. ## Import data into Excel from HDInsight -In the last section, you've configured two policies. hiveuser1 has the select permission on all the columns, and hiveuser2 has the select permission on two columns. In this section, you impersonate the two users to import data into Excel. 
+In the last section, you configured two policies: `hiveuser1` has the select permission on all the columns, and `hiveuser2` has the select permission on two columns. In this section, you impersonate the two users to import data into Excel. 1. Open a new or existing workbook in Excel. -1. From the **Data** tab, navigate to **Get Data** > **From Other Sources** > **From ODBC** to launch the **From ODBC** window. +1. On the **Data** tab, go to **Get Data** > **From Other Sources** > **From ODBC** to open the **From ODBC** window. - :::image type="content" source="./media/apache-domain-joined-run-hive/simbahiveodbc-excel-dataconnection1.png" alt-text="Open data connection wizard" border="true"::: + :::image type="content" source="./media/apache-domain-joined-run-hive/simbahiveodbc-excel-dataconnection1.png" alt-text="Screenshot that shows the Open data connection wizard." border="true"::: -1. From the drop-down list, select the data source name that you created in the last section and then select **OK**. +1. From the dropdown list, select the data source name that you created in the last section and then select **OK**. -1. For the first use, an **ODBC driver** dialog will open. Select **Windows** from the left menu. Then select **Connect** to open the **Navigator** window. +1. For the first use, an **ODBC driver** dialog opens. Select **Windows** from the left menu. Then select **Connect** to open the **Navigator** window. -1. Wait for the **Select Database and Table** dialog to open. This can take a few seconds. +1. Wait for the **Select Database and Table** dialog to open. This step can take a few seconds. -1. Select **hivesampletable**, and then select **Next**. +1. Select **hivesampletable** > **Next**. 1. Select **Finish**. -1. In the **Import Data** dialog, you can change or specify the query. To do so, select **Properties**. This can take a few seconds. +1. In the **Import Data** dialog, you can change or specify the query. To do so, select **Properties**. 
This step can take a few seconds. 1. Select the **Definition** tab. The command text is: In the last section, you've configured two policies. hiveuser1 has the select p SELECT * FROM "HIVE"."default"."hivesampletable"` ``` - By the Ranger policies you defined, hiveuser1 has select permission on all the columns. So this query works with hiveuser1's credentials, but this query doesn't work with hiveuser2's credentials. + By the Ranger policies you defined, `hiveuser1` has select permission on all the columns. This query works with the credentials for `hiveuser1`, but this query doesn't work with the credentials for `hiveuser2`. -1. Select **OK** to close the Connection Properties dialog. +1. Select **OK** to close the **Connection Properties** dialog. -1. Select **OK** to close the **Import Data** dialog. +1. Select **OK** to close the **Import Data** dialog. -1. Reenter the password for hiveuser1, and then click **OK**. It takes a few seconds before data gets imported to Excel. When it's done, you shall see 11 columns of data. +1. Reenter the password for `hiveuser1` and then select **OK**. It takes a few seconds before the data gets imported to Excel. When it's finished, you see 11 columns of data. -To test the second policy (read-hivesampletable-devicemake), you created in the last section +To test the second policy (read-hivesampletable-devicemake) that you created in the last section: 1. Add a new sheet in Excel.-2. Follow the last procedure to import the data. The only change you make is to use hiveuser2's credentials instead of hiveuser1's. This fails because hiveuser2 only has permission to see two columns. You shall get the following error: +1. Follow the last procedure to import the data. The only change you make is to use the credentials for `hiveuser2` instead of `hiveuser1`. This action fails because `hiveuser2` has permission to see only two columns. 
You see the following error: ```output [Microsoft][HiveODBC] (35) Error from Hive: error code: '40000' error message: 'Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [hiveuser2] does not have [SELECT] privilege on [default/hivesampletable/clientid,country ...]'. ``` -3. Follow the same procedure to import data. This time, use hiveuser2's credentials, and also modify the select statement from: +1. Follow the same procedure to import data. This time, use the credentials for `hiveuser2` and also modify the select statement from: ```sql SELECT * FROM "HIVE"."default"."hivesampletable" ``` - to: + To: ```sql SELECT clientid, devicemake FROM "HIVE"."default"."hivesampletable" ``` - When it's done, you shall see two columns of data imported. + When it's finished, you see two columns of imported data. ## Next steps -* For configuring a HDInsight cluster with Enterprise Security Package, see [Configure HDInsight clusters with ESP](./apache-domain-joined-configure-using-azure-adds.md). -* For managing a HDInsight cluster with ESP, see [Manage HDInsight clusters with ESP](apache-domain-joined-manage.md). -* For running Hive queries using SSH on HDInsight clusters with ESP, see [Use SSH with HDInsight](../hdinsight-hadoop-linux-use-ssh-unix.md#authentication-domain-joined-hdinsight). -* For Connecting Hive using Hive JDBC, see [Connect to Apache Hive on Azure HDInsight using the Hive JDBC driver](../hadoop/apache-hadoop-connect-hive-jdbc-driver.md) -* For connecting Excel to Hadoop using Hive ODBC, see [Connect Excel to Apache Hadoop with the Microsoft Hive ODBC drive](../hadoop/apache-hadoop-connect-excel-hive-odbc-driver.md) -* For connecting Excel to Hadoop using Power Query, see [Connect Excel to Apache Hadoop by using Power Query](../hadoop/apache-hadoop-connect-excel-power-query.md) +* To configure an HDInsight cluster with ESP, see [Configure HDInsight clusters with ESP](./apache-domain-joined-configure-using-azure-adds.md). 
+* To manage an HDInsight cluster with ESP, see [Manage HDInsight clusters with ESP](apache-domain-joined-manage.md). +* To run Hive queries by using Secure Shell (SSH) on HDInsight clusters with ESP, see [Use SSH with HDInsight](../hdinsight-hadoop-linux-use-ssh-unix.md#authentication-domain-joined-hdinsight). +* To connect Hive by using Hive Java Database Connectivity (JDBC), see [Connect to Apache Hive on Azure HDInsight by using the Hive JDBC driver](../hadoop/apache-hadoop-connect-hive-jdbc-driver.md). +* To connect Excel to Hadoop by using Hive ODBC, see [Connect Excel to Apache Hadoop with the Microsoft Hive ODBC drive](../hadoop/apache-hadoop-connect-excel-hive-odbc-driver.md). +* To connect Excel to Hadoop by using Power Query, see [Connect Excel to Apache Hadoop by using Power Query](../hadoop/apache-hadoop-connect-excel-power-query.md). |
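Review bot: three defects in the added lines: the note under Connect to the Apache Ranger Admin UI now reads "To prevent browsers by using cached Hadoop credentials", which should be "from using"; Create domain users puts the typo `hiveruser1` into code font while every other reference is `hiveuser1`; and the last Next steps link title still says "Microsoft Hive ODBC drive" (driver). The unchanged Definition-tab code block also carries a stray trailing backtick after `"hivesampletable"` that would break copy-paste; worth fixing while this file is open.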
hdinsight | Apache Domain Joined Run Kafka | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/domain-joined/apache-domain-joined-run-kafka.md | Title: Tutorial - Apache Kafka & Enterprise Security - Azure HDInsight + Title: Tutorial - Apache Kafka & Enterprise Security Package - Azure HDInsight description: Tutorial - Learn how to configure Apache Ranger policies for Kafka in Azure HDInsight with Enterprise Security Package. Learn how to configure Apache Ranger policies for Enterprise Security Package (E In this tutorial, you learn how to: > [!div class="checklist"]-> * Create domain users -> * Create Ranger policies -> * Create topics in a Kafka cluster -> * Test Ranger policies +> * Create domain users. +> * Create Ranger policies. +> * Create topics in a Kafka cluster. +> * Test Ranger policies. ## Prerequisite -A [HDInsight Kafka cluster with Enterprise Security Package](./apache-domain-joined-configure-using-azure-adds.md). +An [HDInsight Kafka cluster with Enterprise Security Package](./apache-domain-joined-configure-using-azure-adds.md). ## Connect to Apache Ranger Admin UI -1. From a browser, connect to the Ranger Admin user interface using the URL `https://ClusterName.azurehdinsight.net/Ranger/`. Remember to change `ClusterName` to the name of your Kafka cluster. Ranger credentials are not the same as Hadoop cluster credentials. To prevent browsers from using cached Hadoop credentials, use a new InPrivate browser window to connect to the Ranger Admin UI. +1. From a browser, connect to the Ranger Admin user interface (UI) by using the URL `https://ClusterName.azurehdinsight.net/Ranger/`. Remember to change `ClusterName` to the name of your Kafka cluster. Ranger credentials aren't the same as Hadoop cluster credentials. To prevent browsers from using cached Hadoop credentials, use a new InPrivate browser window to connect to the Ranger Admin UI. -2. Sign in using your Microsoft Entra admin credentials. 
The Microsoft Entra admin credentials aren't the same as HDInsight cluster credentials or Linux HDInsight node SSH credentials. +1. Sign in by using your Microsoft Entra admin credentials. The Microsoft Entra admin credentials aren't the same as HDInsight cluster credentials or Linux HDInsight node SSH credentials. - :::image type="content" source="./media/apache-domain-joined-run-kafka/apache-ranger-admin-login.png" alt-text="HDInsight Apache Ranger Admin UI" border="true"::: + :::image type="content" source="./media/apache-domain-joined-run-kafka/apache-ranger-admin-login.png" alt-text="Screenshot that shows the HDInsight Apache Ranger Admin UI." border="true"::: ## Create domain users -Visit [Create a HDInsight cluster with Enterprise Security Package](./apache-domain-joined-configure-using-azure-adds.md), to learn how to create the **sales_user** and **marketing_user** domain users. In a production scenario, domain users come from your Active Directory tenant. +To learn how to create the **sales_user** and **marketing_user** domain users, see [Create a HDInsight cluster with Enterprise Security Package](./apache-domain-joined-configure-using-azure-adds.md). In a production scenario, domain users come from your Microsoft Entra ID tenant. -## Create Ranger policy +## Create a Ranger policy Create a Ranger policy for **sales_user** and **marketing_user**. 1. Open the **Ranger Admin UI**. -2. Select **\<ClusterName>_kafka** under **Kafka**. One pre-configured policy may be listed. +1. Under **Kafka**, select **\<ClusterName>_kafka**. One preconfigured policy might be listed. -3. Select **Add New Policy** and enter the following values: +1. Select **Add New Policy** and enter the following values: |Setting |Suggested value | ||| Create a Ranger policy for **sales_user** and **marketing_user**. The following wildcards can be included in the topic name: - * ΓÇÖ*ΓÇÖ indicates zero or more occurrences of characters. - * ΓÇÖ?ΓÇÿ indicates single character. 
+ * `*` indicates zero or more occurrences of characters. + * `?` indicates single character. - :::image type="content" source="./media/apache-domain-joined-run-kafka/apache-ranger-admin-create-policy.png" alt-text="Apache Ranger Admin UI Create Policy1" border="true"::: + :::image type="content" source="./media/apache-domain-joined-run-kafka/apache-ranger-admin-create-policy.png" alt-text="Screenshot that shows the Apache Ranger Admin UI Create Policy1." border="true"::: - Wait a few moments for Ranger to sync with Microsoft Entra ID if a domain user is not automatically populated for **Select User**. + Wait a few moments for Ranger to sync with Microsoft Entra ID if a domain user isn't automatically populated for **Select User**. -4. Select **Add** to save the policy. +1. Select **Add** to save the policy. -5. Select **Add New Policy** and then enter the following values: +1. Select **Add New Policy** and then enter the following values: |Setting |Suggested value | ||| Create a Ranger policy for **sales_user** and **marketing_user**. |Select User | marketing_user1 | |Permissions | publish, consume, create | - :::image type="content" source="./media/apache-domain-joined-run-kafka/apache-ranger-admin-create-policy-2.png" alt-text="Apache Ranger Admin UI Create Policy2" border="true"::: + :::image type="content" source="./media/apache-domain-joined-run-kafka/apache-ranger-admin-create-policy-2.png" alt-text="Screenshot that shows the Apache Ranger Admin UI Create Policy2." border="true"::: -6. Select **Add** to save the policy. +1. Select **Add** to save the policy. ## Create topics in a Kafka cluster with ESP To create two topics, `salesevents` and `marketingspend`: -1. Use the following command to open an SSH connection to the cluster: +1. 
Use the following command to open a Secure Shell (SSH) connection to the cluster: ```cmd ssh DOMAINADMIN@CLUSTERNAME-ssh.azurehdinsight.net ``` - Replace `DOMAINADMIN` with the admin user for your cluster configured during [cluster creation](./apache-domain-joined-configure-using-azure-adds.md#create-an-hdinsight-cluster-with-esp), and replace `CLUSTERNAME` with the name of your cluster. If prompted, enter the password for the admin user account. For more information on using `SSH` with HDInsight, see [Use SSH with HDInsight](../../hdinsight/hdinsight-hadoop-linux-use-ssh-unix.md). + Replace `DOMAINADMIN` with the admin user for your cluster configured during [cluster creation](./apache-domain-joined-configure-using-azure-adds.md#create-an-hdinsight-cluster-with-esp). Replace `CLUSTERNAME` with the name of your cluster. If prompted, enter the password for the admin user account. For more information on using `SSH` with HDInsight, see [Use SSH with HDInsight](../../hdinsight/hdinsight-hadoop-linux-use-ssh-unix.md). -2. Use the following commands to save the cluster name to a variable and install a JSON parsing utility `jq`. When prompted, enter the Kafka cluster name. +1. Use the following commands to save the cluster name to a variable and install a JSON parsing utility `jq`. When prompted, enter the Kafka cluster name. ```bash sudo apt -y install jq read -p 'Enter your Kafka cluster name:' CLUSTERNAME ``` -3. Use the following commands to get the Kafka broker hosts. When prompted, enter the password for the cluster admin account. +1. Use the following commands to get the Kafka broker hosts. When prompted, enter the password for the cluster admin account. 
```bash export KAFKABROKERS=`curl -sS -u admin -G https://$CLUSTERNAME.azurehdinsight.net/api/v1/clusters/$CLUSTERNAME/services/KAFKA/components/KAFKA_BROKER | jq -r '["\(.host_components[].HostRoles.host_name):9092"] | join(",")' | cut -d',' -f1,2`; \ ``` - Before proceeding, you may need to set up your development environment if you have not already done so. You will need components such as the Java JDK, Apache Maven, and an SSH client with scp. For more information, see [setup instructions](https://github.com/Azure-Samples/hdinsight-kafka-java-get-started/tree/master/DomainJoined-Producer-Consumer). + Before you proceeding, you might need to set up your development environment if you haven't already done so. You need components such as the Java JDK, Apache Maven, and an SSH client with Secure Copy (SCP). For more information, see [Setup instructions](https://github.com/Azure-Samples/hdinsight-kafka-java-get-started/tree/master/DomainJoined-Producer-Consumer). 1. Download the [Apache Kafka domain-joined producer consumer examples](https://github.com/Azure-Samples/hdinsight-kafka-java-get-started/tree/master/DomainJoined-Producer-Consumer). -1. Follow Steps 2 and 3 under **Build and deploy the example** in [Tutorial: Use the Apache Kafka Producer and Consumer APIs](../kafk#build-and-deploy-the-example) - > [!NOTE] - > For this tutorial, please use the kafka-producer-consumer.jar under "DomainJoined-Producer-Consumer" project (not the one under Producer-Consumer project, which is for non domain joined scenarios). +1. Follow steps 2 and 3 under **Build and deploy the example** in [Tutorial: Use the Apache Kafka Producer and Consumer APIs](../kafk#build-and-deploy-the-example). + > [!NOTE] + > For this tutorial, use `kafka-producer-consumer.jar` under the `DomainJoined-Producer-Consumer` project. Don't use the one under the `Producer-Consumer` project, which is for non-domain-joined scenarios. 1. 
Run the following commands: To create two topics, `salesevents` and `marketingspend`: ## Test the Ranger policies -Based on the Ranger policies configured, **sales_user** can produce/consume topic `salesevents` but not topic `marketingspend`. Conversely, **marketing_user** can produce/consume topic `marketingspend` but not topic `salesevents`. +Based on the Ranger policies configured, **sales_user** can produce/consume the topic `salesevents` but not the topic `marketingspend`. Conversely, **marketing_user** can produce/consume the topic `marketingspend` but not the topic `salesevents`. 1. Open a new SSH connection to the cluster. Use the following command to sign in as **sales_user1**: Based on the Ranger policies configured, **sales_user** can produce/consume topi ssh sales_user1@CLUSTERNAME-ssh.azurehdinsight.net ``` -2. Use the broker names from the previous section to set the following environment variable: +1. Use the broker names from the previous section to set the following environment variable: ```bash export KAFKABROKERS=<brokerlist>:9092 Based on the Ranger policies configured, **sales_user** can produce/consume topi Example: `export KAFKABROKERS=<brokername1>.contoso.com:9092,<brokername2>.contoso.com:9092` -3. Follow Step 3 under **Build and deploy the example** in [Tutorial: Use the Apache Kafka Producer and Consumer APIs](../kafk#build-and-deploy-the-example) to ensure that the `kafka-producer-consumer.jar` is also available to **sales_user**. +1. Follow step 3 under **Build and deploy the example** in [Tutorial: Use the Apache Kafka Producer and Consumer APIs](../kafk#build-and-deploy-the-example) to ensure that `kafka-producer-consumer.jar` is also available to **sales_user**. - > [!NOTE] - > For this tutorial, please use the kafka-producer-consumer.jar under "DomainJoined-Producer-Consumer" project (not the one under Producer-Consumer project, which is for non domain joined scenarios). 
+ > [!NOTE] + > For this tutorial, use `kafka-producer-consumer.jar` under the "DomainJoined-Producer-Consumer" project. Don't use the one under the "Producer-Consumer" project, which is for non-domain-joined scenarios. -4. Verify that **sales_user1** can produce to topic `salesevents` by executing the following command: +1. Verify that **sales_user1** can produce to topic `salesevents` by running the following command: ```bash java -jar -Djava.security.auth.login.config=/usr/hdp/current/kafka-broker/conf/kafka_client_jaas.conf kafka-producer-consumer.jar producer salesevents $KAFKABROKERS ``` -5. Execute the following command to consume from topic `salesevents`: +1. Run the following command to consume from the topic `salesevents`: ```bash java -jar -Djava.security.auth.login.config=/usr/hdp/current/kafka-broker/conf/kafka_client_jaas.conf kafka-producer-consumer.jar consumer salesevents $KAFKABROKERS ``` - Verify that you're able to read the messages. + Verify that you can read the messages. -6. Verify that the **sales_user1** can't produce to topic `marketingspend` by executing the following in the same ssh window: +1. Verify that the **sales_user1** can't produce to the topic `marketingspend` by running the following command in the same SSH window: ```bash java -jar -Djava.security.auth.login.config=/usr/hdp/current/kafka-broker/conf/kafka_client_jaas.conf kafka-producer-consumer.jar producer marketingspend $KAFKABROKERS Based on the Ranger policies configured, **sales_user** can produce/consume topi An authorization error occurs and can be ignored. -7. Notice that **marketing_user1** can't consume from topic `salesevents`. +1. Notice that **marketing_user1** can't consume from the topic `salesevents`. - Repeat steps 1-3 above, but this time as **marketing_user1**. + Repeat the preceding steps 1 to 3, but this time as **marketing_user1**. 
- Execute the following command to consume from topic `salesevents`: + Run the following command to consume from the topic `salesevents`: ```bash java -jar -Djava.security.auth.login.config=/usr/hdp/current/kafka-broker/conf/kafka_client_jaas.conf kafka-producer-consumer.jar consumer salesevents $KAFKABROKERS Based on the Ranger policies configured, **sales_user** can produce/consume topi Previous messages can't be seen. -8. View the audit access events from the Ranger UI. +1. View the audit access events from the Ranger UI. ++ :::image type="content" source="./media/apache-domain-joined-run-kafka/apache-ranger-admin-audit.png" alt-text="Screenshot that shows the Ranger UI policy audit access events." border="true"::: - :::image type="content" source="./media/apache-domain-joined-run-kafka/apache-ranger-admin-audit.png" alt-text="Ranger UI policy audit access events " border="true"::: - ## Produce and consume topics in ESP Kafka by using the console > [!NOTE] To produce and consume topics in ESP Kafka by using the console: kinit sales_user1 ``` -2. Set environment variables: +1. Set environment variables: ```bash export KAFKA_OPTS="-Djava.security.auth.login.config=/usr/hdp/current/kafka-broker/conf/kafka_client_jaas.conf" export KAFKABROKERS=<brokerlist>:9092 ``` -3. Produce messages to topic `salesevents`: +1. Produce messages to the topic `salesevents`: ```bash /usr/hdp/current/kafka-broker/bin/kafka-console-producer.sh --topic salesevents --broker-list $KAFKABROKERS --producer-property security.protocol=SASL_PLAINTEXT ``` -4. Consume messages from topic `salesevents`: +1. 
Consume messages from the topic `salesevents`: ```bash /usr/hdp/current/kafka-broker/bin/kafka-console-consumer.sh --topic salesevents --from-beginning --bootstrap-server $KAFKABROKERS --consumer-property security.protocol=SASL_PLAINTEXT ``` -## Produce and consume topics for long running session in ESP Kafka +## Produce and consume topics for a long-running session in ESP Kafka ++The Kerberos ticket cache has an expiration limitation. For a long-running session, use a keytab instead of renewing the ticket cache manually. ++To use a keytab in a long-running session without `kinit`: ++1. Create a new keytab for your domain user: -Kerberos ticket cache has an expiration limitation. For long running session, we'd better to use keytab instead of renewing ticket cache manually. -To use keytab in long running session without `kinit`: -1. Create a new keytab for your domain user ```bash ktutil addent -password -p <user@domain> -k 1 -e RC4-HMAC To use keytab in long running session without `kinit`: q ```-2. Create `/home/sshuser/kafka_client_jaas.conf` and it should have the following lines: +1. Create `/home/sshuser/kafka_client_jaas.conf`. It should have the following lines: + ``` KafkaClient { com.sun.security.auth.module.Krb5LoginModule required To use keytab in long running session without `kinit`: principal="<user@domain>"; }; ```-3. Replace `java.security.auth.login.config` with `/home/sshuser/kafka_client_jaas.conf` and produce or consume topic using console or API ++1. Replace `java.security.auth.login.config` with `/home/sshuser/kafka_client_jaas.conf` and produce or consume the topic by using the console or API: + ``` export KAFKABROKERS=<brokerlist>:9092 To use keytab in long running session without `kinit`: ## Clean up resources -If you're not going to continue to use this application, delete the Kafka cluster that you created with the following steps: +If you aren't going to continue to use this application, delete the Kafka cluster that you created: 1. 
Sign in to the [Azure portal](https://portal.azure.com/).-1. In the **Search** box at the top, type **HDInsight**. -1. Select **HDInsight clusters** under **Services**. -1. In the list of HDInsight clusters that appears, click the **...** next to the cluster that you created for this tutorial. -1. Click **Delete**. Click **Yes**. +1. In the **Search** box at the top, enter **HDInsight**. +1. Under **Services**, select **HDInsight clusters**. +1. In the list of HDInsight clusters that appears, select the **...** next to the cluster that you created for this tutorial. +1. Select **Delete** > **Yes**. ## Troubleshooting-If kafka-producer-consumer.jar does not work in a domain joined cluster, please make sure you are using the kafka-producer-consumer.jar under "DomainJoined-Producer-Consumer" project (not the one under Producer-Consumer project, which is for non domain joined scenarios). ++If `kafka-producer-consumer.jar` doesn't work in a domain-joined cluster, make sure that you're using `kafka-producer-consumer.jar` under the `DomainJoined-Producer-Consumer` project. Don't use the one under the `Producer-Consumer` project, which is for non-domain-joined scenarios. ## Next steps |
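Review bot: the keytab step in the long-running-session section, `ktutil addent -password -p <user@domain> -k 1 -e RC4-HMAC`, derives an RC4-HMAC key, and RC4-HMAC is a deprecated Kerberos encryption type (RFC 8429) that domains hardened to AES-only will refuse. Suggest making the `+` line `ktutil addent -password -p <user@domain> -k 1 -e aes256-cts-hmac-sha1-96` and mentioning RC4 only as a fallback for domains that still allow it. The same section should also say that the keytab is equivalent to the user's password: the keytab file and `/home/sshuser/kafka_client_jaas.conf` that points to it need owner-only permissions (`chmod 600`), because any other user on the head node who can read them can authenticate to Kafka as that domain user and inherit its Ranger grants.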
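Review bot: the console steps pass `--producer-property security.protocol=SASL_PLAINTEXT` and `--consumer-property security.protocol=SASL_PLAINTEXT` without saying what that setting does and does not give the reader. SASL/GSSAPI here only authenticates the client with its Kerberos ticket; Kafka does not negotiate a SASL security layer, so the records and topic metadata still cross the network in the clear. A sentence after the `export KAFKA_OPTS=...` step stating that this setting enforces authentication and Ranger authorization but provides no confidentiality on the wire, and is meant for clients on the cluster's own network, would stop readers from carrying it into clients that connect from outside.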
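Review bot: in the Test the Ranger policies section, "An authorization error occurs and can be ignored." reads as if the error were noise, when it is the evidence the step is meant to produce: the denial shows that the `marketingspend` policy does not grant `sales_user1`. Suggest "An authorization error is expected; it confirms that Ranger denied the request." and a pointer forward to the audit step (View the audit access events from the Ranger UI), since a denied entry with that user and topic is what an operator would check. Separately, the new line "Before you proceeding, you might need to set up your development environment" has a grammar slip; "Before you proceed, you might need to set up your development environment".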
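Review bot: the `export KAFKABROKERS=` command in the topic-creation section ends the `jq` pipeline with `cut -d',' -f1,2`, so it keeps at most two brokers from the Ambari response, and the text never says that this is intentional; the later example `<brokername1>.contoso.com:9092,<brokername2>.contoso.com:9092` matches, but a reader with more brokers will assume the list was truncated by mistake. Either drop the `cut` or add a sentence saying two bootstrap brokers are enough. The trailing `; \` on that same line is a dangling continuation that leaves the interactive shell waiting for another line when the command is pasted on its own.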
hdinsight | Hdinsight Known Issues Conda Version Regression | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-known-issues-conda-version-regression.md | + + Title: Conda Version Regression in a recent HDInsight release +description: Known issue affecting image version 5.1.3000.0.2308052231 ++ Last updated : 02/22/2024+++# Conda version regression in a recent HDInsight release ++**Issue published date**: October 13, 2023 ++In the latest Azure HDInsight release, the conda version was mistakenly downgraded to 4.2.9. This regression is fixed in an upcoming release, but currently it can affect Spark job execution and result in script action failures. Conda 4.3.30 is the expected version in 5.0 and 5.1 clusters, so follow the steps to mitigate the issue. ++> [!IMPORTANT] +> This issue affects clusters with image version 5.1.3000.0.2308052231. Learn how to [view the image version of an HDInsight cluster](./view-hindsight-cluster-image-version.md). ++## Recommended steps ++1. Use Secure Shell (SSH) to connect to any virtual machine (VM) in the cluster. +2. Switch to the root user: `sudo su`. +3. Check the conda version: `/usr/bin/anaconda/bin/conda info`. +4. If the version is 4.2.9, run the following [script action](/azure/hdinsight/hdinsight-hadoop-customize-cluster-linux#script-action-to-a-running-cluster) on all nodes to upgrade the cluster to conda version 4.3.30: ++ `https://hdiconfigactions2.blob.core.windows.net/hdi-sre-workspace/conda_update_4_3_30_patch.sh` ++## Resources ++- [Script action to a running cluster](/azure/hdinsight/hdinsight-hadoop-customize-cluster-linux#script-action-to-a-running-cluster) +- [Safely manage a Python environment on Azure HDInsight by using script actions](/azure/hdinsight/spark/apache-spark-python-package-installation) +- [Supported HDInsight versions](/azure/hdinsight/hdinsight-component-versioning#supported-hdinsight-versions) |
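Review bot: step 4 of Recommended steps tells the operator to run `https://hdiconfigactions2.blob.core.windows.net/hdi-sre-workspace/conda_update_4_3_30_patch.sh` as a script action on all nodes, which executes as root, but gives no way to check what is being run: no SHA-256 of the script and no description of what it changes beyond upgrading conda to 4.3.30. Suggest publishing the script's hash (or a summary of its contents) next to the URL so an operator can verify it before submitting the script action. Two smaller points: the intro still says the regression "is fixed in an upcoming release, but currently it can affect Spark job execution", while the companion change to hdinsight-known-issues.md moves the issue to the Fixed table with status Closed; one of the two should be brought in line with the other. And the link target `./view-hindsight-cluster-image-version.md` looks like a typo for `hdinsight`; worth confirming the file exists under that name before publishing.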
hdinsight | Hdinsight Known Issues | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-known-issues.md | Azure HDInsight has the following known issues: | HDInsight component | Issue description | ||-| | Kafka | [Kafka 2.4.1 validation error in ARM templates](#kafka-241-validation-error-in-arm-templates) |-| Spark | [Conda version regression in a recent HDInsight release](#conda-version-regression-in-a-recent-hdinsight-release)| | Platform | [Cluster reliability issue with older images in HDInsight clusters](#cluster-reliability-issue-with-older-images-in-hdinsight-clusters)| ### Kafka 2.4.1 validation error in ARM templates When you're using [templates or automation tools](/azure/hdinsight/hdinsight-had - [Supported HDInsight versions](/azure/hdinsight/hdinsight-component-versioning#supported-hdinsight-versions) - [HDInsight Kafka cluster](/azure/hdinsight/kafka/apache-kafka-introduction) -### Conda version regression in a recent HDInsight release --**Issue published date**: October 13, 2023 --In the latest Azure HDInsight release, the conda version was mistakenly downgraded to 4.2.9. This regression is fixed in an upcoming release, but currently it can affect Spark job execution and result in script action failures. Conda 4.3.30 is the expected version in 5.0 and 5.1 clusters, so follow the steps to mitigate the issue. --#### Recommended steps --1. Use Secure Shell (SSH) to connect to any virtual machine (VM) in the cluster. -2. Switch to the root user: `sudo su`. -3. Check the conda version: `/usr/bin/anaconda/bin/conda info`. -4. 
If the version is 4.2.9, run the following [script action](/azure/hdinsight/hdinsight-hadoop-customize-cluster-linux#script-action-to-a-running-cluster) on all nodes to upgrade the cluster to conda version 4.3.30: -- `https://hdiconfigactions2.blob.core.windows.net/hdi-sre-workspace/conda_update_4_3_30_patch.sh` --#### Resources --- [Script action to a running cluster](/azure/hdinsight/hdinsight-hadoop-customize-cluster-linux#script-action-to-a-running-cluster)-- [Safely manage a Python environment on Azure HDInsight by using script actions](/azure/hdinsight/spark/apache-spark-python-package-installation)-- [Supported HDInsight versions](/azure/hdinsight/hdinsight-component-versioning#supported-hdinsight-versions) ### Cluster reliability issue with older images in HDInsight clusters Select the title to view more information about that specific known issue. Fixed | Issue ID | Area |Title | Issue publish date| Status | |||-|-|-|-|Not applicable|Not applicable|Not applicable|Not applicable|Not applicable| +|Not applicable|Spark|Conda Version Regression in a recent HDInsight release|October 13, 2023|Closed| ## Next steps |
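Review bot: the new row `|Not applicable|Spark|Conda Version Regression in a recent HDInsight release|October 13, 2023|Closed|` is not a link, yet the sentence above the table says "Select the title to view more information about that specific known issue", and this commit removes the mitigation steps (the `/usr/bin/anaconda/bin/conda info` check and the script action) from this page. Suggest linking the title to hdinsight-known-issues-conda-version-regression.md, which is added alongside this change, so the workaround stays reachable. Also, the status Closed here contradicts that new page, which still says the fix ships "in an upcoming release" and that clusters on image version 5.1.3000.0.2308052231 need the workaround; the issue should only move to the Fixed table once a release that no longer ships conda 4.2.9 is named.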
hdinsight | Ranger Policies For Spark | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/spark/ranger-policies-for-spark.md | Title: Configure Apache Ranger policies for Spark SQL in HDInsight with Enterprise security package. -description: This article describes how to configure Ranger policies for Spark SQL with Enterprise security package. + Title: Configure Apache Ranger policies for Spark SQL in HDInsight with Enterprise Security Package. +description: This article describes how to configure Ranger policies for Spark SQL with Enterprise Security Package. Last updated 02/12/2024 -# Configure Apache Ranger policies for Spark SQL in HDInsight with Enterprise security package +# Configure Apache Ranger policies for Spark SQL in HDInsight with Enterprise Security Package -This article describes how to configure Ranger policies for Spark SQL with Enterprise security package in HDInsight. +This article describes how to configure Apache Ranger policies for Spark SQL with Enterprise Security Package in HDInsight. -In this tutorial, you'll learn how to, -- Create Apache Ranger policies -- Verify the applied Ranger policies -- Guideline for setting Apache Ranger for Spark SQL +In this article, you learn how to: -## Prerequisites +- Create Apache Ranger policies. +- Verify the applied Ranger policies. +- Apply guidelines for setting Apache Ranger for Spark SQL. -An Apache Spark cluster in HDInsight version 5.1 with [Enterprise security package](../domain-joined/apache-domain-joined-configure-using-azure-adds.md). +## Prerequisites -## Connect to Apache Ranger Admin UI +- An Apache Spark cluster in HDInsight version 5.1 with [Enterprise Security Package](../domain-joined/apache-domain-joined-configure-using-azure-adds.md) -1. From a browser, connect to the Ranger Admin user interface using the URL `https://ClusterName.azurehdinsight.net/Ranger/`. +## Connect to the Apache Ranger admin UI ++1. 
From a browser, connect to the Ranger admin user interface by using the URL `https://ClusterName.azurehdinsight.net/Ranger/`. - Remember to change `ClusterName` to the name of your Spark cluster. - -1. Sign in using your Microsoft Entra admin credentials. The Microsoft Entra admin credentials aren't the same as HDInsight cluster credentials or Linux HDInsight node SSH credentials. + Change `ClusterName` to the name of your Spark cluster. ++1. Sign in by using your Microsoft Entra admin credentials. The Microsoft Entra admin credentials aren't the same as HDInsight cluster credentials or Linux HDInsight node Secure Shell (SSH) credentials. ++ :::image type="content" source="./media/ranger-policies-for-spark/ranger-spark.png" alt-text="Screenshot that shows the Service Manager page in the Ranger user interface." lightbox="./media/ranger-policies-for-spark/ranger-spark.png"::: - :::image type="content" source="./media/ranger-policies-for-spark/ranger-spark.png" alt-text="Screenshot shows the create alert notification dialog box." lightbox="./media/ranger-policies-for-spark/ranger-spark.png"::: +## Create domain users -## Create Domain users +For information on how to create **sparkuser** domain users, see [Create an HDInsight cluster with ESP](../domain-joined/apache-domain-joined-configure-using-azure-adds.md#create-an-hdinsight-cluster-with-esp). In a production scenario, domain users come from your Microsoft Entra tenant. -See [Create an HDInsight cluster with ESP](../domain-joined/apache-domain-joined-configure-using-azure-adds.md#create-an-hdinsight-cluster-with-esp), for information on how to create **sparkuser** domain users. In a production scenario, domain users come from your Active Directory tenant. 
+## Create a Ranger policy -## Create Ranger policy +In this section, you create two Ranger policies: -In this section, you create two Ranger policies; +- An access policy for accessing `hivesampletable` from Spark SQL +- A masking policy for obfuscating the columns in `hivesampletable` -- [Access policy for accessing ΓÇ£hivesampletableΓÇ¥ from spark-sql](./ranger-policies-for-spark.md#create-ranger-access-policies)-- [Masking policy for obfuscating the columns in hivesampletable](./ranger-policies-for-spark.md#create-ranger-masking-policy)+### Create a Ranger access policy -### Create Ranger Access policies +1. Open the Ranger admin UI. -1. Open Ranger Admin UI. +1. Under **HADOOP SQL**, select **hive_and_spark**. -1. Select **hive_and_spark**, under **Hadoop SQL**. + :::image type="content" source="./media/ranger-policies-for-spark/ranger-spark.png" alt-text="Screenshot that shows the selection of Hive and Spark." lightbox="./media/ranger-policies-for-spark/ranger-spark.png"::: - :::image type="content" source="./media/ranger-policies-for-spark/ranger-spark.png" alt-text="Screenshot shows select hive and spark." lightbox="./media/ranger-policies-for-spark/ranger-spark.png"::: +1. On the **Access** tab, select **Add New Policy**. -1. Select **Add New Policy** under **Access** tab, and then enter the following values: + :::image type="content" source="./media/ranger-policies-for-spark/add-new-policy-screenshot.png" alt-text="Screenshot that shows the button for adding a new access policy." lightbox="./media/ranger-policies-for-spark/add-new-policy-screenshot.png"::: - :::image type="content" source="./media/ranger-policies-for-spark/add-new-policy-screenshot.png" alt-text="Screenshot shows select hive." lightbox="./media/ranger-policies-for-spark/add-new-policy-screenshot.png"::: +1. 
Enter the following values: - | Property | Value | - ||| - | Policy Name | read-hivesampletable-all | - | Hive Database | default | - | table | hivesampletable | - | Hive Column | * | - | Select User | sparkuser | - | Permissions | select | + | Property | Value | + ||| + | Policy Name | read-hivesampletable-all | + | database | default | + | table | hivesampletable | + | column | * | + | Select User | sparkuser | + | Permissions | select | - :::image type="content" source="./media/ranger-policies-for-spark/sample-policy-details.png" alt-text="Screenshot shows sample policy details." lightbox="./media/ranger-policies-for-spark/sample-policy-details.png"::: + :::image type="content" source="./media/ranger-policies-for-spark/sample-policy-details.png" alt-text="Screenshot that shows sample details for an access policy." lightbox="./media/ranger-policies-for-spark/sample-policy-details.png"::: - Wait a few moments for Ranger to sync with Microsoft Entra ID if a domain user is not automatically populated for Select User. + If a domain user isn't automatically populated for **Select User**, wait a few moments for Ranger to sync with Microsoft Entra ID. -1. Select **Add** to save the policy. +1. Select **Add** to save the policy. ++1. Open a Zeppelin notebook and run the following command to verify the policy: -1. Open Zeppelin notebook and run the following command to verify the policy. - ``` %sql select * from hivesampletable limit 10; ``` - Result before policy was saved: - - :::image type="content" source="./media/ranger-policies-for-spark/result-before-access-policy.png" alt-text="Screenshot shows result before access policy." lightbox="./media/ranger-policies-for-spark/result-before-access-policy.png"::: + Here's the result before a policy is applied: ++ :::image type="content" source="./media/ranger-policies-for-spark/result-before-access-policy.png" alt-text="Screenshot that shows the result before an access policy." 
lightbox="./media/ranger-policies-for-spark/result-before-access-policy.png"::: - Result after policy is applied: + Here's the result after a policy is applied: - :::image type="content" source="./media/ranger-policies-for-spark/result-after-access-policy.png" alt-text="Screenshot shows result after access policy." lightbox="./media/ranger-policies-for-spark/result-after-access-policy.png"::: + :::image type="content" source="./media/ranger-policies-for-spark/result-after-access-policy.png" alt-text="Screenshot that shows the result after an access policy." lightbox="./media/ranger-policies-for-spark/result-after-access-policy.png"::: -#### Create Ranger masking policy - +### Create a Ranger masking policy -The following example explains how to create a policy to mask a column. +The following example shows how to create a policy to mask a column: -1. Create another policy under **Masking** tab with the following properties using Ranger Admin UI +1. On the **Masking** tab, select **Add New Policy**. - :::image type="content" source="./media/ranger-policies-for-spark/add-new-masking-policy-screenshot.png" alt-text="Screenshot shows add new masking policy screenshot." lightbox="./media/ranger-policies-for-spark/add-new-masking-policy-screenshot.png"::: - + :::image type="content" source="./media/ranger-policies-for-spark/add-new-masking-policy-screenshot.png" alt-text="Screenshot that shows the button for adding a new masking policy." lightbox="./media/ranger-policies-for-spark/add-new-masking-policy-screenshot.png"::: - |Property |Value | - ||| - |Policy Name| mask-hivesampletable | - |Hive Database|default| - |Hive table| hivesampletable| - |Hive column|devicemake| - |Select User|sparkuser| - |Permissions|select| - |Masking options|hash| +1. 
Enter the following values: - + |Property |Value | + ||| + |Policy Name| mask-hivesampletable | + |Hive Database|default| + |Hive Table| hivesampletable| + |Hive Column|devicemake| + |Select User|sparkuser| + |Access Types|select| + |Select Masking Option|Hash| - :::image type="content" source="./media/ranger-policies-for-spark/masking-policy-details.png" alt-text="Screenshot shows masking policy details." lightbox="./media/ranger-policies-for-spark/masking-policy-details.png"::: - + :::image type="content" source="./media/ranger-policies-for-spark/masking-policy-details.png" alt-text="Screenshot shows masking policy details." lightbox="./media/ranger-policies-for-spark/masking-policy-details.png"::: -1. Select **Save** to save the policy. +1. Select **Save** to save the policy. -1. Open Zeppelin notebook and run the following command to verify the policy. +1. Open a Zeppelin notebook and run the following command to verify the policy: - ``` + ``` %sql select clientId, deviceMake from hivesampletable; ```- :::image type="content" source="./media/ranger-policies-for-spark/open-zipline-notebook.png" alt-text="Screenshot shows open zeppelin notebook." lightbox="./media/ranger-policies-for-spark/open-zipline-notebook.png"::: - + :::image type="content" source="./media/ranger-policies-for-spark/open-zipline-notebook.png" alt-text="Screenshot that shows an open Zeppelin notebook." lightbox="./media/ranger-policies-for-spark/open-zipline-notebook.png"::: -> [!NOTE] -> By default, the policies for hive and spark-sql will be common in Ranger. +> [!NOTE] +> By default, the policies for Hive and Spark SQL are common in Ranger. +## Apply guidelines for setting up Apache Ranger for Spark SQL - -## Guideline for setting up Apache Ranger for Spark-sql - -**Scenario 1**: Using new Ranger database while creating HDInsight 5.1 Spark cluster. 
- -When the cluster is created, the relevant Ranger repo containing the Hive and Spark Ranger policies are created under the name <hive_and_spark> in the Hadoop SQL service on the Ranger DB. - +The following scenarios explore guidelines for creating an HDInsight 5.1 Spark cluster by using a new Ranger database and by using an existing Ranger database. ++### Scenario 1: Use a new Ranger database while creating an HDInsight 5.1 Spark cluster ++When you use a new Ranger database to create a cluster, the relevant Ranger repo that contains the Ranger policies for Hive and Spark is created under the name **hive_and_spark** in the Hadoop SQL service on the Ranger database. +++If you edit the policies, they're applied to both Hive and Spark. ++Consider these points: ++- If you have two metastore databases with the same name used for both Hive (for example, **DB1**) and Spark (for example, **DB1**) catalogs: ++ - If Spark uses the Spark catalog (`metastore.catalog.default=spark`), the policies are applied to the **DB1** database of the Spark catalog. + - If Spark uses the Hive catalog (`metastore.catalog.default=hive`), the policies are applied to the **DB1** database of the Hive catalog. ++ From the perspective of Ranger, there's no way to differentiate between **DB1** of the Hive and Spark catalogs. ++ In such cases, we recommend that you either: ++ - Use the Hive catalog for both Hive and Spark. + - Maintain different database, table, and column names for both Hive and Spark catalogs so that the policies are not applied to databases across catalogs. ++- If you use the Hive catalog for both Hive and Spark, consider the following example. - + Let's say that you create a table named **table1** through Hive with the current **xyz** user. It creates a Hadoop Distributed File System (HDFS) file named **table1.db** whose owner is the **xyz** user. -You can edit the policies and these policies gets applied to both Hive and Spark. 
- -Points to consider: + Now imagine that you use the user **abc** to start the Spark SQL session. In this session of user **abc**, if you try to write anything to **table1**, it's bound to fail because the table owner is **xyz**. -1. In case you have two metastore databases with the same name used for both hive (for example, DB1) and spark (for example, DB1) catalogs. - - If spark uses spark catalog (metastore.catalog.default=spark), the policy applies to the DB1 of the spark catalog. - - If spark uses hive catalog (metastore.catalog.default=hive), the policies get applied to the DB1 of the hive catalog. - - There is no way of differentiating between DB1 of hive and spark catalog from the perspective of Ranger. - - - In such cases, it is recommended to either use ΓÇÿhiveΓÇÖ catalog for both Hive and Spark or maintain different database, table and column names for both Hive and Spark catalogs so that the policies are not applied to databases across catalogs. - + In such a case, we recommend that you use the same user in Hive and Spark SQL for updating the table. That user should have sufficient privileges to perform update operations. -1. In case you use ΓÇÿhiveΓÇÖ catalog for both Hive and Spark. +### Scenario 2: Use an existing Ranger database (with existing policies) while creating an HDInsight 5.1 Spark cluster - LetΓÇÖs say you create a table **table1** through Hive with current ΓÇÿxyzΓÇÖ user. It creates an HDFS file called **table1.db** whose owner is ΓÇÿxyzΓÇÖ user. - - - Now consider, the user ΓÇÿabcΓÇÖ is used while launching the Spark Sql session. In this session of user ΓÇÿabcΓÇÖ, if you try to write anything to **table1**, it is bound to fail since the table owner is ΓÇÿxyzΓÇÖ. - - In such case, it is recommended to use the same user in Hive and Spark SQL for updating the table and that user should have sufficient privileges to perform update operations. 
+When you create an HDInsight 5.1 cluster by using an existing Ranger database, a new Ranger repo is created again on this database with the name of the new cluster in this format: **hive_and_spark**. -**Scenario 2**: Using existing Ranger database (with existing policies) while creating HDInsight 5.1 Spark cluster. - - In this case when the HDI 5.1 cluster is created using existing Ranger database then, new Ranger repo gets created again on this database with the name of the new cluster in this format - <hive_and_spark>. +Let's say that you have the policies defined in the Ranger repo already under the name **oldclustername_hive** on the existing Ranger database inside the Hadoop SQL service. You want to share the same policies in the new HDInsight 5.1 Spark cluster. To achieve this goal, use the following steps. +> [!NOTE] +> A user who has Ambari admin privileges can perform configuration updates. - :::image type="content" source="./media/ranger-policies-for-spark/new-repo-old-ranger-database.png" alt-text="Screenshot shows new repo old ranger database." lightbox="./media/ranger-policies-for-spark/new-repo-old-ranger-database.png"::: +1. Open the Ambari UI from your new HDInsight 5.1 cluster. - LetΓÇÖs say you have the policies defined in the Ranger repo already under the name <oldclustername_hive> on the existing Ranger database inside Hadoop SQL service and you want to share the same policies in the new HDInsight 5.1 Spark cluster. To achieve this, follow the steps given below: - -> [!NOTE] -> Config updates can be performed by the user with Ambari admin privileges. +1. Go to the **Spark3** service, and then go to **Configs**. -1. Open Ambari UI from your new HDInsight 5.1 cluster. +1. Open the **Advanced ranger-spark-security** configuration. -1. Go to Spark 3 service -> Configs. + :::image type="content" source="./media/ranger-policies-for-spark/ambari-config-ranger-security.png" alt-text="Screenshot shows Ambari config ranger security." 
lightbox="./media/ranger-policies-for-spark/ambari-config-ranger-security.png"::: -1. Open ΓÇ£ranger-spark-securityΓÇ¥ security config. + You can also open this configuration in **/etc/spark3/conf** by using SSH. - +1. Edit two configurations (**ranger.plugin.spark.service.name** and **ranger.plugin.spark.policy.cache.dir**) to point to the old policy repo **oldclustername_hive**, and then save the configurations. - Or Open ΓÇ£ranger-spark-securityΓÇ¥ security config in /etc/spark3/conf using SSH. - - :::image type="content" source="./media/ranger-policies-for-spark/ambari-config-ranger-security.png" alt-text="Screenshot shows Ambari config ranger security." lightbox="./media/ranger-policies-for-spark/ambari-config-ranger-security.png"::: + Ambari: - + :::image type="content" source="./media/ranger-policies-for-spark/config-update-service-name-ambari.png" alt-text="Screenshot that shows a configuration update for service name in Ambari." lightbox="./media/ranger-policies-for-spark/config-update-service-name-ambari.png"::: -1. Edit two configurations ΓÇ£ranger.plugin.spark.service.nameΓÇ£ and ΓÇ£ranger.plugin.spark.policy.cache.dir" to point to old policy repo ΓÇ£oldclustername_hiveΓÇ¥ and ΓÇ£SaveΓÇ¥ the configurations. + XML file: - Ambari: - - :::image type="content" source="./media/ranger-policies-for-spark/config-update-service-name-ambari.png" alt-text="Screenshot shows config update service name Ambari." lightbox="./media/ranger-policies-for-spark/config-update-service-name-ambari.png"::: - - XML file: + :::image type="content" source="./media/ranger-policies-for-spark/config-update-xml.png" alt-text="Screenshot that shows a configuration update for service name in XML." lightbox="./media/ranger-policies-for-spark/config-update-xml.png"::: - :::image type="content" source="./media/ranger-policies-for-spark/config-update-xml.png" alt-text="Screenshot shows config update xml." lightbox="./media/ranger-policies-for-spark/config-update-xml.png"::: - - +1. 
Restart the Ranger and Spark services from Ambari. -1. Restart Ranger and Spark services from Ambari. +The policies are applied on databases in the Spark catalog. If you want to access the databases in the Hive catalog: - The policies get applied on databases in the spark catalog. If you want to access the databases under hive catalog, go to Ambari -> SPARK3 -> Configs -> Change ΓÇ£metastore.catalog.defaultΓÇ¥ from spark to hive. - - :::image type="content" source="./media/ranger-policies-for-spark/change-metastore-config.png" alt-text="Screenshot shows change metastore config." lightbox="./media/ranger-policies-for-spark/change-metastore-config.png"::: +1. In Ambari, go to **Spark3** > **Configs**. +1. Change **metastore.catalog.default** from **spark** to **hive**. + :::image type="content" source="./media/ranger-policies-for-spark/change-metastore-config.png" alt-text="Screenshot that shows changing a metastore configuration." lightbox="./media/ranger-policies-for-spark/change-metastore-config.png"::: -### Known issues - -- Apache Ranger Spark-sql integration not works if Ranger admin is down. -- Ranger DB could be overloaded if >20 spark sessions are launched concurrently because of continuous policy pulls. -- In Ranger Audit logs, ΓÇ£ResourceΓÇ¥ column, on hover, doesnΓÇÖt show the entire query which got executed. - +## Known issues - - +- Apache Ranger integration with Spark SQL doesn't work if the Ranger admin is down. +- The Ranger database can be overloaded if more than 20 Spark sessions are started concurrently because of continuous policy pulls. +- In Ranger audit logs, when you hover over the **Resource** column, it doesn't show the entire query that you ran. |
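Review bot: in Scenario 2, the added sentence "with the name of the new cluster in this format: **hive_and_spark**" contradicts itself, because the format string shown carries no cluster name; the removed line used an angle-bracket placeholder `<hive_and_spark>` that the renderer stripped, so the cluster-name prefix was lost in the rewrite. Write the placeholder in a code span so it survives rendering, and name the actual convention explicitly. Also, the Known issues line "Apache Ranger integration with Spark SQL doesn't work if the Ranger admin is down" should state whether Spark SQL queries are denied (fail closed) or run without policy enforcement while the admin is unreachable; the policy cache directory edited in step 4 (`ranger.plugin.spark.policy.cache.dir`) is the natural place to mention what happens to cached policies in that case.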
healthcare-apis | Selectable Search Parameters | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/fhir/selectable-search-parameters.md | A reindex job can be executed against the entire FHIR service database or agains ## Frequently Asked Questions -**What is the behavior if the query is includes a search parameter with status 'Supported'?** +**What is the behavior if the query includes a search parameter with status 'Supported'?** The search parameter in the 'Supported' state needs to be reindexed. Until then, the search parameter is not activated. In case a query is executed on a non-active search parameter, the FHIR service will render a response without considering that search parameter. In the response, there will be a warning message indicating that the search parameter was not indexed and therefore not used in the query. To render an error in such situations, use the 'Prefer: handling' header with the value 'strict'. By setting this header, warnings will be reported as errors. |
iot-central | Howto Connect Rigado Cascade 500 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-central/core/howto-connect-rigado-cascade-500.md | This article describes how you can connect a Rigado Cascade 500 gateway device t Cascade 500 IoT gateway is a hardware offering from Rigado that's part of their Cascade Edge-as-a-Service solution. It provides commercial IoT project and product teams with flexible edge computing power, a robust containerized application environment, and a wide variety of wireless device connectivity options such as Bluetooth 5, LTE, and Wi-Fi. -Cascade 500 is certified for Azure IoT Plug and Play and enables you to easily onboard the device into your end-to-end solutions. The Cascade gateway lets you wirelessly connect to various condition monitoring sensors that are in close proximity to the gateway device. You can use the gateway device to onboard these sensors into IoT Central. +The Cascade gateway lets you wirelessly connect to various condition monitoring sensors that are in close proximity to the gateway device. You can use the gateway device to onboard these sensors into IoT Central. ## Prerequisites |
iot-central | Howto Set Up Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-central/core/howto-set-up-template.md | To learn how to manage device templates by using the IoT Central REST API, see [ You have several options to create device templates: - Design the device template in the IoT Central GUI.-- Import a device template from the [Azure Certified for IoT device catalog](https://aka.ms/iotdevcat). Optionally, customize the device template to your requirements in IoT Central.+- Import a device template from the device catalog. Optionally, customize the device template to your requirements in IoT Central. - When the device connects to IoT Central, have it send the model ID of the model it implements. IoT Central uses the model ID to retrieve the model from the model repository and to create a device template. Add any cloud properties and views your IoT Central application needs to the device template. - When the device connects to IoT Central, let IoT Central [autogenerate a device template](#autogenerate-a-device-template) definition from the data the device sends. - Author a device model using the [Digital Twin Definition Language (DTDL) V2](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.v2.md) and [IoT Central DTDL extension](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.iotcentral.v2.md). Manually import the device model into your IoT Central application. Then add the cloud properties and views your IoT Central application needs. To create a device model, you can: - Use IoT Central to create a custom model from scratch. - Import a DTDL model from a JSON file. A device builder might have used Visual Studio Code to author a device model for your application.-- Select one of the devices from the Device Catalog. This option imports the device model that the manufacturer has published for this device. 
A device model imported like this is automatically published.+- Select one of the devices from the device catalog. This option imports the device model that the manufacturer has published for this device. A device model imported like this is automatically published. 1. To view the model ID, select the root interface in the model and select **Edit identity**: |
iot-central | Tutorial Connected Waste Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-central/government/tutorial-connected-waste-management.md | If you made any changes, remember to publish the device template. ### Create a new device template -To create a new device template, select **+ New**, and follow the steps. You can create a custom device template from scratch, or you can choose a device template from the Azure device catalog. +To create a new device template, select **+ New**, and follow the steps. You can create a custom device template from scratch, or you can choose a device template from the device catalog. ### Explore simulated devices |
iot-central | Tutorial Water Consumption Monitoring | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-central/government/tutorial-water-consumption-monitoring.md | To learn more, see [How to publish templates](../core/howto-set-up-template.md#p ### Create a new device template -Select **+ New** to create a new device template and follow the creation process. You can create a custom device template from scratch or you can choose a device template from the Azure Device Catalog. +Select **+ New** to create a new device template and follow the creation process. You can create a custom device template from scratch or you can choose a device template from the device catalog. To learn more, see [How to add device templates](../core/howto-set-up-template.md). |
iot-central | Tutorial Water Quality Monitoring | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-central/government/tutorial-water-quality-monitoring.md | If you make any changes, be sure to select **Publish** to publish the device tem ### Create a new device template 1. On the **Device templates** page, select **+ New** to create a new device template and follow the creation process.-1. Create a custom device template or choose a device template from the Azure IoT device catalog. +1. Create a custom device template or choose a device template from the device catalog. ## Explore simulated devices |
iot-central | Tutorial In Store Analytics Create App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-central/retail/tutorial-in-store-analytics-create-app.md | To update the application image: ### Create the device templates -By creating device templates, you and the application operators can configure and manage devices. You can build a custom template, import an existing template file, or import a template from the Azure IoT device catalog. After you create and customize a device template, use it to connect real devices to your application. +By creating device templates, you and the application operators can configure and manage devices. You can build a custom template, import an existing template file, or import a template from the device catalog. After you create and customize a device template, use it to connect real devices to your application. Optionally, you can use a device template to generate simulated devices for testing. In this section, you add a device template for RuuviTag sensors to your applicat 1. Select **New** to create a new device template. -1. Search for and then select the **RuuviTag Multisensor** device template in the Azure IoT device catalog. +1. Search for and then select the **RuuviTag Multisensor** device template in the device catalog. 1. Select **Next: Review**. |
iot-hub | Iot Concepts And Iot Hub | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/iot-concepts-and-iot-hub.md | Title: IoT concepts and Azure IoT Hub | Microsoft Docs -description: This article discusses the basic concepts for new users of Azure IoT Hub + Title: What is Azure IoT Hub? ++description: This article discusses the basic concepts of how Azure IoT Hub helps users connect IoT applications and their attached devices. Previously updated : 02/23/2022 Last updated : 02/22/2024 #Customer intent: As a developer new to IoT Hub, learn the basic concepts. -# IoT concepts and Azure IoT Hub +# What is Azure IoT Hub? The Internet of Things (IoT) is a network of physical devices that connect to and exchange data with other devices and services over the Internet or other network. There are currently over ten billion connected devices in the world and more are added every year. Anything that can be embedded with the necessary sensors and software can be connected over the internet. Azure IoT Hub is a managed service hosted in the cloud that acts as a central message hub for communication between an IoT application and its attached devices. You can connect millions of devices and their backend solutions reliably and securely. Almost any device can be connected to an IoT hub. -Several messaging patterns are supported, including device-to-cloud telemetry, uploading files from devices, and request-reply methods to control your devices from the cloud. IoT Hub also supports monitoring to help you track device creation, device connections, and device failures. +Several messaging patterns are supported, including device-to-cloud messages, uploading files from devices, and request-reply methods to control your devices from the cloud. IoT Hub also supports monitoring to help you track device creation, device connections, and device failures. 
-IoT Hub scales to millions of simultaneously connected devices and millions of events per second to support your IoT workloads. For more information about scaling your IoT Hub, see [IoT Hub scaling](iot-hub-scaling.md). To learn more about the tiers of service offered by IoT Hub, check out the [pricing page](https://azure.microsoft.com/pricing/details/iot-hub/). +IoT Hub scales to millions of simultaneously connected devices and millions of events per second to support your IoT workloads. You can integrate IoT Hub with other Azure services to build complete, end-to-end solutions. For example, use: You can integrate IoT Hub with other Azure services to build complete, end-to-en - [Azure Stream Analytics](../stream-analytics/index.yml) to run real-time analytic computations on the data streaming from your devices. -[IoT Central](../iot-central/core/overview-iot-central.md) applications use multiple IoT hubs as part of their scalable and resilient infrastructure. --Each Azure subscription has default quota limits in place to prevent service abuse. These limits could impact the scope of your IoT solution. The current limit on a per-subscription basis is 50 IoT hubs per subscription. You can request quota increases by contacting support. For more information, see [IoT Hub quotas and throttling](iot-hub-devguide-quotas-throttling.md). For more information on quota limits, see one of the following articles: --- [Azure subscription service limits](../azure-resource-manager/management/azure-subscription-service-limits.md)--- [IoT Hub throttling and you](https://azure.microsoft.com/blog/iot-hub-throttling-and-you/)- ## IoT devices IoT devices differ from other clients such as browsers and mobile apps. Specifically, IoT devices: Every IoT hub has an identity registry that stores information about the devices We support two methods of authentication between the device and the IoT hub. You can use SAS token-based authentication or X.509 certificate authentication. 
-The SAS token method provides authentication for each call made by the device to IoT Hub by associating the symmetric key to each call. X.509 authentication allows authentication of an IoT device at the physical layer as part of the Transport Layer Security (TLS) standard connection establishment. The choice between the two methods is primarily dictated by how secure the device authentication needs to be, and availability of secure storage on the device (to store the private key securely). +The SAS token method provides authentication for each call made by the device to IoT Hub by associating the symmetric key to each call. X.509 authentication allows authentication of an IoT device at the physical layer as part of the Transport Layer Security (TLS) standard connection establishment. The choice between the two methods depends on how secure the device authentication needs to be, and ability to store the private key securely on the device. You can set up and provision many devices at a time using the [IoT Hub Device Provisioning Service](../iot-dps/index.yml). +For more information, see [Device management and control](../iot/iot-overview-device-management.md). + ## Device communication -After selecting your authentication method, the internet connection between the IoT device and IoT Hub is secured using the Transport Layer Security (TLS) standard. Azure IoT supports TLS 1.2, TLS 1.1, and TLS 1.0, in that order. Support for TLS 1.0 is provided for backward compatibility only. Check TLS support in IoT Hub to see how to configure your hub to use TLS 1.2, which provides the most security. +The internet connection between the IoT device and IoT Hub is secured using the Transport Layer Security (TLS) standard. Azure IoT supports TLS 1.2, TLS 1.1, and TLS 1.0, in that order. Support for TLS 1.0 is provided for backward compatibility only. Check TLS support in IoT Hub to see how to configure your hub to use TLS 1.2, which provides the most security. 
-Typically, IoT devices send telemetry from the sensors to back-end services in the cloud. However, other types of communication are possible, such as a back-end service sending commands to your devices. Some examples of different types of communication include the following: +Typically, IoT devices send data from the sensors to back-end services in the cloud. However, other types of communication are possible, such as a back-end service sending commands to your devices. For example: - A refrigeration truck sending temperature every 5 minutes to an IoT hub.-- A back-end service sending a command to a device to change the frequency at which it sends telemetry to help diagnose a problem.+- A back-end service sending a command to a device to change the frequency at which it sends data to help diagnose a problem. - A device monitoring a batch reactor in a chemical plant, sending an alert when the temperature exceeds a certain value. +For more information, see [Device infrastructure and connectivity](../iot/iot-overview-device-connectivity.md). + ## Device telemetry -Examples of telemetry received from a device can include sensor data such as speed or temperature, an error message such as missed event, or an information message to indicate the device is in good health. IoT devices send events to an application to gain insights. Applications may require specific subsets of events for processing or storage at different endpoints. +Examples of telemetry received from a device can include sensor data such as speed or temperature, an error message such as missed event, or an information message to indicate the device is in good health. IoT devices send events to an application to gain insights. Applications might require specific subsets of events for processing or storage at different endpoints. 
## Device properties Properties can be read or set from the IoT hub and can be used to send notificat You can enable properties in IoT Hub using [Device twins](iot-hub-devguide-device-twins.md) or [Plug and Play](../iot/overview-iot-plug-and-play.md). -To learn more about the differences between device twins and Plug and Play, see [Plug and Play](../iot/concepts-digital-twin.md#device-twins-and-digital-twins). - ## Device commands An example of a command is rebooting a device. IoT Hub implements commands by allowing you to invoke direct methods on devices. [Direct methods](iot-hub-devguide-direct-methods.md) represent a request-reply interaction with a device similar to an HTTP call in that they succeed or fail immediately (after a user-specified timeout). This approach is useful for scenarios where the course of immediate action is different depending on whether the device was able to respond. IoT Hub gives you the ability to unlock the value of your device data with other ### Built-in endpoint collects device data by default -A built-in endpoint collects data from your device by default. The data is collected using a request-response pattern over dedicated IoT device endpoints, is available for a maximum duration of seven days, and can be used to take actions on a device. Here is the data accepted by the device endpoint: +A built-in endpoint collects data from your device by default. The data is collected using a request-response pattern over dedicated IoT device endpoints, is available for a maximum duration of seven days, and can be used to take actions on a device. Data accepted by the device endpoint includes: - Send device-to-cloud messages. - Receive cloud-to-device messages. A built-in endpoint collects data from your device by default. The data is colle - Retrieve and update device twin properties. - Receive direct method requests. 
-For more information about IoT Hub endpoints, see [IoT Hub Dev Guide Endpoints]( -iot-hub-devguide-endpoints.md#list-of-built-in-iot-hub-endpoints) +For more information about IoT Hub endpoints, see [IoT Hub endpoints](iot-hub-devguide-endpoints.md). ### Message routing sends data to other endpoints -Data can also be routed to different services for further processing. As the IoT solution scales out, the number of devices, volume of events, variety of events, and different services also varies. A flexible, scalable, consistent, and reliable method to route events is necessary to serve this pattern. Once a message route has been created, data stops flowing to the built-in-endpoint unless a fallback route has been configured. For a tutorial showing multiple uses of message routing, see the [Routing Tutorial](tutorial-routing.md). +Data can also be routed to different services for further processing. As the IoT solution scales out, the number of devices, volume of events, variety of events, and different services also varies. A flexible, scalable, consistent, and reliable method to route events is necessary to serve this pattern. For a tutorial showing multiple uses of message routing, see [Tutorial: Send device data to Azure Storage using IoT Hub message routing](tutorial-routing.md). ++IoT Hub supports setting up custom endpoints for Azure services including Storage containers, Event Hubs, Service Bus queues, Service Bus topics, and Cosmos DB. Once the endpoint has been set up, you can route your IoT data to any of these endpoints to perform downstream data operations. -IoT Hub supports setting up custom endpoints for various existing Azure services like Storage containers, Event Hubs, Service Bus queues, Service Bus topics, and Cosmos DB. Once the endpoint has been set up, you can route your IoT data to any of these endpoints to perform downstream data operations. +IoT Hub also integrates with Event Grid, which enables you to fan out data to multiple subscribers. 
Event Grid is a fully managed event service that enables you to easily manage events across many different Azure services and applications. Event Grid simplifies building event-driven applications and serverless architectures. -IoT Hub also integrates with Event Grid, which enables you to fan out data to multiple subscribers. Event Grid is a fully managed event service that enables you to easily manage events across many different Azure services and applications. Made for performance and scale, it simplifies building event-driven applications and serverless architectures. The differences between message routing and using Event Grid are explained in the [Message Routing and Event Grid Comparison](iot-hub-event-grid-routing-comparison.md) +For more information, see [Compare message routing and Event Grid for IoT Hub](iot-hub-event-grid-routing-comparison.md). ## Next steps To try out an end-to-end IoT solution, check out the IoT Hub quickstarts: To learn more about the ways you can build and deploy IoT solutions with Azure IoT, visit: -- [What is Azure IoT device and application development](../iot-develop/about-iot-develop.md)-- [Fundamentals: Azure IoT technologies and solutions](../iot/iot-services-and-technologies.md)+- [What is Azure Internet of Things?](../iot/iot-introduction.md) +- [What is Azure IoT device and application development?](../iot-develop/about-iot-develop.md) |
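Review bot: the rewrite of the "Message routing sends data to other endpoints" paragraph drops the sentence "Once a message route has been created, data stops flowing to the built-in-endpoint unless a fallback route has been configured", which is the one operational caveat in that section; keep it, or link to where it is documented, so readers are not surprised when telemetry stops arriving at the built-in endpoint after they add a route. Also, in "Device communication", "Check TLS support in IoT Hub to see how to configure your hub to use TLS 1.2" reads as a link whose target was lost; restore the link, since that sentence is the only pointer to turning off the TLS 1.0 and TLS 1.1 fallback the same paragraph describes as backward-compatibility only.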
iot-hub | Iot Hub Customer Managed Keys | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/iot-hub-customer-managed-keys.md | - Title: Encryption of Azure IoT Hub data at rest using customer-managed keys| Microsoft Docs -description: Encryption of Azure IoT Hub data at rest using customer-managed keys ---- Previously updated : 11/03/2022-----# Encryption of Azure Iot Hub data at rest using customer-managed keys (preview) --IoT Hub supports encryption of data at rest using customer-managed keys (CMK), also known as Bring your own key (BYOK). Azure IoT Hub provides encryption of data at rest and in-transit as it's written in our datacenters; the data is encrypted when read and decrypted when written. -->[!NOTE] ->The customer-managed keys feature is in private preview, and is not currently accepting new customers. --By default, IoT Hub uses Microsoft-managed keys to encrypt the data. With CMK, you can get another layer of encryption on top of default encryption and can choose to encrypt data at rest with a key encryption key, managed through your [Azure Key Vault](https://azure.microsoft.com/services/key-vault/). This gives you the flexibility to create, rotate, disable, and revoke access controls. If BYOK is configured for your IoT Hub, we also provide double encryption, which offers a second layer of protection, while still allowing you to control the encryption key through your Azure Key Vault. --This capability requires the creation of a new IoT Hub (basic or standard tier). To try this capability, contact us through [Microsoft support](https://azure.microsoft.com/support/create-ticket/). Share your company name and subscription ID when contacting Microsoft support. --## Next steps --* [What is IoT Hub?](./about-iot-hub.md) --* [Learn more about Azure Key Vault](../key-vault/general/overview.md) |
iot-hub | Iot Hub Devguide Device Twins | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/iot-hub-devguide-device-twins.md | Title: Understand Azure IoT Hub device twins -description: This article describes how to use device twins to synchronize state and configuration data between IoT Hub and your devices ++description: This article describes how to use device twins to synchronize state and configuration data between IoT Hub and your devices. Previously updated : 04/27/2022 Last updated : 02/22/2024 # Understand and use device twins in IoT Hub -*Device twins* are JSON documents that store device state information including metadata, configurations, and conditions. Azure IoT Hub maintains a device twin for each device that you connect to IoT Hub. +*Device twins* are JSON documents that store device state information including metadata, configurations, and conditions. Azure IoT Hub maintains a device twin for each device that you connect to IoT Hub. [!INCLUDE [iot-hub-basic](../../includes/iot-hub-basic-whole.md)] This article describes: -* The structure of the device twin: *tags*, *desired* and *reported properties*. -* The operations that device apps and back ends can perform on device twins. +* The structure of the device twin: *tags*, *desired properties*, and *reported properties*. +* The operations that device and back-end applications can perform on device twins. Use device twins to: -* Store device-specific metadata in the cloud. For example, the deployment location of a vending machine. +* Store device-specific metadata in the cloud. For example, the location of a vending machine. * Report current state information such as available capabilities and conditions from your device app. For example, whether a device is connected to your IoT hub over cellular or WiFi. Use device twins to: * Query your device metadata, configuration, or state. 
-Refer to [Device-to-cloud communication guidance](iot-hub-devguide-d2c-guidance.md) for guidance on using reported properties, device-to-cloud messages, or file upload. +For more information about using reported properties, device-to-cloud messages, or file upload, see [Device-to-cloud communication guidance](iot-hub-devguide-d2c-guidance.md). -Refer to [Cloud-to-device communication guidance](iot-hub-devguide-c2d-guidance.md) for guidance on using desired properties, direct methods, or cloud-to-device messages. +For more information about using desired properties, direct methods, or cloud-to-device messages, see [Cloud-to-device communication guidance](iot-hub-devguide-c2d-guidance.md). To learn how device twins relate to the device model used by an Azure IoT Plug and Play device, see [Understand IoT Plug and Play digital twins](../iot/concepts-digital-twin.md). Device twins store device-related information that: * The solution back end can use to query and target long-running operations. -The lifecycle of a device twin is linked to the corresponding [device identity](iot-hub-devguide-identity-registry.md). Device twins are implicitly created and deleted when a device identity is created or deleted in IoT Hub. +The lifecycle of a device twin is linked to its corresponding [device identity](iot-hub-devguide-identity-registry.md). Device twins are implicitly created and deleted when a device identity is created or deleted in IoT Hub. A device twin is a JSON document that includes: -* **Tags**. A section of the JSON document that the solution back end can read from and write to. Tags are not visible to device apps. +* **Tags**. A section of the JSON document that the solution back end can read from and write to. Tags aren't visible to device apps. * **Desired properties**. Used along with reported properties to synchronize device configuration or conditions. The solution back end can set desired properties, and the device app can read them. 
The device app can also receive notifications of changes in the desired properties. * **Reported properties**. Used along with desired properties to synchronize device configuration or conditions. The device app can set reported properties, and the solution back end can read and query them. -* **Device identity properties**. The root of the device twin JSON document contains the read-only properties from the corresponding device identity stored in the [identity registry](iot-hub-devguide-identity-registry.md). Properties `connectionStateUpdatedTime` and `generationId` will not be included. +* **Device identity properties**. The root of the device twin JSON document contains the read-only properties from the corresponding device identity stored in the [identity registry](iot-hub-devguide-identity-registry.md). Properties `connectionStateUpdatedTime` and `generationId` won't be included. -![Screenshot of device twin properties](./media/iot-hub-devguide-device-twins/twin.png) +![Diagram that shows which applications interact with which device twin properties.](./media/iot-hub-devguide-device-twins/twin.png) The following example shows a device twin JSON document: The following example shows a device twin JSON document: } ``` -In the root object are the device identity properties, and container objects for `tags` and both `reported` and `desired` properties. The `properties` container contains some read-only elements (`$metadata` and `$version`) described in the [Device twin metadata](iot-hub-devguide-device-twins.md#device-twin-metadata) and [Optimistic concurrency](iot-hub-devguide-device-twins.md#optimistic-concurrency) sections. +The root object contains the device identity properties, and container objects for `tags` and both `reported` and `desired` properties. 
The `properties` container contains some read-only elements (`$metadata` and `$version`) described in the [Device twin metadata](iot-hub-devguide-device-twins.md#device-twin-metadata) and [Optimistic concurrency](iot-hub-devguide-device-twins.md#optimistic-concurrency) sections. ### Reported property example In the previous example, the device twin contains a `batteryLevel` property that In the previous example, the `telemetryConfig` device twin desired and reported properties are used by the solution back end and the device app to synchronize the telemetry configuration for this device. For example: -1. The solution back end sets the desired property with the desired configuration value. Here is the portion of the document with the desired property set: +1. The solution back end sets the desired property with the desired configuration value. Here's the portion of the document with the desired property set: ```json "desired": { The solution back end operates on the device twin using the following atomic ope * **Replace tags**. This operation enables the solution back end to completely overwrite all existing tags and substitute a new JSON document for `tags`. -* **Receive twin notifications**. This operation allows the solution back end to be notified when the twin is modified. To do so, your IoT solution needs to create a route and to set the Data Source equal to *twinChangeEvents*. By default, no such route exists, so no twin notifications are sent. If the rate of change is too high, or for other reasons such as internal failures, the IoT Hub might send only one notification that contains all changes. Therefore, if your application needs reliable auditing and logging of all intermediate states, you should use device-to-cloud messages. To learn more about the properties and body returned in the twin notification message, see [Non-telemetry event schemas](iot-hub-non-telemetry-event-schema.md). +* **Receive twin notifications**. 
This operation allows the solution back end to be notified when the twin is modified. To do so, your IoT solution needs to create a route and to set the Data Source equal to *twinChangeEvents*. By default, no such route exists, so no twin notifications are sent. If the rate of change is too high, or for other reasons such as internal failures, the IoT Hub might send only one notification that contains all changes. Therefore, if your application needs reliable auditing and logging of all intermediate states, you should use device-to-cloud messages. To learn more about the properties and body returned in the twin notification message, see [Nontelemetry event schemas](iot-hub-non-telemetry-event-schema.md). All the preceding operations support [Optimistic concurrency](iot-hub-devguide-device-twins.md#optimistic-concurrency) and require the **ServiceConnect** permission, as defined in [Control access to IoT Hub](iot-hub-dev-guide-sas.md). In addition to these operations, the solution back end can: The device app operates on the device twin using the following atomic operations: -* **Retrieve device twin**. This operation returns the device twin document (including desired and reported system properties) for the currently connected device. (Tags are not visible to device apps.) +* **Retrieve device twin**. This operation returns the device twin document (including desired and reported system properties) for the currently connected device. (Tags aren't visible to device apps.) * **Partially update reported properties**. This operation enables the partial update of the reported properties of the currently connected device. This operation uses the same JSON update format that the solution back end uses for a partial update of desired properties. Tags, desired properties, and reported properties are JSON objects with the foll * **Values**: All values in JSON objects can be of the following JSON types: boolean, number, string, object. Arrays are also supported. 
- * Integers can have a minimum value of -4503599627370496 and a maximum value of 4503599627370495. + * Integers can have a minimum value of -4503599627370496 and a maximum value of 4503599627370495. - * String values are UTF-8 encoded and can have a maximum length of 4 KB. + * String values are UTF-8 encoded and can have a maximum length of 4 KB. * **Depth**: The maximum depth of JSON objects in tags, desired properties, and reported properties is 10. For example, the following object is valid: Tags, desired properties, and reported properties are JSON objects with the foll ## Device twin size -IoT Hub enforces an 8 KB size limit on the value of `tags`, and a 32 KB size limit each on the value of `properties/desired` and `properties/reported`. These totals are exclusive of read-only elements like `$version` and `$metadata/$lastUpdated`. +IoT Hub enforces an 8-KB size limit on the value of `tags`, and a 32-KB size limit each on the value of `properties/desired` and `properties/reported`. These totals are exclusive of read-only elements like `$version` and `$metadata/$lastUpdated`. Twin size is computed as follows: Versions are also useful when an observing agent (such as the device app observi ## Device reconnection flow -IoT Hub does not preserve desired properties update notifications for disconnected devices. It follows that a device that is connecting must retrieve the full desired properties document, in addition to subscribing for update notifications. Given the possibility of races between update notifications and full retrieval, the following flow must be ensured: +IoT Hub doesn't preserve desired properties update notifications for disconnected devices. It follows that a device that is connecting must retrieve the full desired properties document, in addition to subscribing for update notifications. Given the possibility of races between update notifications and full retrieval, the following flow must be ensured: 1. Device app connects to an IoT hub. 2. 
Device app subscribes for desired properties update notifications. IoT Hub does not preserve desired properties update notifications for disconnect The device app can ignore all notifications with `$version` less or equal than the version of the full retrieved document. This approach is possible because IoT Hub guarantees that versions always increment. -## Additional reference material --Other reference topics in the IoT Hub developer guide include: --* The [IoT Hub endpoints](iot-hub-devguide-endpoints.md) article describes the various endpoints that each IoT hub exposes for run-time and management operations. --* The [Throttling and quotas](iot-hub-devguide-quotas-throttling.md) article describes the quotas that apply to the IoT Hub service and the throttling behavior to expect when you use the service. --* The [Azure IoT device and service SDKs](iot-hub-devguide-sdks.md) article lists the various language SDKs you can use when you develop both device and service apps that interact with IoT Hub. --* The [IoT Hub query language for device twins, jobs, and message routing](iot-hub-devguide-query-language.md) article describes the IoT Hub query language you can use to retrieve information from IoT Hub about your device twins and jobs. --* The [IoT Hub MQTT support](../iot/iot-mqtt-connect-to-iot-hub.md) article provides more information about IoT Hub support for the MQTT protocol. - ## Next steps Now you have learned about device twins, you may be interested in the following IoT Hub developer guide topics: |
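Review bot: The "Additional reference material" section is deleted wholesale, but the hunk shows no matching addition under "Next steps", so the links to IoT Hub endpoints, throttling and quotas, the device and service SDKs, the query language, and MQTT support may simply disappear from the page; either confirm "Next steps" already carries them or move the five bullets there instead of dropping them.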
iot-hub | Iot Hub Devguide Sdks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/iot-hub-devguide-sdks.md | Learn more about the IoT Hub embedded device SDKs in the [IoT device development [!INCLUDE [iot-hub-sdks-management](../../includes/iot-hub-sdks-management.md)] -## SDK and hardware compatibility --For more information about device SDK compatibility with specific hardware devices, see the [Azure Certified Device catalog](https://devicecatalog.azure.com/) or individual repository. - [!INCLUDE [iot-hub-basic](../../includes/iot-hub-basic-partial.md)] ## SDKs for related Azure IoT services |
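Review bot: Removing "SDK and hardware compatibility" drops the only pointer to the Azure Certified Device catalog (https://devicecatalog.azure.com/) in this hunk without a replacement; if the catalog is still where readers should check device SDK support for specific hardware, keep a one-line link in the management or related-services section rather than deleting it.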
iot-hub | Iot Hub Ip Filter Classic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/iot-hub-ip-filter-classic.md | - Title: Azure IoT Hub classic IP filter (deprecated) -description: How to upgrade from classic IP filter and what are the benefits ----- Previously updated : 10/16/2020----# IoT Hub classic IP filter and how to upgrade --The upgraded IP filter for IoT Hub protects the built-in endpoint and is secure by default. While we strive to never make breaking changes, the enhanced security model of the upgraded IP filter is incompatible with classic IP filter, so we announce its retirement. To learn more about the new upgraded IP filter, see [What's new](#whats-new) and [IoT hub IP filters](iot-hub-ip-filtering.md). --To avoid service disruption, you must perform the guided upgrade before the migration deadline, at which point the upgrade will be performed automatically. To learn more about the migration timeline, see [Azure update](https://aka.ms/ipfilterv2azupdate). --## How to upgrade --1. Visit Azure portal -2. Navigate to your IoT hub. -3. Select **Networking** from the left-side menu. -4. You should see a banner prompting you to upgrade your IP Filter to the new model. Select **Yes** to continue. - :::image type="content" source="media/iot-hub-ip-filter-classic/ip-filter-upgrade-banner.png" alt-text="Image showing the banner prompt to upgrade from classic IP filter"::: -5. Since the new IP Filter blocks all IP by default, the upgrade removes your individual deny rules but gives you a chance to review them before saving. Carefully review the rules to make sure they work for you. -6. Follow prompts to finish upgrading. --## What's new --### Secure by default --Classic IP filter implicitly allows all IP addresses to connect to the IoT Hub by default, which doesn't align well with the most common network security scenarios. 
Typically, you would want only trusted IP addresses to be able to connect to your IoT hub and reject everything else. To achieve this goal with classic IP filter, it's a multi-step process. For example, if you want to only accept traffic from `192.168.100.0/22`, you must --1. Configure a single *allow* rule for `192.168.100.0/22`. -1. Configure a different *block* rule for `0.0.0.0/0` (the "block all" rule) -1. Make sure the rules are ordered correctly, with the allow rule ordered above the block rule. --In practice, this multi-step process causes confusion. Users didn't configure the "block all" rule or didn't order the rules correctly, resulting in unintended exposure. --The new IP filter blocks all IP addresses by default. Only the IP ranges that you explicitly add are allowed to connect to IoT Hub. In the above example, steps 2 and 3 aren't needed anymore. This new behavior simplifies configuration and abides by the [secure by default principle](https://wikipedia.org/wiki/Secure_by_default). --### Protect the built-in Event Hub compatible endpoint --Classic IP filter cannot be applied to the built-in endpoint. This limitation means that, event with a block all rule (block `0.0.0.0/0`) configured, the built-in endpoint is still accessible from any IP address. --The new IP filter provides an option to apply rules to the built-in endpoint, which reduces exposure to network security threats. ---> [!NOTE] -> This option isn't available to free (F1) IoT hubs. To apply IP filter rules to the built-in endpoint, use a paid IoT hub. --### API impact --The upgraded IP filter is available in IoT Hub resource API from `2020-08-31` (as well as `2020-08-31-preview`) and onwards. Classic IP filter is still available in all API versions, but will be removed in a future API version near the migration deadline. To learn more about the migration timeline, see [Azure update](https://aka.ms/ipfilterv2azupdate). 
--## Tip: try the changes before they apply --Since the new IP filter blocks all IP address by default, individual block rules are no longer compatible. So, the guided upgrade process removes these individual block rules. --To try to the change in with classic IP filter: --1. Visit the **Networking** tab in your IoT hub -1. Note down your existing IP filter (classic) configuration, in case you want to roll back -1. Next to rules with **Block**, Select the trash icon to remove them -1. Add another rule at the bottom with `0.0.0.0/0`, and choose **Block** -1. Select **Save** --This configuration mimics how the new IP filter behaves after upgrading from classic. One exception is the built-in endpoint protection, which is not possible to try using classic IP filter. However, that feature is optional, so you don't have to use it if you think it might break something. --## Tip: check diagnostic logs for all IP connections to your IoT hub --To ensure a smooth transition, check your diagnostic logs under the Connections category. Look for the `maskedIpAddress` property to see if the ranges are as you expect. Remember: the new IP filter will block all IP addresses that haven't been explicitly added. --## IoT Hub classic IP filter documentation (retired) --> [!IMPORTANT] -> Below is the original documentation for classic IP filter, which is being retired. --Security is an important aspect of any IoT solution based on Azure IoT Hub. Sometimes you need to explicitly specify the IP addresses from which devices can connect as part of your security configuration. The *IP filter* feature enables you to configure rules for rejecting or accepting traffic from specific IPv4 addresses. --### When to use --There are two specific use-cases when it is useful to block the IoT Hub endpoints for certain IP addresses: --* Your IoT hub should receive traffic only from a specified range of IP addresses and reject everything else. 
For example, you are using your IoT hub with [Azure Express Route](../expressroute/expressroute-faqs.md#supported-services) to create private connections between an IoT hub and your on-premises infrastructure. --* You need to reject traffic from IP addresses that have been identified as suspicious by the IoT hub administrator. --### How filter rules are applied --The IP filter rules are applied at the IoT Hub service level. Therefore, the IP filter rules apply to all connections from devices and back-end apps using any supported protocol. However, clients reading directly from the [built-in Event Hub compatible endpoint](iot-hub-devguide-messages-read-builtin.md) (not via the IoT Hub connection string) are not bound to the IP filter rules. --Any connection attempt from an IP address that matches a rejecting IP rule in your IoT hub receives an unauthorized 401 status code and description. The response message does not mention the IP rule. Rejecting IP addresses can prevent other Azure services such as Azure Stream Analytics, Azure Virtual Machines, or the Device Explorer in Azure portal from interacting with the IoT hub. --> [!NOTE] -> If you must use Azure Stream Analytics (ASA) to read messages from an IoT hub with IP filter enabled, use the event hub-compatible name and endpoint of your IoT hub to manually add an [Event Hubs stream input](../stream-analytics/stream-analytics-define-inputs.md#stream-data-from-event-hubs) in the ASA. --### Default setting --By default, the **IP Filter** grid in the portal for an IoT hub is empty. This default setting means that your hub accepts connections from any IP address. This default setting is equivalent to a rule that accepts the 0.0.0.0/0 IP address range. --To get to the IP Filter settings page, select **Networking**, **Public access**, then choose **Selected IP Ranges**: ---### Add or edit an IP filter rule --To add an IP filter rule, select **+ Add IP Filter Rule**. 
---After selecting **Add IP Filter Rule**, fill in the fields. ---* Provide a **name** for the IP Filter rule. This must be a unique, case-insensitive, alphanumeric string up to 128 characters long. Only the ASCII 7-bit alphanumeric characters plus `{'-', ':', '/', '\', '.', '+', '%', '_', '#', '*', '?', '!', '(', ')', ',', '=', '@', ';', '''}` are accepted. --* Provide a single IPv4 address or a block of IP addresses in CIDR notation. For example, in CIDR notation 192.168.100.0/22 represents the 1024 IPv4 addresses from 192.168.100.0 to 192.168.103.255. --* Select **Allow** or **Block** as the **action** for the IP filter rule. --After filling in the fields, select **Save** to save the rule. You see an alert notifying you that the update is in progress. ---The **Add** option is disabled when you reach the maximum of 10 IP filter rules. --To edit an existing rule, select the data you want to change, make the change, then select **Save** to save your edit. --### Delete an IP filter rule --To delete an IP filter rule, select the trash can icon on that row and then select **Save**. The rule is removed and the change is saved. ---### Retrieve and update IP filters using Azure CLI --Your IoT Hub's IP filters can be retrieved and updated through [Azure CLI](/cli/azure/). --To retrieve current IP filters of your IoT Hub, run: --```azurecli-interactive -az resource show -n <iothubName> -g <resourceGroupName> --resource-type Microsoft.Devices/IotHubs -``` --This will return a JSON object where your existing IP filters are listed under the `properties.ipFilterRules` key: --```json -{ -... - "properties": { - "ipFilterRules": [ - { - "action": "Reject", - "filterName": "MaliciousIP", - "ipMask": "6.6.6.6/6" - }, - { - "action": "Allow", - "filterName": "GoodIP", - "ipMask": "131.107.160.200" - }, - ... - ], - }, -... 
-} -``` --To add a new IP filter for your IoT Hub, run: --```azurecli-interactive -az resource update -n <iothubName> -g <resourceGroupName> --resource-type Microsoft.Devices/IotHubs --add properties.ipFilterRules "{\"action\":\"Reject\",\"filterName\":\"MaliciousIP\",\"ipMask\":\"6.6.6.6/6\"}" -``` --To remove an existing IP filter in your IoT Hub, run: --```azurecli-interactive -az resource update -n <iothubName> -g <resourceGroupName> --resource-type Microsoft.Devices/IotHubs --add properties.ipFilterRules <ipFilterIndexToRemove> -``` --Note that `<ipFilterIndexToRemove>` must correspond to the ordering of IP filters in your IoT Hub's `properties.ipFilterRules`. --### Retrieve and update IP filters using Azure PowerShell ---Your IoT Hub's IP filters can be retrieved and set through [Azure PowerShell](/powershell/azure/). --```powershell -# Get your IoT Hub resource using its name and its resource group name -$iothubResource = Get-AzResource -ResourceGroupName <resourceGroupNmae> -ResourceName <iotHubName> -ExpandProperties --# Access existing IP filter rules -$iothubResource.Properties.ipFilterRules |% { Write-host $_ } --# Construct a new IP filter -$filter = @{'filterName'='MaliciousIP'; 'action'='Reject'; 'ipMask'='6.6.6.6/6'} --# Add your new IP filter rule -$iothubResource.Properties.ipFilterRules += $filter --# Remove an existing IP filter rule using its name, e.g., 'GoodIP' -$iothubResource.Properties.ipFilterRules = @($iothubResource.Properties.ipFilterRules | Where 'filterName' -ne 'GoodIP') --# Update your IoT Hub resource with your updated IP filters -$iothubResource | Set-AzResource -Force -``` --### Update IP filter rules using REST --You may also retrieve and modify your IoT Hub's IP filter using Azure resource Provider's REST endpoint. See `properties.ipFilterRules` in [createorupdate method](/rest/api/iothub/iothubresource/createorupdate). 
--### IP filter rule evaluation --IP filter rules are applied in order and the first rule that matches the IP address determines the accept or reject action. --For example, if you want to accept addresses in the range 192.168.100.0/22 and reject everything else, the first rule in the grid should accept the address range 192.168.100.0/22. The next rule should reject all addresses by using the range 0.0.0.0/0. --You can change the order of your IP filter rules in the grid by clicking the three vertical dots at the start of a row and using drag and drop. --To save your new IP filter rule order, click **Save**. ---## Next steps --To further explore the capabilities of IoT Hub, see: --* [Use IP filters](iot-hub-ip-filtering.md) |
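Review bot: Deleting iot-hub-ip-filter-classic.md removes the guided-upgrade steps and the "check diagnostic logs for all IP connections" tip while the deleted text itself still says classic IP filter "is still available in all API versions"; confirm the migration deadline has passed and add a redirect from this path (including its #whats-new anchor) to iot-hub-ip-filtering.md so existing links do not 404. The removed text is also where the secure-by-default contrast was explained (classic allows all addresses and leaves the built-in endpoint unprotected unless a `0.0.0.0/0` block rule is added and ordered correctly; the new filter blocks all by default), so make sure that comparison survives in the replacement article.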
iot-hub | Iot Hub Live Data Visualization In Power Bi | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/iot-hub-live-data-visualization-in-power-bi.md | If you don't have an Azure subscription, [create a free account](https://azure.m Before you begin this tutorial, have the following prerequisites in place: -* Complete one of the [Send telemetry](../iot-develop/quickstart-send-telemetry-iot-hub.md?toc=/azure/iot-hub/toc.json&bc=/azure/iot-hub/breadcrumb/toc.json) quickstarts in the development language of your choice. Alternatively, you can use any device app that sends temperature telemetry; for example, the [Raspberry Pi online simulator](iot-hub-raspberry-pi-web-simulator-get-started.md) or one of the [Embedded device](../iot-develop/quickstart-devkit-mxchip-az3166.md) quickstarts. These articles cover the following requirements: +* Complete one of the [Send telemetry](../iot-develop/quickstart-send-telemetry-iot-hub.md?toc=/azure/iot-hub/toc.json&bc=/azure/iot-hub/breadcrumb/toc.json) quickstarts in the development language of your choice. Alternatively, you can use any device app that sends temperature telemetry; for example, the [Raspberry Pi online simulator](raspberry-pi-get-started.md) or one of the [Embedded device](../iot-develop/quickstart-devkit-mxchip-az3166.md) quickstarts. These articles cover the following requirements: * An active Azure subscription. * An Azure IoT hub in your subscription. |
iot-hub | Iot Hub Live Data Visualization In Web Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/iot-hub-live-data-visualization-in-web-apps.md | The web application sample for this tutorial is written in Node.js. The steps in * A device registered in your IoT hub. If you haven't registered a device yet, register one in the [Azure portal](iot-hub-create-through-portal.md#register-a-new-device-in-the-iot-hub). -* A simulated device that sends telemetry messages to your IoT hub. Use the [Raspberry Pi online simulator](iot-hub-raspberry-pi-web-simulator-get-started.md) to get a simulated device that sends temperature data to IoT Hub. +* A simulated device that sends telemetry messages to your IoT hub. Use the [Raspberry Pi online simulator](raspberry-pi-get-started.md) to get a simulated device that sends temperature data to IoT Hub. * [Node.js](https://nodejs.org) version 14 or later. To check your node version run `node --version`. |
iot-hub | Iot Hub Monitoring Notifications With Azure Logic Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/iot-hub-monitoring-notifications-with-azure-logic-apps.md | Prepare the following prerequisites before beginning this tutorial. * Java SDK: [send-event](https://github.com/Azure/azure-iot-sdk-jav) * Node.js SDK: [simple_sample_device](https://github.com/Azure/azure-iot-sdk-node/blob/main/device/samples/javascript/simple_sample_device.js) * C SDK: [iothub_II_client_shared_sample](https://github.com/Azure/azure-iot-sdk-c/blob/main/iothub_client/samples/iothub_ll_client_shared_sample/iothub_ll_client_shared_sample.c)- * Codeless: [Raspberry Pi online simulator](iot-hub-raspberry-pi-web-simulator-get-started.md) + * Codeless: [Raspberry Pi online simulator](raspberry-pi-get-started.md) ## Create Service Bus namespace and queue |
iot-hub | Iot Hub Raspberry Pi Kit C Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/iot-hub-raspberry-pi-kit-c-get-started.md | - Title: Connect Raspberry Pi to Azure IoT Hub using C -description: Learn how to setup and connect Raspberry Pi to Azure IoT Hub for Raspberry Pi to send data to the Azure cloud platform ----- Previously updated : 06/14/2021----# Connect Raspberry Pi to Azure IoT Hub (C) ---In this article, you learn the basics of working with Raspberry Pi that's running Raspberry Pi OS. You then learn how to connect your devices to the cloud by using [Azure IoT Hub](about-iot-hub.md). For Windows 10 IoT Core samples, go to the [Windows Dev Center](https://www.windowsondevices.com/). --Don't have a kit yet? Try [Raspberry Pi online simulator](iot-hub-raspberry-pi-web-simulator-get-started.md). Or buy a new kit [here](https://azure.microsoft.com/develop/iot/starter-kits). --## What you do --* Create an IoT hub. --* Register a device for Pi in your IoT hub. --* Setup Raspberry Pi. --* Run a sample application on Pi to send sensor data to your IoT hub. --Connect Raspberry Pi to an IoT hub that you create. Then you run a sample application on Pi to collect temperature and humidity data from a BME280 sensor. Finally, you send the sensor data to your IoT hub. --## What you learn --* How to create an Azure IoT hub and get your new device connection string. --* How to connect Pi with a BME280 sensor. --* How to collect sensor data by running a sample application on Pi. --* How to send sensor data to your IoT hub. --## What you need --![What you need](./media/iot-hub-raspberry-pi-kit-c-get-started/0-starter-kit.png) --* The Raspberry Pi 2 or Raspberry Pi 3 board. --* An active Azure subscription. If you don't have an Azure account, [create a free Azure trial account](https://azure.microsoft.com/free/) in just a few minutes. --* A monitor, a USB keyboard, and mouse that connect to Pi. 
--* A Mac or a PC that is running Windows or Linux. --* An Internet connection. --* A 16 GB or above microSD card. --* A USB-SD adapter or microSD card to burn the operating system image onto the microSD card. --* A 5-volt 2-amp power supply with the 6-foot micro USB cable. --The following items are optional: --* An assembled Adafruit BME280 temperature, pressure, and humidity sensor. --* A breadboard. --* 6 F/M jumper wires. --* A diffused 10-mm LED. --> [!NOTE] -> These items are optional because the code sample supports simulated sensor data. -> --## Create an IoT hub ---## Register a new device in the IoT hub ---## Set up Raspberry Pi --Now set up the Raspberry Pi. --### Install the Raspberry Pi OS --Prepare the microSD card for installation of the Raspberry Pi OS image. --1. Download Raspberry Pi OS. -- 1. [Download Raspberry Pi OS with Desktop](https://www.raspberrypi.org/software/) (the .zip file). -- 2. Extract the image to a folder on your computer. --2. Install Raspberry Pi OS to the microSD card. -- 1. [Download and install the Etcher SD card burner utility](https://etcher.io/). -- 2. Run Etcher and select the Raspberry Pi OS image that you extracted in step 1. -- 3. Select the microSD card drive. Note that Etcher may have already selected the correct drive. -- 4. Click Flash to install Raspberry Pi OS to the microSD card. -- 5. Remove the microSD card from your computer when installation is complete. It's safe to remove the microSD card directly because Etcher automatically ejects or unmounts the microSD card upon completion. -- 6. Insert the microSD card into Pi. --### Enable SSH and SPI --1. Connect Pi to the monitor, keyboard and mouse, start Pi and then sign in to Raspberry Pi OS by using `pi` as the user name and `raspberry` as the password. - -2. Click the Raspberry icon > **Preferences** > **Raspberry Pi Configuration**. -- ![The Raspberry Pi OS Preferences menu](./media/iot-hub-raspberry-pi-kit-c-get-started/1-raspbian-preferences-menu.png) --3. 
On the **Interfaces** tab, set **SPI** and **SSH** to **Enable**, and then click **OK**. If you don't have physical sensors and want to use simulated sensor data, this step is optional. -- ![Enable SPI and SSH on Raspberry Pi](./media/iot-hub-raspberry-pi-kit-c-get-started/2-enable-spi-ssh-on-raspberry-pi.png) --> [!NOTE] -> To enable SSH and SPI, you can find more reference documents on [raspberrypi.org](https://www.raspberrypi.org/documentation/remote-access/ssh/) and [RASPI-CONFIG](https://www.raspberrypi.org/documentation/configuration/raspi-config.md). -> --### Connect the sensor to Pi --Use the breadboard and jumper wires to connect an LED and a BME280 to Pi as follows. If you donΓÇÖt have the sensor, [skip this section](#connect-pi-to-the-network). --![The Raspberry Pi and sensor connection](./media/iot-hub-raspberry-pi-kit-c-get-started/3-raspberry-pi-sensor-connection.png) --The BME280 sensor can collect temperature and humidity data. And the LED will blink if there is a communication between device and the cloud. --For sensor pins, use the following wiring: --| Start (Sensor & LED) | End (Board) | Cable Color | -| -- | - | : | -| LED VDD (Pin 5G) | GPIO 4 (Pin 7) | White cable | -| LED GND (Pin 6G) | GND (Pin 6) | Black cable | -| VDD (Pin 18F) | 3.3V PWR (Pin 17) | White cable | -| GND (Pin 20F) | GND (Pin 20) | Black cable | -| SCK (Pin 21F) | SPI0 SCLK (Pin 23) | Orange cable | -| SDO (Pin 22F) | SPI0 MISO (Pin 21) | Yellow cable | -| SDI (Pin 23F) | SPI0 MOSI (Pin 19) | Green cable | -| CS (Pin 24F) | SPI0 CS (Pin 24) | Blue cable | --Click to view [Raspberry Pi 2 & 3 Pin mappings](/windows/iot-core/learn-about-hardware/pinmappings/pinmappingsrpi) for your reference. --After you've successfully connected BME280 to your Raspberry Pi, it should be like below image. --![Connected Pi and BME280](./media/iot-hub-raspberry-pi-kit-c-get-started/4-connected-pi.png) --### Connect Pi to the network --Turn on Pi by using the micro USB cable and the power supply. 
Use the Ethernet cable to connect Pi to your wired network or follow the [instructions from the Raspberry Pi Foundation](https://www.raspberrypi.org/documentation/configuration/wireless/) to connect Pi to your wireless network. After your Pi has been successfully connected to the network, you need to take a note of the [IP address of your Pi](https://www.raspberrypi.org/documentation/remote-access/ip-address.md). --![Connected to wired network](./media/iot-hub-raspberry-pi-kit-c-get-started/5-power-on-pi.png) --## Run a sample application on Pi --### Sign into your Raspberry Pi --1. Use one of the following SSH clients from your host computer to connect to your Raspberry Pi. - - **Windows Users** - 1. Download and install [PuTTY](https://www.chiark.greenend.org.uk/~sgtatham/putty/) for Windows. - 1. Copy the IP address of your Pi into the Host name (or IP address) section and select SSH as the connection type. - - ![PuTTy](./media/iot-hub-raspberry-pi-kit-node-get-started/7-putty-windows.png) -- **Mac and Ubuntu Users** -- Use the built-in SSH client on Ubuntu or macOS. You might need to run `ssh pi@<ip address of pi>` to connect Pi via SSH. - > [!NOTE] - > The default username is `pi` , and the password is `raspberry`. ---### Configure the sample application --1. Clone the sample application by running the following command: -- ```bash - git clone https://github.com/Azure-Samples/iot-hub-c-raspberrypi-client-app.git - ``` --2. A setup script is provided with the sample to prepare the development environment, and build the sample. Run setup script: -- ```bash - cd ./iot-hub-c-raspberrypi-client-app - sudo chmod u+x setup.sh - sudo ./setup.sh - ``` -- > [!NOTE] - > If you **don't have a physical BME280**, you can use '--simulated-data' as command line parameter to simulate temperature&humidity data. `sudo ./setup.sh --simulated-data` - > --### Build and run the sample application --1. The setup script should have already built the sample. 
However, if you make changes and need to rebuild the sample application, run the following command: -- ```bash - cmake . && make - ``` - - ![Build output](./media/iot-hub-raspberry-pi-kit-c-get-started/7-build-output.png) --1. Run the sample application by running the following command: -- ```bash - sudo ./app '<DEVICE CONNECTION STRING>' - ``` -- > [!NOTE] - > Make sure you copy-paste the device connection string into the single quotes. - > --You should see the following output that shows the sensor data and the messages that are sent to your IoT hub. --![Output - sensor data sent from Raspberry Pi to your IoT hub](./media/iot-hub-raspberry-pi-kit-c-get-started/8-run-output.png) --## Read the messages received by your hub --One way to monitor messages received by your IoT hub from your device is to use the Azure IoT Hub extension for Visual Studio Code. To learn more, see [Use the Azure IoT Hub extension for Visual Studio Code to send and receive messages between your device and IoT Hub](iot-hub-vscode-iot-toolkit-cloud-device-messaging.md). --For more ways to process data sent by your device, continue on to the next section. --## Clean up resources --You can use the resources created in this topic with other tutorials and quickstarts in this document set. If you plan to continue on to work with other quickstarts or with the tutorials, do not clean up the resources created in this topic. If you do not plan to continue, use the following steps to delete all resources created by this topic in the Azure portal. --1. From the left-hand menu in the Azure portal, select **All resources** and then select the IoT Hub you created. -1. At the top of the IoT Hub overview pane, click **Delete**. -1. Enter your hub name and click **Delete** again to confirm permanently deleting the IoT hub. ---## Next steps --YouΓÇÖve run a sample application to collect sensor data and send it to your IoT hub. - |
iot-hub | Iot Hub Raspberry Pi Kit Node Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/iot-hub-raspberry-pi-kit-node-get-started.md | - Title: Connect Raspberry Pi to Azure IoT Hub in the cloud (Node.js) -description: Learn how to set up and connect Raspberry Pi to Azure IoT Hub for Raspberry Pi to send data to the Azure cloud platform in this tutorial. ----- Previously updated : 02/22/2022----# Connect Raspberry Pi to Azure IoT Hub (Node.js) ---In this article, you learn the basics of working with Raspberry Pi that's running Raspberry Pi OS. You then learn how to seamlessly connect your devices to the cloud by using [Azure IoT Hub](about-iot-hub.md). For Windows 10 IoT Core samples, go to the [Windows Dev Center](https://www.windowsondevices.com/). --Don't have a kit yet? Try [Raspberry Pi online simulator](iot-hub-raspberry-pi-web-simulator-get-started.md). Or buy a new kit [here](https://azure.microsoft.com/develop/iot/starter-kits). --## What you do --* Create an IoT hub. --* Register a device for Pi in your IoT hub. --* Set up Raspberry Pi. --* Run a sample application on Pi to send sensor data to your IoT hub. --## What you learn --* How to create an Azure IoT hub and get your new device connection string. --* How to connect Pi with a BME280 sensor. --* How to collect sensor data by running a sample application on Pi. --* How to send sensor data to your IoT hub. --## What you need --![What you need](./media/iot-hub-raspberry-pi-kit-node-get-started/0-starter-kit.png) --* A Raspberry Pi 2 or Raspberry Pi 3 board. --* An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. --* A monitor, a USB keyboard, and mouse that connects to Pi. --* A Mac or PC that is running Windows or Linux. --* An internet connection. --* A 16 GB or above microSD card. 
--* A USB-SD adapter or microSD card to burn the operating system image onto the microSD card. --* A 5-volt 2-amp power supply with the 6-foot micro USB cable. --The following items are optional: --* An assembled Adafruit BME280 temperature, pressure, and humidity sensor. --* A breadboard. --* 6 F/M jumper wires. --* A diffused 10-mm LED. --> [!NOTE] -> If you don't have the optional items, you can use simulated sensor data. --## Create an IoT hub ---## Register a new device in the IoT hub ---## Set up Raspberry Pi --### Install the Raspberry Pi OS --Prepare the microSD card for installation of the Raspberry Pi OS image. --1. Download Raspberry Pi OS with desktop. -- a. [Raspberry Pi OS with desktop](https://www.raspberrypi.org/software/) (the .zip file). -- b. Extract the Raspberry Pi OS with desktop image to a folder on your computer. --2. Install Raspberry Pi OS with desktop to the microSD card. -- a. [Download and install the Etcher SD card burner utility](https://etcher.io/). -- b. Run Etcher and select the Raspberry Pi OS with desktop image that you extracted in step 1. -- c. Select the microSD card drive. Etcher may have already selected the correct drive. -- d. Select Flash to install Raspberry Pi OS with desktop to the microSD card. -- e. Remove the microSD card from your computer when installation is complete. It's safe to remove the microSD card directly because Etcher automatically ejects or unmounts the microSD card upon completion. -- f. Insert the microSD card into Pi. --### Enable SSH and I2C --1. Connect Pi to the monitor, keyboard, and mouse. --2. Start Pi and then sign into Raspberry Pi OS by using `pi` as the user name and `raspberry` as the password. --3. Select the Raspberry icon > **Preferences** > **Raspberry Pi Configuration**. -- ![The Raspberry Pi OS with Preferences menu](./media/iot-hub-raspberry-pi-kit-node-get-started/1-raspbian-preferences-menu.png) --4. 
On the **Interfaces** tab, set **SSH** and **I2C** to **Enable**, and then select **OK**. - - | Interface | Description | - | | -- | - | *SSH* | Secure Shell (SSH) is used to remote into the Raspberry Pi with a remote command-line. This is the preferred method for issuing the commands to your Raspberry Pi remotely in this document. | - | *I2C* | Inter-integrated Circuit (I2C) is a communications protocol used to interface with hardware such as sensors. This interface is required for interfacing with physical sensors in this article.| -- If you don't have physical sensors and want to use simulated sensor data from your Raspberry Pi device, you can leave **I2C** disabled. -- ![Enable I2C and SSH on Raspberry Pi](./media/iot-hub-raspberry-pi-kit-node-get-started/2-enable-i2c-ssh-on-raspberry-pi.png) --> [!NOTE] -> To enable SSH and I2C, you can find more reference documents on [raspberrypi.org](https://www.raspberrypi.org/documentation/remote-access/ssh/) and [Adafruit.com](https://learn.adafruit.com/adafruits-raspberry-pi-lesson-4-gpio-setup/configuring-i2c). --### Connect the sensor to Pi --Use the breadboard and jumper wires to connect an LED and a BME280 to Pi as follows. If you don't have the sensor, [skip this section](#connect-pi-to-the-network). --![The Raspberry Pi and sensor connection](./media/iot-hub-raspberry-pi-kit-node-get-started/3-raspberry-pi-sensor-connection.png) --The BME280 sensor can collect temperature and humidity data. The LED blinks when the device sends a message to the cloud. 
--For sensor pins, use the following wiring: --| Start (Sensor & LED) | End (Board) | Cable Color | -| -- | - | : | -| VDD (Pin 5G) | 3.3 V PWR (Pin 1) | White cable | -| GND (Pin 7G) | GND (Pin 6) | Brown cable | -| SDI (Pin 10G) | I2C1 SDA (Pin 3) | Red cable | -| SCK (Pin 8G) | I2C1 SCL (Pin 5) | Orange cable | -| LED VDD (Pin 18F) | GPIO 24 (Pin 18) | White cable | -| LED GND (Pin 17F) | GND (Pin 20) | Black cable | --For more information, see [Raspberry Pi 2 & 3 pin mappings](/windows/iot-core/learn-about-hardware/pinmappings/pinmappingsrpi). --After you've successfully connected BME280 to your Raspberry Pi, it should be like below image. --![Connected Pi and BME280](./media/iot-hub-raspberry-pi-kit-node-get-started/4-connected-pi.png) --### Connect Pi to the network --Turn on Pi by using the micro USB cable and the power supply. Use the Ethernet cable to connect Pi to your wired network or follow the [instructions from the Raspberry Pi Foundation](https://www.raspberrypi.org/documentation/configuration/wireless/) to connect Pi to your wireless network. After your Pi has been successfully connected to the network, you need to take a note of the [IP address of your Pi](https://www.raspberrypi.org/documentation/remote-access/ip-address.md). --> [!NOTE] -> Make sure that Pi is connected to the same network as your computer. For example, if your computer is connected to a wireless network while Pi is connected to a wired network, you might not see the IP address in the devdisco output. --## Run a sample application on Pi --### Clone sample application and install the prerequisite packages --1. Connect to your Raspberry Pi with one of the following SSH clients from your host computer: -- **Windows Users** -- a. Download and install [PuTTY](https://www.chiark.greenend.org.uk/~sgtatham/putty/) for Windows. -- b. Copy the IP address of your Pi into the Host name (or IP address) section and select SSH as the connection type. 
-- ![PuTTy](./media/iot-hub-raspberry-pi-kit-node-get-started/7-putty-windows.png) -- **Mac and Ubuntu Users** -- Use the built-in SSH client on Ubuntu or macOS. You might need to run `ssh pi@<ip address of pi>` to connect Pi via SSH. -- > [!NOTE] - > The default username is `pi` and the password is `raspberry`. --2. Install Node.js and npm to your Pi. -- First check your Node.js version. -- ```bash - node -v - ``` -- If the version is lower than 10.x, or if Node.js isn't on your Pi, install the latest version. -- ```bash - curl -sSL https://deb.nodesource.com/setup_16.x | sudo -E bash - sudo apt-get -y install nodejs - ``` --3. Clone the sample application. -- ```bash - git clone https://github.com/Azure-Samples/azure-iot-samples-node.git - ``` --4. Install all packages for the sample. The installation includes Azure IoT device SDK, BME280 Sensor library, and Wiring Pi library. -- ```bash - cd azure-iot-samples-node/iot-hub/Tutorials/RaspberryPiApp - npm install - ``` -- > [!NOTE] - >It might take several minutes to finish this installation process depending on your network connection. --### Configure the sample application --1. Open the config file by running the following commands: -- ```bash - nano config.json - ``` -- ![Config file](./media/iot-hub-raspberry-pi-kit-node-get-started/6-config-file.png) -- There are two items in this file you can configure. The first one is `interval`, which defines the time interval (in milliseconds) between messages sent to the cloud. The second one is `simulatedData`, which is a Boolean value for whether to use simulated sensor data or not. -- If you **don't have the sensor**, set the `simulatedData` value to `true` to make the sample application create and use simulated sensor data. -- *Note: The i2c address used in this tutorial is 0x77 by default. Depending on your configuration it might also be 0x76: if you encounter an i2c error, try to change the value to 118 and see if that works better. 
To see what address is used by your sensor, run `sudo i2cdetect -y 1` in a shell on the raspberry pi* --2. Save and exit by typing Control-O > Enter > Control-X. --### Run the sample application --Run the sample application by running the following command: -- ```bash - sudo node index.js '<YOUR AZURE IOT HUB DEVICE CONNECTION STRING>' - ``` -- > [!NOTE] - > Make sure you copy-paste the device connection string into the single quotes. --You should see the following output that shows the sensor data and the messages that are sent to your IoT hub. --![Output - sensor data sent from Raspberry Pi to your IoT hub](./media/iot-hub-raspberry-pi-kit-node-get-started/8-run-output.png) --## Read the messages received by your hub --One way to monitor messages received by your IoT hub from your device is to use the Azure IoT Hub extension for Visual Studio Code. To learn more, see [Use the Azure IoT Hub extension for Visual Studio Code to send and receive messages between your device and IoT Hub](iot-hub-vscode-iot-toolkit-cloud-device-messaging.md). --For more ways to process data sent by your device, continue on to the next section. --## Clean up resources --You can use the resources created in this article with other tutorials and quickstarts in this document set. If you plan to continue on to work with other quickstarts or with the tutorials, don't clean up the resources created in this article. If you don't plan to continue, use the following steps to delete all resources created by this article in the Azure portal. --1. From the left-hand menu in the Azure portal, select **All resources** and then select the IoT Hub you created. -1. At the top of the IoT Hub overview pane, select **Delete**. -1. Enter your hub name and select **Delete** again to confirm permanently deleting the IoT hub. --## Next steps --In this article, you ran a sample application to collect sensor data and send it to your IoT hub. - |
iot-hub | Iot Hub Raspberry Pi Web Simulator Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/iot-hub-raspberry-pi-web-simulator-get-started.md | - Title: Connect Raspberry Pi web simulator to Azure IoT Hub (Node.js) -description: Connect Raspberry Pi web simulator to Azure IoT Hub for Raspberry Pi to send data to the Azure cloud. ----- Previously updated : 11/22/2022----# Connect Raspberry Pi online simulator to Azure IoT Hub (Node.js) ---In this article, you learn the basics of working with Raspberry Pi online simulator. You then learn how to seamlessly connect the Pi simulator to the cloud by using [Azure IoT Hub](about-iot-hub.md). ---[:::image type="content" source="media/iot-hub-raspberry-pi-web-simulator/6-button-default.png" alt-text="Start Raspberry Pi simulator":::](https://azure-samples.github.io/raspberry-pi-web-simulator/#getstarted) ---If you have physical devices, visit [Connect Raspberry Pi to Azure IoT Hub](iot-hub-raspberry-pi-kit-node-get-started.md) to get started. --## What you do --* Learn the basics of Raspberry Pi online simulator. --* Create an IoT hub. --* Register a device for Pi in your IoT hub. --* Run a sample application on Pi to send simulated sensor data to your IoT hub. --You first connect the simulated Raspberry Pi to an IoT hub that you create. You then run a sample application with the simulated Pi to generate sensor data. Finally, you send the sensor data to your IoT hub. --## What you learn --* How to create an Azure IoT hub and get your new device connection string. If you don't have an Azure account, [create a free Azure trial account](https://azure.microsoft.com/free/) in just a few minutes. --* How to work with Raspberry Pi online simulator. --* How to send sensor data to your IoT hub. --## Overview of Raspberry Pi web simulator --Select the following button to start Raspberry Pi online simulator. 
--> [!div class="button"] -> <a href="https://azure-samples.github.io/raspberry-pi-web-simulator/#GetStarted" target="_blank">Start Raspberry Pi Simulator</a> --There are three areas in the web simulator. --1. Assembly area - A graphic depiction of the Pi simulator, and any simulated devices and connections. -- By default, the assembly area simulates connections from the Pi to two devices: - * A BME280 humidity sensor connected to I2C.1 - * An LED connected to GPIO 4 -- The assembly area is locked in this preview version, so you currently can't customize the assembly. --2. Coding area - An online code editor for you to code with Raspberry Pi. The default sample application helps to collect sensor data from the simulated BME280 sensor and sends that data to your IoT hub. The application is fully compatible with real Pi devices. --3. Integrated console window - A window that shows the output of your code. At the top of this window, there are three buttons. -- * **Run** - Run the application in the coding area. -- * **Reset** - Reset the coding area to the default sample application. -- * **Collapse/Expand** - On the right side, there's a button for you to collapse or expand the console window. --> [!NOTE] -> The Raspberry Pi web simulator is currently available in a preview version. We'd like to hear your voice in the [Gitter Chatroom](https://gitter.im/Microsoft/raspberry-pi-web-simulator). The source code is public on [GitHub](https://github.com/Azure-Samples/raspberry-pi-web-simulator). --![Overview of Pi online simulator](media/iot-hub-raspberry-pi-web-simulator/0-overview.png) --## Create an IoT hub ---## Register a new device in the IoT hub ---## Run a sample application on Pi web simulator --1. In the coding area, make sure you're working with the default sample application. Replace the placeholder in line 15 with the Azure IoT hub device connection string. 
- - ![Replace the device connection string](media/iot-hub-raspberry-pi-web-simulator/1-connectionstring.png) --2. Select **Run** or type `npm start` in the integrated console window to run the application. --You should see the following output that shows the sensor data and the messages that are sent to your IoT hub -![Output - sensor data sent from Raspberry Pi to your IoT hub](media/iot-hub-raspberry-pi-web-simulator/2-run-application.png) --## Read the messages received by your hub --One way to monitor messages received by your IoT hub from the simulated device is to use the Azure IoT Hub extension for Visual Studio Code. To learn more, see [Use the Azure IoT Hub extension for Visual Studio Code to send and receive messages between your device and IoT Hub](iot-hub-vscode-iot-toolkit-cloud-device-messaging.md). --For more ways to process data sent by your device, continue on to the next section. --## Next steps --You've run a sample application to collect sensor data and send it to your IoT hub. - |
iot-hub | Raspberry Pi Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/raspberry-pi-get-started.md | + + Title: Connect Raspberry Pi to Azure IoT Hub ++description: Connect a Raspberry Pi to Azure IoT Hub and test sample scenarios that send data to the Azure cloud. +++++ Last updated : 02/22/2024+++# Connect Raspberry Pi to Azure IoT Hub ++This article provides basic steps for getting starting with connecting a Raspberry Pi that's running Raspberry Pi OS to the cloud by using [Azure IoT Hub](about-iot-hub.md). You can use a physical Raspberry Pi device or an online device emulator. ++## Prerequisites ++Have the following prerequisites prepared before starting this article: ++* An Azure subscription. +* An IoT hub with a device registered to it. If you don't have a hub with a registered device already, see [Create an IoT hub using the Azure portal](./iot-hub-create-through-portal.md). ++## Use the online simulator ++Select the following button to start Raspberry Pi online simulator. ++> [!div class="button"] +> <a href="https://azure-samples.github.io/raspberry-pi-web-simulator/#GetStarted" target="_blank">Start Raspberry Pi Simulator</a> ++There are three areas in the web simulator. ++![Screenshot that shows an overview of Pi online simulator.](media/raspberry-pi-get-started/simulator-overview.png) ++1. Assembly area - A graphic depiction of the Pi simulator, including connections between the Pi and two devices: ++ * A BME280 humidity sensor connected to I2C.1 + * An LED connected to GPIO 4 ++2. Coding area - An online code editor for you to code with Raspberry Pi. The default sample application collects sensor data from the simulated BME280 sensor and sends that data to your IoT hub. The application is fully compatible with real Pi devices. ++3. Integrated console window - A window that shows the output of your code. At the top of this window, there are three buttons. ++ * **Run** - Run the application in the coding area. 
++ * **Reset** - Reset the coding area to the default sample application. ++ * **Collapse/Expand** - On the right side, there's a button for you to collapse or expand the console window. ++> [!NOTE] +> The Raspberry Pi web simulator is currently archived and no longer being actively maintained. The source code is public on GitHub: [raspberry-pi-web-simulator](https://github.com/Azure-Samples/raspberry-pi-web-simulator). ++### Run a sample application on the Pi web simulator ++1. In the coding area, make sure you're working with the default sample application. Replace the placeholder in line 15 with a device connection string from your IoT hub. ++ ![Screenshot that shows replacing the device connection string placeholder.](media/raspberry-pi-get-started/simulator-connection-string.png) ++2. Select **Run** or type `npm start` in the integrated console window to run the application. ++You should see the following output that shows the sensor data and the messages that are sent to your IoT hub: ++![Screenshot that shows output sensor data sent from Raspberry Pi to your IoT hub.](media/raspberry-pi-get-started/simulator-run-application.png) ++## Use a physical device ++The following sections walk through setting up a Raspberry Pi solution, including: ++* A Raspberry Pi device ++ >[!NOTE] + >The steps in this article have been tested on Raspberry Pi 2 and Raspberry Pi 3 boards. ++* A monitor, a USB keyboard, and mouse that connects to Pi. ++* A Mac or PC that is running Windows or Linux. ++* An internet connection. ++* A 16 GB or larger microSD card. ++* A USB-SD adapter or microSD card to burn the operating system image onto the microSD card. ++* A 5-volt 2-amp power supply with the 6-foot micro USB cable. ++### Install the Raspberry Pi OS ++Prepare the microSD card for installation of the Raspberry Pi OS image. ++1. Download Raspberry Pi OS with desktop. ++ a. [Raspberry Pi OS with desktop](https://www.raspberrypi.org/software/) (the .zip file). ++ b. 
Extract the Raspberry Pi OS with desktop image to a folder on your computer. ++2. Install Raspberry Pi OS with desktop to the microSD card. ++ a. [Download and install the Etcher SD card burner utility](https://etcher.io/). ++ b. Run Etcher and select the Raspberry Pi OS with desktop image that you extracted in step 1. ++ c. Select the microSD card drive if it isn't selected already. ++ d. Select Flash to install Raspberry Pi OS with desktop to the microSD card. ++ e. Remove the microSD card from your computer when installation is complete. It's safe to remove the microSD card directly because Etcher automatically ejects or unmounts the microSD card upon completion. ++ f. Insert the microSD card into Pi. ++### Enable SSH and I2C ++1. Connect Pi to the monitor, keyboard, and mouse. ++2. Start Pi and then sign into Raspberry Pi OS by using `pi` as the user name and `raspberry` as the password. ++3. Select the Raspberry icon > **Preferences** > **Raspberry Pi Configuration**. ++ ![Screenshot that shows the Raspberry Pi OS with Preferences menu.](./media/raspberry-pi-get-started/pi-preferences-menu.png) ++4. On the **Interfaces** tab, set **SSH** and **I2C** to **Enable**, and then select **OK**. ++ | Interface | Description | + | | -- | + | *SSH* | Secure Shell (SSH) is used to remote into the Raspberry Pi with a remote command-line. SSH is the preferred method for issuing the commands to your Raspberry Pi remotely in this document. | + | *I2C* | Inter-integrated Circuit (I2C) is a communications protocol used to interface with hardware such as sensors. This interface is required for interfacing with physical sensors in this article.| ++ If you don't have physical sensors and want to use simulated sensor data from your Raspberry Pi device, you can leave **I2C** disabled. 
++ ![Screenshot that shows the configuration to enable I2C and SSH on Raspberry Pi.](./media/raspberry-pi-get-started/pi-enable-i2c-ssh.png) ++> [!NOTE] +> To enable SSH and I2C, you can find more reference documents on [raspberrypi.org](https://www.raspberrypi.org/documentation/remote-access/ssh/) and [Adafruit.com](https://learn.adafruit.com/adafruits-raspberry-pi-lesson-4-gpio-setup/configuring-i2c). ++### Connect Pi to the network ++Turn on Pi by using the micro USB cable and the power supply. Use the Ethernet cable to connect Pi to your wired network or follow the [instructions from the Raspberry Pi Foundation](https://www.raspberrypi.org/documentation/configuration/wireless/) to connect Pi to your wireless network. After your Pi is connected to the network, you need to take a note of the [IP address of your Pi](https://www.raspberrypi.org/documentation/remote-access/ip-address.md). ++> [!NOTE] +> Make sure that Pi is connected to the same network as your computer. For example, if your computer is connected to a wireless network while Pi is connected to a wired network, you might not see the IP address in the devdisco output. ++### Run a sample application on the Pi ++The following samples collect sensor data from a BME280 sensor (or can simulate the data if you don't have that hardware available) and send it to your IoT hub. ++| SDK | Sample | +| | | +| Python | [iot-hub-python-raspberrypi-client-app](https://github.com/Azure-Samples/iot-hub-python-raspberrypi-client-app) | +| C | [iot-hub-c-raspberrypi-client-app](https://github.com/Azure-Samples/iot-hub-c-raspberrypi-client-app) | +| Node | [RaspberryPiApp](https://github.com/Azure-Samples/azure-iot-samples-node/tree/master/iot-hub/Tutorials/RaspberryPiApp) | ++> [!NOTE] +> These samples are currently archived and no longer being actively maintained. |
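Review bot: In the "Enable SSH and I2C" and "Connect Pi to the network" steps of the new raspberry-pi-get-started.md, the reader signs in with the default `pi`/`raspberry` credentials, enables SSH, and then puts the board on the network, with no step to change that password (or switch to key-based SSH) first; suggest adding a "change the default password" step before SSH is enabled, since the device is reachable over the LAN with a well-known credential from that point on. Two smaller points in the same hunk: the opening sentence reads "getting starting with connecting", which should be "getting started with connecting", and the network note mentions "the devdisco output" although this article never introduces a devdisco tool, so either describe how the reader finds the IP address or drop that reference.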
iot | Iot Glossary | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot/iot-glossary.md | Casing rules: Always lowercase. Applies to: Iot Hub -### Azure Certified Device program --Azure Certified [Device](#device) is a free program that enables you to differentiate, certify, and promote your IoT devices built to run on Azure. --[Learn more](../certification/overview.md) --Casing rules: Always capitalize as *Azure Certified Device*. --Applies to: Iot Hub, IoT Central - ### Azure Digital Twins A platform as a service (PaaS) offering for creating digital representations of real-world things, places, business processes, and people. Build twin graphs that represent entire environments, and use them to gain insights to drive better products, optimize operations and costs, and create breakthrough customer experiences. Applies to: Iot Hub ### Device -In the context of IoT, a device is typically a small-scale, standalone computing device that may collect data or control other devices. For example, a device might be an environmental monitoring device, or a controller for the watering and ventilation systems in a greenhouse. The device catalog provides a list of certified devices. +In the context of IoT, a device is typically a small-scale, standalone computing device that may collect data or control other devices. For example, a device might be an environmental monitoring device, or a controller for the watering and ventilation systems in a greenhouse. Casing rules: Always lowercase. |
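Review bot: Removing the "Azure Certified Device program" glossary entry also removes its heading anchor, and the remaining "Device" entry drops the sentence pointing at the device catalog; suggest confirming that no other glossary entry or article still links to the removed entry (the related rows in this batch drop the device catalog links from iot-introduction.md, iot-mqtt-connect-to-iot-hub.md, iot-services-and-technologies.md and overview-iot-plug-and-play.md, so a search for any remaining references would close the sweep).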
iot | Iot Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot/iot-introduction.md | An IoT device is typically made up of a circuit board with sensors attached that * An accelerometer in an elevator. * Presence sensors in a room. -There's a wide variety of devices available from different manufacturers to build your solution. For a list of devices certified to work with Azure IoT Hub, see the [Azure Certified for IoT device catalog](https://devicecatalog.azure.com). For prototyping a microprocessor device, you can use a device such as a [Raspberry Pi](https://www.raspberrypi.org/). The Raspberry Pi lets you attach many different types of sensor. For prototyping a microcontroller device, you can use devices such as the [ESPRESSIF ESP32](../iot-develop/quickstart-devkit-espressif-esp32-freertos-iot-hub.md), [STMicroelectronics B-U585I-IOT02A Discovery kit](../iot-develop/quickstart-devkit-stm-b-u585i-iot-hub.md), [STMicroelectronics B-L4S5I-IOT01A Discovery kit](../iot-develop/quickstart-devkit-stm-b-l4s5i-iot-hub.md), or [NXP MIMXRT1060-EVK Evaluation kit](../iot-develop/quickstart-devkit-nxp-mimxrt1060-evk-iot-hub.md). These boards typically have built-in sensors, such as temperature and accelerometer sensors. +There's a wide variety of devices available from different manufacturers to build your solution. For prototyping a microprocessor device, you can use a device such as a [Raspberry Pi](https://www.raspberrypi.org/). The Raspberry Pi lets you attach many different types of sensor. 
For prototyping a microcontroller device, you can use devices such as the [ESPRESSIF ESP32](../iot-develop/quickstart-devkit-espressif-esp32-freertos-iot-hub.md), [STMicroelectronics B-U585I-IOT02A Discovery kit](../iot-develop/quickstart-devkit-stm-b-u585i-iot-hub.md), [STMicroelectronics B-L4S5I-IOT01A Discovery kit](../iot-develop/quickstart-devkit-stm-b-l4s5i-iot-hub.md), or [NXP MIMXRT1060-EVK Evaluation kit](../iot-develop/quickstart-devkit-nxp-mimxrt1060-evk-iot-hub.md). These boards typically have built-in sensors, such as temperature and accelerometer sensors. Microsoft provides open-source [Device SDKs](../iot-hub/iot-hub-devguide-sdks.md) that you can use to build the apps that run on your devices. |
iot | Iot Mqtt Connect To Iot Hub | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot/iot-mqtt-connect-to-iot-hub.md | To learn more about using IoT device SDKS, see: To learn more about planning your IoT Hub deployment, see: -* [Azure Certified Device Catalog](https://devicecatalog.azure.com/) * [How an IoT Edge device can be used as a gateway](../iot-edge/iot-edge-as-gateway.md) * [Connecting IoT Devices to Azure: IoT Hub and Event Hubs](../iot-hub/iot-hub-compare-event-hubs.md) * [Choose the right IoT Hub tier for your solution](../iot-hub/iot-hub-scaling.md) |
iot | Iot Services And Technologies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot/iot-services-and-technologies.md | Azure IoT technologies and services provide you with options to create a wide va ## Devices and device SDKs -You can choose a device to use from the [Azure Certified for IoT device catalog](https://devicecatalog.azure.com). You can implement your own embedded code using the open-source [device SDKs](./iot-sdks.md). The device SDKs support multiple operating systems, such as Linux, Windows, and real-time operating systems. There are SDKs for multiple programming languages, such as [C](https://github.com/Azure/azure-iot-sdk-c), [Node.js](https://github.com/Azure/azure-iot-sdk-node), [Java](https://github.com/Azure/azure-iot-sdk-java), [.NET](https://github.com/Azure/azure-iot-sdk-csharp), and [Python](https://github.com/Azure/azure-iot-sdk-python). +You can implement your own embedded code using the open-source [device SDKs](./iot-sdks.md). The device SDKs support multiple operating systems, such as Linux, Windows, and real-time operating systems. There are SDKs for multiple programming languages, such as [C](https://github.com/Azure/azure-iot-sdk-c), [Node.js](https://github.com/Azure/azure-iot-sdk-node), [Java](https://github.com/Azure/azure-iot-sdk-java), [.NET](https://github.com/Azure/azure-iot-sdk-csharp), and [Python](https://github.com/Azure/azure-iot-sdk-python). You can further simplify how you create the embedded code for your devices by following the [IoT Plug and Play](../iot/overview-iot-plug-and-play.md) conventions. IoT Plug and Play enables solution developers to integrate devices with their solutions without writing any embedded code. At the core of IoT Plug and Play, is a _device capability model_ schema that describes device capabilities. Use the device capability model to configure a cloud-based solution such as an IoT Central application. |
iot | Overview Iot Plug And Play | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot/overview-iot-plug-and-play.md | As a device builder, you can develop an IoT hardware product that supports IoT P 1. Ensure the device announces the model ID as part of the MQTT connection. The Azure IoT SDKs include constructs to provide the model ID at connection time. -## Device certification --The [IoT Plug and Play device certification program](../certification/program-requirements-pnp.md) verifies that a device meets the IoT Plug and Play certification requirements. You can add a certified device to the public [Certified for Azure IoT device catalog](https://aka.ms/devicecatalog) where it's discoverable by other solution builders. - ## Next steps Now that you have an overview of IoT Plug and Play, the suggested next step is to try out one of the quickstarts: |
key-vault | Quick Create Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/keys/quick-create-terraform.md | +ai-usage: ai-assisted # Quickstart: Create an Azure key vault and key using Terraform |
key-vault | Disaster Recovery Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/managed-hsm/disaster-recovery-guide.md | Here are the steps of the disaster recovery procedure: 4. Take a backup of the new HSM. A backup is required before any restore, even when the HSM is empty. Backups allow for easy roll-back. 5. Restore the recent HSM backup from the source HSM. -These steps will enable you to manually replicate contents of the HSM to another region. The HSM name (and the service endpoint URI) will be different, so you may have to change your application configuration to make use of these keys from a different location. +These steps will enable you to manually replicate contents of the HSM to another region. The HSM name (and the service endpoint URI) will be different, so you will have to change your application configuration to make use of these keys from a different location. ## Create a new Managed HSM |
load-balancer | Ipv6 Configure Template Json | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/basic/ipv6-configure-template-json.md | -This article provides a list of IPv6 configuration tasks with the portion of the Azure Resource Manager VM template that applies to. Use the template described in this article to deploy a dual stack (IPv4 + IPv6) application with Basic Load Balancer that includes a dual stack virtual network with IPv4 and IPv6 subnets, a Basic Load Balancer with dual (IPv4 + IPv6) front-end configurations, VMs with NICs that have a dual IP configuration, network security group, and public IPs. +This article provides a list of IPv6 configuration tasks with the portion of the Azure Resource Manager VM template that applies to. Use the template described in this article to deploy a dual stack (IPv4 + IPv6) application with Basic Load Balancer that includes a dual stack virtual network with IPv4 and IPv6 subnets, a Basic Load Balancer with dual (IPv4 + IPv6) frontend configurations, VMs with NICs that have a dual IP configuration, network security group, and public IPs. To deploy a dual stack (IPV4 + IPv6) application using Standard Load Balancer, see [Deploy an IPv6 dual stack application with Standard Load Balancer - Template](../ipv6-configure-standard-load-balancer-template-json.md). If you're using a network virtual appliance, add IPv6 routes in the Route Table. } ``` -### IPv6 Back-end address pool for Load Balancer +### IPv6 Backend address pool for Load Balancer ```JSON "backendAddressPool": { |
load-balancer | Quickstart Basic Internal Load Balancer Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/basic/quickstart-basic-internal-load-balancer-cli.md | To create a network security group rule, use [az network nsg rule create](/cli/a --priority 200 ``` -## Create back-end servers +## Create backend servers In this section, you create: |
load-balancer | Quickstart Basic Internal Load Balancer Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/basic/quickstart-basic-internal-load-balancer-powershell.md | New-AzNetworkSecurityGroup @nsg This section details how you can create and configure the following components of the load balancer: -* Create a front-end IP with [New-AzLoadBalancerFrontendIpConfig](/powershell/module/az.network/new-azloadbalancerfrontendipconfig) for the frontend IP pool. This IP receives the incoming traffic on the load balancer +* Create a frontend IP with [New-AzLoadBalancerFrontendIpConfig](/powershell/module/az.network/new-azloadbalancerfrontendipconfig) for the frontend IP pool. This IP receives the incoming traffic on the load balancer -* Create a back-end address pool with [New-AzLoadBalancerBackendAddressPoolConfig](/powershell/module/az.network/new-azloadbalancerbackendaddresspoolconfig) for traffic sent from the frontend of the load balancer +* Create a backend address pool with [New-AzLoadBalancerBackendAddressPoolConfig](/powershell/module/az.network/new-azloadbalancerbackendaddresspoolconfig) for traffic sent from the frontend of the load balancer * Create a health probe with [Add-AzLoadBalancerProbeConfig](/powershell/module/az.network/add-azloadbalancerprobeconfig) that determines the health of the backend VM instances |
load-balancer | Quickstart Basic Public Load Balancer Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/basic/quickstart-basic-public-load-balancer-powershell.md | New-AzPublicIpAddress @publicip This section details how you can create and configure the following components of the load balancer: -* Create a front-end IP with [New-AzLoadBalancerFrontendIpConfig](/powershell/module/az.network/new-azloadbalancerfrontendipconfig) for the frontend IP pool. This IP receives the incoming traffic on the load balancer +* Create a frontend IP with [New-AzLoadBalancerFrontendIpConfig](/powershell/module/az.network/new-azloadbalancerfrontendipconfig) for the frontend IP pool. This IP receives the incoming traffic on the load balancer -* Create a back-end address pool with [New-AzLoadBalancerBackendAddressPoolConfig](/powershell/module/az.network/new-azloadbalancerbackendaddresspoolconfig) for traffic sent from the frontend of the load balancer. This pool is where your backend virtual machines are deployed +* Create a backend address pool with [New-AzLoadBalancerBackendAddressPoolConfig](/powershell/module/az.network/new-azloadbalancerbackendaddresspoolconfig) for traffic sent from the frontend of the load balancer. This pool is where your backend virtual machines are deployed * Create a health probe with [Add-AzLoadBalancerProbeConfig](/powershell/module/az.network/add-azloadbalancerprobeconfig) that determines the health of the backend VM instances |
load-balancer | Virtual Network Ipv4 Ipv6 Dual Stack Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/basic/virtual-network-ipv4-ipv6-dual-stack-cli.md | -This article shows you how to deploy a dual stack (IPv4 + IPv6) application with Basic Load Balancer using Azure CLI that includes a dual stack virtual network with a dual stack subnet, a Basic Load Balancer with dual (IPv4 + IPv6) front-end configurations, VMs with NICs that have a dual IP configuration, dual network security group rules, and dual public IPs. +This article shows you how to deploy a dual stack (IPv4 + IPv6) application with Basic Load Balancer using Azure CLI that includes a dual stack virtual network with a dual stack subnet, a Basic Load Balancer with dual (IPv4 + IPv6) frontend configurations, VMs with NICs that have a dual IP configuration, dual network security group rules, and dual public IPs. To deploy a dual stack (IPV4 + IPv6) application using Standard Load Balancer, see [Deploy an IPv6 dual stack application with Standard Load Balancer using Azure CLI](../virtual-network-ipv4-ipv6-dual-stack-standard-load-balancer-cli.md). az network public-ip create \ ## Create Basic Load Balancer -In this section, you configure dual frontend IP (IPv4 and IPv6) and the back-end address pool for the load balancer and then create a Basic Load Balancer. +In this section, you configure dual frontend IP (IPv4 and IPv6) and the backend address pool for the load balancer and then create a Basic Load Balancer. ### Create load balancer az network lb frontend-ip create \ ``` -### Configure IPv6 back-end address pool +### Configure IPv6 backend address pool -Create a IPv6 back-end address pools with [az network lb address-pool create](/cli/azure/network/lb/address-pool#az-network-lb-address-pool-create). 
The following example creates back-end address pool named *dsLbBackEndPool_v6* to include VMs with IPv6 NIC configurations: +Create a IPv6 backend address pools with [az network lb address-pool create](/cli/azure/network/lb/address-pool#az-network-lb-address-pool-create). The following example creates backend address pool named *dsLbBackEndPool_v6* to include VMs with IPv6 NIC configurations: ```azurecli-interactive az network lb address-pool create \ When no longer needed, you can use the [az group delete](/cli/azure/group#az-gro ## Next steps -In this article, you created a Basic Load Balancer with a dual frontend IP configuration (IPv4 and IPv6). You also created a two virtual machines that included NICs with dual IP configurations (IPV4 + IPv6) that were added to the back-end pool of the load balancer. To learn more about IPv6 support in Azure virtual networks, see [What is IPv6 for Azure Virtual Network?](../../virtual-network/ip-services/ipv6-overview.md) +In this article, you created a Basic Load Balancer with a dual frontend IP configuration (IPv4 and IPv6). You also created a two virtual machines that included NICs with dual IP configurations (IPV4 + IPv6) that were added to the backend pool of the load balancer. To learn more about IPv6 support in Azure virtual networks, see [What is IPv6 for Azure Virtual Network?](../../virtual-network/ip-services/ipv6-overview.md) |
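Review bot: the rewritten sentence keeps two grammar slips from the original while only the hyphenation changes: "Create a IPv6 backend address pools" should read "Create an IPv6 backend address pool", and "creates backend address pool named" needs an article ("creates a backend address pool named"). The same applies to the Next steps line, where "+You also created a two virtual machines" should be "You also created two virtual machines"; since these lines are being touched anyway, fix them in the same commit.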
load-balancer | Virtual Network Ipv4 Ipv6 Dual Stack Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/basic/virtual-network-ipv4-ipv6-dual-stack-powershell.md | -This article shows you how to deploy a dual stack (IPv4 + IPv6) application with Basic Load Balancer using Azure PowerShell that includes a dual stack virtual network and subnet, a Basic Load Balancer with dual (IPv4 + IPv6) front-end configurations, VMs with NICs that have a dual IP configuration, network security group, and public IPs. +This article shows you how to deploy a dual stack (IPv4 + IPv6) application with Basic Load Balancer using Azure PowerShell that includes a dual stack virtual network and subnet, a Basic Load Balancer with dual (IPv4 + IPv6) frontend configurations, VMs with NICs that have a dual IP configuration, network security group, and public IPs. To deploy a dual stack (IPV4 + IPv6) application using Standard Load Balancer, see [Deploy an IPv6 dual stack application with Standard Load Balancer using Azure PowerShell](../virtual-network-ipv4-ipv6-dual-stack-standard-load-balancer-powershell.md). To access your virtual machines using a RDP connection, create a IPV4 public IP ## Create Basic Load Balancer -In this section, you configure dual frontend IP (IPv4 and IPv6) and the back-end address pool for the load balancer and then create a Basic Load Balancer. +In this section, you configure dual frontend IP (IPv4 and IPv6) and the backend address pool for the load balancer and then create a Basic Load Balancer. -### Create front-end IP +### Create frontend IP -Create a front-end IP with [New-AzLoadBalancerFrontendIpConfig](/powershell/module/az.network/new-azloadbalancerfrontendipconfig). The following example creates IPv4 and IPv6 frontend IP configurations named *dsLbFrontEnd_v4* and *dsLbFrontEnd_v6*: +Create a frontend IP with [New-AzLoadBalancerFrontendIpConfig](/powershell/module/az.network/new-azloadbalancerfrontendipconfig). 
The following example creates IPv4 and IPv6 frontend IP configurations named *dsLbFrontEnd_v4* and *dsLbFrontEnd_v6*: ```azurepowershell-interactive $frontendIPv4 = New-AzLoadBalancerFrontendIpConfig ` $frontendIPv6 = New-AzLoadBalancerFrontendIpConfig ` ``` -### Configure back-end address pool +### Configure backend address pool -Create a back-end address pool with [New-AzLoadBalancerBackendAddressPoolConfig](/powershell/module/az.network/new-azloadbalancerbackendaddresspoolconfig). The VMs attach to this back-end pool in the remaining steps. The following example creates back-end address pools named *dsLbBackEndPool_v4* and *dsLbBackEndPool_v6* to include VMs with both IPV4 and IPv6 NIC configurations: +Create a backend address pool with [New-AzLoadBalancerBackendAddressPoolConfig](/powershell/module/az.network/new-azloadbalancerbackendaddresspoolconfig). The VMs attach to this backend pool in the remaining steps. The following example creates backend address pools named *dsLbBackEndPool_v4* and *dsLbBackEndPool_v6* to include VMs with both IPV4 and IPv6 NIC configurations: ```azurepowershell-interactive $backendPoolv4 = New-AzLoadBalancerBackendAddressPoolConfig ` Remove-AzResourceGroup -Name dsRG1 ## Next steps -In this article, you created a Basic Load Balancer with a dual frontend IP configuration (IPv4 and IPv6). You also created a two virtual machines that included NICs with dual IP configurations (IPV4 + IPv6) that were added to the back-end pool of the load balancer. To learn more about IPv6 support in Azure virtual networks, see [What is IPv6 for Azure Virtual Network?](../../virtual-network/ip-services/ipv6-overview.md) +In this article, you created a Basic Load Balancer with a dual frontend IP configuration (IPv4 and IPv6). You also created a two virtual machines that included NICs with dual IP configurations (IPV4 + IPv6) that were added to the backend pool of the load balancer. 
To learn more about IPv6 support in Azure virtual networks, see [What is IPv6 for Azure Virtual Network?](../../virtual-network/ip-services/ipv6-overview.md) |
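Review bot: the rewritten Next steps line still reads "You also created a two virtual machines"; drop the stray "a" while the line is being changed. The "Create frontend IP" heading and the "dsLbFrontEnd_v4"/"dsLbFrontEnd_v6" sentence are otherwise consistent with the rest of the commit.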
load-balancer | Components | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/components.md | The nature of the IP address determines the **type** of load balancer created. P | | **Public load balancer** | **Internal load balancer** | | - | - | - | | **Frontend IP configuration**| Public IP address | Private IP address|-| **Description** | A public load balancer maps the public IP and port of incoming traffic to the private IP and port of the VM. Load balancer maps traffic the other way around for the response traffic from the VM. You can distribute specific types of traffic across multiple VMs or services by applying load-balancing rules. For example, you can spread the load of web request traffic across multiple web servers.| An internal load balancer distributes traffic to resources that are inside a virtual network. Azure restricts access to the frontend IP addresses of a virtual network that are load balanced. Front-end IP addresses and virtual networks are never directly exposed to an internet endpoint, meaning an internal load balancer can't accept incoming traffic from the internet. Internal line-of-business applications run in Azure and are accessed from within Azure or from on-premises resources. | +| **Description** | A public load balancer maps the public IP and port of incoming traffic to the private IP and port of the VM. Load balancer maps traffic the other way around for the response traffic from the VM. You can distribute specific types of traffic across multiple VMs or services by applying load-balancing rules. For example, you can spread the load of web request traffic across multiple web servers.| An internal load balancer distributes traffic to resources that are inside a virtual network. Azure restricts access to the frontend IP addresses of a virtual network that are load balanced. 
Frontend IP addresses and virtual networks are never directly exposed to an internet endpoint, meaning an internal load balancer can't accept incoming traffic from the internet. Internal line-of-business applications run in Azure and are accessed from within Azure or from on-premises resources. | | **SKUs supported** | Basic, Standard | Basic, Standard | ![Tiered load balancer example](./media/load-balancer-overview/load-balancer.png) |
load-balancer | Concepts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/concepts.md | Azure Load Balancer uses a tuple-based hashing as the load-balancing algorithm. ## Load balancing algorithm -By creating a load balancer rule, you can distribute inbound traffic flows from a load balancer's frontend to its backend pools. Azure Load Balancer uses a five-tuple hashing algorithm for the distribution of inbound flows (not bytes). Load balancer rewrites the headers of TCP/UDP headers flows when directing traffic to the backend pool instances (load balancer doesn't rewrite HTTP/HTTPS headers). When the load balancer's health probe indicates a healthy back-end endpoint, backend instances are available to receive new traffic flows. +By creating a load balancer rule, you can distribute inbound traffic flows from a load balancer's frontend to its backend pools. Azure Load Balancer uses a five-tuple hashing algorithm for the distribution of inbound flows (not bytes). Load balancer rewrites the headers of TCP/UDP headers flows when directing traffic to the backend pool instances (load balancer doesn't rewrite HTTP/HTTPS headers). When the load balancer's health probe indicates a healthy backend endpoint, backend instances are available to receive new traffic flows. By default, Azure Load Balancer uses a five-tuple hash. You can also use session affinity [distribution mode](distribution-mode-concepts Azure Load Balancer supports any TCP/UDP application scenario and doesn't close or originate flows. Load balancer also doesn't interact with the payload of any flow. Application payloads are transparent to the load balancer. Any UDP or TCP application can be supported. -Load balancer operates on layer 4 and doesn't provide application layer gateway functionality. Protocol handshakes always occur directly between the client and the back-end pool instance. 
Because the load balancer doesn't interact with the TCP payload nor does it provide TLS offload, you can build comprehensive encrypted scenarios. Using load balancer gains large scale-out for TLS applications by ending the TLS connection on the VM itself. For example, your TLS session keying capacity is only limited by the type and number of VMs you add to the back-end pool. +Load balancer operates on layer 4 and doesn't provide application layer gateway functionality. Protocol handshakes always occur directly between the client and the backend pool instance. Because the load balancer doesn't interact with the TCP payload nor does it provide TLS offload, you can build comprehensive encrypted scenarios. Using load balancer gains large scale-out for TLS applications by ending the TLS connection on the VM itself. For example, your TLS session keying capacity is only limited by the type and number of VMs you add to the backend pool. -A response to an inbound flow is always a response from a virtual machine. When the flow arrives on the virtual machine, the original source IP address is also preserved. Every endpoint is answered by a VM. For example, a TCP handshake occurs between the client and the selected back-end VM. A response to a request to a front end is a response generated by a back-end VM. When you successfully validate connectivity to a front end, you're validating the connectivity throughout to at least one back-end virtual machine. +A response to an inbound flow is always a response from a virtual machine. When the flow arrives on the virtual machine, the original source IP address is also preserved. Every endpoint is answered by a VM. For example, a TCP handshake occurs between the client and the selected backend VM. A response to a request to a front end is a response generated by a backend VM. When you successfully validate connectivity to a front end, you're validating the connectivity throughout to at least one backend virtual machine. ## Next steps |
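Review bot: the rewritten paragraph preserves the garbled phrase "Load balancer rewrites the headers of TCP/UDP headers flows"; while touching the line, make it "Load balancer rewrites the TCP/UDP headers of flows". The next paragraph still uses the two-word noun form "front end" ("a request to a front end", "connectivity to a front end") even though this commit normalizes "back-end" to "backend" and "front-end" to "frontend" elsewhere; decide whether the noun form should also become "frontend" so the article uses one spelling throughout.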
load-balancer | Configure Inbound NAT Rules Vm Scale Set | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/configure-inbound-NAT-rules-vm-scale-set.md | In this article, you'll learn how to configure, update, and delete inbound NAT R - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). ## Add inbound NAT rules -Individual inbound NAT rules can't be added to a Virtual Machine Scale Set. However, you can add a set of inbound NAT rules with a defined front-end port range and back-end port for all instances in the Virtual Machine Scale Set. +Individual inbound NAT rules can't be added to a Virtual Machine Scale Set. However, you can add a set of inbound NAT rules with a defined frontend port range and backend port for all instances in the Virtual Machine Scale Set. To add a set of inbound NAT rules for the Virtual Machine Scale Sets, you create a set of inbound NAT rules in the load balancer that targets a backend pool using [az network lb inbound-nat-rule create](/cli/azure/network/lb/inbound-nat-rule#az-network-lb-inbound-nat-rule-create) as follows: To add a set of inbound NAT rules for the Virtual Machine Scale Sets, you create ``` -The new inbound NAT rule can't have an overlapping front-end port range with existing inbound NAT rules. To view existing inbound NAT rules that are set up, use [az network lb inbound-nat-rule show](/cli/azure/network/lb/inbound-nat-rule#az-network-lb-inbound-nat-rule-show) as follows: +The new inbound NAT rule can't have an overlapping frontend port range with existing inbound NAT rules. To view existing inbound NAT rules that are set up, use [az network lb inbound-nat-rule show](/cli/azure/network/lb/inbound-nat-rule#az-network-lb-inbound-nat-rule-show) as follows: ```azurecli |
load-balancer | Gateway Deploy Dual Stack Load Balancer | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/gateway-deploy-dual-stack-load-balancer.md | You learn to: Along with the Gateway Load Balancer, this scenario includes the following already-deployed resources: - A dual stack virtual network and subnet.-- A standard Load Balancer with dual (IPv4 + IPv6) front-end configurations.+- A standard Load Balancer with dual (IPv4 + IPv6) frontend configurations. - A Gateway Load Balancer with IPv4 only. - A network interface with a dual-stack IP configuration, a network security group attached, and public IPv4 & IPv6 addresses. |
load-balancer | Ipv6 Configure Standard Load Balancer Template Json | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/ipv6-configure-standard-load-balancer-template-json.md | -This article provides a list of IPv6 configuration tasks with the portion of the Azure Resource Manager VM template that applies to. Use the template described in this article to deploy a dual stack (IPv4 + IPv6) application using Standard Load Balancer in Azure that includes a dual stack virtual network with IPv4 and IPv6 subnets, a Standard Load Balancer with dual (IPv4 + IPv6) front-end configurations, VMs with NICs that have a dual IP configuration, network security group, and public IPs. +This article provides a list of IPv6 configuration tasks with the portion of the Azure Resource Manager VM template that applies to. Use the template described in this article to deploy a dual stack (IPv4 + IPv6) application using Standard Load Balancer in Azure that includes a dual stack virtual network with IPv4 and IPv6 subnets, a Standard Load Balancer with dual (IPv4 + IPv6) frontend configurations, VMs with NICs that have a dual IP configuration, network security group, and public IPs. ## Required configurations If you're using a network virtual appliance, add IPv6 routes in the Route Table. } ``` -### IPv6 Back-end address pool for Load Balancer +### IPv6 Backend address pool for Load Balancer ```JSON "backendAddressPool": { |
load-balancer | Ipv6 Dual Stack Standard Internal Load Balancer Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/ipv6-dual-stack-standard-internal-load-balancer-powershell.md | -This article shows you how to deploy a dual stack (IPv4 + IPv6) application in Azure that includes a dual stack virtual network and subnet, a Standard Internal Load Balancer with dual (IPv4 + IPv6) front-end configurations, VMs with NICs that have a dual IP configuration, network security group, and public IPs. +This article shows you how to deploy a dual stack (IPv4 + IPv6) application in Azure that includes a dual stack virtual network and subnet, a Standard Internal Load Balancer with dual (IPv4 + IPv6) frontend configurations, VMs with NICs that have a dual IP configuration, network security group, and public IPs. -The procedure to create an IPv6-capable Internal Load Balancer is nearly identical to the process for creating an Internet-facing IPv6 Load Balancer described [here](virtual-network-ipv4-ipv6-dual-stack-standard-load-balancer-powershell.md). The only differences for creating an internal load balancer are in the front-end configuration as illustrated in the PowerShell example below: +The procedure to create an IPv6-capable Internal Load Balancer is nearly identical to the process for creating an Internet-facing IPv6 Load Balancer described [here](virtual-network-ipv4-ipv6-dual-stack-standard-load-balancer-powershell.md). 
The only differences for creating an internal load balancer are in the frontend configuration as illustrated in the PowerShell example below: ```azurepowershell $frontendIPv6 = New-AzLoadBalancerFrontendIpConfig ` The procedure to create an IPv6-capable Internal Load Balancer is nearly identic -Subnet $DsSubnet ``` -The changes that make the above an internal load balancer front-end configuration are: +The changes that make the above an internal load balancer frontend configuration are: - The `PrivateIpAddressVersion` is specified as ΓÇ£IPv6ΓÇ¥ - The `-PublicIpAddress` argument has been either omitted or replaced with `-PrivateIpAddress`. Note that the private address must be in the range of the Subnet IP space in which the internal load balancer will be deployed. If a static `-PrivateIpAddress` is omitted, the next free IPv6 address will be selected from the subnet in which the internal load Balancer is deployed. - The dual stack subnet in which the internal load balancer will be deployed is specified with either a `-Subnet` or `-SubnetId` argument. $DsSubnet = get-AzVirtualNetworkSubnetconfig -name dsSubnet -VirtualNetwork $vne ``` ## Create Standard Load Balancer -In this section, you configure dual frontend IP (IPv4 and IPv6) and the back-end address pool for the load balancer and then create a Standard Load Balancer. +In this section, you configure dual frontend IP (IPv4 and IPv6) and the backend address pool for the load balancer and then create a Standard Load Balancer. -### Create front-end IP +### Create frontend IP -Create a front-end IP with [New-AzLoadBalancerFrontendIpConfig](/powershell/module/az.network/new-azloadbalancerfrontendipconfig). The following example creates IPv4 and IPv6 frontend IP configurations named *dsLbFrontEnd_v4* and *dsLbFrontEnd_v6*: +Create a frontend IP with [New-AzLoadBalancerFrontendIpConfig](/powershell/module/az.network/new-azloadbalancerfrontendipconfig). 
The following example creates IPv4 and IPv6 frontend IP configurations named *dsLbFrontEnd_v4* and *dsLbFrontEnd_v6*: ```azurepowershell $frontendIPv4 = New-AzLoadBalancerFrontendIpConfig ` $frontendIPv6 = New-AzLoadBalancerFrontendIpConfig ` ``` -### Configure back-end address pool +### Configure backend address pool -Create a back-end address pool with [New-AzLoadBalancerBackendAddressPoolConfig](/powershell/module/az.network/new-azloadbalancerbackendaddresspoolconfig). The VMs attach to this back-end pool in the remaining steps. The following example creates back-end address pools named *dsLbBackEndPool_v4* and *dsLbBackEndPool_v6* to include VMs with both IPV4 and IPv6 NIC configurations: +Create a backend address pool with [New-AzLoadBalancerBackendAddressPoolConfig](/powershell/module/az.network/new-azloadbalancerbackendaddresspoolconfig). The VMs attach to this backend pool in the remaining steps. The following example creates backend address pools named *dsLbBackEndPool_v4* and *dsLbBackEndPool_v6* to include VMs with both IPV4 and IPv6 NIC configurations: ```azurepowershell $backendPoolv4 = New-AzLoadBalancerBackendAddressPoolConfig -Name "dsLbBackEndPool_v4" Remove-AzResourceGroup -Name dsStd_ILB_RG ## Next steps -In this article, you created a Standard Load Balancer with a dual frontend IP configuration (IPv4 and IPv6). You also created a two virtual machines that included NICs with dual IP configurations (IPV4 + IPv6) that were added to the back-end pool of the load balancer. To learn more about IPv6 support in Azure virtual networks, see [What is IPv6 for Azure Virtual Network?](../virtual-network/ip-services/ipv6-overview.md) +In this article, you created a Standard Load Balancer with a dual frontend IP configuration (IPv4 and IPv6). You also created a two virtual machines that included NICs with dual IP configurations (IPV4 + IPv6) that were added to the backend pool of the load balancer. 
To learn more about IPv6 support in Azure virtual networks, see [What is IPv6 for Azure Virtual Network?](../virtual-network/ip-services/ipv6-overview.md) |
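Review bot: same residual slip as in the Basic Load Balancer articles: the rewritten Next steps line still says "You also created a two virtual machines"; remove the extra "a". In the same region, the unchanged sentence "described [here](virtual-network-ipv4-ipv6-dual-stack-standard-load-balancer-powershell.md)" uses "here" as link text, which is poor for accessibility; consider linking the article title instead while the paragraph is being edited.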
load-balancer | Load Balancer Ha Ports Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-ha-ports-overview.md | High availability (HA) ports are a type of load balancing rule that provides an The HA ports load-balancing rules help you with critical scenarios, such as high availability and scale for network virtual appliances (NVAs) inside virtual networks. The feature can also help when a large number of ports must be load-balanced. -The HA ports load-balancing rules are configured when you set the front-end and back-end ports to **0** and the protocol to **All**. The internal load balancer resource then balances all TCP and UDP flows, regardless of port number +The HA ports load-balancing rules are configured when you set the frontend and backend ports to **0** and the protocol to **All**. The internal load balancer resource then balances all TCP and UDP flows, regardless of port number ## Why use HA ports? This configuration is a basic HA ports configuration. Use the following steps to 2. For **Floating IP**, select **Disabled**. -This configuration doesn't allow any other load-balancing rule configuration on the current load balancer resource. It also allows no other internal load balancer resource configuration for the given set of back-end instances. +This configuration doesn't allow any other load-balancing rule configuration on the current load balancer resource. It also allows no other internal load balancer resource configuration for the given set of backend instances. -However, you can configure a public Standard Load Balancer for the back-end instances in addition to this HA ports rule. +However, you can configure a public Standard Load Balancer for the backend instances in addition to this HA ports rule. 
### A single, floating IP (Direct Server Return) HA-ports configuration on an internal standard load balancer With this configuration, you can add more floating IP load-balancing rules and/o To configure more than one HA port frontend for the same backend pool, use the following steps: -- Configure more than one front-end private IP address for a single internal standard load balancer resource.+- Configure more than one frontend private IP address for a single internal standard load balancer resource. -- Configure multiple load-balancing rules, where each rule has a single unique front-end IP address selected.+- Configure multiple load-balancing rules, where each rule has a single unique frontend IP address selected. - Select the **HA ports** option, and then set **Floating IP** to **Enabled** for all the load-balancing rules. You can configure **one** public standard load balancer resource for the backend - HA ports load-balancing rules are available only for an internal standard load balancer. -- The combining of an HA ports load-balancing rule and a non-HA ports load-balancing rule pointing to the same backend **ipconfiguration(s)** isn't supported on a single front-end IP configuration unless both have Floating IP enabled.+- The combining of an HA ports load-balancing rule and a non-HA ports load-balancing rule pointing to the same backend **ipconfiguration(s)** isn't supported on a single frontend IP configuration unless both have Floating IP enabled. - IP fragmenting isn't supported. |
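Review bot: the rewritten sentence "+The HA ports load-balancing rules are configured when you set the frontend and backend ports to **0** and the protocol to **All**. The internal load balancer resource then balances all TCP and UDP flows, regardless of port number" still lacks its final period, carried over from the removed line; add it while the line is being changed.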
load-balancer | Load Balancer Ipv6 Internet Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-ipv6-internet-cli.md | The following steps show how to create a public load balancer by using Azure CLI To deploy a load balancer, create and configure the following objects: -* **Front-end IP configuration**: Contains public IP addresses for incoming network traffic. -* **Back-end address pool**: Contains network interfaces (NICs) for the virtual machines to receive network traffic from the load balancer. -* **Load balancing rules**: Contains rules that map a public port on the load balancer to a port in the back-end address pool. -* **Inbound NAT rules**: Contains network address translation (NAT) rules that map a public port on the load balancer to a port for a specific virtual machine in the back-end address pool. -* **Probes**: Contains health probes that are used to check the availability of virtual machine instances in the back-end address pool. +* **Frontend IP configuration**: Contains public IP addresses for incoming network traffic. +* **Backend address pool**: Contains network interfaces (NICs) for the virtual machines to receive network traffic from the load balancer. +* **Load balancing rules**: Contains rules that map a public port on the load balancer to a port in the backend address pool. +* **Inbound NAT rules**: Contains network address translation (NAT) rules that map a public port on the load balancer to a port for a specific virtual machine in the backend address pool. +* **Probes**: Contains health probes that are used to check the availability of virtual machine instances in the backend address pool. ## Set up Azure CLI In this example, you run the Azure CLI tools in a PowerShell command window. 
To $subnet2 = az network vnet subnet create --resource-group $rgname --name $subnet2Name --address-prefix $subnet2Prefix --vnet-name $vnetName ``` -## Create public IP addresses for the front-end pool +## Create public IP addresses for the frontend pool 1. Set up the PowerShell variables: In this example, you run the Azure CLI tools in a PowerShell command window. To $publicIpv6Name = "myIPv6Vip" ``` -2. Create a public IP address for the front-end IP pool: +2. Create a public IP address for the frontend IP pool: ```azurecli $publicipV4 = az network public-ip create --resource-group $rgname --name $publicIpv4Name --location $location --version IPv4 --allocation-method Dynamic --dns-name $dnsLabel In this example, you run the Azure CLI tools in a PowerShell command window. To > > In this example, the FQDN is *contoso09152016.southcentralus.cloudapp.azure.com*. -## Create front-end and back-end pools +## Create frontend and backend pools In this section, you create the following IP pools:-* The front-end IP pool that receives the incoming network traffic on the load balancer. -* The back-end IP pool where the front-end pool sends the load-balanced network traffic. +* The frontend IP pool that receives the incoming network traffic on the load balancer. +* The backend IP pool where the frontend pool sends the load-balanced network traffic. 1. Set up the PowerShell variables: In this section, you create the following IP pools: $backendAddressPoolV6Name = "BackendPoolIPv6" ``` -2. Create a front-end IP pool, and associate it with the public IP that you created in the previous step and the load balancer. +2. Create a frontend IP pool, and associate it with the public IP that you created in the previous step and the load balancer. 
```azurecli $frontendV4 = az network lb frontend-ip create --resource-group $rgname --name $frontendV4Name --public-ip-address $publicIpv4Name --lb-name $lbName This example creates the following items: * A probe rule to check for connectivity to TCP port 80. * A NAT rule to translate all incoming traffic on port 3389 to port 3389 for RDP.\* * A NAT rule to translate all incoming traffic on port 3391 to port 3389 for remote desktop protocol (RDP).\*-* A load balancer rule to balance all incoming traffic on port 80 to port 80 on the addresses in the back-end pool. +* A load balancer rule to balance all incoming traffic on port 80 to port 80 on the addresses in the backend pool. \* NAT rules are associated with a specific virtual-machine instance behind the load balancer. The network traffic that arrives on port 3389 is sent to the specific virtual machine and port that's associated with the NAT rule. You must specify a protocol (UDP or TCP) for a NAT rule. You can't assign both protocols to the same port. This example creates the following items: 2. Create the probe. - The following example creates a TCP probe that checks for connectivity to the back-end TCP port 80 every 15 seconds. After two consecutive failures, it marks the back-end resource as unavailable. + The following example creates a TCP probe that checks for connectivity to the backend TCP port 80 every 15 seconds. After two consecutive failures, it marks the backend resource as unavailable. ```azurecli $probeV4V6 = az network lb probe create --resource-group $rgname --name $probeV4V6Name --protocol tcp --port 80 --interval 15 --threshold 2 --lb-name $lbName ``` -3. Create inbound NAT rules that allow RDP connections to the back-end resources: +3. 
Create inbound NAT rules that allow RDP connections to the backend resources: ```azurecli $inboundNatRuleRdp1 = az network lb inbound-nat-rule create --resource-group $rgname --name $natRule1V4Name --frontend-ip-name $frontendV4Name --protocol Tcp --frontend-port 3389 --backend-port 3389 --lb-name $lbName $inboundNatRuleRdp2 = az network lb inbound-nat-rule create --resource-group $rgname --name $natRule2V4Name --frontend-ip-name $frontendV4Name --protocol Tcp --frontend-port 3391 --backend-port 3389 --lb-name $lbName ``` -4. Create load balancer rules that send traffic to different back-end ports, depending on the front end that received the request. +4. Create load balancer rules that send traffic to different backend ports, depending on the front end that received the request. ```azurecli $lbruleIPv4 = az network lb rule create --resource-group $rgname --name $lbRule1V4Name --frontend-ip-name $frontendV4Name --backend-pool-name $backendAddressPoolV4Name --probe-name $probeV4V6Name --protocol Tcp --frontend-port 80 --backend-port 80 --lb-name $lbName Create NICs and associate them with NAT rules, load balancer rules, and probes. $nic2IPv6 = az network nic ip-config create --resource-group $rgname --name "IPv6IPConfig" --private-ip-address-version "IPv6" --lb-address-pools $backendAddressPoolV6Id --nic-name $nic2Name ``` -## Create the back-end VM resources, and attach each NIC +## Create the backend VM resources, and attach each NIC To create VMs, you must have a storage account. For load balancing, the VMs need to be members of an availability set. For more information about creating VMs, see [Create an Azure VM by using PowerShell](../virtual-machines/windows/quick-create-powershell.md?toc=%2fazure%2fload-balancer%2ftoc.json). |
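Review bot: the inbound NAT rules hunk publishes RDP on the internet-facing frontend of the public load balancer this article builds (frontend ports 3389 and 3391 both mapped to backend port 3389) without any mention of restricting the source; suggest adding a sentence telling the reader to limit the NAT rule's source addresses with a network security group rule, or to remove the rules once setup is complete. In the step-4 hunk, the rewritten line "Create load balancer rules that send traffic to different backend ports, depending on the front end that received the request" does not match the command under it, which maps frontend port 80 to backend port 80 ("--frontend-port 80 --backend-port 80"), and it still uses "front end" where the rest of the patch standardizes on "frontend"; suggest "Create load balancer rules that forward port 80 on each frontend to port 80 on the matching backend pool."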
load-balancer | Load Balancer Ipv6 Internet Ps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-ipv6-internet-ps.md | To deploy a load balancer, you create and configure the following objects: * Frontend IP configuration - contains public IP addresses for incoming network traffic. * Backend address pool - contains network interfaces (NICs) for the virtual machines to receive network traffic from the load balancer.-* Load balancing rules - contains rules mapping a public port on the load balancer to port in the back-end address pool. -* Inbound NAT rules - contains rules mapping a public port on the load balancer to a port for a specific virtual machine in the back-end address pool. -* Probes - contains health probes used to check availability of virtual machines instances in the back-end address pool. +* Load balancing rules - contains rules mapping a public port on the load balancer to port in the backend address pool. +* Inbound NAT rules - contains rules mapping a public port on the load balancer to a port for a specific virtual machine in the backend address pool. +* Probes - contains health probes used to check availability of virtual machines instances in the backend address pool. For more information, see [Azure Load Balancer components](./components.md). Make sure you have the latest production version of the Azure Resource Manager m New-AzResourceGroup -Name NRP-RG -location "West US" ``` -## Create a virtual network and a public IP address for the front-end IP pool +## Create a virtual network and a public IP address for the frontend IP pool 1. Create a virtual network with a subnet. Make sure you have the latest production version of the Azure Resource Manager m $vnet = New-AzvirtualNetwork -Name VNet -ResourceGroupName NRP-RG -Location 'West US' -AddressPrefix 10.0.0.0/16 -Subnet $backendSubnet ``` -2. Create Azure Public IP address (PIP) resources for the front-end IP address pool. 
Be sure to change the value for `-DomainNameLabel` before running the following commands. The value must be unique within the Azure region. +2. Create Azure Public IP address (PIP) resources for the frontend IP address pool. Be sure to change the value for `-DomainNameLabel` before running the following commands. The value must be unique within the Azure region. ```azurepowershell-interactive $publicIPv4 = New-AzPublicIpAddress -Name 'pub-ipv4' -ResourceGroupName NRP-RG -Location 'West US' -AllocationMethod Static -IpAddressVersion IPv4 -DomainNameLabel lbnrpipv4 Make sure you have the latest production version of the Azure Resource Manager m > [!IMPORTANT] > The load balancer uses the domain label of the public IP as prefix for its FQDN. In this example, the FQDNs are *lbnrpipv4.westus.cloudapp.azure.com* and *lbnrpipv6.westus.cloudapp.azure.com*. -## Create a Front-End IP configurations and a Back-End Address Pool +## Create a Frontend IP configurations and a Backend Address Pool -1. Create front-end address configuration that uses the Public IP addresses you created. +1. Create frontend address configuration that uses the Public IP addresses you created. ```azurepowershell-interactive $FEIPConfigv4 = New-AzLoadBalancerFrontendIpConfig -Name "LB-Frontendv4" -PublicIpAddress $publicIPv4 $FEIPConfigv6 = New-AzLoadBalancerFrontendIpConfig -Name "LB-Frontendv6" -PublicIpAddress $publicIPv6 ``` -2. Create back-end address pools. +2. Create backend address pools. ```azurepowershell-interactive $backendpoolipv4 = New-AzLoadBalancerBackendAddressPoolConfig -Name "BackendPoolIPv4" Make sure you have the latest production version of the Azure Resource Manager m This example creates the following items: * a NAT rule to translate all incoming traffic on port 443 to port 4443-* a load balancer rule to balance all incoming traffic on port 80 to port 80 on the addresses in the back-end pool. 
+* a load balancer rule to balance all incoming traffic on port 80 to port 80 on the addresses in the backend pool. * a load balancer rule to allow RDP connection to the VMs on port 3389. * a probe rule to check the health status on a page named *HealthProbe.aspx* or a service on port 8080 * a load balancer that uses all these objects This example creates the following items: $NRPLB = New-AzLoadBalancer -ResourceGroupName NRP-RG -Name 'myNrpIPv6LB' -Location 'West US' -FrontendIpConfiguration $FEIPConfigv4,$FEIPConfigv6 -InboundNatRule $inboundNATRule1v6,$inboundNATRule1v4 -BackendAddressPool $backendpoolipv4,$backendpoolipv6 -Probe $healthProbe,$RDPprobe -LoadBalancingRule $lbrule1v4,$lbrule1v6,$RDPrule ``` -## Create NICs for the back-end VMs +## Create NICs for the backend VMs 1. Get the Virtual Network and Virtual Network Subnet, where the NICs need to be created. |
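Review bot: the new heading "+## Create a Frontend IP configurations and a Backend Address Pool" keeps the number disagreement from the old line; since two frontend configurations ($FEIPConfigv4, $FEIPConfigv6) and two backend pools follow, suggest "## Create frontend IP configurations and backend address pools", and likewise "1. Create frontend IP configurations that use the public IP addresses you created." In the component list of the same patch, the rewritten bullet "rules mapping a public port on the load balancer to port in the backend address pool" is missing "a" before "port", and "virtual machines instances" should be "virtual machine instances".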
load-balancer | Load Balancer Ipv6 Internet Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-ipv6-internet-template.md | When the template has deployed successfully, you can validate connectivity by co 4. From each VM, initiate an outbound connection to an IPv6 or IPv4-connected Internet device. In both cases, the source IP seen by the destination device is the public IPv4 or IPv6 address of the load balancer. > [!NOTE]-> To test connectivity for both an IPv4 and an IPv6 frontend of a Load Balancer, an ICMP ping can be sent to the frontend of the Load Balancer. Note that the IP addresses shown in the diagram are examples of values that you might see. Since the IPv6 addresses are assigned dynamically, the addresses you receive will differ and can vary by region. Also, it is common for the public IPv6 address on the load balancer to start with a different prefix than the private IPv6 addresses in the back-end pool. +> To test connectivity for both an IPv4 and an IPv6 frontend of a Load Balancer, an ICMP ping can be sent to the frontend of the Load Balancer. Note that the IP addresses shown in the diagram are examples of values that you might see. Since the IPv6 addresses are assigned dynamically, the addresses you receive will differ and can vary by region. Also, it is common for the public IPv6 address on the load balancer to start with a different prefix than the private IPv6 addresses in the backend pool. ## Template parameters and variables |
load-balancer | Load Balancer Ipv6 Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-ipv6-overview.md | Limitations * Changing the loadDistributionMethod parameter for IPv6 is **currently not supported**. * IPv6 for Basic Load Balancer is locked to a **Dynamic** SKU. IPv6 for a Standard Load Balancer is locked to a **Static** SKU. * NAT64 (translation of IPv6 to IPv4) is not supported.-* Attaching a secondary NIC that refers to an IPv6 subnet to a back-end pool is **not supported** for Basic Load Balancer. +* Attaching a secondary NIC that refers to an IPv6 subnet to a backend pool is **not supported** for Basic Load Balancer. ## Next steps |
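Review bot: the limitation "IPv6 for Basic Load Balancer is locked to a **Dynamic** SKU. IPv6 for a Standard Load Balancer is locked to a **Static** SKU" conflates the public IP allocation method with the SKU; Basic and Standard are the SKUs, and Dynamic and Static are allocation methods (the CLI and PowerShell patches on this page pass them as "--allocation-method Dynamic" and "-AllocationMethod Static"). Suggest "IPv6 public IP addresses used with Basic Load Balancer must use Dynamic allocation; with Standard Load Balancer they must use Static allocation."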
load-balancer | Load Balancer Standard Diagnostics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-standard-diagnostics.md | To get the data path availability for your standard load balancer resources: 1. In the **Aggregation** drop-down list, select **Avg**. -1. Additionally, add a filter on the frontend IP address or frontend port as the dimension with the required front-end IP address or front-end port. Then group them by the selected dimension. +1. Additionally, add a filter on the frontend IP address or frontend port as the dimension with the required frontend IP address or frontend port. Then group them by the selected dimension. :::image type="content" source="./media/load-balancer-standard-diagnostics/lbmetrics-vipprobing.png" alt-text="Load balancer frontend probing details."::: To get the data path availability for your standard load balancer resources: The metric is generated by an active, in-band measurement. A probing service within the region originates traffic for the measurement. The service is activated as soon as you create a deployment with a public front end, and it continues until you remove the front end. -A packet matching your deployment's front end and rule is generated periodically. It traverses the region from the source to the host where a VM in the back-end pool is located. The load balancer infrastructure performs the same load balancing and translation operations as it does for all other traffic. This probe is in-band on your load-balanced endpoint. After the probe arrives on the compute host, where a healthy VM in the back-end pool is located, the compute host generates a response to the probing service. Your VM doesnΓÇÖt see this traffic. +A packet matching your deployment's front end and rule is generated periodically. It traverses the region from the source to the host where a VM in the backend pool is located. 
The load balancer infrastructure performs the same load balancing and translation operations as it does for all other traffic. This probe is in-band on your load-balanced endpoint. After the probe arrives on the compute host, where a healthy VM in the backend pool is located, the compute host generates a response to the probing service. Your VM doesnΓÇÖt see this traffic. Data path availability fails for the following reasons: -- Your deployment has no healthy VMs remaining in the back-end pool. +- Your deployment has no healthy VMs remaining in the backend pool. - An infrastructure outage has occurred. To get the health probe status for your standard load balancer resources: Health probes fail for the following reasons: -- You configure a health probe to a port that isnΓÇÖt listening or not responding or is using the wrong protocol. If your service is using direct server return or floating IP rules, verify the service is listening on the IP address of the NIC's IP configuration and the loopback that's configured with the front-end IP address.+- You configure a health probe to a port that isnΓÇÖt listening or not responding or is using the wrong protocol. If your service is using direct server return or floating IP rules, verify the service is listening on the IP address of the NIC's IP configuration and the loopback that's configured with the frontend IP address. - Your Network Security Group, the VM's guest OS firewall, or the application layer filters don't allow the health probe traffic. Use **Sum** as the aggregation for most scenarios. <summary>Expand</summary> -The bytes and packet counters metric describes the volume of bytes and packets that are sent or received by your service on a per-front-end basis. +The bytes and packet counters metric describes the volume of bytes and packets that are sent or received by your service on a per-frontend basis. Use **Sum** as the aggregation for most scenarios. To get byte or packet count statistics: 2. 
Do either of the following: - * Apply a filter on a specific front-end IP, front-end port, back-end IP, or back-end port. + * Apply a filter on a specific frontend IP, frontend port, backend IP, or backend port. * Get overall statistics for your load balancer resource without any filtering. |
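Review bot: the rename is incomplete in the data path availability hunk: the rewritten paragraph still says "matching your deployment's front end and rule", and the unchanged sentence above it says "a public front end" and "remove the front end", while the same patch changes "front-end IP address" to "frontend IP address" in the filter step. Normalize to "frontend" throughout the section rather than leaving both forms in adjacent sentences.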
load-balancer | Load Balancer Standard Virtual Machine Scale Sets | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-standard-virtual-machine-scale-sets.md | When you work with Virtual Machine Scale Sets and Azure Load Balancer, consider ## Port forwarding and inbound NAT rules -After the scale set has been created, the back-end port can't be modified for a load-balancing rule used by a health probe of the load balancer. To change the port, remove the health probe by updating the virtual machine scale set and updating the port. Then configure the health probe again. +After the scale set has been created, the backend port can't be modified for a load-balancing rule used by a health probe of the load balancer. To change the port, remove the health probe by updating the virtual machine scale set and updating the port. Then configure the health probe again. -When you use the Virtual Machine Scale Set in the back-end pool of the load balancer, the default inbound NAT rules are created automatically. +When you use the Virtual Machine Scale Set in the backend pool of the load balancer, the default inbound NAT rules are created automatically. ## Load-balancing rules -When you use the Virtual Machine Scale Set in the back-end pool of the load balancer, the default load-balancing rule is created automatically. +When you use the Virtual Machine Scale Set in the backend pool of the load balancer, the default load-balancing rule is created automatically. ## Virtual Machine Scale Set instance-level IPs When Virtual Machine Scale Sets with [public IPs per instance](../virtual-machin ## Outbound rules -To create an outbound rule for a back-end pool that's already referenced by a load-balancing rule, select **No** under **Create implicit outbound rules** in the Azure portal when the inbound load-balancing rule is created. 
+To create an outbound rule for a backend pool that's already referenced by a load-balancing rule, select **No** under **Create implicit outbound rules** in the Azure portal when the inbound load-balancing rule is created. :::image type="content" source="./media/vm-scale-sets/load-balancer-and-vm-scale-sets.png" alt-text="Screenshot that shows load-balancing rule creation." border="true"::: |
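Review bot: the rewritten sentence "To change the port, remove the health probe by updating the virtual machine scale set and updating the port. Then configure the health probe again" folds two updates into one clause and leaves the order unclear; suggest "To change the port, update the scale set to remove the health probe, change the backend port, and then add the health probe again."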
load-balancer | Load Balancer Troubleshoot Backend Traffic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-troubleshoot-backend-traffic.md | If you suspect backend pool members are receiving traffic, it could be due to th Azure Load Balancer doesn't support true round robin load balancing but supports a hash based [distribution mode](distribution-mode-concepts.md). -## Cause 1: You have session persistence configured +### Cause 1: You have session persistence configured Using source persistence distribution mode can cause an uneven distribution of traffic. If this distribution isn't desired, update session persistence to be **None** so traffic is distributed across all healthy instances in the backend pool. Learn more about [distribution modes for Azure Load Balancer](distribution-mode-concepts.md). -## Cause 2: You have a proxy configured +### Cause 2: You have a proxy configured Clients that run behind proxies might be seen as one unique client application from the load balancer's point of view. If a backend pool VM is listed as healthy and responds to the health probes, but * Accessing the Internet load balancer frontend from the participating load balancer backend pool VM -## Cause 1: A load balancer backend pool VM isn't listening on the data port +### Cause 1: A load balancer backend pool VM isn't listening on the data port If a VM doesn't respond to the data traffic, it may be because either the target port isn't open on the participating VM, or, the VM isn't listening on that port. If a VM doesn't respond to the data traffic, it may be because either the target 4. If the port is marked as **LISTENING**, then check the target application on that port for any possible issues. 
-## Cause 2: A network security group is blocking the port on the load balancer backend pool VM  +### Cause 2: A network security group is blocking the port on the load balancer backend pool VM  If one or more network security groups configured on the subnet or on the VM, is blocking the source IP or port, then the VM is unable to respond. For the public load balancer, the IP address of the Internet clients will be use 4. Test if the VM has now started to respond to the health probes. -## Cause 3: Access of the internal load balancer from the same VM and network interface +### Cause 3: Access of the internal load balancer from the same VM and network interface If your application hosted in the backend VM of an internal load balancer is trying to access another application hosted in the same backend VM over the same network interface, it's an unsupported scenario and will fail. You can resolve this issue via one of the following methods: * Configure the application in dual NIC VMs so each application was using its own network interface and IP address. -## Cause 4: Access of the internal load balancer frontend from the participating load balancer backend pool VM +### Cause 4: Access of the internal load balancer frontend from the participating load balancer backend pool VM If an internal load balancer is configured inside a virtual network, and one of the participant backend VMs is trying to access the internal load balancer frontend, failures can occur when the flow is mapped to the originating VM. This scenario isn't supported. There are several ways to unblock this scenario, including using a proxy. Evalua Internal load balancers don't translate outbound originated connections to the front end of an internal load balancer because both are in private IP address space. Public load balancers provide [outbound connections](load-balancer-outbound-connections.md) from private IP addresses inside the virtual network to public IP addresses. 
For internal load balancers, this approach avoids potential SNAT port exhaustion inside a unique internal IP address space, where translation isn't required. -A side effect is that if an outbound flow from a VM in the back-end pool attempts a flow to front end of the internal load balancer in its pool _and_ is mapped back to itself, the two legs of the flow don't match. Because they don't match, the flow fails. The flow succeeds if the flow didn't map back to the same VM in the back-end pool that created the flow to the front end. +A side effect is that if an outbound flow from a VM in the backend pool attempts a flow to front end of the internal load balancer in its pool _and_ is mapped back to itself, the two legs of the flow don't match. Because they don't match, the flow fails. The flow succeeds if the flow didn't map back to the same VM in the backend pool that created the flow to the front end. -When the flow maps back to itself, the outbound flow appears to originate from the VM to the front end, and the corresponding inbound flow appears to originate from the VM to itself. From the guest operating system's point of view, the inbound and outbound parts of the same flow don't match inside the virtual machine. The TCP stack won't recognize these halves of the same flow as being part of the same flow. The source and destination don't match. When the flow maps to any other VM in the back-end pool, the halves of the flow do match and the VM can respond to the flow. +When the flow maps back to itself, the outbound flow appears to originate from the VM to the front end, and the corresponding inbound flow appears to originate from the VM to itself. From the guest operating system's point of view, the inbound and outbound parts of the same flow don't match inside the virtual machine. The TCP stack won't recognize these halves of the same flow as being part of the same flow. The source and destination don't match. 
When the flow maps to any other VM in the backend pool, the halves of the flow do match and the VM can respond to the flow. The symptom for this scenario is intermittent connection timeouts when the flow returns to the same backend that originated the flow. Common workarounds include insertion of a proxy layer behind the internal load balancer and using Direct Server Return (DSR) style rules. For more information, see [Multiple frontends for Azure Load Balancer](load-balancer-multivip-overview.md). |
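Review bot: the rewritten line "+A side effect is that if an outbound flow from a VM in the backend pool attempts a flow to front end of the internal load balancer" is missing "the" before "front end", and it uses the two-word form while the headings in the same file ("### Cause 4: Access of the internal load balancer frontend") use "frontend"; suggest "attempts a flow to the frontend of the internal load balancer". Demoting the Cause headings from "##" to "###" is the right call here, since both symptom sections restart their numbering at Cause 1.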
load-balancer | Quickstart Load Balancer Standard Internal Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/quickstart-load-balancer-standard-internal-cli.md | To create a network security group rule, use [az network nsg rule create](/cli/a --priority 200 ``` -## Create back-end servers +## Create backend servers In this section, you create: |
load-balancer | Quickstart Load Balancer Standard Internal Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/quickstart-load-balancer-standard-internal-powershell.md | New-AzNetworkSecurityGroup @nsg This section details how you can create and configure the following components of the load balancer: -* Create a front-end IP with [New-AzLoadBalancerFrontendIpConfig](/powershell/module/az.network/new-azloadbalancerfrontendipconfig) for the frontend IP pool. This IP receives the incoming traffic on the load balancer +* Create a frontend IP with [New-AzLoadBalancerFrontendIpConfig](/powershell/module/az.network/new-azloadbalancerfrontendipconfig) for the frontend IP pool. This IP receives the incoming traffic on the load balancer -* Create a back-end address pool with [New-AzLoadBalancerBackendAddressPoolConfig](/powershell/module/az.network/new-azloadbalancerbackendaddresspoolconfig) for traffic sent from the frontend of the load balancer +* Create a backend address pool with [New-AzLoadBalancerBackendAddressPoolConfig](/powershell/module/az.network/new-azloadbalancerbackendaddresspoolconfig) for traffic sent from the frontend of the load balancer * Create a health probe with [Add-AzLoadBalancerProbeConfig](/powershell/module/az.network/add-azloadbalancerprobeconfig) that determines the health of the backend VM instances |
load-balancer | Quickstart Load Balancer Standard Public Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/quickstart-load-balancer-standard-public-powershell.md | New-AzPublicIpAddress @publicip This section details how you can create and configure the following components of the load balancer: -* Create a front-end IP with [New-AzLoadBalancerFrontendIpConfig](/powershell/module/az.network/new-azloadbalancerfrontendipconfig) for the frontend IP pool. This IP receives the incoming traffic on the load balancer +* Create a frontend IP with [New-AzLoadBalancerFrontendIpConfig](/powershell/module/az.network/new-azloadbalancerfrontendipconfig) for the frontend IP pool. This IP receives the incoming traffic on the load balancer -* Create a back-end address pool with [New-AzLoadBalancerBackendAddressPoolConfig](/powershell/module/az.network/new-azloadbalancerbackendaddresspoolconfig) for traffic sent from the frontend of the load balancer. This pool is where your backend virtual machines are deployed +* Create a backend address pool with [New-AzLoadBalancerBackendAddressPoolConfig](/powershell/module/az.network/new-azloadbalancerbackendaddresspoolconfig) for traffic sent from the frontend of the load balancer. This pool is where your backend virtual machines are deployed * Create a health probe with [Add-AzLoadBalancerProbeConfig](/powershell/module/az.network/add-azloadbalancerprobeconfig) that determines the health of the backend VM instances |
load-balancer | Tutorial Cross Region Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/tutorial-cross-region-powershell.md | A global standard sku public IP is used for the frontend of the cross-region loa * Use [New-AzPublicIpAddress](/powershell/module/az.network/new-azpublicipaddress) to create the public IP address. -* Create a front-end IP configuration with [New-AzLoadBalancerFrontendIpConfig](/powershell/module/az.network/new-azloadbalancerfrontendipconfig). +* Create a frontend IP configuration with [New-AzLoadBalancerFrontendIpConfig](/powershell/module/az.network/new-azloadbalancerfrontendipconfig). -* Create a back-end address pool with [New-AzLoadBalancerBackendAddressPoolConfig](/powershell/module/az.network/new-azloadbalancerbackendaddresspoolconfig). +* Create a backend address pool with [New-AzLoadBalancerBackendAddressPoolConfig](/powershell/module/az.network/new-azloadbalancerbackendaddresspoolconfig). * Create a load balancer rule with [Add-AzLoadBalancerRuleConfig](/powershell/module/az.network/add-azloadbalancerruleconfig). $fe = @{ } $feip = New-AzLoadBalancerFrontendIpConfig @fe -## Create back-end address pool ## +## Create backend address pool ## $be = @{ Name = 'myBackEndPool-CR' } $region2 = @{ } $R2 = Get-AzLoadBalancer @region2 -## Place the region one load balancer front-end configuration in a variable ## +## Place the region one load balancer frontend configuration in a variable ## $region1fe = @{ Name = 'MyFrontEnd-R1' LoadBalancer = $R1 } $R1FE = Get-AzLoadBalancerFrontendIpConfig @region1fe -## Place the region two load balancer front-end configuration in a variable ## +## Place the region two load balancer frontend configuration in a variable ## $region2fe = @{ Name = 'MyFrontEnd-R2' LoadBalancer = $R2 |
load-balancer | Virtual Network Ipv4 Ipv6 Dual Stack Standard Load Balancer Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/virtual-network-ipv4-ipv6-dual-stack-standard-load-balancer-cli.md | -This article shows you how to deploy a dual stack (IPv4 + IPv6) application using Standard Load Balancer in Azure that includes a dual stack virtual network with a dual stack subnet, a Standard Load Balancer with dual (IPv4 + IPv6) front-end configurations, VMs with NICs that have a dual IP configuration, dual network security group rules, and dual public IPs. +This article shows you how to deploy a dual stack (IPv4 + IPv6) application using Standard Load Balancer in Azure that includes a dual stack virtual network with a dual stack subnet, a Standard Load Balancer with dual (IPv4 + IPv6) frontend configurations, VMs with NICs that have a dual IP configuration, dual network security group rules, and dual public IPs. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)] az network public-ip create \ ## Create Standard Load Balancer -In this section, you configure dual frontend IP (IPv4 and IPv6) and the back-end address pool for the load balancer and then create a Standard Load Balancer. +In this section, you configure dual frontend IP (IPv4 and IPv6) and the backend address pool for the load balancer and then create a Standard Load Balancer. ### Create load balancer az network lb frontend-ip create \ ``` -### Configure IPv6 back-end address pool +### Configure IPv6 backend address pool -Create a IPv6 back-end address pools with [az network lb address-pool create](/cli/azure/network/lb/address-pool#az-network-lb-address-pool-create). The following example creates back-end address pool named *dsLbBackEndPool_v6* to include VMs with IPv6 NIC configurations: +Create a IPv6 backend address pools with [az network lb address-pool create](/cli/azure/network/lb/address-pool#az-network-lb-address-pool-create). 
The following example creates backend address pool named *dsLbBackEndPool_v6* to include VMs with IPv6 NIC configurations: ```azurecli-interactive az network lb address-pool create \ When no longer needed, you can use the [az group delete](/cli/azure/group#az-gro ## Next steps -In this article, you created a Standard Load Balancer with a dual frontend IP configuration (IPv4 and IPv6). You also created a two virtual machines that included NICs with dual IP configurations (IPV4 + IPv6) that were added to the back-end pool of the load balancer. To learn more about IPv6 support in Azure virtual networks, see [What is IPv6 for Azure Virtual Network?](../virtual-network/ip-services/ipv6-overview.md) +In this article, you created a Standard Load Balancer with a dual frontend IP configuration (IPv4 and IPv6). You also created a two virtual machines that included NICs with dual IP configurations (IPV4 + IPv6) that were added to the backend pool of the load balancer. To learn more about IPv6 support in Azure virtual networks, see [What is IPv6 for Azure Virtual Network?](../virtual-network/ip-services/ipv6-overview.md) |
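Review bot: The rename in the IPv6 backend pool hunk carries over two pre-existing grammar errors that should be fixed while the line is being rewritten: `Create a IPv6 backend address pools` should read `Create an IPv6 backend address pool`, and `creates backend address pool named *dsLbBackEndPool_v6*` needs an article (`creates a backend address pool named`). The same applies to the Next steps hunk, where `You also created a two virtual machines` should be `You also created two virtual machines`, and `(IPV4 + IPv6)` should use the consistent `IPv4` casing used elsewhere in the article.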
load-balancer | Virtual Network Ipv4 Ipv6 Dual Stack Standard Load Balancer Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/virtual-network-ipv4-ipv6-dual-stack-standard-load-balancer-powershell.md | -This article shows you how to deploy a dual stack (IPv4 + IPv6) application using Standard Load Balancer in Azure that includes a dual stack virtual network and subnet, a Standard Load Balancer with dual (IPv4 + IPv6) front-end configurations, VMs with NICs that have a dual IP configuration, network security group, and public IPs. +This article shows you how to deploy a dual stack (IPv4 + IPv6) application using Standard Load Balancer in Azure that includes a dual stack virtual network and subnet, a Standard Load Balancer with dual (IPv4 + IPv6) frontend configurations, VMs with NICs that have a dual IP configuration, network security group, and public IPs. [!INCLUDE [cloud-shell-try-it.md](../../includes/cloud-shell-try-it.md)] To access your virtual machines using a RDP connection, create an IPV4 public IP ## Create Standard Load Balancer -In this section, you configure dual frontend IP (IPv4 and IPv6) and the back-end address pool for the load balancer and then create a Standard Load Balancer. +In this section, you configure dual frontend IP (IPv4 and IPv6) and the backend address pool for the load balancer and then create a Standard Load Balancer. -### Create front-end IP +### Create frontend IP -Create a front-end IP with [New-AzLoadBalancerFrontendIpConfig](/powershell/module/az.network/new-azloadbalancerfrontendipconfig). The following example creates IPv4 and IPv6 frontend IP configurations named *dsLbFrontEnd_v4* and *dsLbFrontEnd_v6*: +Create a frontend IP with [New-AzLoadBalancerFrontendIpConfig](/powershell/module/az.network/new-azloadbalancerfrontendipconfig). 
The following example creates IPv4 and IPv6 frontend IP configurations named *dsLbFrontEnd_v4* and *dsLbFrontEnd_v6*: ```azurepowershell-interactive $frontendIPv4 = New-AzLoadBalancerFrontendIpConfig ` $frontendIPv6 = New-AzLoadBalancerFrontendIpConfig ` ``` -### Configure back-end address pool +### Configure backend address pool -Create a back-end address pool with [New-AzLoadBalancerBackendAddressPoolConfig](/powershell/module/az.network/new-azloadbalancerbackendaddresspoolconfig). The VMs attach to this back-end pool in the remaining steps. The following example creates back-end address pools named *dsLbBackEndPool_v4* and *dsLbBackEndPool_v6* to include VMs with both IPV4 and IPv6 NIC configurations: +Create a backend address pool with [New-AzLoadBalancerBackendAddressPoolConfig](/powershell/module/az.network/new-azloadbalancerbackendaddresspoolconfig). The VMs attach to this backend pool in the remaining steps. The following example creates backend address pools named *dsLbBackEndPool_v4* and *dsLbBackEndPool_v6* to include VMs with both IPV4 and IPv6 NIC configurations: ```azurepowershell-interactive $backendPoolv4 = New-AzLoadBalancerBackendAddressPoolConfig ` Remove-AzResourceGroup -Name dsRG1 ## Next steps -In this article, you created a Standard Load Balancer with a dual frontend IP configuration (IPv4 and IPv6). You also created a two virtual machines that included NICs with dual IP configurations (IPV4 + IPv6) that were added to the back-end pool of the load balancer. To learn more about IPv6 support in Azure virtual networks, see [What is IPv6 for Azure Virtual Network?](../virtual-network/ip-services/ipv6-overview.md) +In this article, you created a Standard Load Balancer with a dual frontend IP configuration (IPv4 and IPv6). You also created a two virtual machines that included NICs with dual IP configurations (IPV4 + IPv6) that were added to the backend pool of the load balancer. 
To learn more about IPv6 support in Azure virtual networks, see [What is IPv6 for Azure Virtual Network?](../virtual-network/ip-services/ipv6-overview.md) |
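Review bot: The Next steps hunk in this file keeps the same pre-existing typo as the CLI version: `You also created a two virtual machines` should be `You also created two virtual machines`, and `(IPV4 + IPv6)` should be `(IPv4 + IPv6)`. The unchanged context line `To access your virtual machines using a RDP connection` should also read `an RDP connection`; worth fixing in the same change since the file is already open.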
machine-learning | How To Train With Ui | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-train-with-ui.md | Last updated 02/04/2024 -# Submit a training job in Studio +# Submit a training job in studio There are many ways to create a training job with Azure Machine Learning. You can use the CLI (see [Train models (create jobs)](how-to-train-model.md)), the REST API (see [Train models with REST (preview)](how-to-train-with-rest.md)), or you can use the UI to directly create a training job. In this article, you learn how to use your own data and code to train a machine learning model with a guided experience for submitting training jobs in Azure Machine Learning studio. |
machine-learning | How To Data Prep Synapse Spark Pool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/v1/how-to-data-prep-synapse-spark-pool.md | -# Data wrangling with Apache Spark pools (deprecated) +# Data wrangling with Apache Spark pools (deprecated) [!INCLUDE [sdk v1](../includes/machine-learning-sdk-v1.md)] > [!WARNING]-> The Azure Synapse Analytics integration with Azure Machine Learning available in Python SDK v1 is deprecated. Users can continue using Synapse workspace registered with Azure Machine Learning as a linked service. However, a new Synapse workspace can no longer be registered with Azure Machine Learning as a linked service. We recommend using Managed (Automatic) Synapse compute and attached Synapse Spark pools available in CLI v2 and Python SDK v2. Please see [https://aka.ms/aml-spark](https://aka.ms/aml-spark) for more details. +> The Azure Synapse Analytics integration with Azure Machine Learning, available in Python SDK v1, is deprecated. Users can still use Synapse workspace, registered with Azure Machine Learning, as a linked service. However, a new Synapse workspace can no longer be registered with Azure Machine Learning as a linked service. We recommend use of serverless Spark compute and attached Synapse Spark pools, available in CLI v2 and Python SDK v2. For more information, visit [https://aka.ms/aml-spark](https://aka.ms/aml-spark). -In this article, you learn how to perform data wrangling tasks interactively within a dedicated Synapse session, powered by [Azure Synapse Analytics](../../synapse-analytics/overview-what-is.md), in a Jupyter notebook using the [Azure Machine Learning Python SDK](/python/api/overview/azure/ml/). --If you prefer to use Azure Machine Learning pipelines, see [How to use Apache Spark (powered by Azure Synapse Analytics) in your machine learning pipeline (preview)](how-to-use-synapsesparkstep.md). 
--For guidance on how to use Azure Synapse Analytics with a Synapse workspace, see the [Azure Synapse Analytics get started series](../../synapse-analytics/get-started.md). +In this article, you learn how to interactively perform data wrangling tasks within a dedicated Synapse session, powered by [Azure Synapse Analytics](../../synapse-analytics/overview-what-is.md), in a Jupyter notebook. These tasks rely on the [Azure Machine Learning Python SDK](/python/api/overview/azure/ml/). For more information about Azure Machine Learning pipelines, visit [How to use Apache Spark (powered by Azure Synapse Analytics) in your machine learning pipeline (preview)](how-to-use-synapsesparkstep.md). For more information about how to use Azure Synapse Analytics with a Synapse workspace, visit the [Azure Synapse Analytics get started series](../../synapse-analytics/get-started.md). ## Azure Machine Learning and Azure Synapse Analytics integration -The Azure Synapse Analytics integration with Azure Machine Learning (preview) allows you to attach an Apache Spark pool backed by Azure Synapse for interactive data exploration and preparation. With this integration, you can have a dedicated compute for data wrangling at scale, all within the same Python notebook you use for training your machine learning models. +With the Azure Synapse Analytics integration with Azure Machine Learning (preview), you can attach an Apache Spark pool, backed by Azure Synapse, for interactive data exploration and preparation. With this integration, you can have a dedicated compute resource for data wrangling at scale, all within the same Python notebook you use to train your machine learning models. ## Prerequisites -* The [Azure Machine Learning Python SDK installed](/python/api/overview/azure/ml/install). +* [Create an Azure Machine Learning workspace](../quickstart-create-resources.md) -* [Create an Azure Machine Learning workspace](../quickstart-create-resources.md). 
+* [Configure your development environment](how-to-configure-environment.md) to install the Azure Machine Learning SDK, or use an [Azure Machine Learning compute instance](../concept-compute-instance.md#create) with the SDK already installed -* [Create an Azure Synapse Analytics workspace in Azure portal](../../synapse-analytics/quickstart-create-workspace.md). +* Install the [Azure Machine Learning Python SDK](/python/api/overview/azure/ml/install) -* [Create Apache Spark pool using Azure portal, web tools, or Synapse Studio](../../synapse-analytics/quickstart-create-apache-spark-pool-portal.md). +* [Create a Synapse workspace in Azure portal](../../synapse-analytics/quickstart-create-workspace.md) -* [Configure your development environment](how-to-configure-environment.md) to install the Azure Machine Learning SDK, or use an [Azure Machine Learning compute instance](../concept-compute-instance.md#create) with the SDK already installed. +* [Create an Apache Spark pool using Azure portal, web tools, or Synapse Studio](../../synapse-analytics/quickstart-create-apache-spark-pool-portal.md) -* Install the `azureml-synapse` package (preview) with the following code: +* Install the `azureml-synapse` package (preview) with this code: ```python pip install azureml-synapse ``` -* Link your Azure Machine Learning workspace and Azure Synapse Analytics workspace with the [Azure Machine Learning Python SDK](how-to-link-synapse-ml-workspaces.md#link-sdk) or via the [Azure Machine Learning studio](how-to-link-synapse-ml-workspaces.md#link-studio) +* Link your Azure Machine Learning workspace and Azure Synapse Analytics workspace with the [Azure Machine Learning Python SDK](how-to-link-synapse-ml-workspaces.md#link-workspaces-with-the-python-sdk) or with the [Azure Machine Learning studio](how-to-link-synapse-ml-workspaces.md#link-workspaces-via-studio) -* [Attach a Synapse Spark pool](how-to-link-synapse-ml-workspaces.md#attach-synapse-spark-pool-as-a-compute) as a compute 
target. +* [Attach a Synapse Spark pool](how-to-link-synapse-ml-workspaces.md#attach-synapse-spark-pool-as-a-compute) as a compute target ## Launch Synapse Spark pool for data wrangling tasks -To begin data preparation with the Apache Spark pool, specify the attached Spark Synapse compute name. This name can be found via the Azure Machine Learning studio under the **Attached computes** tab. +To start the data preparation with the Apache Spark pool, specify the attached Spark Synapse compute name. You can find this name with the Azure Machine Learning studio under the **Attached computes** tab. ![get attached compute name](media/how-to-data-prep-synapse-spark-pool/attached-compute.png) > [!IMPORTANT]-> To continue use of the Apache Spark pool you must indicate which compute resource to use throughout your data wrangling tasks with `%synapse` for single lines of code and `%%synapse` for multiple lines. +> To continue use of Apache Spark pool, you must indicate which compute resource to use throughout your data wrangling tasks. Use `%synapse` for single lines of code, and `%%synapse` for multiple lines: ```python %synapse start -c SynapseSparkPoolAlias ``` -After the session starts, you can check the session's metadata. +After the session starts, you can check the session's metadata: ```python %synapse meta ``` -You can specify an [Azure Machine Learning environment](../concept-environments.md) to use during your Apache Spark session. Only Conda dependencies specified in the environment will take effect. Docker image isn't supported. +You can specify an [Azure Machine Learning environment](../concept-environments.md) to use during your Apache Spark session. Only Conda dependencies specified in the environment will take effect. Docker images aren't supported. >[!WARNING]-> Python dependencies specified in environment Conda dependencies are not supported in Apache Spark pools. Currently, only fixed Python versions are supported. 
-> Check your Python version by including `sys.version_info` in your script. +> Python dependencies specified in environment Conda dependencies are not supported in Apache Spark pools. Currently, only fixed Python versions are supported +> Include `sys.version_info` in your script to check your Python version -The following code, creates the environment, `myenv`, which installs `azureml-core` version 1.20.0 and `numpy` version 1.17.0 before the session begins. You can then include this environment in your Apache Spark session `start` statement. +This code creates the`myenv` environment variable, to install `azureml-core` version 1.20.0 and `numpy` version 1.17.0 before the session starts. You can then include this environment in your Apache Spark session `start` statement. ```python env.python.conda_dependencies.add_conda_package("numpy==1.17.0") env.register(workspace=ws) ``` -To begin data preparation with the Apache Spark pool and your custom environment, specify the Apache Spark pool name and which environment to use during the Apache Spark session. Furthermore, you can provide your subscription ID, the machine learning workspace resource group, and the name of the machine learning workspace. +To start data preparation with the Apache Spark pool in your custom environment, specify both the Apache Spark pool name and the environment to use during the Apache Spark session. You can provide your subscription ID, the machine learning workspace resource group, and the name of the machine learning workspace. >[!IMPORTANT]-> Make sure to [Allow session level packages](../../synapse-analytics/spark/apache-spark-manage-session-packages.md#session-scoped-python-packages) is enabled in the linked Synapse workspace. +> Be sure to enable [Allow session level packages](../../synapse-analytics/spark/apache-spark-manage-session-packages.md#session-scoped-python-packages) in the linked Synapse workspace. 
> >![enable session level packages](media/how-to-data-prep-synapse-spark-pool/enable-session-level-package.png) To begin data preparation with the Apache Spark pool and your custom environment ## Load data from storage -Once your Apache Spark session starts, read in the data that you wish to prepare. Data loading is supported for Azure Blob storage and Azure Data Lake Storage Generations 1 and 2. +After the Apache Spark session starts, read in the data that you wish to prepare. Data loading is supported for Azure Blob storage and Azure Data Lake Storage Generations 1 and 2. -There are two ways to load data from these storage +You have two options to load data from these storage -* Directly load data from storage using its Hadoop Distributed Files System (HDFS) path. +* Directly load data from storage with its Hadoop Distributed Files System (HDFS) path -* Read in data from an existing [Azure Machine Learning dataset](how-to-create-register-datasets.md). +* Read in data from an existing [Azure Machine Learning dataset](how-to-create-register-datasets.md) -To access these storage services, you need **Storage Blob Data Reader** permissions. If you plan to write data back to these storage services, you need **Storage Blob Data Contributor** permissions. [Learn more about storage permissions and roles](../../storage/blobs/assign-azure-role-data-access.md). +To access these storage services, you need **Storage Blob Data Reader** permissions. To write data back to these storage services, you need **Storage Blob Data Contributor** permissions. [Learn more about storage permissions and roles](../../storage/blobs/assign-azure-role-data-access.md). ### Load data with Hadoop Distributed Files System (HDFS) path -To load and read data in from storage with the corresponding HDFS path, you need to have your data access authentication credentials readily available. These credentials differ depending on your storage type. 
--The following code demonstrates how to read data from an **Azure Blob storage** into a Spark dataframe with either your shared access signature (SAS) token or access key. +To load and read data from storage with the corresponding HDFS path, you need your data access authentication credentials available. These credentials differ depending on your storage type. This code sample shows how to read data from an **Azure Blob storage** into a Spark dataframe with either your shared access signature (SAS) token or access key: ```python %%synapse sc._jsc.hadoopConfiguration().set("fs.azure.sas.<container name>.<storage accoun df = spark.read.option("header", "true").csv("wasbs://demo@dprepdata.blob.core.windows.net/Titanic.csv") ``` -The following code demonstrates how to read data in from **Azure Data Lake Storage Generation 1 (ADLS Gen 1)** with your service principal credentials. +This code sample shows how to read data from **Azure Data Lake Storage Generation 1 (ADLS Gen 1)** with your service principal credentials: ```python %%synapse df = spark.read.csv("adl://<storage account name>.azuredatalakestore.net/<path>" ``` -The following code demonstrates how to read data in from **Azure Data Lake Storage Generation 2 (ADLS Gen 2)** with your service principal credentials. +This code sample shows how to read data in from **Azure Data Lake Storage Generation 2 (ADLS Gen 2)** with your service principal credentials: ```python %%synapse df = spark.read.csv("abfss://<container name>@<storage account>.dfs.core.windows ### Read in data from registered datasets -You can also get an existing registered dataset in your workspace and perform data preparation on it by converting it into a spark dataframe. --The following example authenticates to the workspace, gets a registered TabularDataset, `blob_dset`, that references files in blob storage, and converts it into a spark dataframe. 
When you convert your datasets into a spark dataframe, you can use `pyspark` data exploration and preparation libraries. +You can also place an existing registered dataset in your workspace, and perform data preparation on it, if you convert it into a spark dataframe. This example authenticates to the workspace, obtains a registered TabularDataset -`blob_dset` - that references files in blob storage, and converts that TabularDataset to a Spark dataframe. When you convert your datasets to Spark dataframeS, you can use `pyspark` data exploration and preparation libraries. ``` python %%synapse spark_df = dset.to_spark_dataframe() ## Perform data wrangling tasks -After you've retrieved and explored your data, you can perform data wrangling tasks. --The following code, expands upon the HDFS example in the previous section and filters the data in spark dataframe, `df`, based on the **Survivor** column and groups that list by **Age** +After you retrieve and explore your data, you can perform data wrangling tasks. This code sample expands upon the HDFS example in the previous section. Based on the **Survivor** column, it filters the data in spark dataframe `df` and groups that list by **Age**: ```python %%synapse df.show() ## Save data to storage and stop spark session -Once your data exploration and preparation is complete, store your prepared data for later use in your storage account on Azure. --In the following example, the prepared data is written back to Azure Blob storage and overwrites the original `Titanic.csv` file in the `training_data` directory. To write back to storage, you need **Storage Blob Data Contributor** permissions. [Learn more about storage permissions and roles](../../storage/blobs/assign-azure-role-data-access.md). +Once your data exploration and preparation is complete, store your prepared data for later use in your storage account on Azure. 
In this code sample, the prepared data is written back to Azure Blob storage, overwriting the original `Titanic.csv` file in the `training_data` directory. To write back to storage, you need **Storage Blob Data Contributor** permissions. For more information, visit [Assign an Azure role for access to blob data](../../storage/blobs/assign-azure-role-data-access.md). ```python %% synapse In the following example, the prepared data is written back to Azure Blob storag df.write.format("csv").mode("overwrite").save("wasbs://demo@dprepdata.blob.core.windows.net/training_data/Titanic.csv") ``` -When you've completed data preparation and saved your prepared data to storage, stop using your Apache Spark pool with the following command. +After you complete the data preparation, and you save your prepared data to storage, end the use of your Apache Spark pool with this command: ```python %synapse stop ``` -## Create dataset to represent prepared data +## Create a dataset, to represent prepared data -When you're ready to consume your prepared data for model training, connect to your storage with an [Azure Machine Learning datastore](how-to-access-data.md), and specify which file(s) you want to use with an [Azure Machine Learning dataset](how-to-create-register-datasets.md). +When you're ready to consume your prepared data for model training, connect to your storage with an [Azure Machine Learning datastore](how-to-access-data.md), and specify the file or file you want to use with an [Azure Machine Learning dataset](how-to-create-register-datasets.md). -The following code example, +This code example -* Assumes you already created a datastore that connects to the storage service where you saved your prepared data. -* Gets that existing datastore, `mydatastore`, from the workspace, `ws` with the get() method. 
-* Creates a [FileDataset](how-to-create-register-datasets.md#filedataset), `train_ds`, that references the prepared data files located in the `training_data` directory in `mydatastore`. -* Creates the variable `input1`, which can be used at a later time to make the data files of the `train_ds` dataset available to a compute target for your training tasks. +* Assumes you already created a datastore that connects to the storage service where you saved your prepared data +* Retrieves that existing datastore - `mydatastore` - from workspace `ws` with the get() method. +* Creates a [FileDataset](how-to-create-register-datasets.md#filedataset), `train_ds`, to reference the prepared data files located in the `mydatastore` `training_data` directory +* Creates variable `input1`. At a later time, this variable can make the data files of the `train_ds` dataset available to a compute target for your training tasks. ```python from azureml.core import Datastore, Dataset input1 = train_ds.as_mount() ## Use a `ScriptRunConfig` to submit an experiment run to a Synapse Spark pool -If you're ready to automate and productionize your data wrangling tasks, you can submit an experiment run to [an attached Synapse Spark pool](how-to-link-synapse-ml-workspaces.md#attach-a-pool-with-the-python-sdk) with the [ScriptRunConfig](/python/api/azureml-core/azureml.core.scriptrunconfig) object. --Similarly, if you have an Azure Machine Learning pipeline, you can use the [SynapseSparkStep to specify your Synapse Spark pool as the compute target](how-to-use-synapsesparkstep.md) for the data preparation step in your pipeline. --Making your data available to the Synapse Spark pool depends on your dataset type. 
+If you're ready to automate and productionize your data wrangling tasks, you can submit an experiment run to [an attached Synapse Spark pool](how-to-link-synapse-ml-workspaces.md#attach-a-pool-with-the-python-sdk) with the [ScriptRunConfig](/python/api/azureml-core/azureml.core.scriptrunconfig) object. In a similar way, if you have an Azure Machine Learning pipeline, you can use the [SynapseSparkStep to specify your Synapse Spark pool as the compute target](how-to-use-synapsesparkstep.md) for the data preparation step in your pipeline. Availability of your data to the Synapse Spark pool depends on your dataset type. -* For a FileDataset, you can use the [`as_hdfs()`](/python/api/azureml-core/azureml.data.filedataset#as-hdfs--) method. When the run is submitted, the dataset is made available to the Synapse Spark pool as a Hadoop distributed file system (HFDS). -* For a [TabularDataset](how-to-create-register-datasets.md#tabulardataset), you can use the [`as_named_input()`](/python/api/azureml-core/azureml.data.abstract_dataset.abstractdataset#as-named-input-name-) method. +* For a FileDataset, you can use the [`as_hdfs()`](/python/api/azureml-core/azureml.data.filedataset#as-hdfs--) method. When the run is submitted, the dataset is made available to the Synapse Spark pool as a Hadoop distributed file system (HFDS) +* For a [TabularDataset](how-to-create-register-datasets.md#tabulardataset), you can use the [`as_named_input()`](/python/api/azureml-core/azureml.data.abstract_dataset.abstractdataset#as-named-input-name-) method -The following code, +The following code sample -* Creates the variable `input2` from the FileDataset `train_ds` that was created in the previous code example. -* Creates the variable `output` with the HDFSOutputDatasetConfiguration class. After the run is complete, this class allows us to save the output of the run as the dataset, `test` in the datastore, `mydatastore`. 
In the Azure Machine Learning workspace, the `test` dataset is registered under the name `registered_dataset`. -* Configures settings the run should use in order to perform on the Synapse Spark pool. -* Defines the ScriptRunConfig parameters to, - * Use the `dataprep.py`, for the run. - * Specify which data to use as input and how to make it available to the Synapse Spark pool. - * Specify where to store output data, `output`. +* Creates variable `input2` from the FileDataset `train_ds`, itself created in the previous code example +* Creates variable `output` with the `HDFSOutputDatasetConfiguration` class. After the run is complete, this class allows us to save the output of the run as the dataset, `test` in the `mydatastore` datastore. In the Azure Machine Learning workspace, the `test` dataset is registered under the name `registered_dataset` +* Configures settings the run should use to perform on the Synapse Spark pool +* Defines the ScriptRunConfig parameters to + * Use the `dataprep.py` script for the run + * Specify the data to use as input, and how to make that data available to the Synapse Spark pool + * Specify where to store the `output` output data ```Python from azureml.core import Dataset, HDFSOutputDatasetConfig script_run_config = ScriptRunConfig(source_directory = './code', run_config = run_config) ``` -For more information about `run_config.spark.configuration` and general Spark configuration, see [SparkConfiguration Class](/python/api/azureml-core/azureml.core.runconfig.sparkconfiguration) and [Apache Spark's configuration documentation](https://spark.apache.org/docs/latest/configuration.html). +For more information about `run_config.spark.configuration` and general Spark configuration, visit [SparkConfiguration Class](/python/api/azureml-core/azureml.core.runconfig.sparkconfiguration) and [Apache Spark's configuration documentation](https://spark.apache.org/docs/latest/configuration.html). 
-Once your `ScriptRunConfig` object is set up, you can submit the run. +Once you set up your `ScriptRunConfig` object, you can submit the run. ```python from azureml.core import Experiment run = exp.submit(config=script_run_config) run ``` -For more details, like the `dataprep.py` script used in this example, see the [example notebook](https://github.com/Azure/MachineLearningNotebooks/blob/master/how-to-use-azureml/azure-synapse/spark_job_on_synapse_spark_pool.ipynb). +For more information, including information about the `dataprep.py` script used in this example, see the [example notebook](https://github.com/Azure/MachineLearningNotebooks/blob/master/how-to-use-azureml/azure-synapse/spark_job_on_synapse_spark_pool.ipynb). -After your data is prepared, you can then use it as input for your training jobs. In the aforementioned code example, the `registered_dataset` is what you would specify as your input data for training jobs. +After you prepare your data, you can use it as input for your training jobs. In the code example above, you would specify the `registered_dataset` as your input data for training jobs. ## Example notebooks -See the example notebooks for more concepts and demonstrations of the Azure Synapse Analytics and Azure Machine Learning integration capabilities. +Review these example notebooks for more concepts and demonstrations of the Azure Synapse Analytics and Azure Machine Learning integration capabilities: * [Run an interactive Spark session from a notebook in your Azure Machine Learning workspace](https://github.com/Azure/MachineLearningNotebooks/blob/master/how-to-use-azureml/azure-synapse/spark_session_on_synapse_spark_pool.ipynb). * [Submit an Azure Machine Learning experiment run with a Synapse Spark pool as your compute target](https://github.com/Azure/MachineLearningNotebooks/blob/master/how-to-use-azureml/azure-synapse/spark_job_on_synapse_spark_pool.ipynb). 
## Next steps * [Train a model](how-to-set-up-training-targets.md).-* [Train with Azure Machine Learning dataset](how-to-train-with-datasets.md). +* [Train with Azure Machine Learning dataset](how-to-train-with-datasets.md). |
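Review bot: The rewritten sentence in the environment hunk, `This code creates the`myenv` environment variable`, is both missing a space after `the` and wrong about what `myenv` is: the code that follows calls `env.register(workspace=ws)`, so `myenv` is a registered Azure Machine Learning Environment, not an environment variable. Keep the original wording (`creates the environment, `myenv``) or say `the `myenv` Environment`. In the same region the two rewritten warning lines lost their terminating periods (`only fixed Python versions are supported` and `to check your Python version`), and the deprecation note's `Users can still use Synapse workspace` needs an article (`a Synapse workspace`).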
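Review bot: In the Load data from storage hunk, `You have two options to load data from these storage` is still an incomplete sentence (the removed line `There are two ways to load data from these storage` had the same defect); finish it as `from these storage services:`. `Hadoop Distributed Files System (HDFS)` in the heading and bullet should be `Hadoop Distributed File System`. In the registered datasets hunk, `Spark dataframeS` has a stray capital S introduced by this change, and the spaced hyphens around `blob_dset` (`-`blob_dset` -`) are uneven; either space them consistently or keep the commas the original used.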
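Review bot: In the save-to-storage region, the unchanged context line `%% synapse` contains a space that the other cells do not (`%%synapse`); if that is a typo in the original it will not resolve as the cell magic and should be fixed here. In the dataset hunk, `specify the file or file you want to use` should be `file or files`, the new heading `## Create a dataset, to represent prepared data` reads better without the comma, the list introduced by `This code example` needs a colon, and the bullets mix a trailing period (`with the get() method.`) with none. In the ScriptRunConfig hunk, `Hadoop distributed file system (HFDS)` misspells the acronym in both the old and new text (should be `HDFS`), and `Specify where to store the `output` output data` is awkward; `Specify `output` as the location for the output data` is clearer.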
machine-learning | How To Link Synapse Ml Workspaces | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/v1/how-to-link-synapse-ml-workspaces.md | -> The Azure Synapse Analytics integration with Azure Machine Learning available in Python SDK v1 is deprecated. Users can continue using Synapse workspace registered with Azure Machine Learning as a linked service. However, a new Synapse workspace can no longer be registered with Azure Machine Learning as a linked service. We recommend using Managed (Automatic) Synapse compute and attached Synapse Spark pools available in CLI v2 and Python SDK v2. Please see [https://aka.ms/aml-spark](https://aka.ms/aml-spark) for more details. +> The Azure Synapse Analytics integration with Azure Machine Learning, available in Python SDK v1, is deprecated. Users can still use Synapse workspace, registered with Azure Machine Learning, as a linked service. However, a new Synapse workspace can no longer be registered with Azure Machine Learning as a linked service. We recommend use of serverless Spark compute and attached Synapse Spark pools, available in CLI v2 and Python SDK v2. For more information, visit [https://aka.ms/aml-spark](https://aka.ms/aml-spark). -In this article, you learn how to create a linked service that links your [Azure Synapse Analytics](../../synapse-analytics/overview-what-is.md) workspace and [Azure Machine Learning workspace](../concept-workspace.md). +In this article, you learn how to create a linked service that links your [Azure Synapse Analytics](../../synapse-analytics/overview-what-is.md) workspace and [Azure Machine Learning workspace](../concept-workspace.md). -With your Azure Machine Learning workspace linked with your Azure Synapse workspace, you can attach an Apache Spark pool, powered by Azure Synapse Analytics, as a dedicated compute for data wrangling at scale or conduct model training all from the same Python notebook. 
+With an Azure Machine Learning workspace, linked with an Azure Synapse workspace, you can attach an Apache Spark pool, powered by Azure Synapse Analytics, as a dedicated compute resource. You can use this resource for data wrangling at scale, or you can conduct model training - all from the same Python notebook. -You can link your ML workspace and Synapse workspace via the [Python SDK](#link-sdk) or the [Azure Machine Learning studio](#link-studio). --You can also link workspaces and attach a Synapse Spark pool with a single [Azure Resource Manager (ARM) template](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.machinelearningservices/machine-learning-linkedservice-create/azuredeploy.json). +You can link your ML workspace and Synapse workspace with the [Python SDK](#link-workspaces-with-the-python-sdk) or the [Azure Machine Learning studio](#link-workspaces-via-studio). You can also link workspaces, and attach a Synapse Spark pool, with a single [Azure Resource Manager (ARM) template](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.machinelearningservices/machine-learning-linkedservice-create/azuredeploy.json). ## Prerequisites -* [Create an Azure Machine Learning workspace](../quickstart-create-resources.md). +* [Create an Azure Machine Learning workspace](../quickstart-create-resources.md) -* [Create a Synapse workspace in Azure portal](../../synapse-analytics/quickstart-create-workspace.md). 
+* Install the [Azure Machine Learning Python SDK](/python/api/overview/azure/ml/intro) -* [Create Apache Spark pool using Azure portal, web tools, or Synapse Studio](../../synapse-analytics/quickstart-create-apache-spark-pool-studio.md) +* [Create a Synapse workspace in Azure portal](../../synapse-analytics/quickstart-create-workspace.md) -* Install the [Azure Machine Learning Python SDK](/python/api/overview/azure/ml/intro) +* [Create an Apache Spark pool using Azure portal, web tools, or Synapse Studio](../../synapse-analytics/quickstart-create-apache-spark-pool-studio.md) -* Access to the [Azure Machine Learning studio](https://ml.azure.com/). +* Access to the [Azure Machine Learning studio](https://ml.azure.com/) -<a name="link-sdk"></a> ## Link workspaces with the Python SDK > [!IMPORTANT]-> To link to the Synapse workspace successfully, you must be granted the **Owner** role of the Synapse workspace. Check your access in the [Azure portal](https://portal.azure.com/). +> To successfully link to the Synapse workspace, you must be granted the **Owner** role of the Synapse workspace. Check your access in the [Azure portal](https://portal.azure.com/). >-> If you are not an **Owner** and are only a **Contributor** to the Synapse workspace, you can only use existing linked services. See how to [Retrieve and use an existing linked service](#get-an-existing-linked-service). +> If you are only a **Contributor** to the Synapse workspace, and you don't have an **Owner** for that Synapse workspace, you can only use existing linked services. For more information, visit [Retrieve and use an existing linked service](#get-an-existing-linked-service). 
-The following code employs the [`LinkedService`](/python/api/azureml-core/azureml.core.linked_service.linkedservice) and [`SynapseWorkspaceLinkedServiceConfiguration`](/python/api/azureml-core/azureml.core.linked_service.synapseworkspacelinkedserviceconfiguration) classes to, +This code employs the [`LinkedService`](/python/api/azureml-core/azureml.core.linked_service.linkedservice) and [`SynapseWorkspaceLinkedServiceConfiguration`](/python/api/azureml-core/azureml.core.linked_service.synapseworkspacelinkedserviceconfiguration) classes, to -* Link your machine learning workspace, `ws` with your Azure Synapse workspace. -* Register your Synapse workspace with Azure Machine Learning as a linked service. +* Link your machine learning workspace `ws` with your Azure Synapse workspace +* Register your Synapse workspace with Azure Machine Learning as a linked service ``` python import datetime linked_service = LinkedService.register(workspace = ws, linked_service_config = synapse_link_config) ``` -> [!IMPORTANT] -> A managed identity, `system_assigned_identity_principal_id`, is created for each linked service. This managed identity must be granted the **Synapse Apache Spark Administrator** role of the Synapse workspace before you start your Synapse session. [Assign the Synapse Apache Spark Administrator role to the managed identity in the Synapse Studio](../../synapse-analytics/security/how-to-manage-synapse-rbac-role-assignments.md). +> [!IMPORTANT] +> Managed identity `system_assigned_identity_principal_id` is created for each linked service. You must grant this managed identity the **Synapse Apache Spark Administrator** role of the Synapse workspace before you start your Synapse session. For more information, visit [How to manage Azure Synapse RBAC assignments in Synapse Studio](../../synapse-analytics/security/how-to-manage-synapse-rbac-role-assignments.md). 
> > To find the `system_assigned_identity_principal_id` of a specific linked service, use `LinkedService.get('<your-mlworkspace-name>', '<linked-service-name>')`. ### Manage linked services -View all the linked services associated with your machine learning workspace. +View all the linked services associated with your machine learning workspace: ```python LinkedService.list(ws) ``` -To unlink your workspaces, use the `unregister()` method +To unlink your workspaces, use the `unregister()` method: ``` python linked_service.unregister() ``` -<a name="link-studio"></a> ## Link workspaces via studio -Link your machine learning workspace and Synapse workspace via the Azure Machine Learning studio with the following steps: +Link your machine learning workspace and Synapse workspace via the Azure Machine Learning studio: -1. Sign in to the [Azure Machine Learning studio](https://ml.azure.com/). -1. Select **Linked Services** in the **Manage** section of the left pane. -1. Select **Add integration**. +1. Sign in to the [Azure Machine Learning studio](https://ml.azure.com/) +1. Select **Linked Services** in the **Manage** section of the left pane +1. Select **Add integration** 1. On the **Link workspace** form, populate the fields |Field| Description ||- |Name| Provide a name for your linked service. This name is what will be used to reference to this particular linked service. - |Subscription name | Select the name of your subscription that's associated with your machine learning workspace. - |Synapse workspace | Select the Synapse workspace you want to link to. + |Name| Provide a name for your linked service. References to this specific linked service use this name + |Subscription name | Select the name of your subscription associated with your machine learning workspace + |Synapse workspace | Select the Synapse workspace to which you want to link 1. Select **Next** to open the **Select Spark pools (optional)** form. 
On this form, you select which Synapse Spark pool to attach to your workspace -1. Select **Next** to open the **Review** form and check your selections. -1. Select **Create** to complete the linked service creation process. +1. Select **Next** to open the **Review** form, and check your selections +1. Select **Create** to complete the linked service creation process ## Get an existing linked service -Before you can attach a dedicated compute for data wrangling, you must have an ML workspace that's linked to an Azure Synapse Analytics workspace, this is referred to as a linked service. +Before you can attach a dedicated compute for data wrangling, you must have a machine learning workspace linked to an Azure Synapse Analytics workspace. We refer to this workspace as a linked service. Retrieval and use of an existing linked service requires **User or Contributor** permissions to the **Azure Synapse Analytics workspace**. -To retrieve and use an existing linked service, requires **User or Contributor** permissions to the **Azure Synapse Analytics workspace**. +This example retrieves an existing linked service - `synapselink1` - from the workspace `ws`, with the [`get()`](/python/api/azureml-core/azureml.core.linkedservice#azureml-core-linkservice-get) method: -This example retrieves an existing linked service, `synapselink1`, from the workspace, `ws`, with the [`get()`](/python/api/azureml-core/azureml.core.linkedservice#get-workspace--name-) method. ```python from azureml.core import LinkedService linked_service = LinkedService.get(ws, 'synapselink1') ## Attach Synapse Spark pool as a compute -Once you retrieve the linked service, attach a Synapse Apache Spark pool as a dedicated compute resource for your data wrangling tasks. +Once you retrieve the linked service, attach a Synapse Apache Spark pool as a dedicated compute resource for your data wrangling tasks. 
You can attach Apache Spark pools with -You can attach Apache Spark pools via, * Azure Machine Learning studio * [Azure Resource Manager (ARM) templates](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.machinelearningservices/machine-learning-linkedservice-create/azuredeploy.json)-* The Azure Machine Learning Python SDK +* The Azure Machine Learning Python SDK ### Attach a pool via the studio-Follow these steps: --1. Sign in to the [Azure Machine Learning studio](https://ml.azure.com/). -1. Select **Linked Services** in the **Manage** section of the left pane. -1. Select your Synapse workspace. -1. Select **Attached Spark pools** on the top left. -1. Select **Attach**. -1. Select your Apache Spark pool from the list and provide a name. - 1. This list identifies the available Synapse Spark pools that can be attached to your compute. - 1. To create a new Synapse Spark pool, see [Create Apache Spark pool with the Synapse Studio](../../synapse-analytics/quickstart-create-apache-spark-pool-portal.md) -1. Select **Attach selected**. -### Attach a pool with the Python SDK --You can also employ the **Python SDK** to attach an Apache Spark pool. +1. Sign in to the [Azure Machine Learning studio](https://ml.azure.com/) +1. Select **Linked Services** in the **Manage** section of the left pane +1. Select your Synapse workspace +1. Select **Attached Spark pools** on the top left +1. Select **Attach** +1. Select your Apache Spark pool from the list and provide a name + 1. This list identifies the available Synapse Spark pools that can be attached to your compute + 1. To create a new Synapse Spark pool, see [Quickstart: Create a new serverless Apache Spark pool using the Azure portal](../../synapse-analytics/quickstart-create-apache-spark-pool-portal.md) +1. Select **Attach selected** -The follow code, -1. 
Configures the [`SynapseCompute`](/python/api/azureml-core/azureml.core.compute.synapsecompute) with, +### Attach a pool with the Python SDK - 1. The [`LinkedService`](/python/api/azureml-core/azureml.core.linkedservice), `linked_service` that you either created or retrieved in the previous step. - 1. The type of compute target you want to attach, `SynapseSpark` - 1. The name of the Apache Spark pool. This must match an existing Apache Spark pool that is in your Azure Synapse Analytics workspace. - -1. Creates a machine learning [`ComputeTarget`](/python/api/azureml-core/azureml.core.computetarget) by passing in, - 1. The machine learning workspace you want to use, `ws` - 1. The name you'd like to refer to the compute within the Azure Machine Learning workspace. - 1. The attach_configuration you specified when configuring your Synapse Compute. - 1. The call to ComputeTarget.attach() is asynchronous, so the sample blocks until the call completes. +You can also employ the **Python SDK** to attach an Apache Spark pool, as shown in this code example: ```python from azureml.core.compute import SynapseCompute, ComputeTarget Verify the Apache Spark pool is attached. ws.compute_targets['Synapse Spark pool alias'] ``` +This code ++1. Configures the [`SynapseCompute`](/python/api/azureml-core/azureml.core.compute.synapsecompute) with ++ 1. The [`LinkedService`](/python/api/azureml-core/azureml.core.linkedservice), `linked_service` that you either created or retrieved in the previous step + 1. The type of compute target you want to attach - in this case, `SynapseSpark` + 1. The name of the Apache Spark pool. The name must match an existing Apache Spark pool that exists in your Azure Synapse Analytics workspace + +1. Creates a machine learning [`ComputeTarget`](/python/api/azureml-core/azureml.core.computetarget) by passing in + 1. The machine learning workspace you want to use, `ws` + 1. 
The name you'd like to use to refer to the compute within the Azure Machine Learning workspace + 1. The attach_configuration you specified when you configured your Synapse Compute + 1. The call to ComputeTarget.attach() is asynchronous, so the sample execution is blocked until the call completes + ## Next steps -* [How to data wrangle with Azure Synapse (preview)](how-to-data-prep-synapse-spark-pool.md). -* [How to use Apache Spark in your machine learning pipeline with Azure Synapse (preview)](how-to-use-synapsesparkstep.md) -* [Train a model](how-to-set-up-training-targets.md). -* [How to securely integrate Azure Synapse and Azure Machine Learning workspaces](../how-to-private-endpoint-integration-synapse.md). +* [Data wrangling with Apache Spark pools (deprecated)](how-to-data-prep-synapse-spark-pool.md). +* [How to use Apache Spark (powered by Azure Synapse Analytics) in your machine learning pipeline (deprecated)](how-to-use-synapsesparkstep.md) +* [Configure and submit training jobs](how-to-set-up-training-targets.md). +* [How to securely integrate Azure Machine Learning and Azure Synapse](../how-to-private-endpoint-integration-synapse.md) |
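Review bot: the rewritten Contributor callout in the IMPORTANT block ("If you are only a **Contributor** to the Synapse workspace, and you don't have an **Owner** for that Synapse workspace") is ungrammatical and loses the original's meaning, which was that the reader is not an Owner; suggest "If you are a **Contributor** but not an **Owner** of the Synapse workspace, you can only use existing linked services." Two smaller points in the same hunk: the new `get()` link fragment `#azureml-core-linkservice-get` drops the "ed" from the `linkedservice` path segment it follows, so verify the anchor resolves, and the sentence "The name must match an existing Apache Spark pool that exists in your Azure Synapse Analytics workspace" says "existing" twice; "must match an Apache Spark pool in your Azure Synapse Analytics workspace" reads cleaner.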
machine-learning | How To Use Synapsesparkstep | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/v1/how-to-use-synapsesparkstep.md | Title: Use Apache Spark in a machine learning pipeline (deprecated) -description: Link your Azure Synapse Analytics workspace to your Azure Machine Learning pipeline to use Apache Spark for data manipulation. +description: Link your Azure Synapse Analytics workspace to your Azure Machine Learning pipeline, to use Apache Spark for data manipulation. Previously updated : 02/20/2024 Last updated : 02/22/2024 #Customer intent: As a user of both Azure Machine Learning pipelines and Azure Synapse Analytics, I'd like to use Apache Spark for the data preparation of my pipeline-> The Azure Synapse Analytics integration with Azure Machine Learning available in Python SDK v1 is deprecated. Users can still use Synapse workspace registered with Azure Machine Learning as a linked service. However, a new Synapse workspace can no longer be registered with Azure Machine Learning as a linked service. We recommend use of Managed (Automatic) Synapse compute and attached Synapse Spark pools available in CLI v2 and Python SDK v2. Visit [https://aka.ms/aml-spark](https://aka.ms/aml-spark) for more information. +> The Azure Synapse Analytics integration with Azure Machine Learning, available in Python SDK v1, is deprecated. Users can still use Synapse workspace, registered with Azure Machine Learning, as a linked service. However, a new Synapse workspace can no longer be registered with Azure Machine Learning as a linked service. We recommend use of serverless Spark compute and attached Synapse Spark pools, available in CLI v2 and Python SDK v2. For more information, visit [https://aka.ms/aml-spark](https://aka.ms/aml-spark). -In this article, you learn how to use Apache Spark pools, powered by Azure Synapse Analytics, as the compute target for a data preparation step in an Azure Machine Learning pipeline. 
You learn how a single pipeline can use compute resources suited for the specific step - for example, data preparation or training. You'll see how data is prepared for the Spark step and how it passes to the next step. +In this article, you learn how to use Apache Spark pools powered by Azure Synapse Analytics as the compute target for a data preparation step in an Azure Machine Learning pipeline. You learn how a single pipeline can use compute resources suited for the specific step - for example, data preparation or training. You'll also learn how data is prepared for the Spark step and how it passes to the next step. ## Prerequisites In this article, you learn how to use Apache Spark pools, powered by Azure Synap * [Configure your development environment](how-to-configure-environment.md) to install the Azure Machine Learning SDK, or use an [Azure Machine Learning compute instance](../concept-compute-instance.md) with the SDK already installed -* Create an Azure Synapse Analytics workspace and Apache Spark pool (see [Quickstart: Create a serverless Apache Spark pool using Synapse Studio](../../synapse-analytics/quickstart-create-apache-spark-pool-studio.md)) +* Create an Azure Synapse Analytics workspace and Apache Spark pool. For more information, visit [Quickstart: Create a serverless Apache Spark pool using Synapse Studio](../../synapse-analytics/quickstart-create-apache-spark-pool-studio.md) ## Link your Azure Machine Learning workspace and Azure Synapse Analytics workspace -You create and administer your Apache Spark pools in an Azure Synapse Analytics workspace. To integrate an Apache Spark pool with an Azure Machine Learning workspace, you must [link to the Azure Synapse Analytics workspace](how-to-link-synapse-ml-workspaces.md). --Once you link your Azure Machine Learning workspace and your Azure Synapse Analytics workspaces, you can attach an Apache Spark pool with +You create and administer your Apache Spark pools in an Azure Synapse Analytics workspace. 
To integrate an Apache Spark pool with an Azure Machine Learning workspace, you must [link to the Azure Synapse Analytics workspace](how-to-link-synapse-ml-workspaces.md). Once you link your Azure Machine Learning workspace and your Azure Synapse Analytics workspaces, you can attach an Apache Spark pool with * [Azure Machine Learning studio](how-to-link-synapse-ml-workspaces.md#attach-a-pool-via-the-studio)-* Python SDK ([as explained later](#attach-your-apache-spark-pool-as-a-compute-target-for-azure-machine-learning)) -* Azure Resource Manager (ARM) template (see this [Example ARM template](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.machinelearningservices/machine-learning-linkedservice-create/azuredeploy.json)). - * You can use the command line to follow the ARM template, add the linked service, and attach the Apache Spark pool with this code: +* [Python SDK](#attach-your-apache-spark-pool-as-a-compute-target-for-azure-machine-learning), as explained later +* Azure Resource Manager (ARM) template. For more information, visit [Example ARM template](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.machinelearningservices/machine-learning-linkedservice-create/azuredeploy.json) + * You can use the command line to follow the ARM template, add the linked service, and attach the Apache Spark pool with this code sample: ```azurecli az deployment group create --name --resource-group <rg_name> --template-file "azuredeploy.json" --parameters @"azuredeploy.parameters.json" ``` > [!Important]-> To successfully link to the Azure Synapse Analytics workspace, you must have the Owner role in the Azure Synapse Analytics workspace resource. Check your access in the Azure portal. +> To successfully link to the Synapse workspace, you must be granted the **Owner** role of the Synapse workspace. Check your access in the [Azure portal](https://portal.azure.com/). 
> > The linked service will get a system-assigned managed identity (SAI) at creation time. You must assign this link service SAI the "Synapse Apache Spark administrator" role from Synapse Studio, so that it can submit the Spark job (see [How to manage Synapse RBAC role assignments in Synapse Studio](../../synapse-analytics/security/how-to-manage-synapse-rbac-role-assignments.md)). > Once you link your Azure Machine Learning workspace and your Azure Synapse Analy ## Retrieve the link between your Azure Synapse Analytics workspace and your Azure Machine Learning workspace -This code shows hot to retrieve linked services in your workspace: +This code shows how to retrieve linked services in your workspace: ```python from azureml.core import Workspace, LinkedService, SynapseWorkspaceLinkedServiceConfiguration for service in LinkedService.list(ws) : linked_service = LinkedService.get(ws, 'synapselink1') ``` -First, `Workspace.from_config()` accesses your Azure Machine Learning workspace with the configuration in `config.json` (see [Create a workspace configuration file](how-to-configure-environment.md)). Then, the code prints all of the linked services available in the workspace. Finally, `LinkedService.get()` retrieves a linked service named `'synapselink1'`. +First, `Workspace.from_config()` accesses your Azure Machine Learning workspace with the configuration in the `config.json` file. (For more information, visit [Create a workspace configuration file](how-to-configure-environment.md)). Then, the code prints all of the linked services available in the workspace. Finally, `LinkedService.get()` retrieves a linked service named `'synapselink1'`. ## Attach your Apache spark pool as a compute target for Azure Machine Learning -To use your Apache spark pool to power a step in your machine learning pipeline, you must attach it as a `ComputeTarget` for the pipeline step, as shown in this code. 
+To use your Apache spark pool to power a step in your machine learning pipeline, you must attach it as a `ComputeTarget` for the pipeline step, as shown in this code sample: ```python from azureml.core.compute import SynapseCompute, ComputeTarget synapse_compute=ComputeTarget.attach( synapse_compute.wait_for_completion() ``` -The first step configures the `SynapseCompute`. The `linked_service` argument is the `LinkedService` object you created or retrieved in the previous step. The `type` argument must be `SynapseSpark`. The `pool_name` argument in `SynapseCompute.attach_configuration()` must match that of an existing pool in your Azure Synapse Analytics workspace. For more information about creation of an Apache spark pool in the Azure Synapse Analytics workspace, see [Quickstart: Create a serverless Apache Spark pool using Synapse Studio](../../synapse-analytics/quickstart-create-apache-spark-pool-studio.md). The `attach_config` type is `ComputeTargetAttachConfiguration`. +The code first configures the `SynapseCompute`. The `linked_service` argument is the `LinkedService` object you created or retrieved in the previous step. The `type` argument must be `SynapseSpark`. The `pool_name` argument in `SynapseCompute.attach_configuration()` must match that of an existing pool in your Azure Synapse Analytics workspace. For more information about creation of an Apache spark pool in the Azure Synapse Analytics workspace, visit [Quickstart: Create a serverless Apache Spark pool using Synapse Studio](../../synapse-analytics/quickstart-create-apache-spark-pool-studio.md). The `attach_config` type is `ComputeTargetAttachConfiguration`. -After creation of the configuration, create a machine learning `ComputeTarget` by passing in the `Workspace`, `ComputeTargetAttachConfiguration`, and the name by which you'd like to refer to the compute within the machine learning workspace. 
The call to `ComputeTarget.attach()` is asynchronous, so the sample is blocked until the call completes. +After creation of the configuration, create a machine learning `ComputeTarget` by passing in the `Workspace` and `ComputeTargetAttachConfiguration` values, and the name by which you'd like to refer to the compute within the machine learning workspace. The call to `ComputeTarget.attach()` is asynchronous, so the sample is blocked until the call completes. ## Create a `SynapseSparkStep` that uses the linked Apache Spark pool -The sample notebook [Spark job on Apache spark pool](https://github.com/azure/machinelearningnotebooks/blob/master/how-to-use-azureml/azure-synapse/spark_job_on_synapse_spark_pool.ipynb) defines a simple machine learning pipeline. First, the notebook defines a data preparation step, powered by the `synapse_compute` defined in the previous step. Then, the notebook defines a training step powered by a compute target more appropriate for training. The sample notebook uses the Titanic survival database to show data input and output; it doesn't actually clean the data or make a predictive model. Since this sample doesn't really involve training, the training step uses an inexpensive, CPU-based compute resource. +The sample notebook [Spark job on Apache spark pool](https://github.com/azure/machinelearningnotebooks/blob/master/how-to-use-azureml/azure-synapse/spark_job_on_synapse_spark_pool.ipynb) defines a simple machine learning pipeline. First, the notebook defines a data preparation step, powered by the `synapse_compute` defined in the previous step. Then, the notebook defines a training step powered by a compute target more appropriate for training. The sample notebook uses the Titanic survival database to show data input and output. It doesn't actually clean the data or make a predictive model. Since this sample doesn't really involve training, the training step uses an inexpensive, CPU-based compute resource. 
-Data flows into a machine learning pipeline through `DatasetConsumptionConfig` objects, which can hold tabular data or sets of files. The data often comes from files in blob storage in a workspace datastore. This code shows typical code that creates input for a machine learning pipeline: +Data flows into a machine learning pipeline through `DatasetConsumptionConfig` objects, which can hold tabular data or sets of files. The data often comes from files in blob storage in a workspace datastore. This code sample shows typical code that creates input for a machine learning pipeline: ```python from azureml.core import Dataset titanic_file_dataset = Dataset.File.from_files(path=[(datastore, file_name)]) step1_input2 = titanic_file_dataset.as_named_input("file_input").as_hdfs() ``` -That code assumes that the file `Titanic.csv` is in blob storage. The code shows how to read the file as a `TabularDataset` and as a `FileDataset`. This code is for demonstration purposes only, because it would become confusing to duplicate inputs or to interpret a single data source as both a table-containing resource and strictly as a file. +The code sample assumes that the file `Titanic.csv` is in blob storage. The code shows how to read the file both as a `TabularDataset` and as a `FileDataset`. This code is for demonstration purposes only, because it would become confusing to duplicate inputs or to interpret a single data source as both a table-containing resource, and strictly as a file. > [!IMPORTANT]-> To use a `FileDataset` as input, your `azureml-core` version must be at least `1.20.0`. You can specify this with the `Environment` class, as discussed later. --When a step completes, you can choose to store the output data, as shown in this code sample: +> To use a `FileDataset` as input, you need an `azureml-core` version of at least `1.20.0`. You can specify this with the `Environment` class, as discussed later. 
When a step completes, you can store the output data, as shown in this code sample: ```python from azureml.data import HDFSOutputDatasetConfig step1_output = HDFSOutputDatasetConfig(destination=(datastore,"test")).register_on_complete(name="registered_dataset") ``` -Here, the `datastore` would store the data in a file named `test`. The data would be available within the machine learning workspace as a `Dataset` with the name `registered_dataset`. +In this code sample, the `datastore` would store the data in a file named `test`. The data would be available within the machine learning workspace as a `Dataset`, with the name `registered_dataset`. -In addition to data, a pipeline step can have per-step Python dependencies. Individual `SynapseSparkStep` objects can specify their precise Azure Synapse Apache Spark configuration as well. To show this, the following code sample specifies that the `azureml-core` package version must be at least `1.20.0`. As mentioned previously, this requirement for `azureml-core` is needed to use a `FileDataset` as an input. +In addition to data, a pipeline step can have per-step Python dependencies. Additionally, individual `SynapseSparkStep` objects can specify their precise Azure Synapse Apache Spark configuration. To show this, the following code sample specifies that the `azureml-core` package version must be at least `1.20.0`. As mentioned previously, this requirement for the `azureml-core` package is needed to use a `FileDataset` as an input. ```python from azureml.core.environment import Environment step_1 = SynapseSparkStep(name = 'synapse-spark', This code specifies a single step in the Azure Machine Learning pipeline. The `environment` value of this code sets a specific `azureml-core` version, and the code can add other conda or pip dependencies as needed. -The `SynapseSparkStep` zips and uploads the `./code` subdirectory from the local computer. 
That directory is recreated on the compute server, and the step runs the file `dataprep.py` from that directory. The `inputs` and `outputs` of that step are the `step1_input1`, `step1_input2`, and `step1_output` objects discussed earlier. The easiest way to access those values within the `dataprep.py` script is to associate them with named `arguments`. +The `SynapseSparkStep` zips and uploads the `./code` subdirectory from the local computer. That directory is recreated on the compute server, and the step runs the `dataprep.py` script from that directory. The `inputs` and `outputs` of that step are the `step1_input1`, `step1_input2`, and `step1_output` objects discussed earlier. The easiest way to access those values within the `dataprep.py` script is to associate them with named `arguments`. -The next set of arguments to the `SynapseSparkStep` constructor control Apache Spark. The `compute_target` is the `'link1-spark01'` that we attached as a compute target previously. The other parameters specify the memory and cores we'd like to use. +The next set of arguments to the `SynapseSparkStep` constructor controls Apache Spark. The `compute_target` is the `'link1-spark01'` that we attached as a compute target previously. The other parameters specify the memory and cores we'd like to use. The sample notebook uses this code for `dataprep.py`: This "data preparation" script doesn't do any real data transformation, but it s ## Use the `SynapseSparkStep` in a pipeline -The next example uses the output from the `SynapseSparkStep` created in the [previous section](#create-a-synapsesparkstep-that-uses-the-linked-apache-spark-pool). Other steps in the pipeline might have their own unique environments and run on different compute resources appropriate to the task at hand. 
The sample notebook runs the "training step" on a small CPU cluster: +The next example uses the output from the `SynapseSparkStep` created in the [previous section](#create-a-synapsesparkstep-that-uses-the-linked-apache-spark-pool). Other steps in the pipeline might have their own unique environments, and might run on different compute resources appropriate to the task at hand. The sample notebook runs the "training step" on a small CPU cluster: ```python from azureml.core.compute import AmlCompute step_2 = PythonScriptStep(script_name="train.py", allow_reuse=False) ``` -This code creates the new compute resource if necessary. Then, the `step1_output` result is converted to input for the training step. The `as_download()` option means that the data is moved onto the compute resource, resulting in faster access. If the data was so large that it wouldn't fit on the local compute hard drive, you'd need to use the `as_mount()` option to stream the data with the FUSE filesystem. The `compute_target` of this second step is `'cpucluster'`, not the `'link1-spark01'` resource you used in the data preparation step. This step uses a simple program `train.py` instead of the `dataprep.py` you used in the previous step. You can see the details of `train.py` in the sample notebook. +This code creates the new compute resource if necessary. Then, it converts the `step1_output` result to input for the training step. The `as_download()` option means that the data is moved onto the compute resource, resulting in faster access. If the data was so large that it wouldn't fit on the local compute hard drive, you must use the `as_mount()` option to stream the data with the `FUSE` filesystem. The `compute_target` of this second step is `'cpucluster'`, not the `'link1-spark01'` resource you used in the data preparation step. This step uses a simple `train.py` script instead of the `dataprep.py` script you used in the previous step. The sample notebook has details of the `train.py` script. 
After you define all of your steps, you can create and run your pipeline. pipeline = Pipeline(workspace=ws, steps=[step_1, step_2]) pipeline_run = pipeline.submit('synapse-pipeline', regenerate_outputs=True) ``` -This code creates a pipeline consisting of the data preparation step on Apache Spark pools, powered by Azure Synapse Analytics (`step_1`) and the training step (`step_2`). Azure examines the data dependencies between the steps to calculate the execution graph. In this case, there's only a straightforward dependency that `step2_input` necessarily requires `step1_output`. +This code creates a pipeline consisting of the data preparation step on Apache Spark pools, powered by Azure Synapse Analytics (`step_1`) and the training step (`step_2`). Azure examines the data dependencies between the steps to calculate the execution graph. In this case, there's only one straightforward dependency. Here, `step2_input` necessarily requires `step1_output`. The `pipeline.submit` call creates, if necessary, an Experiment named `synapse-pipeline`, and asynchronously starts a Job within it. Individual steps within the pipeline run as Child Jobs of this main job, and the Experiments page of Studio can monitor and review those steps. |
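Review bot: The new sentence after `pipeline.submit('synapse-pipeline', regenerate_outputs=True)` explains the Experiment and Job but leaves `regenerate_outputs=True` unexplained; it forces every step to rerun and discards cached step outputs, which is worth one sentence here since `step_2` is also declared with `allow_reuse=False` and readers will otherwise wonder why nothing is reused. Two smaller points in the same patch: "there's only one straightforward dependency. Here, `step2_input` necessarily requires `step1_output`." reads choppy and would flow better as "there's only one dependency: `step2_input` requires `step1_output`."; and putting FUSE in code formatting (`FUSE` filesystem) is misleading, since FUSE is the name of a filesystem interface rather than an identifier in the sample, so plain "FUSE filesystem" is the right form. Also, `as_download()` copies the data onto the compute's local disk rather than moving it, so "copied" is more accurate than "moved".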
migrate | Tutorial Migrate Aws Virtual Machines | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-migrate-aws-virtual-machines.md | A Mobility service agent must be preinstalled on the source AWS VMs to be migrat - [Install Mobility agent for Windows](../site-recovery/vmware-physical-mobility-service-overview.md#install-the-mobility-service-using-command-prompt-classic) - [Install Mobility agent for Linux](../site-recovery/vmware-physical-mobility-service-overview.md#linux-machine-1) +1. Extract the contents of the installer tarball to a local folder (for example, /tmp/MobSvcInstaller) on the AWS VM, as follows: ++ ``` + mkdir /tmp/MobSvcInstaller + tar -C /tmp/MobSvcInstaller -xvf <Installer tarball> + cd /tmp/MobSvcInstaller + ``` ++1. Run the installer script: ++ ``` + sudo ./install -r MS -v VmWare -q -c CSLegacy + ``` ++1. Register the agent with the replication appliance: ++ ``` + /usr/local/ASR/Vx/bin/UnifiedAgentConfigurator.sh -i <replication appliance IP address> -P <Passphrase File Path> + ``` + ## Enable replication for AWS VMs > [!NOTE] |
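Review bot: The registration step `UnifiedAgentConfigurator.sh -i <replication appliance IP address> -P <Passphrase File Path>` hands the agent a passphrase file but the new steps say nothing about protecting it; since that passphrase is what authenticates the agent to the replication appliance, add a sentence telling readers to create the file with owner-only permissions (for example `chmod 600`) and remove it once registration succeeds, rather than leaving it under `/tmp`. The three added fenced blocks also have no language tag, so they won't get shell highlighting; tag them `bash`. Finally, the steps are introduced with "as follows" for the extract step but the install and register steps have no lead-in explaining what they do, so a short clause on each (what `-r MS -v VmWare -q -c CSLegacy` selects, and what registration achieves) would help readers who copy the commands without understanding them.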
migrate | Tutorial Migrate Vmware | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-migrate-vmware.md | Enable replication as follows: ## Track and monitor 1. Track job status in the portal notifications.-2. Monitor replication status by clicking on **Replicating servers** in **Migration and modernization**. +2. Monitor replication status by clicking on the numerical value next to **Azure VM** in **Migration and modernization**. ![Monitor replication](./media/tutorial-migrate-vmware/replicating-servers.png) When delta replication begins, you can run a test migration for the VMs, before Do a test migration as follows: -1. In **Migration goals** > **Servers, databases and web apps** > **Migration and modernization**, select **Test migrated servers**. +1. In **Migration goals** > **Servers, databases and web apps** > **Migration and modernization**, select the numerical value next to **Azure VM**. :::image type="content" source="./media/tutorial-migrate-vmware/test-migrated-servers.png" alt-text="Screenshot of Test migrated servers."::: Do a test migration as follows: After you've verified that the test migration works as expected, you can migrate the on-premises machines. -1. In the Azure Migrate project > **Servers, databases and web apps** > **Migration and modernization**, select **Replicating servers**. +1. In the Azure Migrate project > **Servers, databases and web apps** > **Migration and modernization**, select numerical value next to **Azure VM**. ![Replicating servers](./media/tutorial-migrate-vmware/replicate-servers.png) |
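Review bot: The third changed step drops the article and reads "select numerical value next to **Azure VM**"; make it "select the numerical value next to **Azure VM**" to match the two preceding edits. More importantly, the screenshots that follow each changed step still show the old UI text (`replicating-servers.png` with alt text "Monitor replication", and "Screenshot of Test migrated servers."), so the instruction and the image no longer agree; either recapture the screenshots or update the alt text so readers aren't told to click something the picture doesn't show.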
mysql | Concepts Maintenance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/concepts-maintenance.md | Be aware of the following when using this feature: - **Demand Constraints:** Your rescheduled maintenance might be canceled due to a high number of maintenance activities occurring simultaneously in the same region. - **Lock-in Period:** Rescheduling is unavailable 15 minutes prior to the initially scheduled maintenance time to maintain the reliability of the service. +There's no limitation on how many times a maintenance can be rescheduled, as long as the maintenance hasn't entered into the "In preparation" state, you can always reschedule your maintenance to another time. + > [!NOTE] > We recommend monitoring notifications closely during the preview stage to accommodate potential adjustments. |
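Review bot: The added sentence is a comma splice and should be two sentences, for example: "There's no limit on how many times you can reschedule maintenance. As long as the maintenance hasn't entered the "In preparation" state, you can reschedule it to another time." It also needs reconciling with the "Lock-in Period" bullet directly above it, which says rescheduling is unavailable 15 minutes before the scheduled time; say whether "In preparation" is that same 15-minute window, otherwise the two statements read as conflicting constraints.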
mysql | How To Maintenance Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/how-to-maintenance-portal.md | Be aware of the following when using this feature: - **Demand Constraints:** Your rescheduled maintenance might be canceled due to a high number of maintenance activities occurring simultaneously in the same region. - **Lock-in Period:** Rescheduling is unavailable 15 minutes prior to the initially scheduled maintenance time to maintain the reliability of the service. +There's no limitation on how many times a maintenance can be rescheduled, as long as the maintenance hasn't entered into the "In preparation" state, you can always reschedule your maintenance to another time. + ## Notifications about scheduled maintenance events You can use Azure Service Health to [view notifications](../../service-health/service-notifications.md) about upcoming and performed scheduled maintenance on your Azure Database for MySQL flexible server instance. You can also [set up](../../service-health/resource-health-alert-monitor-guide.md) alerts in Azure Service Health to get notifications about maintenance events. |
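Review bot: Same comma splice as the identical sentence added to concepts-maintenance.md: split it into two sentences ("There's no limit on how many times you can reschedule maintenance. As long as ... you can reschedule it to another time.") and state how the "In preparation" state relates to the 15-minute lock-in period listed just above. Since the wording is duplicated verbatim across both articles, consider an include file so the two don't drift apart when one is edited.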
network-watcher | Connection Monitor Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/connection-monitor-overview.md | Last updated 10/31/2023 # Connection monitor overview > [!IMPORTANT]-> As of July 1, 2021, you can no longer add new tests in an existing workspace or enable a new workspace in Network Performance Monitor (NPM). You're also no longer able to add new connection monitors in Connection Monitor (Classic). You can continue to use the tests and connection monitors that you've created prior to July 1, 2021. +> As of July 1, 2021, you can no longer add new tests in an existing workspace or enable a new workspace in Network Performance Monitor (NPM). You're also no longer able to add new connection monitors in Connection monitor (Classic). You can continue to use the tests and connection monitors that you've created prior to July 1, 2021. > -> To minimize service disruption to your current workloads, [migrate your tests from Network Performance Monitor](migrate-to-connection-monitor-from-network-performance-monitor.md), or [migrate from Connection Monitor (Classic)](migrate-to-connection-monitor-from-connection-monitor-classic.md) to the new Connection Monitor in Azure Network Watcher before February 29, 2024. +> To minimize service disruption to your current workloads, [migrate your tests from Network Performance Monitor](migrate-to-connection-monitor-from-network-performance-monitor.md), or [migrate from Connection monitor (Classic)](migrate-to-connection-monitor-from-connection-monitor-classic.md) to the new Connection monitor in Azure Network Watcher before February 29, 2024. -Connection Monitor provides unified, end-to-end connection monitoring in Azure Network Watcher. The Connection Monitor feature supports hybrid and Azure cloud deployments. Network Watcher provides tools to monitor, diagnose, and view connectivity-related metrics for your Azure deployments. 
+Connection monitor provides unified, end-to-end connection monitoring in Network Watcher. The Connection monitor feature supports hybrid and Azure cloud deployments. Network Watcher provides tools to monitor, diagnose, and view connectivity-related metrics for your Azure deployments. -Here are some use cases for Connection Monitor: +Here are some use cases for Connection monitor: - Your front-end web server virtual machine (VM) or virtual machine scale set communicates with a database server VM in a multi-tier application. You want to check network connectivity between the two VM/or scale sets. - You want VMs/scale sets in, for example, the East US region to ping VMs/scale sets in the Central US region, and you want to compare cross-region network latencies. Here are some use cases for Connection Monitor: - You want to check the connectivity between your on-premises setups and the Azure VMs/virtual machine scale sets that host your cloud application. - You want to check the connectivity from single or multiple instances of an Azure Virtual Machine Scale Set to your Azure or Non-Azure multi-tier application. -Here are some benefits of Connection Monitor: +Here are some benefits of Connection monitor: * Unified, intuitive experience for Azure and hybrid monitoring needs * Cross-region, cross-workspace connectivity monitoring Here are some benefits of Connection Monitor: * Support for connectivity checks that are based on HTTP, Transmission Control Protocol (TCP), and Internet Control Message Protocol (ICMP) * Metrics and Log Analytics support for both Azure and non-Azure test setups -To start using Connection Monitor for monitoring, follow these steps: +To start using Connection monitor for monitoring, follow these steps: 1. [Install monitoring agents](#install-monitoring-agents). 1. [Enable Network Watcher on your subscription](#enable-network-watcher-on-your-subscription). The following sections provide details for these steps. 
## Install monitoring agents > [!NOTE]- > Connection Monitor now supports auto enablement of monitoring extensions for Azure & Non-Azure endpoints, thus eliminating the need for manual installation of monitoring solutions during the creation of Connection Monitor. + > Connection monitor now supports auto enablement of monitoring extensions for Azure & Non-Azure endpoints, thus eliminating the need for manual installation of monitoring solutions during the creation of Connection monitor. -Connection Monitor relies on lightweight executable files to run connectivity checks. It supports connectivity checks from both Azure environments and on-premises environments. The executable file that you use depends on whether your VM is hosted on Azure or on-premises. +Connection monitor relies on lightweight executable files to run connectivity checks. It supports connectivity checks from both Azure environments and on-premises environments. The executable file that you use depends on whether your VM is hosted on Azure or on-premises. -### Agents for Azure Virtual Machines and virtual machine scale sets +### Agents for Azure virtual machines and virtual machine scale sets -To make Connection Monitor recognize your Azure VMs or virtual machine scale sets as monitoring sources, install the Network Watcher Agent virtual machine extension on them. This extension is also known as the *Network Watcher extension*. Azure Virtual Machines and scale sets require the extension to trigger end-to-end monitoring and other advanced functionality. +To make Connection monitor recognize your Azure VMs or virtual machine scale sets as monitoring sources, install the Network Watcher Agent virtual machine extension on them. This extension is also known as the *Network Watcher extension*. Azure virtual machines and scale sets require the extension to trigger end-to-end monitoring and other advanced functionality. 
You can install the Network Watcher extension when you create a virtual machine or a scale set. You can also separately install, configure, and troubleshoot the Network Watcher extension for [Linux](../virtual-machines/extensions/network-watcher-linux.md) and [Windows](../virtual-machines/extensions/network-watcher-windows.md). -Rules for a network security group (NSG) or firewall can block communication between the source and destination. Connection Monitor detects this issue and shows it as a diagnostics message in the topology. To enable connection monitoring, ensure that the NSG and firewall rules allow packets over TCP or ICMP between the source and destination. +Rules for a network security group (NSG) or firewall can block communication between the source and destination. Connection monitor detects this issue and shows it as a diagnostics message in the topology. To enable connection monitoring, ensure that the NSG and firewall rules allow packets over TCP or ICMP between the source and destination. -If you wish to escape the installation process for enabling the Network Watcher extension, you can proceed with the creation of Connection Monitor and allow auto enablement of Network Watcher extensions on your Azure VMs and scale sets. +If you wish to escape the installation process for enabling the Network Watcher extension, you can proceed with the creation of Connection monitor and allow auto enablement of Network Watcher extensions on your Azure VMs and scale sets. > [!NOTE] > If the Automatic Extension Upgrade isn't enabled on the virtual machine scale sets, then you have to manually upgrade the Network Watcher extension whenever a new version is released. > -> As Connection Monitor now supports unified auto enablement of monitoring extensions, user can consent to auto upgrade of the virtual machine scale set with auto enablement of Network Watcher extension during the creation of Connection Monitor for virtual machine scale sets with manual upgrade. 
+> As Connection monitor now supports unified auto enablement of monitoring extensions, user can consent to auto upgrade of the virtual machine scale set with auto enablement of Network Watcher extension during the creation of Connection monitor for virtual machine scale sets with manual upgrade. ### Agents for on-premises machines -To make Connection Monitor recognize your on-premises machines as sources for monitoring, install the Log Analytics agent on the machines. Then, enable the [Network Performance Monitor solution](../network-watcher/connection-monitor-overview.md#enable-the-network-performance-monitor-solution-for-on-premises-machines). These agents are linked to Log Analytics workspaces, so you need to set up the workspace ID and primary key before the agents can start monitoring. +To make Connection monitor recognize your on-premises machines as sources for monitoring, install the Log Analytics agent on the machines. Then, enable the [Network Performance Monitor solution](../network-watcher/connection-monitor-overview.md#enable-the-network-performance-monitor-solution-for-on-premises-machines). These agents are linked to Log Analytics workspaces, so you need to set up the workspace ID and primary key before the agents can start monitoring. To install the Log Analytics agent for Windows machines, see [Install Log Analytics agent on Windows](../azure-monitor/agents/agent-windows.md). The Log Analytics Windows agent can be multi-homed to send data to multiple work #### Enable the Network Performance Monitor solution for on-premises machines -To enable the Network Performance Monitor solution for on-premises machines, do the following: +To enable the Network Performance Monitor solution for on-premises machines, follow these steps: 1. In the Azure portal, go to **Network Watcher**. 1. On the left pane, under **Monitoring**, select **Network Performance Monitor**. 
To enable the Network Performance Monitor solution for on-premises machines, do Unlike Log Analytics agents, the Network Performance Monitor solution can be configured to send data only to a single Log Analytics workspace. -If you wish to escape the installation process for enabling the Network Watcher extension, you can proceed with the creation of Connection Monitor and allow auto enablement of monitoring solution on your on-premises machines. +If you wish to escape the installation process for enabling the Network Watcher extension, you can proceed with the creation of Connection monitor and allow auto enablement of monitoring solution on your on-premises machines. ## Enable Network Watcher on your subscription Make sure that Network Watcher is [available for your region](https://azure.micr ## Create a connection monitor -Connection Monitor monitors communication at regular intervals. It informs you of changes in reachability and latency. You can also check the current and historical network topology between source agents and destination endpoints. +Connection monitor monitors communication at regular intervals. It informs you of changes in reachability and latency. You can also check the current and historical network topology between source agents and destination endpoints. Sources can be Azure VMs/ scale sets or on-premises machines that have an installed monitoring agent. Destination endpoints can be Microsoft 365 URLs, Dynamics 365 URLs, custom URLs, Azure VM resource IDs, IPv4, IPv6, FQDN, or any domain name. -### Access Connection Monitor +### Access Connection monitor 1. In the Azure portal, go to **Network Watcher**.-1. On the left pane, under **Monitoring**, select **Connection Monitor**. +1. On the left pane, under **Monitoring**, select **Connection monitor**. - All the connection monitors that were created in Connection Monitor are displayed. 
To view the connection monitors that were created in the classic experience of Connection Monitor, select the **Connection Monitor** tab. + All the connection monitors that were created in Connection monitor are displayed. To view the connection monitors that were created in the classic experience of Connection monitor, select the **Connection monitor** tab. - :::image type="content" source="./media/connection-monitor-2-preview/cm-resource-view.png" alt-text="Screenshot showing the connection monitors that were created in Connection Monitor." lightbox="./media/connection-monitor-2-preview/cm-resource-view.png"::: + :::image type="content" source="./media/connection-monitor-2-preview/cm-resource-view.png" alt-text="Screenshot showing the connection monitors that were created in Connection monitor." lightbox="./media/connection-monitor-2-preview/cm-resource-view.png"::: ### Create a connection monitor -In connection monitors that you create in Connection Monitor, you can add both on-premises machines and Azure VMs/ scale sets as sources. These connection monitors can also monitor connectivity to endpoints. The endpoints can be on Azure or any other URL or IP address. +In connection monitors that you create in Connection monitor, you can add both on-premises machines and Azure VMs/ scale sets as sources. These connection monitors can also monitor connectivity to endpoints. The endpoints can be on Azure or any other URL or IP address. -Connection Monitor includes the following entities: +Connection monitor includes the following entities: * **Connection monitor resource**: A region-specific Azure resource. All the following entities are properties of a connection monitor resource. * **Endpoint**: A source or destination that participates in connectivity checks. Examples of endpoints include Azure VMs/ scale sets, on-premises agents, URLs, and IP addresses. 
Connection monitors have the following scale limits: * Maximum sources and destinations per connection monitor: 100 * Maximum test configurations per connection monitor: 20 -Monitoring coverage for Azure and Non Azure Resources: +Monitoring coverage for Azure and Non-Azure Resources: -Connection Monitor now provides 5 different coverage levels for monitoring compound resources i.e. VNets, SubNets, and virtual machine scale sets. The coverage level is defined as the % of instances of a compound resource actually included in monitoring those resources as sources or destinations. -Users can manually select a coverage level from Low, Below Average, Average, Above Average, and Full to define an approximate % of instances to be included in monitoring the particular resource as an endpoint +Connection monitor provides five different coverage levels for monitoring compound resources, that is, virtual networks, subnets, and scale sets. The coverage level is defined as the % of instances of a compound resource actually included in monitoring those resources as sources or destinations. +Users can manually select a coverage level from Low, Below Average, Average, Above Average, and Full to define an approximate % of instances to be included in monitoring the particular resource as an endpoint. ## Analyze monitoring data and set alerts After you create a connection monitor, sources check connectivity to destinations based on your test configuration. -While monitoring endpoints, Connection Monitor re-evaluates the status of endpoints once every 24 hours. Hence, in case a VM gets deallocated or is turned-off during a 24-hour cycle, Connection Monitor would report an indeterminate state due to absence of data in the network path till the end of the 24-hour cycle before re-evaluating the status of the VM and reporting the VM status as deallocated. +While monitoring endpoints, Connection monitor reevaluates the status of endpoints once every 24 hours. 
Hence, in case a VM gets deallocated or is turned-off during a 24-hour cycle, Connection monitor would report an indeterminate state due to absence of data in the network path until the end of the 24-hour cycle before reevaluating the status of the VM and reporting the VM status as deallocated. > [!NOTE]- > In case of monitoring an Azure Virtual Machine Scale Set, instances of a particular scale set selected for monitoring (either by the user or picked up by default as part of the coverage level selected) might get deallocated or scaled down in the middle of the 24-hour cycle. In this particular time period, Connection Monitor will not be able to recognize this action and thus end-up reporting an indeterminate state due to the absence of data. - > Users are advised to allow random selection of virtual machine scale sets instances within coverage levels instead of selecting particular instances of scale sets for monitoring, to minimize the risks of non-discoverability of deallocated or scaled down virtual machine scale sets instances in a 24 hours cycle and lead to an indeterminate state of connection monitor. + > In case of monitoring a Virtual Machine Scale Set, instances of a particular scale set selected for monitoring (either by the user or picked up by default as part of the coverage level selected) might get deallocated or scaled down in the middle of the 24-hour cycle. In this particular time period, Connection monitor will not be able to recognize this action and thus end-up reporting an indeterminate state due to the absence of data. + > Users are advised to allow random selection of virtual machine scale sets instances within coverage levels instead of selecting particular instances of scale sets for monitoring, to minimize the risks of non-discoverability of deallocated or scaled down virtual machine scale sets instances in a 24-hour cycle and lead to an indeterminate state of connection monitor. 
### Checks in a test -Depending on the protocol that you select in the test configuration, Connection Monitor runs a series of checks for the source-destination pair. The checks run according to the test frequency that you select. +Depending on the protocol that you select in the test configuration, Connection monitor runs a series of checks for the source-destination pair. The checks run according to the test frequency that you select. If you use HTTP, the service calculates the number of HTTP responses that returned a valid response code. You can set valid response codes by using PowerShell and Azure CLI. The result determines the percentage of failed checks. To calculate RTT, the service measures the time between an HTTP call and the response. -If you use TCP or ICMP, the service calculates the packet-loss percentage to determine the percentage of failed checks. To calculate RTT, the service measures the time taken to receive the acknowledgment (ACK) for the packets that were sent. If you've enabled traceroute data for your network tests, you can view the hop-by-hop loss and latency for your on-premises network. +If you use TCP or ICMP, the service calculates the packet-loss percentage to determine the percentage of failed checks. To calculate RTT, the service measures the time taken to receive the acknowledgment (ACK) for the packets that were sent. If you enabled traceroute data for your network tests, you can view the hop-by-hop loss and latency for your on-premises network. ### States of a test Depending on the data that the checks return, tests can have the following state * **Pass**: Actual values for the percentage of failed checks and RTT are within the specified thresholds. * **Fail**: Actual values for the percentage of failed checks or RTT exceeded the specified thresholds. If no threshold is specified, a test reaches the *Fail* state when the percentage of failed checks is 100. 
* **Warning**: - * If a threshold is specified and Connection Monitor observes a checks-failed percentage that's more than 80 percent of the threshold, the test is marked as *Warning*. - * In the absence of specified thresholds, Connection Monitor automatically assigns a threshold. When that threshold is exceeded, the test status changes to *Warning*. For round-trip time in TCP or ICMP tests, the threshold is 750 milliseconds (ms). For the checks-failed percentage, the threshold is 10 percent. + * If a threshold is specified and Connection monitor observes a checks-failed percentage that's more than 80 percent of the threshold, the test is marked as *Warning*. + * In the absence of specified thresholds, Connection monitor automatically assigns a threshold. When that threshold is exceeded, the test status changes to *Warning*. For round-trip time in TCP or ICMP tests, the threshold is 750 milliseconds (ms). For the checks-failed percentage, the threshold is 10 percent. * **Indeterminate**: No data in the Log Analytics workspace. Check the metrics. * **Not Running**: Disabled by disabling the test group.  ### Data collection, analysis, and alerts -The data that Connection Monitor collects is stored in the Log Analytics workspace. You set up this workspace when you created the connection monitor. +The data that Connection monitor collects is stored in the Log Analytics workspace. You set up this workspace when you created the connection monitor. Monitoring data is also available in Azure Monitor Metrics. You can use Log Analytics to keep your monitoring data for as long as you want. Azure Monitor stores metrics for only 30 days by default. You can [set metric-based alerts on the data](https://azure.microsoft.com/blog/m On the monitoring dashboards, you can view a list of the connection monitors that you can access for your subscriptions, regions, time stamps, sources, and destination types. 
-When you go to Connection Monitor from Network Watcher, you can view data by: +When you go to Connection monitor from Network Watcher, you can view data by: * **Connection monitor**: A list of all connection monitors that were created for your subscriptions, regions, time stamps, sources, and destination types. This view is the default. * **Test groups**: A list of all test groups that were created for your subscriptions, regions, time stamps, sources, and destination types. These test groups aren't filtered by connection monitors. On the dashboard, you can expand each connection monitor to view its test groups You can filter a list based on: -* **Top-level filters**: Search the list by text, entity type (Connection Monitor, test group, or test) timestamp, and scope. Scope includes subscriptions, regions, sources, and destination types. See box 1 in the following image. +* **Top-level filters**: Search the list by text, entity type (Connection monitor, test group, or test) timestamp, and scope. Scope includes subscriptions, regions, sources, and destination types. See box 1 in the following image. * **State-based filters**: Filter by the state of the connection monitor, test group, or test. See box 2 in the following image. * **Alert-based filter**: Filter by alerts that are fired on the connection monitor resource. See box 3 in the following image. - :::image type="content" source="./media/connection-monitor-2-preview/cm-view.png" alt-text="Screenshot showing how to filter views of connection monitors, test groups, and tests in Connection Monitor." lightbox="./media/connection-monitor-2-preview/cm-view.png"::: + :::image type="content" source="./media/connection-monitor-2-preview/cm-view.png" alt-text="Screenshot showing how to filter views of connection monitors, test groups, and tests in Connection monitor." 
lightbox="./media/connection-monitor-2-preview/cm-view.png"::: -For example, to view all tests in Connection Monitor, where the source IP is 10.192.64.56, do the following: +For example, to view all tests in Connection monitor, where the source IP is 10.192.64.56, follow these steps: 1. Change the view to **Test**. 1. In the **Search** box, enter **10.192.64.56**. 1. Under **Scope**, in the top-level filter, select **Sources**. -To show only failed tests in Connection Monitor, where the source IP is 10.192.64.56, do the following: +To show only failed tests in Connection monitor, where the source IP is 10.192.64.56, follow these steps: 1. Change the view to **Test**. 1. For the state-based filter, select **Fail**. 1. In the **Search** box, enter **10.192.64.56**. 1. Under **Scope**, in the top-level filter, select **Sources**. -To show only failed tests in Connection Monitor, where the destination is outlook.office365.com, do the following: +To show only failed tests in Connection monitor, where the destination is outlook.office365.com, follow these steps: 1. Change the view to **Test**. 1. For the state-based filter, select **Fail**. 1. In the **Search** box, enter **office.live.com**. To view the trends in RTT and the percentage of failed checks for a connection m * Select a test group, test configuration, source, or destination to view all tests in the entity. -To view the trends in RTT and the percentage of failed checks for a test group, do the following: +To view the trends in RTT and the percentage of failed checks for a test group, select the test group that you want to investigate. -* Select the test group that you want to investigate. +You can view and navigate between them as you would in the connection monitor: essentials, summary, table for test groups, sources, destinations, and test configurations. 
- You can view and navigate between them as you would in the connection monitor: essentials, summary, table for test groups, sources, destinations, and test configurations. --To view the trends in RTT and the percentage of failed checks for a test, do the following: +To view the trends in RTT and the percentage of failed checks for a test, follow these steps: 1. Select the test that you want to investigate. You can view the network topology and the end-to-end trend charts for checks-failed percentage and round-trip time. To view the trends in RTT and the percentage of failed checks for a test, do the Use Log Analytics to create custom views of your monitoring data. All displayed data is from Log Analytics. You can interactively analyze data in the repository. Correlate the data from Agent Health or other solutions that are based on Log Analytics. Export the data to Excel or Power BI, or create a shareable link. -#### Network topology in Connection Monitor +#### Network topology in Connection monitor -You usually build Connection Monitor topology by using the result of a traceroute command that's performed by the agent. The traceroute command basically gets all the hops from source to destination. +You usually build Connection monitor topology by using the result of a traceroute command that's performed by the agent. The traceroute command basically gets all the hops from source to destination. However, in instances where either the source or destination lies within Azure boundaries, you build the topology by merging the results of two distinct operations. The first operation is the result of the traceroute command. The second operation is the result of an internal command that identifies a logical route based on (customer) network configuration within Azure boundaries. This internal command is similar to the Network Watcher next hop diagnostics tool. 
Because the second operation is logical and the first operation doesn't usually #### Metrics in Azure Monitor -In connection monitors that were created before the Connection Monitor experience, all four metrics are available: % Probes Failed, AverageRoundtripMs, ChecksFailedPercent, and RoundTripTimeMs. +In connection monitors that were created before the Connection monitor experience, all four metrics are available: % Probes Failed, AverageRoundtripMs, ChecksFailedPercent, and RoundTripTimeMs. -In connection monitors that were created in the Connection Monitor experience, data is available only for ChecksFailedPercent, RoundTripTimeMs, and Test Result metrics. +In connection monitors that were created in the Connection monitor experience, data is available only for ChecksFailedPercent, RoundTripTimeMs, and Test Result metrics. -Metrics are generated according to monitoring frequency, and they describe aspects of a connection monitor at a particular time. Connection Monitor metrics also have multiple dimensions, such as SourceName, DestinationName, TestConfiguration, and TestGroup. You can use these dimensions to visualize specific data and target it while defining alerts. +Metrics are generated according to monitoring frequency, and they describe aspects of a connection monitor at a particular time. Connection monitor metrics also have multiple dimensions, such as SourceName, DestinationName, TestConfiguration, and TestGroup. You can use these dimensions to visualize specific data and target it while defining alerts. -Azure metrics currently allow a minimum granularity of 1 minute. If the frequency is less than 1 minute, aggregated results will be displayed. +Azure metrics currently allow a minimum granularity of 1 minute. If the frequency is less than 1 minute, aggregated results are displayed. - :::image type="content" source="./media/connection-monitor-2-preview/monitor-metrics.png" alt-text="Screenshot showing metrics in Connection Monitor." 
lightbox="./media/connection-monitor-2-preview/monitor-metrics.png"::: + :::image type="content" source="./media/connection-monitor-2-preview/monitor-metrics.png" alt-text="Screenshot showing metrics in Connection monitor." lightbox="./media/connection-monitor-2-preview/monitor-metrics.png"::: When you use metrics, set the resource type as **Microsoft.Network/networkWatchers/connectionMonitors**. | Metric | Display name | Unit | Aggregation type | Description | Dimensions | | | | | | | |-| ProbesFailedPercent (classic) | % Probes Failed (classic) | Percentage | Average | Percentage of connectivity monitoring probes failed.<br>This metric is available only for Connection Monitor (Classic). | No dimensions | -| AverageRoundtripMs (classic) | Avg. round-trip time (ms) (classic) | Milliseconds | Average | Average network RTT for connectivity monitoring probes sent between source and destination.<br>This metric is available only for Connection Monitor (Classic). | No dimensions | +| ProbesFailedPercent (classic) | % Probes Failed (classic) | Percentage | Average | Percentage of connectivity monitoring probes failed.<br>This metric is available only for Connection monitor (Classic). | No dimensions | +| AverageRoundtripMs (classic) | Avg. round-trip time (ms) (classic) | Milliseconds | Average | Average network RTT for connectivity monitoring probes sent between source and destination.<br>This metric is available only for Connection monitor (Classic). | No dimensions | | ChecksFailedPercent | % Checks Failed | Percentage | Average | Percentage of failed checks for a test. 
| ConnectionMonitorResourceId <br>SourceAddress <br>SourceName <br>SourceResourceId <br>SourceType <br>Protocol <br>DestinationAddress <br>DestinationName <br>DestinationResourceId <br>DestinationType <br>DestinationPort <br>TestGroupName <br>TestConfigurationName <br>Region <br>SourceIP <br>DestinationIP <br>SourceSubnet <br>DestinationSubnet | | RoundTripTimeMs | Round-trip time (ms) | Milliseconds | Average | RTT for checks sent between source and destination. This value isn't averaged. | ConnectionMonitorResourceId <br>SourceAddress <br>SourceName <br>SourceResourceId <br>SourceType <br>Protocol <br>DestinationAddress <br>DestinationName <br>DestinationResourceId <br>DestinationType <br>DestinationPort <br>TestGroupName <br>TestConfigurationName <br>Region <br>SourceIP <br>DestinationIP <br>SourceSubnet <br>DestinationSubnet | | TestResult | Test Result | Count | Average | Connection monitor test results. <br>Interpretation of result values: <br>0- Indeterminate <br>1- Pass <br>2- Warning <br>3- Fail| SourceAddress <br>SourceName <br>SourceResourceId <br>SourceType <br>Protocol <br>DestinationAddress <br>DestinationName <br>DestinationResourceId <br>DestinationType <br>DestinationPort <br>TestGroupName <br>TestConfigurationName <br>SourceIP <br>DestinationIP <br>SourceSubnet <br>DestinationSubnet | -#### Metric-based alerts for Connection Monitor +#### Metric-based alerts for Connection monitor You can create metric alerts on connection monitors by using the following methods: -* From Connection Monitor, create metric alerts during the creation of connection monitors by using [the Azure portal](connection-monitor-preview-create-using-portal.md#). -* From Connection Monitor, create metric alerts by using **Configure Alerts** in the dashboard. 
-* From Azure Monitor, create metric alerts by doing the following: +* From Connection monitor, create metric alerts during the creation of connection monitors using [the Azure portal](connection-monitor-preview-create-using-portal.md#). +* From Connection monitor, create metric alerts by using **Configure Alerts** in the dashboard. +* From Azure monitor, create metric alerts by following these steps: - 1. Select the connection monitor resource that you created in Connection Monitor. + 1. Select the connection monitor resource that you created in Connection monitor. 1. Ensure that **Metric** is selected as the signal type for the connection monitor. 1. In **Add Condition**, for the **Signal Name**, select **ChecksFailedPercent** or **RoundTripTimeMs**. 1. For **Signal Type**, select **Metrics**. For example, select **ChecksFailedPercent**. You can create metric alerts on connection monitors by using the following metho 1. In **Alert Logic**, enter the following values: * **Condition Type**: **Static**. * **Condition** and **Threshold**.- * **Aggregation Granularity and Frequency of Evaluation**: Connection Monitor updates data every minute. + * **Aggregation Granularity and Frequency of Evaluation**: Connection monitor updates data every minute. 1. In **Actions**, select your action group. 1. Provide alert details. 1. Create the alert rule. You can create metric alerts on connection monitors by using the following metho ## Diagnose issues in your network -Connection Monitor helps you diagnose issues in your connection monitor and your network. Issues in your hybrid network are detected by the Log Analytics agents that you installed earlier. Issues in Azure are detected by the Network Watcher extension. +Connection monitor helps you diagnose issues in your connection monitor and your network. Issues in your hybrid network are detected by the Log Analytics agents that you installed earlier. Issues in Azure are detected by the Network Watcher extension. 
You can view issues in the Azure network in the network topology. For networks whose sources are Azure VMs, the following issues can be detected: * Agent stopped. * Failed DNS resolution. * No application or listener listening on the destination port.- * Socket could not be opened. + * Socket couldn't be opened. * VM state issues: * Starting * Stopping For networks whose sources are Azure VMs, the following issues can be detected: * No peering info was found. > [!NOTE]- > If there are two connected gateways and one of them isn't in the same region as the source endpoint, Connection Monitor identifies it as a 'no route learned' for the topology view. Connectivity is unaffected. This is a known issue, and we're in the process of fixing it. + > If there are two connected gateways and one of them isn't in the same region as the source endpoint, Connection monitor identifies it as a 'no route learned' for the topology view. Connectivity is unaffected. This is a known issue, and we're in the process of fixing it. * The route was missing in Microsoft Edge. * Traffic stopped because of system routes or user-defined route (UDR). For networks whose sources are Azure VMs, the following issues can be detected: ## Compare Azure connectivity-monitoring support types -You can migrate tests from Network Performance Monitor and Connection Monitor (Classic) to the latest Connection Monitor with a single click and with zero downtime. +You can migrate tests from Network Performance Monitor and Connection monitor (Classic) to the latest Connection monitor with a single click and with zero downtime. The migration helps produce the following results: * Agents and firewall settings work as is. No changes are required. -* Existing connection monitors are mapped to Connection Monitor > Test Group > Test format. 
By selecting **Edit**, you can view and modify the properties of the latest Connection Monitor, download a template to make changes to Connection Monitor, and submit it via Azure Resource Manager. -* Azure Virtual Machines with the Network Watcher extension send data to both the workspace and the metrics. Connection Monitor makes the data available through the new metrics (ChecksFailedPercent and RoundTripTimeMs) instead of the old metrics (ProbesFailedPercent and AverageRoundtripMs). The old metrics will get migrated to new metrics as ProbesFailedPercent > ChecksFailedPercent and AverageRoundtripMs > RoundTripTimeMs. +* Existing connection monitors are mapped to Connection monitor > Test Group > Test format. By selecting **Edit**, you can view and modify the properties of the latest Connection monitor, download a template to make changes to Connection monitor, and submit it via Azure Resource Manager. +* Azure virtual machines with the Network Watcher extension send data to both the workspace and the metrics. Connection monitor makes the data available through the new metrics (ChecksFailedPercent and RoundTripTimeMs) instead of the old metrics (ProbesFailedPercent and AverageRoundtripMs). The old metrics get migrated to new metrics as ProbesFailedPercent > ChecksFailedPercent and AverageRoundtripMs > RoundTripTimeMs. * Data monitoring: * **Alerts**: Migrated automatically to the new metrics. * **Dashboards and integrations**: Requires manual editing of the metrics set. -There are several reasons to migrate from Network Performance Monitor and Connection Monitor (Classic) to Connection Monitor. The following table lists a few use cases that show how the latest Connection Monitor performs against Network Performance Monitor and Connection Monitor (Classic). +There are several reasons to migrate from Network Performance Monitor and Connection monitor (Classic) to Connection monitor. 
The following table lists a few use cases that show how the latest Connection monitor performs against Network Performance Monitor and Connection monitor (Classic). -| Feature | Network Performance Monitor | Connection Monitor (Classic) | Connection Monitor | +| Feature | Network Performance Monitor | Connection monitor (Classic) | Connection monitor | | - | | -- | | | Unified experience for Azure and hybrid monitoring | Not available | Not available | Available | | Cross-subscription, cross-region, and cross-workspace monitoring | Allows cross-subscription and cross-region monitoring, but doesn’t allow cross-workspace monitoring. | Not available | Allows cross-subscription and cross-workspace monitoring; cross-workspaces have a regional boundary. | | Centralized workspace support | Not available | Not available | Available |-| Multiple sources can ping multiple destinations | Performance monitoring allows multiple sources to ping multiple destinations. Service connectivity monitoring allows multiple sources to ping a single service or URL. Express Route allows multiple sources to ping multiple destinations. | Not available | Available | +| Multiple sources can ping multiple destinations | Performance monitoring allows multiple sources to ping multiple destinations. Service connectivity monitoring allows multiple sources to ping a single service or URL. ExpressRoute allows multiple sources to ping multiple destinations. | Not available | Available | | Unified topology across on-premises, internet hops, and Azure | Not available | Not available | Available | | HTTP status code checks | Not available | Not available | Available | | Connectivity diagnostics | Not available | Available | Available |-| Compound resources - Virtual networks, subnets, and on-premises custom networks | Performance monitoring supports subnets, on-premises networks, and logical network groups. 
Service connectivity monitoring and Express Route support only on-premises and cross-workspace monitoring. | Not available | Available | +| Compound resources - Virtual networks, subnets, and on-premises custom networks | Performance monitoring supports subnets, on-premises networks, and logical network groups. Service connectivity monitoring and ExpressRoute support only on-premises and cross-workspace monitoring. | Not available | Available | | Connectivity metrics and dimensions measurements | Not available | Loss, latency, and RTT. | Available | | Automation – PowerShell, the Azure CLI, Terraform | Not available | Available | Available |-| Support for Linux | Performance monitoring supports Linux. Service Connectivity Monitor and Express Route do not support Linux. | Available | Available | +| Support for Linux | Performance monitoring supports Linux. Service Connectivity Monitor and ExpressRoute don't support Linux. | Available | Available | | Support for public, government, Mooncake, and air-gapped cloud | Available | Available | Available| ## Related content - To learn how to create a connection monitor, see [Monitor network communication between two virtual machines using the Azure portal](monitor-vm-communication.md). - To find answers to the most frequently asked questions, see [Connection monitor FAQ](frequently-asked-questions.yml#connection-monitor).-- To learn how to migrate to Connection monitor, see [Migrate to Connection Monitor from Connection Monitor (Classic)](migrate-to-connection-monitor-from-connection-monitor-classic.md).+- To learn how to migrate to Connection monitor, see [Migrate from Connection monitor (Classic)](migrate-to-connection-monitor-from-connection-monitor-classic.md) and [migrate your tests from Network Performance Monitor](migrate-to-connection-monitor-from-network-performance-monitor.md). +- To learn about Connection monitor schema fields, see [Connection monitor schema](connection-monitor-schema.md). |
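Review bot: The third search example in the test-view procedure is internally inconsistent: the lead-in says "where the destination is outlook.office365.com", but the step reads "In the **Search** box, enter **office.live.com**". The mismatch is in both the removed and the added version of the line, so this rewrite is the place to fix it; make the search value match the stated destination (or change the lead-in to office.live.com if that is the intended example).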
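Review bot: The lowercase restyling went one step too far in the alerts list: "+* From Azure monitor, create metric alerts by following these steps:" rewrites the product name Azure Monitor, which the same patch leaves capitalized in the unchanged heading "#### Metrics in Azure Monitor". Keep "Azure Monitor" as is; only the feature name "Connection monitor" is being restyled in this change.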
network-watcher | Connection Monitor Schema | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/connection-monitor-schema.md | Title: Connection monitor schemas -description: Understand the tests data schema and the path data schema of Azure Network Watcher connection monitor. -+description: Learn about the available tests data and path data schemas in Azure Network Watcher connection monitor. -- Previously updated : 08/14/2021 ----# Azure Network Watcher Connection Monitor schemas --Connection Monitor provides unified end-to-end connection monitoring in Azure Network Watcher. The Connection Monitor feature supports hybrid and Azure cloud deployments. Network Watcher provides tools to monitor, diagnose, and view connectivity-related metrics for your Azure deployments. ++ Last updated : 02/23/2024 -Here are some use cases for Connection Monitor: +#CustomerIntent: As an Azure administrator, I want to learn about the available fields in connection monitor schemas so that I can understand the output of Log Analytics queries. + -- Your front-end web server virtual machine (VM) communicates with a database server VM in a multiple-tier application. You want to check network connectivity between the two VMs.-- You want VMs in the East US region to ping VMs in the Central US region, and you want to compare cross-region network latencies.-- You have multiple on-premises office sites in Seattle, Washington, and in Ashburn, Virginia. Your office sites connect to Microsoft 365 URLs. For your users of Microsoft 365 URLs, compare the latencies between Seattle and Ashburn.-- Your hybrid application needs connectivity to an Azure Storage endpoint. Your on-premises site and your Azure application connect to the same Azure Storage endpoint. 
You want to compare the latencies of the on-premises site to the latencies of the Azure application.-- You want to check the connectivity between your on-premises setups and the Azure VMs that host your cloud application.+# Connection monitor schemas -Here are some benefits of Connection Monitor: +Connection monitor stores the data it collects in a Log Analytics workspace. There are two types of logs or data ingested into Log Analytics from connection monitor: -* Unified, intuitive experience for Azure and hybrid monitoring needs -* Cross-region, cross-workspace connectivity monitoring -* Higher probing frequencies and better visibility into network performance -* Faster alerting for your hybrid deployments -* Support for connectivity checks that are based on HTTP, TCP, and ICMP -* Metrics and Log Analytics support for both Azure and non-Azure test setups +- The test data (`NWConnectionMonitorTestResult` query), which is updated based on the monitoring frequency of a particular test group. +- The path data (`NWConnectionMonitorPathResult` query), which is updated when there's a significant change in loss percentage or round-trip time. -There are two types of logs or data ingested into Log Analytics. The test data (NWConnectionMonitorTestResult query) is updated based on the monitoring frequency of a particular test group. The path data (NWConnectionMonitorPathResult query) is updated when there is a significant change in loss percentage or round-trip time. For some time durations, test data might keep getting updated while path data is not frequently updated because both are independent. +For some time durations, test data might keep getting updated while path data isn't frequently updated because both are independent. -## Connection Monitor Tests schema +In this article, you learn about the available fields in the connection monitor tests data and path data schemas. 
-The following table lists the fields in the Connection Monitor Tests data schema and what they signify. +## Connection monitor tests schema -| Field | Description | -||| -| TimeGenerated | The timestamp (UTC) of when the log was generated | -| RecordId | The record ID for unique identification of the test result record | -| ConnectionMonitorResourceId | The Connection Monitor resource ID of the test | -| TestGroupName | The test group name to which the test belongs | -| TestConfigurationName | The test configuration name to which the test belongs | -| SourceType | The type of the source machine configured for the test | -| SourceResourceId | The resource ID of the source machine | -| SourceAddress | The address of the source configured for the test | -| SourceSubnet | The subnet of the source | -| SourceIP | The IP address of the source | -| SourceName | The source endpoint name | -| SourceAgentId | The source agent ID | -| DestinationPort | The destination port configured for the test | -| DestinationType | The type of the destination machine configured for the test | -| DestinationResourceId | The resource ID of the destination machine | -| DestinationAddress | The address of the destination configured for the test | -| DestinationSubnet | If applicable, the subnet of the destination | -| DestinationIP | The IP address of the destination | -| DestinationName | The destination endpoint name | -| DestinationAgentId | The destination agent ID | -| Protocol | The protocol of the test | -| ChecksTotal | The total number of checks done under the test | -| ChecksFailed | The total number of checks failed under the test | -| TestResult | The result of the test | -| TestResultCriterion | The result criterion of the test | -| ChecksFailedPercentThreshold | The checks failed percent threshold set for the test | -| RoundTripTimeMsThreshold | The round-trip threshold (in milliseconds) set for the test | -| MinRoundTripTimeMs | The minimum round-trip time (in milliseconds) 
for the test | -| MaxRoundTripTimeMs | The maximum round-trip time for the test | -| AvgRoundTripTimeMs | The average round-trip time for the test | -| JitterMs | The mean deviation round-trip time for the test | -| AdditionalData | The additional data for the test | +The following table lists the fields in the connection monitor tests data schema and what they signify: +| Field | Description | +| -- | -- | +| TimeGenerated | The timestamp (UTC) of when the log was generated. | +| RecordId | The record ID for unique identification of the test result record. | +| ConnectionMonitorResourceId | The connection monitor resource ID of the test. | +| TestGroupName | The test group name to which the test belongs. | +| TestConfigurationName | The test configuration name to which the test belongs. | +| SourceType | The type of the source machine configured for the test. | +| SourceResourceId | The resource ID of the source machine. | +| SourceAddress | The address of the source configured for the test. | +| SourceSubnet | The subnet of the source. | +| SourceIP | The IP address of the source. | +| SourceName | The source endpoint name. | +| SourceAgentId | The source agent ID. | +| DestinationPort | The destination port configured for the test. | +| DestinationType | The type of the destination machine configured for the test. | +| DestinationResourceId | The resource ID of the destination machine. | +| DestinationAddress | The address of the destination configured for the test. | +| DestinationSubnet | If applicable, the subnet of the destination. | +| DestinationIP | The IP address of the destination. | +| DestinationName | The destination endpoint name. | +| DestinationAgentId | The destination agent ID. | +| Protocol | The protocol of the test. | +| ChecksTotal | The total number of checks done under the test. | +| ChecksFailed | The total number of checks failed under the test. | +| TestResult | The result of the test. 
| +| TestResultCriterion | The result criterion of the test. | +| ChecksFailedPercentThreshold | The checks failed percent threshold set for the test. | +| RoundTripTimeMsThreshold | The round-trip threshold (in milliseconds) set for the test. | +| MinRoundTripTimeMs | The minimum round-trip time (in milliseconds) for the test. | +| MaxRoundTripTimeMs | The maximum round-trip time for the test. | +| AvgRoundTripTimeMs | The average round-trip time for the test. | +| JitterMs | The mean deviation round-trip time for the test. | +| AdditionalData | Other data for the test. | -## Connection Monitor Path schema +## Connection monitor path schema -The following table lists the fields in the Connection Monitor Path data schema and what they signify. +The following table lists the fields in the connection monitor path data schema and what they signify: -| Field | Description | -||| -| TimeGenerated | The timestamp (UTC) of when the log was generated | -| RecordId | The record ID for unique identification of the test result record | -| TopologyId | The topology ID of the path record | -| ConnectionMonitorResourceId | The Connection Monitor resource ID of the test | -| TestGroupName | The test group name to which the test belongs | -| TestConfigurationName | The test configuration name to which the test belongs | -| SourceType | The type of the source machine configured for the test | -| SourceResourceId | The resource ID of the source machine | -| SourceAddress | The address of the source configured for the test | -| SourceSubnet | The subnet of the source | -| SourceIP | The IP address of the source | -| SourceName | The source endpoint name | -| SourceAgentId | The source agent ID | -| DestinationPort | The destination port configured for the test | -| DestinationType | The type of the destination machine configured for the test | -| DestinationResourceId | The resource ID of the destination machine | -| DestinationAddress | The address of the destination configured for 
the test | -| DestinationSubnet | If applicable, the subnet of the destination | -| DestinationIP | The IP address of the destination | -| DestinationName | The destination endpoint name | -| DestinationAgentId | The destination agent ID | -| Protocol | The protocol of the test | -| ChecksTotal | The total number of checks done under the test | -| ChecksFailed | The total number of checks failed under the test | -| PathTestResult | The result of the test | -| PathResultCriterion | The result criterion of the test | -| ChecksFailedPercentThreshold | The checks failed percent threshold set for the test | -| RoundTripTimeMsThreshold | The round-trip threshold (in milliseconds) set for the test | -| MinRoundTripTimeMs | The minimum round-trip time (in milliseconds) for the test | -| MaxRoundTripTimeMs | The maximum round-trip time for the test | -| AvgRoundTripTimeMs | The average round-trip time for the test | -| JitterMs | The mean deviation round-trip time for the test | -| HopAddresses | The hop addresses identified for the test | -| HopTypes | The hop types identified for the test | -| HopLinkTypes | The hop link types identified for the test | -| HopResourceIds | The hop resource IDs identified for the test | -| Issues | The issues identified for the test | -| Hops | The hops identified for the test | -| AdditionalData | The additional data for the test | +| Field | Description | +| -- | -- | +| TimeGenerated | The timestamp (UTC) of when the log was generated. | +| RecordId | The record ID for unique identification of the test result record. | +| TopologyId | The topology ID of the path record. | +| ConnectionMonitorResourceId | The connection monitor resource ID of the test. | +| TestGroupName | The test group name to which the test belongs. | +| TestConfigurationName | The test configuration name to which the test belongs. | +| SourceType | The type of the source machine configured for the test. | +| SourceResourceId | The resource ID of the source machine. 
| +| SourceAddress | The address of the source configured for the test. | +| SourceSubnet | The subnet of the source. | +| SourceIP | The IP address of the source. | +| SourceName | The source endpoint name. | +| SourceAgentId | The source agent ID. | +| DestinationPort | The destination port configured for the test. | +| DestinationType | The type of the destination machine configured for the test. | +| DestinationResourceId | The resource ID of the destination machine. | +| DestinationAddress | The address of the destination configured for the test. | +| DestinationSubnet | If applicable, the subnet of the destination. | +| DestinationIP | The IP address of the destination. | +| DestinationName | The destination endpoint name. | +| DestinationAgentId | The destination agent ID. | +| Protocol | The protocol of the test. | +| ChecksTotal | The total number of checks done under the test. | +| ChecksFailed | The total number of checks failed under the test. | +| PathTestResult | The result of the test. | +| PathResultCriterion | The result criterion of the test. | +| ChecksFailedPercentThreshold | The checks failed percent threshold set for the test. | +| RoundTripTimeMsThreshold | The round-trip threshold (in milliseconds) set for the test. | +| MinRoundTripTimeMs | The minimum round-trip time (in milliseconds) for the test. | +| MaxRoundTripTimeMs | The maximum round-trip time for the test. | +| AvgRoundTripTimeMs | The average round-trip time for the test. | +| JitterMs | The mean deviation round-trip time for the test. | +| HopAddresses | The hop addresses identified for the test. | +| HopTypes | The hop types identified for the test. | +| HopLinkTypes | The hop link types identified for the test. | +| HopResourceIds | The hop resource IDs identified for the test. | +| Issues | The issues identified for the test. | +| Hops | The hops identified for the test. | +| AdditionalData | Other data for the test. | |
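Review bot: The unit annotation in both schema tables is inconsistent: "MinRoundTripTimeMs" and "RoundTripTimeMsThreshold" say "(in milliseconds)", while the added rows for "MaxRoundTripTimeMs", "AvgRoundTripTimeMs", and "JitterMs" do not, even though the field names carry the same Ms suffix. Since every row is rewritten here anyway, add "(in milliseconds)" to those three rows in both the tests table and the path table. The "TestResult" and "PathTestResult" rows ("The result of the test.") could also say which values the field takes; the overview change in this set documents the TestResult metric as 0 Indeterminate, 1 Pass, 2 Warning, 3 Fail, so if the log field uses the same mapping, state it here or link to it.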
network-watcher | Network Watcher Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/network-watcher-overview.md | Network Watcher offers seven network diagnostic tools that help troubleshoot and ### Packet capture -**Packet capture** allows you to remotely create packet capture sessions to track traffic to and from a virtual machine (VM) or a virtual machine scale set. For more information, see [packet capture](network-watcher-packet-capture-overview.md) and [Manage packet captures for virtual machines](packet-capture-vm-portal.md). +**Packet capture** allows you to remotely create packet capture sessions to track traffic to and from a virtual machine (VM) or a virtual machine scale set. For more information, see [packet capture](packet-capture-overview.md) and [Manage packet captures for virtual machines](packet-capture-vm-portal.md). ### VPN troubleshoot |
network-watcher | Network Watcher Packet Capture Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/network-watcher-packet-capture-overview.md | - Title: Packet capture overview- -description: Learn about Azure Network Watcher packet capture capability. ---- Previously updated : 03/22/2023-----# Packet capture overview --Azure Network Watcher packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine (VM) or a scale set. Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics, gaining information on network intrusions, to debug client-server communications and much more. --Packet capture is an extension that is remotely started through Network Watcher. This capability eases the burden of running a packet capture manually on the desired virtual machine or virtual machine scale set instance(s), which saves valuable time. Packet capture can be triggered through the portal, PowerShell, Azure CLI, or REST API. One example of how packet capture can be triggered is with virtual machine alerts. Filters are provided for the capture session to ensure you capture traffic you want to monitor. Filters are based on 5-tuple (protocol, local IP address, remote IP address, local port, and remote port) information. The captured data can be stored in the local disk or a storage blob. --> [!IMPORTANT] -> Packet capture requires a virtual machine extension `AzureNetworkWatcherExtension`. -> - To install the extension on a Windows virtual machine, see [Network Watcher Agent VM extension for Windows](../virtual-machines/extensions/network-watcher-windows.md). -> - To install the extension on a Linux virtual machine, see [Network Watcher Agent VM extension for Linux](../virtual-machines/extensions/network-watcher-linux.md). 
--To control the size of captured data and only capture required information, use the following options: --#### Capture configuration --|Property|Description| -||| -|**Maximum bytes per packet (bytes)** | The number of bytes from each packet. All bytes are captured if left blank. Enter 34 if you only need to capture IPv4 header.| -|**Maximum bytes per session (bytes)** | Total number of bytes that are captured, once the value is reached the session ends.| -|**Time limit (seconds)** | Packet capture session time limit, once the value is reached the session ends. The default value is 18000 seconds (5 hours).| --#### Filtering (optional) --|Property|Description| -||| -|**Protocol** | The protocol to filter for the packet capture. The available values are TCP, UDP, and All.| -|**Local IP address** | This value filters the packet capture to packets where the local IP address matches this filter value.| -|**Local port** | This value filters the packet capture to packets where the local port matches this filter value.| -|**Remote IP address** | This value filters the packet capture to packets where the remote IP matches this filter value.| -|**Remote port** | This value filters the packet capture to packets where the remote port matches this filter value.| ---## Considerations --There's a limit of 10,000 parallel packet capture sessions per region per subscription. This limit applies only to the sessions and doesn't apply to the saved packet capture files either locally on the VM or in a storage account. See the [Network Watcher service limits page](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-network-watcher-limits) for a full list of limits. 
--## Next steps --- To learn how to manage packet captures using the Azure portal, see [Manage packet captures for virtual machines using the Azure portal](packet-capture-vm-portal.md) and [Manage packet captures for Virtual Machine Scale Sets using the Azure portal](network-watcher-packet-capture-manage-portal-vmss.md).-- To learn how to manage packet captures using Azure PowerShell, see [Manage packet captures for virtual machines using PowerShell](packet-capture-vm-powershell.md) and [Manage packet captures for Virtual Machine Scale Sets using PowerShell](network-watcher-packet-capture-manage-powershell-vmss.md).-- To learn how to create proactive packet captures based on virtual machine alerts, see [Create an alert triggered packet capture](network-watcher-alert-triggered-packet-capture.md). |
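Review bot: a redirect from the deleted path network-watcher-packet-capture-overview.md to the replacement article packet-capture-overview.md (added in the next row with the same title and content) should land in the same change as this wholesale removal; without it, existing inbound links and bookmarks to the old path break. Please also confirm that every cross-reference in the repo that still points at network-watcher-packet-capture-overview.md has been updated to the new file name.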
network-watcher | Packet Capture Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/packet-capture-overview.md | + + Title: Packet capture overview ++description: Learn about Azure Network Watcher packet capture tool, supported resources, available configurations, limits, and considerations. ++++ Last updated : 02/23/2024++#CustomerIntent: As an administrator, I want to learn about Azure Network Watcher packet capture tool so that I can use it to capture IP packets to and from virtual machines (VMs) and scale sets to diagnose and solve network problems. +++# Packet capture overview ++Azure Network Watcher packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine (VM) or a scale set. Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics, gaining information on network intrusions, debugging client-server communications and more. ++Packet capture is an extension that is remotely started through Network Watcher. This capability saves time and eases the burden of running a packet capture manually on the desired virtual machine or virtual machine scale set instances. ++You can trigger packet captures through the portal, PowerShell, Azure CLI, or REST API. You can also use virtual machine alerts to trigger packet captures. You can choose to save captured data in the local disk or in Azure storage blob. ++> [!IMPORTANT] +> Packet capture requires the Network Watcher agent VM extension `AzureNetworkWatcherExtension`. For more information, see: +> - [Network Watcher Agent VM extension for Windows](../virtual-machines/extensions/network-watcher-windows.md?toc=/azure/network-watcher/toc.json). +> - [Network Watcher Agent VM extension for Linux](../virtual-machines/extensions/network-watcher-linux.md?toc=/azure/network-watcher/toc.json). 
+> - [Update Network Watcher extension to the latest version](../virtual-machines/extensions/network-watcher-update.md?toc=/azure/network-watcher/toc.json). ++## Capture configuration ++To control the size of captured data, use the following options: ++| Property | Description | +| -- | -- | +| **Maximum bytes per packet (bytes)** | The number of bytes from each packet. All bytes are captured if left blank. Enter 34 if you only need to capture IPv4 header. | +| **Maximum bytes per session (bytes)** | Total number of bytes that are captured, once the value is reached the session ends. | +| **Time limit (seconds)** | Packet capture session time limit, once the value is reached the session ends. The default value is 18000 seconds (5 hours). | ++## Filtering (optional) ++Use filters to capture only the traffic that you want to monitor. Filters are based on 5-tuple (protocol, local IP address, remote IP address, local port, and remote port) information: ++| Property | Description | +| -- | -- | +| **Protocol** | The protocol to filter for the packet capture. The available values are TCP, UDP, and All. | +| **Local IP address** | This value filters the packet capture to packets where the local IP address matches this filter value. | +| **Local port** | This value filters the packet capture to packets where the local port matches this filter value. | +| **Remote IP address** | This value filters the packet capture to packets where the remote IP matches this filter value. | +| **Remote port** | This value filters the packet capture to packets where the remote port matches this filter value. | ++## Considerations ++There's a limit of 10,000 parallel packet capture sessions per region per subscription. This limit applies only to the sessions and doesn't apply to the saved packet capture files either locally on the VM or in a storage account. 
See the [Network Watcher service limits page](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-network-watcher-limits) for a full list of limits. ++## Related content ++- To learn how to manage packet captures in virtual machines, see [the Azure portal](packet-capture-vm-portal.md), [PowerShell](packet-capture-vm-powershell.md), or [the Azure CLI](packet-capture-vm-cli.md) guides. +- To learn how to manage packet captures in scale sets, see [the Azure portal](network-watcher-packet-capture-manage-portal-vmss.md) or [PowerShell](network-watcher-packet-capture-manage-powershell-vmss.md) guides. +- To learn how to create proactive packet captures based on virtual machine alerts, see [Create an alert triggered packet capture](network-watcher-alert-triggered-packet-capture.md). |
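Review bot: the Capture configuration row "Enter 34 if you only need to capture IPv4 header" should say what those 34 bytes cover, namely a 14-byte Ethernet header plus a 20-byte IPv4 header with no options, so a capture truncated at 34 bytes holds no TCP/UDP header (no ports) and no payload; a reader who also needs the transport header needs at least 54 bytes for TCP or 42 for UDP. The same table has two comma splices ("Total number of bytes that are captured, once the value is reached the session ends" and the Time limit row); suggest "... that are captured. Once the value is reached, the session ends." Because the introduction says captures can be saved to a storage blob and an untruncated capture includes full payload, the Considerations section would benefit from one sentence noting that the capture file can contain sensitive application data and should be protected by the storage account's access controls. Minor: "in Azure storage blob" reads better as "in an Azure Storage blob".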
network-watcher | Vnet Flow Logs Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/vnet-flow-logs-overview.md | Currently, VNet flow logs aren't billed. However, the following costs apply: ## Availability -VNet flow logs are available in the following regions during the preview: --- Central US EUAP<sup>1</sup>-- East US<sup>1</sup>-- East US 2<sup>1</sup>-- East US 2 EUAP<sup>1</sup>+VNet flow logs can be directly enabled with no access restrictions during the preview in the following regions: - Swiss North - UK South - West Central US-- West US<sup>1</sup>-- West US 2<sup>1</sup> -<sup>1</sup> Requires signing up for access to the preview. Fill out the [VNet flow logs preview sign-up form](https://aka.ms/VNetflowlogspreviewsignup) to access the preview. +However, you must fill out the [VNet flow logs preview sign-up form](https://aka.ms/VNetflowlogspreviewsignup) to sign up for access to the preview in the following regions: +- Central US EUAP +- East US +- East US 2 +- East US 2 EUAP +- West US +- West US 2 ## Related content |
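Review bot: "Swiss North" in the unchanged context of the first region list is not an Azure region display name; the region is "Switzerland North", and the list should use the same display names as the sign-up list that follows it (East US, East US 2, West US, ...).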
notification-hubs | Create Notification Hub Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/create-notification-hub-terraform.md | +ai-usage: ai-assisted # Quickstart: Create an Azure notification hub using Terraform |
operator-insights | Concept Data Types | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-insights/concept-data-types.md | Title: Data types - Azure Operator Insights -description: This article provides an overview of the data types used by Azure Operator Insights Data Products +description: This article provides an overview of the data types used by Azure Operator Insights Data Products. Last updated 10/25/2023 A Data Product ingests data from one or more sources, digests and enriches this data, and presents this data to provide domain-specific insights and to support further data analysis. -A data type is used to refer to an individual data source. Data types can be from outside the Data Product, such as from a network element. Data types can also be created within the Data Product itself by aggregating or enriching information from other data types. +A data type is used to refer to an individual data source. Data types can be from outside the Data Product, such as from a network element. Data types can also be created within the Data Product itself by aggregating or enriching information from other data types. Data Product operators can choose the data retention period for each data type. Data Product operators can choose the data retention period for each data type. Each data type contains data from a specific source. The primary source for a data type might be a network element within the subject domain. Some data types are derived by aggregating or enriching information from other data types. -- The **Quality of Experience ΓÇô Affirmed MCC** Data Product includes the *edr* data type that handles Event Data Records from the MCC. -- The **Quality of Experience ΓÇô Affirmed MCC** Data Product also includes a derived *edr-sanitized* data type. 
This data type contains the same information as *edr* but with personal data suppressed to support operators' compliance with privacy legislation.-- The **Monitoring ΓÇô Affirmed MCC** Data Product includes the *pmstats* data type that contains performance management statistics from the MCC EMS.+- The **Quality of Experience ΓÇô Affirmed MCC** Data Product includes the following data types. + - `edr`: This data type handles Event Data Records (EDRs) from the MCC. + - `edr-sanitized`: This data type contains the same information as `edr` but with personal data suppressed to support operators' compliance with privacy legislation. + - `edr-validation`: This data type contains a subset of performance management statistics and provides you with the ability to optionally ingest a minimum number of PMstats tables for a data quality check. + - `device`: This optional data type contains device data (for example, device model, make and capabilities) that the Data Product can use to enrich the MCC Event Data Records. To use this data type, you must upload the device reference data in a CSV file. The CSV must conform to the [Device reference schema for the Quality of Experience Affirmed MCC Data Product](device-reference-schema.md). + - `enrichment`: This data type holds the enriched Event Data Records and covers multiple sub data types for precomputed aggregations targeted to accelerate specific dashboards, granularities, and queries. These multiple sub data types include: + - `agg-enrichment-5m`: contains enriched Event Data Records aggregated over five-minute intervals. + - `agg-enrichment-1h`: contains enriched Event Data Records aggregated over one-hour intervals. + - `enriched-flow-dcount`: contains precomputed counts used to report the unique IMSIs, MCCs, and Applications over time. + - `location`: This optional data type contains data enriched with location information, if you have a source of location data. This covers the following sub data types. 
+ - `agg-location-1h`: contains enriched location data aggregated over one-hour intervals. + - `enriched-loc-dcount`: contains precomputed counts used to report location data over time. + +- The **Monitoring ΓÇô Affirmed MCC** Data Product includes the `pmstats` datatype. This data type contains performance management statistics from the MCC EMS. ## Data type settings |
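Review bot: the first added line repeats the sentence "Data Product operators can choose the data retention period for each data type." twice in a row; drop one copy. Further down, the Monitoring bullet uses "datatype" where the rest of the article uses "data type", and the two sub-list lead-ins are inconsistent ("These multiple sub data types include:" versus "This covers the following sub data types."). The `edr-validation` description ("a subset of performance management statistics ... a minimum number of PMstats tables for a data quality check") does not say what the check validates or against which data; one sentence on what the validation compares would make the optional ingestion decision clearer for operators.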
operator-insights | Concept Mcc Data Product | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-insights/concept-mcc-data-product.md | Title: Quality of Experience - Affirmed MCC Data Products - Azure Operator Insights -description: This article gives an overview of the Azure Operator Insights Data Products provided to monitor the Quality of Experience for the Affirmed Mobile Content Cloud (MCC) +description: This article gives an overview of the Azure Operator Insights Data Products provided to monitor the Quality of Experience for the Affirmed Mobile Content Cloud (MCC). Last updated 10/25/2023 # Quality of Experience - Affirmed MCC Data Product overview -The *Quality of Experience - Affirmed MCC* Data Products support data analysis and insight for operators of the Affirmed Networks Mobile Content Cloud (MCC). They ingest Event Data Records (EDRs) from MCC network elements, and then digest and enrich this data to provide a range of visualizations for the operator. Operator data scientists have access to the underlying enriched data to support further data analysis. +The *Quality of Experience - Affirmed MCC* Data Products support data analysis and insight for operators of the Affirmed Networks Mobile Content Cloud (MCC). They ingest Event Data Records (EDRs) from MCC network elements, and then digest and enrich this data to provide a range of visualizations for the operator. Operator data scientists have access to the underlying enriched data to support further data analysis. ## Background The Affirmed Networks Mobile Content Cloud (MCC) is a virtualized Evolved Packet - Serving GPRS support node and MME (SGSN/MME) is responsible for the delivery of data packets to and from the mobile stations within its geographical service area. - Control and User Plane Separation (CUPS), an LTE enhancement that separates control and user plane function to allow independent scaling of functions. 
-The data produced by the MCC varies according to the functionality. This variation affects the enrichments and visualizations that are relevant. Azure Operator Insights provides the following Quality of Experience Data Products to support specific MCC functions. +The data produced by the MCC varies according to the functionality. This variation affects the enrichments and visualizations that are relevant. Azure Operator Insights provides the following Quality of Experience Data Products to support specific MCC functions. - **Quality of Experience - Affirmed MCC GIGW** - **Quality of Experience - Affirmed MCC PGW/GGSN** The data produced by the MCC varies according to the functionality. This variat The following data types are provided for all Quality of Experience - Affirmed MCC Data Products. -- *edr* contains data from the Event Data Records (EDRs) written by the MCC network elements. EDRs record each significant event arising during calls or sessions handled by the MCC. They provide a comprehensive record of what happened, allowing operators to explore both individual problems and more general patterns.-- *edr-sanitized* contains data from the *edr* data type but with personal data suppressed. Sanitized data types can be used to support data analysis while also enforcing subscriber privacy.+- `edr`: This data type handles EDRs from the MCC. +- `edr-sanitized`: This data type contains the same information as `edr` but with personal data suppressed to support operators' compliance with privacy legislation. +- `edr-validation`: This data type contains a subset of performance management statistics and provides you with the ability to optionally ingest a minimum number of PMstats tables for a data quality check. +- `device`: This optional data type contains device data (for example, device model, make and capabilities) that the Data Product can use to enrich the MCC Event Data Records. To use this data type, you must upload the device reference data in a CSV file. 
The CSV must conform to the [Device reference schema for the Quality of Experience Affirmed MCC Data Product](device-reference-schema.md). +- `enrichment`: This data type holds the enriched Event Data Records and covers multiple sub data types for precomputed aggregations targeted to accelerate specific dashboards, granularities, and queries. These multiple sub data types include: + - `agg-enrichment-5m`: contains enriched Event Data Records aggregated over five-minute intervals. + - `agg-enrichment-1h`: contains enriched Event Data Records aggregated over one-hour intervals. + - `enriched-flow-dcount`: contains precomputed counts used to report the unique IMSIs, MCCs, and Applications over time. +- `location`: This optional data type contains data enriched with location information, if you have a source of location data. This covers the following sub data types. + - `agg-location-1h`: contains enriched location data aggregated over one-hour intervals. + - `enriched-loc-dcount`: contains precomputed counts used to report location data over time. ## Setup To use the Quality of Experience - Affirmed MCC Data Product: - [Monitoring - Affirmed MCC Data Product](concept-monitoring-mcc-data-product.md) - [Affirmed Networks MCC documentation](https://manuals.metaswitch.com/MCC) - > [!NOTE] - > Affirmed Networks login credentials are required to access the MCC product documentation. +> [!NOTE] +> Affirmed Networks login credentials are required to access the MCC product documentation. |
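Review bot: the rewritten `edr` bullet loses the explanation that the removed line carried (EDRs record each significant event during calls or sessions handled by the MCC and give a comprehensive record for exploring individual problems and general patterns); "This data type handles EDRs from the MCC" tells the reader nothing, so keep that explanation. The new data-type list is a verbatim copy of the one added to concept-data-types.md in the previous row; to keep the two from drifting, consider moving the shared list into an include rather than maintaining it in both articles. The first three +/- pairs in this hunk are whitespace-only changes and could be dropped to keep the diff focused.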
operator-insights | Device Reference Schema | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-insights/device-reference-schema.md | + + Title: Device schema for the Azure Operator Insights QoE MCC Data Product +description: Learn about the schema needed to implement the Device data type in the Quality of Experience ΓÇô Affirmed MCC Data Product for Azure Operator Insights. +++++ Last updated : 01/31/2024+++<!-- #CustomerIntent: As a Data Product user, I want to add the ability to add device reference data to further enrich the MCC Event Data Records--> ++# Device reference schema for the Quality of Experience Affirmed MCC Data Product ++You can enrich Event Data Record (EDR) data in the Quality of Experience Affirmed MCC Data Product with information about the devices involved in the session. You must provide this device data in the `device` data type. Prepare CSV files that conform to the following schema and upload the files into the input Azure Data Lake Storage. For more information about data types, including the `device` data type, see [Data types](concept-data-types.md). ++## Schema for device reference information ++| Source field name | Type | Description | +| | | | +| `TAC` | String | Type Allocation Code (TAC): a unique identifier assigned to mobile devices. Typically first eight digits of IMEI number. Can have leading zeros if TAC is six or seven digits. Matched against the IMEI in the session EDRs | +| `Make` | String | The manufacturer or brand of the mobile device. | +| `Model` | String | The specific model or version of the mobile device. | +| `DeviceType` | String | Categorizes the mobile device based on its primary function (for example, handheld or feature phone). | +| `PlatformType` | String | Identifies the underlying operating system or platform running on the mobile device. | +| `IsOwnedDevice` | String | Indicates if the device model was ranged by the operator. 
A value of `Y`/`1` signifies it is, while `N`/`0` indicates it isn't. | +| `Is3G` | String | Indicates whether the mobile device supports 3G. A value of `Y`/`E`/`1` signifies 3G capability, while `N`/`0` indicates its absence. | +| `IsLTE` | String | Indicates whether the mobile device supports Long-Term Evolution (LTE) technology. A value of `Y`/`E`/`1` signifies LTE capability, while `N`/`0` indicates its absence | +| `IsVoLTE` | String | Indicates whether the mobile device supports Voice over LTE. A value of `Y`/`E`/`1` signifies VoLTE capability, while `N`/`0` indicates its absence. | +| `Is5G` | String | Indicates whether the mobile device supports 5G. A value of `Y`/`E`/`1` signifies 5G capability, while `N`/`0` indicates its absence. | |
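Review bot: the boolean columns encode true/false inconsistently and the table does not say whether matching is case-sensitive: `IsOwnedDevice` accepts `Y`/`1` and `N`/`0`, while `Is3G`, `IsLTE`, `IsVoLTE` and `Is5G` also accept `E`; either state that `E` is valid for `IsOwnedDevice` too or explain what `E` means and why it is specific to the capability columns, and say whether lowercase `y`/`n` are accepted. The `TAC` description says the value is "Matched against the IMEI in the session EDRs" but a TAC is eight digits and an IMEI fifteen, so state that the match is on the IMEI's leading TAC digits. Minor: that same cell and the `IsLTE` row are missing their terminating periods.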
operator-nexus | Concepts Nexus Network Packet Broker | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-nexus/concepts-nexus-network-packet-broker.md | + + Title: "Azure Operator Nexus Network Packet Broker Overview" +description: Overview of Network Packet Broker for Azure Operator Nexus. ++++ Last updated : 02/16/2024++++# Network Packet Broker Overview ++The Network Packet Broker (NPB) allows operators to monitor service traffic flows by tapping into the network and sending copies of the network packets to special probe applications. These applications provide the operations team with network-level visibility to help with service planning and troubleshooting. ++NPB enables packet filtering and forwarding based on user-defined rules. NPB can perform various actions on the matched packets, such as dropping, counting, redirecting, mirroring, and logging. NPB supports both static and dynamic match conditions, which can be based on various L2/L3 parameters, such as VLAN, IP, port, protocol, or encapsulation type. NPB also supports GTPv1 encapsulation for matching packets in mobile networks. ++## Key benefits of the Network Packet Broker ++- **Improved Network Visibility:** NPB provides a centralized management interface for configuring and controlling the flow of network traffic to monitoring tools (vProbes). It provides visibility into network traffic, allowing operators to monitor, analyze, troubleshoot, and identify potential security threats.  ++- **Improved Network Troubleshooting:** NPB facilitates network troubleshooting by capturing and presenting packet-level data for analysis. Operators can use an NPB to inspect packets in detail and identify the source of the problem quickly.  ++- **Network Performance Optimization:** NPB provides insights into network traffic patterns and performance metrics, helping to identify network bottlenecks and congestion points, and to design better networks. 
++- **Filtering and Packet Manipulation:** NPB can filter out irrelevant or redundant traffic, reducing the volume of data sent to monitoring tools. It can also manipulate packets, enabling actions like packet slicing and timestamping, which further enhance the efficiency of monitoring and analysis.  ++- **Compliance and Regulatory Requirements:** NPB helps organizations meet compliance and regulatory requirements by ensuring proper monitoring of network activities and data traffic.  ++## Key capabilities of the Network Packet Broker ++- **Mirroring & Aggregation** ++ - Mirroring network traffic from multiple distributed applications in the Azure Operator Network (AON) instance.  ++ - Processing the entire network traffic of the AON instance.  ++ - Providing designated endpoint definitions via scalable resource models.  ++- **Filtering & Forwarding** ++ - Advanced matching and filtering capabilities based on L3 parameters.  ++ - On demand changes to filtering and forwarding criteria. ++ - Secure and scalable forwarding of filtered traffic to designated external and internal networks and devices.   ++## Resources ++To use NPB, you need to create and manage the following resources: ++- **Network TAP Rule**: A set of matching configurations and actions that define the packet brokering logic. You can create a network TAP rule either inline or via a file. The inline method allows you to enter the values using AzCli, Resource Manager, or the portal. The file-based method allows you to upload a file that contains the network TAP rule content from a storage URL. The file can be updated periodically using a pull or push mechanism. ++- **Neighbor Group**: A logical grouping of destinations where you want to send the network traffic. A neighbor group can include network interfaces, load balancers, or network virtual appliances. ++- **Network TAP**: A resource that references the network TAP rule and the neighbor group that you created. 
A network TAP also specifies the source network interface from which the traffic is captured. You can create a network TAP using AzCli, Resource Manager, or the portal. You can also enable or disable a network TAP to start or stop the packet brokering process. +++## Using an NPB ++This section describes the steps you need to follow to use an NPB. ++First, create the prerequisite resources: ++- A bootstrapped Network Fabric Instance. ++- A Layer 3 isolation domain and an internal network with the NPB extension flag set (only required if the isolation domain is being used to reach vProbes). ++Then follow these steps: ++1. Create a network TAP rule that defines the match configuration for the network traffic that you want to capture and forward. You can use the `az networkfabric taprule` command to create, update, delete, or show a network TAP rule. ++1. Create a neighbor group that defines the destinations for the network traffic that you want to send to. You can use the `az networkfabric neighborgroup` command to create, update, delete, or show a neighbor group. ++1. Create a network TAP that references the network TAP rule and the neighbor group that you created. A network TAP also specifies the source network interface from which the traffic is captured. You can use the `az networkfabric tap` command to create, update, delete, or show a network TAP. ++1. Enable the network TAP to start the packet brokering process. You can use the `az networkfabric tap update-admin-state` command to enable or disable a network TAP. |
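Review bot: the intro says match conditions "can be based on various L2/L3 parameters, such as VLAN, IP, port, protocol, or encapsulation type", but the Filtering & Forwarding capability lists "Advanced matching and filtering capabilities based on L3 parameters" only; align the two (and "port" is an L4 parameter in either phrasing). The Mirroring & Aggregation bullets refer to an "Azure Operator Network (AON) instance" while the title and the rest of the page say Azure Operator Nexus; confirm the intended product name. For the file-based network TAP rule, the text says the rule content is pulled from a storage URL and "can be updated periodically using a pull or push mechanism"; since that file drives where mirrored traffic is forwarded, the doc should say how access to that URL is authorized and who can change the file. Minor: "AzCli" should be "Azure CLI" throughout.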
operator-nexus | Reference Neighbor Group Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-nexus/reference-neighbor-group-configuration.md | + + Title: Azure Operator Nexus neighbor group configuration +description: Configuration details and examples for Azure Operator Nexus neighbor groups. ++++ Last updated : 02/19/2024++++# Neighbor Group Configuration Overview ++A neighbor group allows you to group endpoints (either IPv4 or IPv6) under a single logical resource. A neighbor group can be used to send load-balanced filtered traffic across different probe endpoints. You can use the same Neighbor group across different Network TAPs & Network Tap rules. ++## Parameters for a Neighbor Group ++| Parameter | Description | Example | Required | +|--|--|--|--| +| resource-group | The resource group that contains the neighbor group. | ResourceGroupName | True | +| resource-name | The name of the neighbor group. | example-Neighbor | True | +| location | The Azure region that contains the neighbor group. | eastus | True | +| destination | List of Ipv4 or Ipv6 destinations to forward traffic. 
| 10.10.10.10 | True | ++## Creating a Neighbor Group ++The following command creates a neighbor group: ++```azurecli +az networkfabric neighborgroup create \ + --resource-group "example-rg" \ + --location "westus3" \ + --resource-name "example-neighborgroup" \ + --destination "{ipv4Addresses:['10.10.10.10']}" +``` ++Expected output: ++``` +{ + "properties": { + "networkTapIds": [ + ], + "networkTapRuleIds": [ + ], + "destination": { + "ipv4Addresses": [ + "10.10.10.10", + ] + }, + "provisioningState": "Succeeded", + "annotation": "annotation" + }, + "tags": { + "keyID": "KeyValue" + }, + "location": "eastus", + "id": "/subscriptions/subscriptionId/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup", + "name": "example-neighborGroup", + "type": "microsoft.managednetworkfabric/neighborGroups", + "systemData": { + "createdBy": "user@mail.com", + "createdByType": "User", + "createdAt": "2023-05-23T05:49:59.193Z", + "lastModifiedBy": "email@address.com", + "lastModifiedByType": "User", + "lastModifiedAt": "2023-05-23T05:49:59.194Z" + } +} +``` +++## Show a Neighbor Group ++This command displays an IP extended community resource: ++```azcli +az networkfabric neighborgroup show \ + --resource-group "example-rg" \ + --resource-name "example-neighborgroup" +``` ++Expected output: ++``` +{ + "properties": { + "networkTapIds": [ + ], + "networkTapRuleIds": [ + ], + "destination": { + "ipv4Addresses": [ + "10.10.10.10", + ] + }, + "provisioningState": "Succeeded", + "annotation": "annotation" + }, + "tags": { + "keyID": "KeyValue" + }, + "location": "eastus", + "id": "/subscriptions/subscriptionId/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup", + "name": "example-neighborGroup", + "type": "microsoft.managednetworkfabric/neighborGroups", + "systemData": { + "createdBy": "user@mail.com", + "createdByType": "User", + "createdAt": "2023-05-23T05:49:59.193Z", + 
"lastModifiedBy": "email@address.com", + "lastModifiedByType": "User", + "lastModifiedAt": "2023-05-23T05:49:59.194Z" + } +} +``` |
operator-service-manager | Glossary | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-service-manager/glossary.md | +ai-usage: ai-assisted # Glossary: Azure Operator Service Manager |
postgresql | Concepts Networking Ssl Tls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/concepts-networking-ssl-tls.md | For testing, you can also use the **openssl** command directly, for example: ```bash openssl s_client -connect localhost:5432 -starttls postgres ```-This prints out a lot of low-level protocol information, including the TLS version, cipher, and so on. Note that you must use the option -starttls postgres, or otherwise this command reports that no SSL is in use. This requires at least OpenSSL 1.1.1. +This command prints numerous low-level protocol information, including the TLS version, cipher, and so on. You must use the option -starttls postgres, or otherwise this command reports that no SSL is in use. Using this command requires at least OpenSSL 1.1.1. > [!NOTE] > To enforce **latest, most secure TLS version** for connectivity protection from client to Azure Database for PostgreSQL flexible server set **ssl_min_protocol_version** to **1.3**. That would **require** clients connecting to your Azure Database for PostgreSQL flexible server instance to use **this version of the protocol only** to securely communicate. However, older clients, since they don't support this version, may not be able to communicate with the server. +## Configuring SSL on the Client ++By default, PostgreSQL doesn't perform any verification of the server certificate. This means that it's possible to spoof the server identity (for example by modifying a DNS record or by taking over the server IP address) without the client knowing. All SSL options carry overhead in the form of encryption and key-exchange, so there's a trade-off that has to be made between performance and security. +In order to prevent spoofing, SSL certificate verification on the client must be used. +There are many connection parameters for configuring the client for SSL. Few important to us are: +1. **ssl**. Connect using SSL. 
This property doesn't need a value associated with it. The mere presence of it specifies a SSL connection. However, for compatibility with future versions, the value "true" is preferred. In this mode, when establishing an SSL connection the client driver validates the server's identity preventing "man in the middle" attacks. It does this by checking that the server certificate is signed by a trusted authority, and that the host you're connecting to is the same as the hostname in the certificate. +2. **sslmode**. If you require encryption and want the connection to fail if it can't be encrypted then set **sslmode=require**. This ensures that the server is configured to accept SSL connections for this Host/IP address and that the server recognizes the client certificate. In other words if the server doesn't accept SSL connections or the client certificate isn't recognized the connection will fail. Table below list values for this setting: ++| SSL Mode | Explanation | +|-|-| +|disable | Encryption isn't used| +|allow | Encryption is used if f server settings require\enforce it| +|prefer | Encryption is used if server settings allow for it| +|require | Encryption is used. This ensures that the server is configured to accept SSL connections for this Host IP address and that the server recognizes the client certificate.| +|verify-ca| Encryption is used. Moreover, verify the server certificate signature against certificate stored on the client| +|verify-full| Encryption is used. Moreover, verify server certificate signature and host name against certificate stored on the client| ++3. **sslcert**, **sslkey** and **sslrootcert**. These parameters can override default location of the client certificate, the PKCS-8 client key and root certificate. These defaults to /defaultdir/postgresql.crt, /defaultdir/postgresql.pk8, and /defaultdir/root.crt respectively where defaultdir is ${user.home}/.postgresql/ in *nix systems and %appdata%/postgresql/ on windows. 
++> [!NOTE] +> Using verify-ca and verify-full **sslmode** configuration settings can also be known as **[certificate pinning](../../security/fundamentals/certificate-pinning.md#how-to-address-certificate-pinning-in-your-application)**. Important to remember, you might periodically need to update client stored certificates when Certificate Authorities change or expire on PostgreSQL server certificates. ++For more on SSL\TLS configuration on the client, see [PostgreSQL documentation](https://www.postgresql.org/docs/current/ssl-tcp.html#SSL-CLIENT-CERTIFICATES). ## Cipher Suites A **cipher suite** is a set of cryptographic algorithms. TLS/SSL protocols use algorithms from a cipher suite to create keys and encrypt information. -A cipher suite is displayed as a long string of seemingly random information ΓÇö but each segment of that string contains essential information. Generally, this data string is made up of several key components: +A cipher suite is displayed as a long string of seemingly random informationΓÇöbut each segment of that string contains essential information. Generally, this data string is made up of several key components: - Protocol (that is, TLS 1.2 or TLS 1.3) - Key exchange or agreement algorithm - Digital signature (authentication) algorithm |
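Review bot: the new "Configuring SSL on the Client" section contradicts itself and overstates what `sslmode=require` checks. The `ssl` bullet says that with this property the client driver validates the server's identity and hostname, immediately after the section states that PostgreSQL performs no server-certificate verification by default; the parameter names (`ssl`, `sslcert`, `sslkey` as a PKCS-8 `.pk8` file, `${user.home}/.postgresql/`) are those of the PostgreSQL JDBC driver, where `ssl=true` without an explicit sslmode is treated as `verify-full` in current versions, whereas libpq defaults to `sslmode=prefer`; the section should name the driver it is describing. In the sslmode table, `require` only guarantees that the connection is encrypted; it does not verify that the server "recognizes the client certificate" (accepting client certificates is a server-side setting), and only `verify-full` checks the hostname, so "In order to prevent spoofing, SSL certificate verification on the client must be used" should point specifically at `verify-full`, since `verify-ca` accepts any certificate issued by the trusted CA for any hostname. The note that calls `verify-ca`/`verify-full` "certificate pinning" is loose: both trust a CA from the client's root store, which is CA validation rather than pinning a specific certificate or key. Also fix the typo "if f server settings" in the `allow` row and "These defaults to" in item 3.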
postgresql | How To Resolve Capacity Errors | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/how-to-resolve-capacity-errors.md | Title: Resolve capacity errors description: This article describes how to resolve possible capacity errors when attempting to deploy or scale Azure Database for PostgreSQL Flexible Server. ---+++ Last updated 01/25/2024 |
private-link | Create Private Endpoint Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-link/create-private-endpoint-terraform.md | + + Title: 'Quickstart: Create a private endpoint - Terraform' +description: In this quickstart, you learn how to create a private endpoint using Terraform. + Last updated : 02/22/2024+++++content_well_notification: + - AI-contribution +#Customer intent: As someone who has a basic network background but is new to Azure, I want to create a private endpoint by using Terraform. +++# Quickstart: Create a private endpoint by using Terraform ++In this quickstart, you use Terraform to create a private endpoint. The private endpoint connects to an Azure SQL Database. The private endpoint is associated with a virtual network and a private Domain Name System (DNS) zone. The private DNS zone resolves the private endpoint IP address. The virtual network contains a virtual machine that you use to test the connection of the private endpoint to the instance of the SQL Database. ++The script generates a random password for the SQL server and a random SSH key for the virtual machine. The names of the created resources are output when the script is run. +++## Prerequisites ++- You need an Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). ++- [Install and configure Terraform](/azure/developer/terraform/quickstart-configure). ++## Implement the Terraform code ++> [!NOTE] +> The sample code for this article is located in the [Azure Terraform GitHub repo](https://github.com/Azure/terraform/tree/master/quickstart/201-private-link-sql-database). You can view the log file containing the [test results from current and previous versions of Terraform](https://github.com/Azure/terraform/tree/master/quickstart/201-private-link-sql-database/TestRecord.md). 
+> +> See more [articles and sample code showing how to use Terraform to manage Azure resources](/azure/terraform) ++1. Create a directory in which to test and run the sample Terraform code and make it the current directory. ++1. Create a file named `main.tf` and insert the following code: ++ :::code language="Terraform" source="~/terraform_samples/quickstart/201-private-link-sql-database/main.tf"::: ++1. Create a file named `outputs.tf` and insert the following code: ++ :::code language="Terraform" source="~/terraform_samples/quickstart/201-private-link-sql-database/outputs.tf"::: ++1. Create a file named `provider.tf` and insert the following code: ++ :::code language="Terraform" source="~/terraform_samples/quickstart/201-private-link-sql-database/provider.tf"::: ++1. Create a file named `ssh.tf` and insert the following code: ++ :::code language="Terraform" source="~/terraform_samples/quickstart/201-private-link-sql-database/ssh.tf"::: ++1. Create a file named `variables.tf` and insert the following code: ++ :::code language="Terraform" source="~/terraform_samples/quickstart/201-private-link-sql-database/variables.tf"::: +++## Initialize Terraform +++## Create a Terraform execution plan +++## Apply a Terraform execution plan +++## Verify the results ++#### [Azure CLI](#tab/azure-cli) ++1. Get the Azure resource group name. ++ ```console + resource_group_name=$(terraform output -raw resource_group_name) + ``` ++1. Get the SQL Server name. ++ ```console + sql_server=$(terraform output -raw sql_server) + ``` ++1. Run [az sql server show](/cli/azure/sql/server#az-sql-server-show) to display the details about the SQL Server private endpoint. ++ ```azurecli + az sql server show \ + --resource-group $resource_group_name \ + --name $sql_server --query privateEndpointConnections \ + --output tsv + ``` ++#### [Azure PowerShell](#tab/azure-powershell) ++1. Get the Azure resource group name. 
++ ```console + $resource_group_name=$(terraform output -raw resource_group_name) + ``` ++1. Get the SQL Server name. ++ ```console + $sql_server=$(terraform output -raw sql_server_name) + ``` ++1. Run [Get-AzPrivateEndpoint](/powershell/module/az.network/get-azprivateendpoint) to display the details about the SQL Server private endpoint. ++ ```azurepowershell + $sql = @{ + ResourceGroupName = $resource_group_name + } + Get-AzPrivateEndpoint @sql + ``` ++++## Clean up resources +++## Troubleshoot Terraform on Azure ++[Troubleshoot common problems when using Terraform on Azure.](/azure/developer/terraform/troubleshoot) ++## Next steps ++> [!div class="nextstepaction"] +> [Learn more about using Terraform in Azure](/azure/terraform) |
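Review bot: the two verification tabs disagree on the Terraform output name: the Azure CLI tab runs `terraform output -raw sql_server` while the Azure PowerShell tab runs `terraform output -raw sql_server_name`. Only one of those can be defined in `outputs.tf`, so one tab fails with an "output not found" error; align them with the actual output. In the PowerShell tab `$sql_server` is captured but never used, and `Get-AzPrivateEndpoint` with only `ResourceGroupName` lists every private endpoint in the group rather than the one attached to the SQL server, so it does not verify what the heading promises; pass the endpoint name or filter the result. Separately, the intro says the script generates a random SQL password and SSH key, and both are stored in plaintext in the Terraform state file (and shown by `terraform output` unless the outputs are marked `sensitive`); the quickstart should say that and point readers at a protected remote backend before they run this against anything beyond a throwaway subscription.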
private-link | Private Link Service Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-link/private-link-service-overview.md | The following are the known limitations when using the Private Link service: - Private Link Service has an idle timeout of ~5 minutes (300 seconds). To avoid hitting this limit, applications connecting through Private Link Service must use TCP Keepalives lower than that time. +- For an Inbound NAT rule with type set to *backend pool* to operate with Azure Private Link Service, a load balancing rule must be configured. + ## Next steps - [Create a private link service using Azure PowerShell](create-private-link-service-powershell.md) |
role-based-access-control | Built In Roles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles.md | Title: Azure built-in roles - Azure RBAC description: This article describes the Azure built-in roles for Azure role-based access control (Azure RBAC). It lists Actions, NotActions, DataActions, and NotDataActions.- -[Azure role-based access control (Azure RBAC)](overview.md) has several Azure built-in roles that you can assign to users, groups, service principals, and managed identities. Role assignments are the way you control access to Azure resources. If the built-in roles don't meet the specific needs of your organization, you can create your own [Azure custom roles](custom-roles.md). For information about how to assign roles, see [Steps to assign an Azure role](role-assignments-steps.md). +[Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/overview) has several Azure built-in roles that you can assign to users, groups, service principals, and managed identities. Role assignments are the way you control access to Azure resources. If the built-in roles don't meet the specific needs of your organization, you can create your own [Azure custom roles](/azure/role-based-access-control/custom-roles). For information about how to assign roles, see [Steps to assign an Azure role](/azure/role-based-access-control/role-assignments-steps). This article lists the Azure built-in roles. If you are looking for administrator roles for Microsoft Entra ID, see [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference). -The following table provides a brief description of each built-in role. Click the role name to see the list of `Actions`, `NotActions`, `DataActions`, and `NotDataActions` for each role. 
For information about what these actions mean and how they apply to the control and data planes, see [Understand Azure role definitions](role-definitions.md). --## All --> [!div class="mx-tableFixed"] -> | Built-in role | Description | ID | -> | | | | -> | **General** | | | -> | [Contributor](#contributor) | Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. | b24988ac-6180-42a0-ab88-20f7382dd24c | -> | [Owner](#owner) | Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. | 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 | -> | [Reader](#reader) | View all resources, but does not allow you to make any changes. | acdd72a7-3385-48ef-bd42-f606fba81ae7 | -> | [Role Based Access Control Administrator](#role-based-access-control-administrator) | Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy. | f58310d9-a9f6-439a-9e8d-f62e7b41a168 | -> | [User Access Administrator](#user-access-administrator) | Lets you manage user access to Azure resources. | 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 | -> | **Compute** | | | -> | [Classic Virtual Machine Contributor](#classic-virtual-machine-contributor) | Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. | d73bb868-a0df-4d4d-bd69-98a00b01fccb | -> | [Data Operator for Managed Disks](#data-operator-for-managed-disks) | Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication. | 959f8984-c045-4866-89c7-12bf9737be2e | -> | [Disk Backup Reader](#disk-backup-reader) | Provides permission to backup vault to perform disk backup. 
| 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 | -> | [Disk Pool Operator](#disk-pool-operator) | Provide permission to StoragePool Resource Provider to manage disks added to a disk pool. | 60fc6e62-5479-42d4-8bf4-67625fcc2840 | -> | [Disk Restore Operator](#disk-restore-operator) | Provides permission to backup vault to perform disk restore. | b50d9833-a0cb-478e-945f-707fcc997c13 | -> | [Disk Snapshot Contributor](#disk-snapshot-contributor) | Provides permission to backup vault to manage disk snapshots. | 7efff54f-a5b4-42b5-a1c5-5411624893ce | -> | [Virtual Machine Administrator Login](#virtual-machine-administrator-login) | View Virtual Machines in the portal and login as administrator | 1c0163c0-47e6-4577-8991-ea5c82e286e4 | -> | [Virtual Machine Contributor](#virtual-machine-contributor) | Create and manage virtual machines, manage disks, install and run software, reset password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC. | 9980e02c-c2be-4d73-94e8-173b1dc7cf3c | -> | [Virtual Machine Data Access Administrator (preview)](#virtual-machine-data-access-administrator-preview) | Manage access to Virtual Machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an ABAC condition to constrain role assignments. | 66f75aeb-eabe-4b70-9f1e-c350c4c9ad04 | -> | [Virtual Machine Local User Login](#virtual-machine-local-user-login) | View Virtual Machines in the portal and login as a local user configured on the arc server | 602da2ba-a5c2-41da-b01d-5360126ab525 | -> | [Virtual Machine User Login](#virtual-machine-user-login) | View Virtual Machines in the portal and login as a regular user. 
| fb879df8-f326-4884-b1cf-06f3ad86be52 | -> | [Windows Admin Center Administrator Login](#windows-admin-center-administrator-login) | Let's you manage the OS of your resource via Windows Admin Center as an administrator. | a6333a3e-0164-44c3-b281-7a577aff287f | -> | **Networking** | | | -> | [Azure Front Door Domain Contributor](#azure-front-door-domain-contributor) | For internal use within Azure. Can manage Azure Front Door domains, but can't grant access to other users. | 0ab34830-df19-4f8c-b84e-aa85b8afa6e8 | -> | [Azure Front Door Domain Reader](#azure-front-door-domain-reader) | For internal use within Azure. Can view Azure Front Door domains, but can't make changes. | 0f99d363-226e-4dca-9920-b807cf8e1a5f | -> | [Azure Front Door Profile Reader](#azure-front-door-profile-reader) | Can view AFD standard and premium profiles and their endpoints, but can't make changes. | 662802e2-50f6-46b0-aed2-e834bacc6d12 | -> | [Azure Front Door Secret Contributor](#azure-front-door-secret-contributor) | For internal use within Azure. Can manage Azure Front Door secrets, but can't grant access to other users. | 3f2eb865-5811-4578-b90a-6fc6fa0df8e5 | -> | [Azure Front Door Secret Reader](#azure-front-door-secret-reader) | For internal use within Azure. Can view Azure Front Door secrets, but can't make changes. | 0db238c4-885e-4c4f-a933-aa2cef684fca | -> | [CDN Endpoint Contributor](#cdn-endpoint-contributor) | Can manage CDN endpoints, but can't grant access to other users. | 426e0c7f-0c7e-4658-b36f-ff54d6c29b45 | -> | [CDN Endpoint Reader](#cdn-endpoint-reader) | Can view CDN endpoints, but can't make changes. | 871e35f6-b5c1-49cc-a043-bde969a0f2cd | -> | [CDN Profile Contributor](#cdn-profile-contributor) | Can manage CDN and Azure Front Door standard and premium profiles and their endpoints, but can't grant access to other users. 
| ec156ff8-a8d1-4d15-830c-5b80698ca432 | -> | [CDN Profile Reader](#cdn-profile-reader) | Can view CDN profiles and their endpoints, but can't make changes. | 8f96442b-4075-438f-813d-ad51ab4019af | -> | [Classic Network Contributor](#classic-network-contributor) | Lets you manage classic networks, but not access to them. | b34d265f-36f7-4a0d-a4d4-e158ca92e90f | -> | [DNS Zone Contributor](#dns-zone-contributor) | Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. | befefa01-2a29-4197-83a8-272ff33ce314 | -> | [Network Contributor](#network-contributor) | Lets you manage networks, but not access to them. | 4d97b98b-1d4f-4787-a291-c67834d212e7 | -> | [Private DNS Zone Contributor](#private-dns-zone-contributor) | Lets you manage private DNS zone resources, but not the virtual networks they are linked to. | b12aa53e-6015-4669-85d0-8515ebb3ae7f | -> | [Traffic Manager Contributor](#traffic-manager-contributor) | Lets you manage Traffic Manager profiles, but does not let you control who has access to them. | a4b10055-b0c7-44c2-b00f-c7b5b3550cf7 | -> | **Storage** | | | -> | [Avere Contributor](#avere-contributor) | Can create and manage an Avere vFXT cluster. 
| 4f8fab4f-1852-4a58-a46a-8eaf358af14a | -> | [Avere Operator](#avere-operator) | Used by the Avere vFXT cluster to manage the cluster | c025889f-8102-4ebf-b32c-fc0c6f0c6bd9 | -> | [Backup Contributor](#backup-contributor) | Lets you manage backup service, but can't create vaults and give access to others | 5e467623-bb1f-42f4-a55d-6e525e11384b | -> | [Backup Operator](#backup-operator) | Lets you manage backup services, except removal of backup, vault creation and giving access to others | 00c29273-979b-4161-815c-10b084fb9324 | -> | [Backup Reader](#backup-reader) | Can view backup services, but can't make changes | a795c7a0-d4a2-40c1-ae25-d81f01202912 | -> | [Classic Storage Account Contributor](#classic-storage-account-contributor) | Lets you manage classic storage accounts, but not access to them. | 86e8f5dc-a6e9-4c67-9d15-de283e8eac25 | -> | [Classic Storage Account Key Operator Service Role](#classic-storage-account-key-operator-service-role) | Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts | 985d6b00-f706-48f5-a6fe-d0ca12fb668d | -> | [Data Box Contributor](#data-box-contributor) | Lets you manage everything under Data Box Service except giving access to others. | add466c9-e687-43fc-8d98-dfcf8d720be5 | -> | [Data Box Reader](#data-box-reader) | Lets you manage Data Box Service except creating order or editing order details and giving access to others. | 028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027 | -> | [Data Lake Analytics Developer](#data-lake-analytics-developer) | Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. | 47b7735b-770e-4598-a7da-8b91488b4c88 | -> | [Defender for Storage Data Scanner](#defender-for-storage-data-scanner) | Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage. 
| 1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40 | -> | [Elastic SAN Owner](#elastic-san-owner) | Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access | 80dcbedb-47ef-405d-95bd-188a1b4ac406 | -> | [Elastic SAN Reader](#elastic-san-reader) | Allows for control path read access to Azure Elastic SAN | af6a70f8-3c9f-4105-acf1-d719e9fca4ca | -> | [Elastic SAN Volume Group Owner](#elastic-san-volume-group-owner) | Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access | a8281131-f312-4f34-8d98-ae12be9f0d23 | -> | [Reader and Data Access](#reader-and-data-access) | Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. | c12c1c16-33a1-487b-954d-41c89c60f349 | -> | [Storage Account Backup Contributor](#storage-account-backup-contributor) | Lets you perform backup and restore operations using Azure Backup on the storage account. | e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1 | -> | [Storage Account Contributor](#storage-account-contributor) | Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization. | 17d1049b-9a84-46fb-8f53-869881c3d3ab | -> | [Storage Account Key Operator Service Role](#storage-account-key-operator-service-role) | Permits listing and regenerating storage account access keys. | 81a9662b-bebf-436f-a333-f67b29880f12 | -> | [Storage Blob Data Contributor](#storage-blob-data-contributor) | Read, write, and delete Azure Storage containers and blobs. 
To learn which actions are required for a given data operation, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authenticate-with-azure-active-directory#permissions-for-calling-blob-and-queue-data-operations). | ba92f5b4-2d11-453d-a403-e96b0029c9fe | -> | [Storage Blob Data Owner](#storage-blob-data-owner) | Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. To learn which actions are required for a given data operation, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authenticate-with-azure-active-directory#permissions-for-calling-blob-and-queue-data-operations). | b7e6dc6d-f1e8-4753-8033-0f276bb0955b | -> | [Storage Blob Data Reader](#storage-blob-data-reader) | Read and list Azure Storage containers and blobs. To learn which actions are required for a given data operation, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authenticate-with-azure-active-directory#permissions-for-calling-blob-and-queue-data-operations). | 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1 | -> | [Storage Blob Delegator](#storage-blob-delegator) | Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Azure AD credentials. For more information, see [Create a user delegation SAS](/rest/api/storageservices/create-user-delegation-sas). | db58b8e5-c6ad-4a2a-8342-4190687cbf4a | -> | [Storage File Data Privileged Contributor](#storage-file-data-privileged-contributor) | Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers. 
| 69566ab7-960f-475b-8e7c-b3118f30c6bd | -> | [Storage File Data Privileged Reader](#storage-file-data-privileged-reader) | Allows for read access on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers. | b8eda974-7b85-4f76-af95-65846b26df6d | -> | [Storage File Data SMB Share Contributor](#storage-file-data-smb-share-contributor) | Allows for read, write, and delete access on files/directories in Azure file shares. This role has no built-in equivalent on Windows file servers. | 0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb | -> | [Storage File Data SMB Share Elevated Contributor](#storage-file-data-smb-share-elevated-contributor) | Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares. This role is equivalent to a file share ACL of change on Windows file servers. | a7264617-510b-434b-a828-9731dc254ea7 | -> | [Storage File Data SMB Share Reader](#storage-file-data-smb-share-reader) | Allows for read access on files/directories in Azure file shares. This role is equivalent to a file share ACL of read on Windows file servers. | aba4ae5f-2193-4029-9191-0cb91df5e314 | -> | [Storage Queue Data Contributor](#storage-queue-data-contributor) | Read, write, and delete Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authenticate-with-azure-active-directory#permissions-for-calling-blob-and-queue-data-operations). | 974c5e8b-45b9-4653-ba55-5f855dd0fb88 | -> | [Storage Queue Data Message Processor](#storage-queue-data-message-processor) | Peek, retrieve, and delete a message from an Azure Storage queue. 
To learn which actions are required for a given data operation, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authenticate-with-azure-active-directory#permissions-for-calling-blob-and-queue-data-operations). | 8a0f0c08-91a1-4084-bc3d-661d67233fed | -> | [Storage Queue Data Message Sender](#storage-queue-data-message-sender) | Add messages to an Azure Storage queue. To learn which actions are required for a given data operation, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authenticate-with-azure-active-directory#permissions-for-calling-blob-and-queue-data-operations). | c6a89b2d-59bc-44d0-9896-0f6e12d7b80a | -> | [Storage Queue Data Reader](#storage-queue-data-reader) | Read and list Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authenticate-with-azure-active-directory#permissions-for-calling-blob-and-queue-data-operations). | 19e7f393-937e-4f77-808e-94535e297925 | -> | [Storage Table Data Contributor](#storage-table-data-contributor) | Allows for read, write and delete access to Azure Storage tables and entities | 0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3 | -> | [Storage Table Data Reader](#storage-table-data-reader) | Allows for read access to Azure Storage tables and entities | 76199698-9eea-4c19-bc75-cec21354c6b6 | -> | **Web** | | | -> | [Azure Maps Data Contributor](#azure-maps-data-contributor) | Grants access to read, write, and delete access to map related data from an Azure maps account. | 8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204 | -> | [Azure Maps Data Reader](#azure-maps-data-reader) | Grants access to read map related data from an Azure maps account. 
| 423170ca-a8f6-4b0f-8487-9e4eb8f49bfa | -> | [Azure Spring Cloud Config Server Contributor](#azure-spring-cloud-config-server-contributor) | Allow read, write and delete access to Azure Spring Cloud Config Server | a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b | -> | [Azure Spring Cloud Config Server Reader](#azure-spring-cloud-config-server-reader) | Allow read access to Azure Spring Cloud Config Server | d04c6db6-4947-4782-9e91-30a88feb7be7 | -> | [Azure Spring Cloud Data Reader](#azure-spring-cloud-data-reader) | Allow read access to Azure Spring Cloud Data | b5537268-8956-4941-a8f0-646150406f0c | -> | [Azure Spring Cloud Service Registry Contributor](#azure-spring-cloud-service-registry-contributor) | Allow read, write and delete access to Azure Spring Cloud Service Registry | f5880b48-c26d-48be-b172-7927bfa1c8f1 | -> | [Azure Spring Cloud Service Registry Reader](#azure-spring-cloud-service-registry-reader) | Allow read access to Azure Spring Cloud Service Registry | cff1b556-2399-4e7e-856d-a8f754be7b65 | -> | [Media Services Account Administrator](#media-services-account-administrator) | Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources. | 054126f8-9a2b-4f1c-a9ad-eca461f08466 | -> | [Media Services Live Events Administrator](#media-services-live-events-administrator) | Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources. | 532bc159-b25e-42c0-969e-a1d439f60d77 | -> | [Media Services Media Operator](#media-services-media-operator) | Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources. 
| e4395492-1534-4db2-bedf-88c14621589c | -> | [Media Services Policy Administrator](#media-services-policy-administrator) | Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets or Streaming resources. | c4bba371-dacd-4a26-b320-7250bca963ae | -> | [Media Services Streaming Endpoints Administrator](#media-services-streaming-endpoints-administrator) | Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources. | 99dba123-b5fe-44d5-874c-ced7199a5804 | -> | [Search Index Data Contributor](#search-index-data-contributor) | Grants full access to Azure Cognitive Search index data. | 8ebe5a00-799e-43f5-93ac-243d3dce84a7 | -> | [Search Index Data Reader](#search-index-data-reader) | Grants read access to Azure Cognitive Search index data. | 1407120a-92aa-4202-b7e9-c0e197c71c8f | -> | [Search Service Contributor](#search-service-contributor) | Lets you manage Search services, but not access to them. | 7ca78c08-252a-4471-8644-bb5ff32d4ba0 | -> | [SignalR AccessKey Reader](#signalr-accesskey-reader) | Read SignalR Service Access Keys | 04165923-9d83-45d5-8227-78b77b0a687e | -> | [SignalR App Server](#signalr-app-server) | Lets your app server access SignalR Service with AAD auth options. 
| 420fcaa2-552c-430f-98ca-3264be4806c7 | -> | [SignalR REST API Owner](#signalr-rest-api-owner) | Full access to Azure SignalR Service REST APIs | fd53cd77-2268-407a-8f46-7e7863d0f521 | -> | [SignalR REST API Reader](#signalr-rest-api-reader) | Read-only access to Azure SignalR Service REST APIs | ddde6b66-c0df-4114-a159-3618637b3035 | -> | [SignalR Service Owner](#signalr-service-owner) | Full access to Azure SignalR Service REST APIs | 7e4f1700-ea5a-4f59-8f37-079cfe29dce3 | -> | [SignalR/Web PubSub Contributor](#signalrweb-pubsub-contributor) | Create, Read, Update, and Delete SignalR service resources | 8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761 | -> | [Web Plan Contributor](#web-plan-contributor) | Manage the web plans for websites. Does not allow you to assign roles in Azure RBAC. | 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b | -> | [Website Contributor](#website-contributor) | Manage websites, but not web plans. Does not allow you to assign roles in Azure RBAC. | de139f84-1756-47ae-9be6-808fbbe84772 | -> | **Containers** | | | -> | [AcrDelete](#acrdelete) | Delete repositories, tags, or manifests from a container registry. | c2f4ef07-c644-48eb-af81-4b1b4947fb11 | -> | [AcrImageSigner](#acrimagesigner) | Push trusted images to or pull trusted images from a container registry enabled for content trust. | 6cef56e8-d556-48e5-a04f-b8e64114680f | -> | [AcrPull](#acrpull) | Pull artifacts from a container registry. | 7f951dda-4ed3-4680-a7ca-43fe172d538d | -> | [AcrPush](#acrpush) | Push artifacts to or pull artifacts from a container registry. | 8311e382-0749-4cb8-b61a-304f252e45ec | -> | [AcrQuarantineReader](#acrquarantinereader) | Pull quarantined images from a container registry. | cdda3590-29a3-44f6-95f2-9f980659eb04 | -> | [AcrQuarantineWriter](#acrquarantinewriter) | Push quarantined images to or pull quarantined images from a container registry. 
| c8d4ff99-41c3-41a8-9f60-21dfdad59608 |
| [Azure Kubernetes Fleet Manager RBAC Admin](#azure-kubernetes-fleet-manager-rbac-admin) | This role grants admin access - provides write permissions on most objects within a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces. | 434fb43a-c01c-447e-9f67-c3ad923cfaba |
| [Azure Kubernetes Fleet Manager RBAC Cluster Admin](#azure-kubernetes-fleet-manager-rbac-cluster-admin) | Lets you manage all resources in the fleet manager cluster. | 18ab4d3d-a1bf-4477-8ad9-8359bc988f69 |
| [Azure Kubernetes Fleet Manager RBAC Reader](#azure-kubernetes-fleet-manager-rbac-reader) | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. | 30b27cfc-9c84-438e-b0ce-70e35255df80 |
| [Azure Kubernetes Fleet Manager RBAC Writer](#azure-kubernetes-fleet-manager-rbac-writer) | Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. | 5af6afb3-c06c-4fa4-8848-71a8aee05683 |
| [Azure Kubernetes Service Cluster Admin Role](#azure-kubernetes-service-cluster-admin-role) | List cluster admin credential action. | 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8 |
| [Azure Kubernetes Service Cluster Monitoring User](#azure-kubernetes-service-cluster-monitoring-user) | List cluster monitoring user credential action. | 1afdec4b-e479-420e-99e7-f82237c7c5e6 |
| [Azure Kubernetes Service Cluster User Role](#azure-kubernetes-service-cluster-user-role) | List cluster user credential action. | 4abbcc35-e782-43d8-92c5-2d3f1bd2253f |
| [Azure Kubernetes Service Contributor Role](#azure-kubernetes-service-contributor-role) | Grants access to read and write Azure Kubernetes Service clusters | ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8 |
| [Azure Kubernetes Service RBAC Admin](#azure-kubernetes-service-rbac-admin) | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. | 3498e952-d568-435e-9b2c-8d77e338d7f7 |
| [Azure Kubernetes Service RBAC Cluster Admin](#azure-kubernetes-service-rbac-cluster-admin) | Lets you manage all resources in the cluster. | b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b |
| [Azure Kubernetes Service RBAC Reader](#azure-kubernetes-service-rbac-reader) | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. | 7f6c6a51-bcf8-42ba-9220-52d62157d7db |
| [Azure Kubernetes Service RBAC Writer](#azure-kubernetes-service-rbac-writer) | Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. | a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb |
| **Databases** | | |
| [Azure Connected SQL Server Onboarding](#azure-connected-sql-server-onboarding) | Allows for read and write access to Azure resources for SQL Server on Arc-enabled servers. | e8113dce-c529-4d33-91fa-e9b972617508 |
| [Cosmos DB Account Reader Role](#cosmos-db-account-reader-role) | Can read Azure Cosmos DB account data. See [DocumentDB Account Contributor](#documentdb-account-contributor) for managing Azure Cosmos DB accounts. | fbdf93bf-df7d-467e-a4d2-9458aa1360c8 |
| [Cosmos DB Operator](#cosmos-db-operator) | Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. | 230815da-be43-4aae-9cb4-875f7bd000aa |
| [CosmosBackupOperator](#cosmosbackupoperator) | Can submit a restore request for a Cosmos DB database or a container for an account | db7b14f2-5adf-42da-9f96-f2ee17bab5cb |
| [CosmosRestoreOperator](#cosmosrestoreoperator) | Can perform restore action for Cosmos DB database account with continuous backup mode | 5432c526-bc82-444a-b7ba-57c5b0b5b34f |
| [DocumentDB Account Contributor](#documentdb-account-contributor) | Can manage Azure Cosmos DB accounts. Azure Cosmos DB is formerly known as DocumentDB. | 5bd9cd88-fe45-4216-938b-f97437e15450 |
| [Redis Cache Contributor](#redis-cache-contributor) | Lets you manage Redis caches, but not access to them. | e0f68234-74aa-48ed-b826-c38b57376e17 |
| [SQL DB Contributor](#sql-db-contributor) | Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. | 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec |
| [SQL Managed Instance Contributor](#sql-managed-instance-contributor) | Lets you manage SQL Managed Instances and required network configuration, but can't give access to others. | 4939a1f6-9ae0-4e48-a1e0-f2cbe897382d |
| [SQL Security Manager](#sql-security-manager) | Lets you manage the security-related policies of SQL servers and databases, but not access to them. | 056cd41c-7e88-42e1-933e-88ba6a50c9c3 |
| [SQL Server Contributor](#sql-server-contributor) | Lets you manage SQL servers and databases, but not access to them, and not their security-related policies. | 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437 |
| **Analytics** | | |
| [Azure Event Hubs Data Owner](#azure-event-hubs-data-owner) | Allows for full access to Azure Event Hubs resources. | f526a384-b230-433a-b45c-95f59c4a2dec |
| [Azure Event Hubs Data Receiver](#azure-event-hubs-data-receiver) | Allows receive access to Azure Event Hubs resources. | a638d3c7-ab3a-418d-83e6-5f17a39d4fde |
| [Azure Event Hubs Data Sender](#azure-event-hubs-data-sender) | Allows send access to Azure Event Hubs resources. | 2b629674-e913-4c01-ae53-ef4638d8f975 |
| [Data Factory Contributor](#data-factory-contributor) | Create and manage data factories, as well as child resources within them. | 673868aa-7521-48a0-acc6-0f60742d39f5 |
| [Data Purger](#data-purger) | Delete private data from a Log Analytics workspace. | 150f5e0c-0603-4f03-8c7f-cf70034c4e90 |
| [HDInsight Cluster Operator](#hdinsight-cluster-operator) | Lets you read and modify HDInsight cluster configurations. | 61ed4efc-fab3-44fd-b111-e24485cc132a |
| [HDInsight Domain Services Contributor](#hdinsight-domain-services-contributor) | Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package | 8d8d5a11-05d3-4bda-a417-a08778121c7c |
| [Log Analytics Contributor](#log-analytics-contributor) | Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources. | 92aaf0da-9dab-42b6-94a3-d43ce8d16293 |
| [Log Analytics Reader](#log-analytics-reader) | Log Analytics Reader can view and search all monitoring data as well as view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. | 73c42c96-874c-492b-b04d-ab87d138a893 |
| [Schema Registry Contributor (Preview)](#schema-registry-contributor-preview) | Read, write, and delete Schema Registry groups and schemas. | 5dffeca3-4936-4216-b2bc-10343a5abb25 |
| [Schema Registry Reader (Preview)](#schema-registry-reader-preview) | Read and list Schema Registry groups and schemas. | 2c56ea50-c6b3-40a6-83c0-9d98858bc7d2 |
| [Stream Analytics Query Tester](#stream-analytics-query-tester) | Lets you perform query testing without creating a stream analytics job first | 1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf |
| **AI + machine learning** | | |
| [AzureML Compute Operator](#azureml-compute-operator) | Can access and perform CRUD operations on Machine Learning Services managed compute resources (including Notebook VMs). | e503ece1-11d0-4e8e-8e2c-7a6c3bf38815 |
| [AzureML Data Scientist](#azureml-data-scientist) | Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself. | f6c7c914-8db3-469d-8ca1-694a8f32e121 |
| [Cognitive Services Contributor](#cognitive-services-contributor) | Lets you create, read, update, delete and manage keys of Cognitive Services. | 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68 |
| [Cognitive Services Custom Vision Contributor](#cognitive-services-custom-vision-contributor) | Full access to the project, including the ability to view, create, edit, or delete projects. | c1ff6cc2-c111-46fe-8896-e0ef812ad9f3 |
| [Cognitive Services Custom Vision Deployment](#cognitive-services-custom-vision-deployment) | Publish, unpublish or export models. Deployment can view the project but can't update. | 5c4089e1-6d96-4d2f-b296-c1bc7137275f |
| [Cognitive Services Custom Vision Labeler](#cognitive-services-custom-vision-labeler) | View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags. | 88424f51-ebe7-446f-bc41-7fa16989e96c |
| [Cognitive Services Custom Vision Reader](#cognitive-services-custom-vision-reader) | Read-only actions in the project. Readers can't create or update the project. | 93586559-c37d-4a6b-ba08-b9f0940c2d73 |
| [Cognitive Services Custom Vision Trainer](#cognitive-services-custom-vision-trainer) | View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project. | 0a5ae4ab-0d65-4eeb-be61-29fc9b54394b |
| [Cognitive Services Data Reader (Preview)](#cognitive-services-data-reader-preview) | Lets you read Cognitive Services data. | b59867f0-fa02-499b-be73-45a86b5b3e1c |
| [Cognitive Services Face Recognizer](#cognitive-services-face-recognizer) | Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices. | 9894cab4-e18a-44aa-828b-cb588cd6f2d7 |
| [Cognitive Services Metrics Advisor Administrator](#cognitive-services-metrics-advisor-administrator) | Full access to the project, including the system level configuration. | cb43c632-a144-4ec5-977c-e80c4affc34a |
| [Cognitive Services OpenAI Contributor](#cognitive-services-openai-contributor) | Full access including the ability to fine-tune, deploy and generate text | a001fd3d-188f-4b5d-821b-7da978bf7442 |
| [Cognitive Services OpenAI User](#cognitive-services-openai-user) | Read access to view files, models, deployments. The ability to create completion and embedding calls. | 5e0bd9bd-7b93-4f28-af87-19fc36ad61bd |
| [Cognitive Services QnA Maker Editor](#cognitive-services-qna-maker-editor) | Lets you create, edit, import and export a KB. You cannot publish or delete a KB. | f4cc2bf9-21be-47a1-bdf1-5c5804381025 |
| [Cognitive Services QnA Maker Reader](#cognitive-services-qna-maker-reader) | Lets you read and test a KB only. | 466ccd10-b268-4a11-b098-b4849f024126 |
| [Cognitive Services Usages Reader](#cognitive-services-usages-reader) | Minimal permission to view Cognitive Services usages. | bba48692-92b0-4667-a9ad-c31c7b334ac2 |
| [Cognitive Services User](#cognitive-services-user) | Lets you read and list keys of Cognitive Services. | a97b65f3-24c7-4388-baec-2e87135dc908 |
| **Internet of things** | | |
| [Device Update Administrator](#device-update-administrator) | Gives you full access to management and content operations | 02ca0879-e8e4-47a5-a61e-5c618b76e64a |
| [Device Update Content Administrator](#device-update-content-administrator) | Gives you full access to content operations | 0378884a-3af5-44ab-8323-f5b22f9f3c98 |
| [Device Update Content Reader](#device-update-content-reader) | Gives you read access to content operations, but does not allow making changes | d1ee9a80-8b14-47f0-bdc2-f4a351625a7b |
| [Device Update Deployments Administrator](#device-update-deployments-administrator) | Gives you full access to management operations | e4237640-0e3d-4a46-8fda-70bc94856432 |
| [Device Update Deployments Reader](#device-update-deployments-reader) | Gives you read access to management operations, but does not allow making changes | 49e2f5d2-7741-4835-8efa-19e1fe35e47f |
| [Device Update Reader](#device-update-reader) | Gives you read access to management and content operations, but does not allow making changes | e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f |
| [IoT Hub Data Contributor](#iot-hub-data-contributor) | Allows for full access to IoT Hub data plane operations. | 4fc6c259-987e-4a07-842e-c321cc9d413f |
| [IoT Hub Data Reader](#iot-hub-data-reader) | Allows for full read access to IoT Hub data-plane properties | b447c946-2db7-41ec-983d-d8bf3b1c77e3 |
| [IoT Hub Registry Contributor](#iot-hub-registry-contributor) | Allows for full access to IoT Hub device registry. | 4ea46cd5-c1b2-4a8e-910b-273211f9ce47 |
| [IoT Hub Twin Contributor](#iot-hub-twin-contributor) | Allows for read and write access to all IoT Hub device and module twins. | 494bdba2-168f-4f31-a0a1-191d2f7c028c |
| **Mixed reality** | | |
| [Remote Rendering Administrator](#remote-rendering-administrator) | Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering | 3df8b902-2a6f-47c7-8cc5-360e9b272a7e |
| [Remote Rendering Client](#remote-rendering-client) | Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering. | d39065c4-c120-43c9-ab0a-63eed9795f0a |
| [Spatial Anchors Account Contributor](#spatial-anchors-account-contributor) | Lets you manage spatial anchors in your account, but not delete them | 8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827 |
| [Spatial Anchors Account Owner](#spatial-anchors-account-owner) | Lets you manage spatial anchors in your account, including deleting them | 70bbe301-9835-447d-afdd-19eb3167307c |
| [Spatial Anchors Account Reader](#spatial-anchors-account-reader) | Lets you locate and read properties of spatial anchors in your account | 5d51204f-eb77-4b1c-b86a-2ec626c49413 |
| **Integration** | | |
| [API Management Service Contributor](#api-management-service-contributor) | Can manage service and the APIs | 312a565d-c81f-4fd8-895a-4e21e48d571c |
| [API Management Service Operator Role](#api-management-service-operator-role) | Can manage service but not the APIs | e022efe7-f5ba-4159-bbe4-b44f577e9b61 |
| [API Management Service Reader Role](#api-management-service-reader-role) | Read-only access to service and APIs | 71522526-b88f-4d52-b57f-d31fc3546d0d |
| [API Management Service Workspace API Developer](#api-management-service-workspace-api-developer) | Has read access to tags and products and write access to allow: assigning APIs to products, assigning tags to products and APIs. This role should be assigned on the service scope. | 9565a273-41b9-4368-97d2-aeb0c976a9b3 |
| [API Management Service Workspace API Product Manager](#api-management-service-workspace-api-product-manager) | Has the same access as API Management Service Workspace API Developer as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope. | d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da |
| [API Management Workspace API Developer](#api-management-workspace-api-developer) | Has read access to entities in the workspace and read and write access to entities for editing APIs. This role should be assigned on the workspace scope. | 56328988-075d-4c6a-8766-d93edd6725b6 |
| [API Management Workspace API Product Manager](#api-management-workspace-api-product-manager) | Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope. | 73c2c328-d004-4c5e-938c-35c6f5679a1f |
| [API Management Workspace Contributor](#api-management-workspace-contributor) | Can manage the workspace and view, but not modify its members. This role should be assigned on the workspace scope. | 0c34c906-8d99-4cb7-8bb7-33f5b0a1a799 |
| [API Management Workspace Reader](#api-management-workspace-reader) | Has read-only access to entities in the workspace. This role should be assigned on the workspace scope. | ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2 |
| [App Configuration Data Owner](#app-configuration-data-owner) | Allows full access to App Configuration data. | 5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b |
| [App Configuration Data Reader](#app-configuration-data-reader) | Allows read access to App Configuration data. | 516239f1-63e1-4d78-a4de-a74fb236a071 |
| [Azure Relay Listener](#azure-relay-listener) | Allows for listen access to Azure Relay resources. | 26e0b698-aa6d-4085-9386-aadae190014d |
| [Azure Relay Owner](#azure-relay-owner) | Allows for full access to Azure Relay resources. | 2787bf04-f1f5-4bfe-8383-c8a24483ee38 |
| [Azure Relay Sender](#azure-relay-sender) | Allows for send access to Azure Relay resources. | 26baccc8-eea7-41f1-98f4-1762cc7f685d |
| [Azure Service Bus Data Owner](#azure-service-bus-data-owner) | Allows for full access to Azure Service Bus resources. | 090c5cfd-751d-490a-894a-3ce6f1109419 |
| [Azure Service Bus Data Receiver](#azure-service-bus-data-receiver) | Allows for receive access to Azure Service Bus resources. | 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0 |
| [Azure Service Bus Data Sender](#azure-service-bus-data-sender) | Allows for send access to Azure Service Bus resources. | 69a216fc-b8fb-44d8-bc22-1f3c2cd27a39 |
| [Azure Stack HCI Administrator](#azure-stack-hci-administrator) | Grants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader | bda0d508-adf1-4af0-9c28-88919fc3ae06 |
| [Azure Stack HCI Device Management Role](#azure-stack-hci-device-management-role) | Microsoft.AzureStackHCI Device Management Role | 865ae368-6a45-4bd1-8fbf-0d5151f56fc1 |
| [Azure Stack HCI VM Contributor](#azure-stack-hci-vm-contributor) | Grants permissions to perform all VM actions | 874d1c73-6003-4e60-a13a-cb31ea190a85 |
| [Azure Stack HCI VM Reader](#azure-stack-hci-vm-reader) | Grants permissions to view VMs | 4b3fe76c-f777-4d24-a2d7-b027b0f7b273 |
| [Azure Stack Registration Owner](#azure-stack-registration-owner) | Lets you manage Azure Stack registrations. | 6f12a6df-dd06-4f3e-bcb1-ce8be600526a |
| [EventGrid Contributor](#eventgrid-contributor) | Lets you manage EventGrid operations. | 1e241071-0855-49ea-94dc-649edcd759de |
| [EventGrid Data Sender](#eventgrid-data-sender) | Allows send access to event grid events. | d5a91429-5739-47e2-a06b-3470a27159e7 |
| [EventGrid EventSubscription Contributor](#eventgrid-eventsubscription-contributor) | Lets you manage EventGrid event subscription operations. | 428e0ff0-5e57-4d9c-a221-2c70d0e0a443 |
| [EventGrid EventSubscription Reader](#eventgrid-eventsubscription-reader) | Lets you read EventGrid event subscriptions. | 2414bbcf-6497-4faf-8c65-045460748405 |
| [FHIR Data Contributor](#fhir-data-contributor) | Role allows user or principal full access to FHIR Data | 5a1fc7df-4bf1-4951-a576-89034ee01acd |
| [FHIR Data Exporter](#fhir-data-exporter) | Role allows user or principal to read and export FHIR Data | 3db33094-8700-4567-8da5-1501d4e7e843 |
| [FHIR Data Importer](#fhir-data-importer) | Role allows user or principal to read and import FHIR Data | 4465e953-8ced-4406-a58e-0f6e3f3b530b |
| [FHIR Data Reader](#fhir-data-reader) | Role allows user or principal to read FHIR Data | 4c8d0bbc-75d3-4935-991f-5f3c56d81508 |
| [FHIR Data Writer](#fhir-data-writer) | Role allows user or principal to read and write FHIR Data | 3f88fce4-5892-4214-ae73-ba5294559913 |
| [Integration Service Environment Contributor](#integration-service-environment-contributor) | Lets you manage integration service environments, but not access to them. | a41e2c5b-bd99-4a07-88f4-9bf657a760b8 |
| [Integration Service Environment Developer](#integration-service-environment-developer) | Allows developers to create and update workflows, integration accounts and API connections in integration service environments. | c7aa55d3-1abb-444a-a5ca-5e51e485d6ec |
| [Intelligent Systems Account Contributor](#intelligent-systems-account-contributor) | Lets you manage Intelligent Systems accounts, but not access to them. | 03a6d094-3444-4b3d-88af-7477090a9e5e |
| [Logic App Contributor](#logic-app-contributor) | Lets you manage logic apps, but not change access to them. | 87a39d53-fc1b-424a-814c-f7e04687dc9e |
| [Logic App Operator](#logic-app-operator) | Lets you read, enable, and disable logic apps, but not edit or update them. | 515c2055-d9d4-4321-b1b9-bd0c9a0f79fe |
| [Logic Apps Standard Contributor (Preview)](#logic-apps-standard-contributor-preview) | You can manage all aspects of a Standard logic app and workflows. You can't change access or ownership. | ad710c24-b039-4e85-a019-deb4a06e8570 |
| [Logic Apps Standard Developer (Preview)](#logic-apps-standard-developer-preview) | You can create and edit workflows, connections, and settings for a Standard logic app. You can't make changes outside the workflow scope. | 523776ba-4eb2-4600-a3c8-f2dc93da4bdb |
| [Logic Apps Standard Operator (Preview)](#logic-apps-standard-operator-preview) | You can enable, resubmit, and disable workflows as well as create connections. You can't edit workflows or settings. | b70c96e9-66fe-4c09-b6e7-c98e69c98555 |
| [Logic Apps Standard Reader (Preview)](#logic-apps-standard-reader-preview) | You have read-only access to all resources in a Standard logic app and workflows, including the workflow runs and their history. | 4accf36b-2c05-432f-91c8-5c532dff4c73 |
| **Identity** | | |
| [Domain Services Contributor](#domain-services-contributor) | Can manage Azure AD Domain Services and related network configurations | eeaeda52-9324-47f6-8069-5d5bade478b2 |
| [Domain Services Reader](#domain-services-reader) | Can view Azure AD Domain Services and related network configurations | 361898ef-9ed1-48c2-849c-a832951106bb |
| [Managed Identity Contributor](#managed-identity-contributor) | Create, Read, Update, and Delete User Assigned Identity | e40ec5ca-96e0-45a2-b4ff-59039f2c2b59 |
| [Managed Identity Operator](#managed-identity-operator) | Read and Assign User Assigned Identity | f1a07417-d97a-45cb-824c-7a7467783830 |
| **Security** | | |
| [App Compliance Automation Administrator](#app-compliance-automation-administrator) | Create, read, download, modify and delete reports objects and related other resource objects. | 0f37683f-2463-46b6-9ce7-9b788b988ba2 |
| [App Compliance Automation Reader](#app-compliance-automation-reader) | Read, download the reports objects and related other resource objects. | ffc6bbe0-e443-4c3b-bf54-26581bb2f78e |
| [Attestation Contributor](#attestation-contributor) | Can read, write, or delete the attestation provider instance | bbf86eb8-f7b4-4cce-96e4-18cddf81d86e |
| [Attestation Reader](#attestation-reader) | Can read the attestation provider properties | fd1bd22b-8476-40bc-a0bc-69b95687b9f3 |
| [Key Vault Administrator](#key-vault-administrator) | Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. | 00482a5a-887f-4fb3-b363-3b7fe8e74483 |
| [Key Vault Certificate User](#key-vault-certificate-user) | Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | db79e9a7-68ee-4b58-9aeb-b90e7c24fcba |
| [Key Vault Certificates Officer](#key-vault-certificates-officer) | Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | a4417e6f-fecd-4de8-b567-7b0420556985 |
| [Key Vault Contributor](#key-vault-contributor) | Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates. | f25e0fa2-a7c8-4377-a976-54943a77a395 |
| [Key Vault Crypto Officer](#key-vault-crypto-officer) | Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | 14b46e9e-c2b7-41b4-b07b-48a6ebf60603 |
| [Key Vault Crypto Service Encryption User](#key-vault-crypto-service-encryption-user) | Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. | e147488a-f6f5-4113-8e2d-b22465e65bf6 |
| [Key Vault Crypto Service Release User](#key-vault-crypto-service-release-user) | Release keys. Only works for key vaults that use the 'Azure role-based access control' permission model. | 08bbd89e-9f13-488c-ac41-acfcb10c90ab |
| [Key Vault Crypto User](#key-vault-crypto-user) | Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. | 12338af0-0e69-4776-bea7-57ae8d297424 |
| [Key Vault Data Access Administrator](#key-vault-data-access-administrator) | Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments. | 8b54135c-b56d-4d72-a534-26097cfdc8d8 |
| [Key Vault Reader](#key-vault-reader) | Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. | 21090545-7ca7-4776-b22c-e363652d74d2 |
| [Key Vault Secrets Officer](#key-vault-secrets-officer) | Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | b86a8fe4-44ce-4948-aee5-eccb2c155cd7 |
| [Key Vault Secrets User](#key-vault-secrets-user) | Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | 4633458b-17de-408a-b874-0445c86b69e6 |
| [Managed HSM contributor](#managed-hsm-contributor) | Lets you manage managed HSM pools, but not access to them. | 18500a29-7fe2-46b2-a342-b16a415e101d |
| [Microsoft Sentinel Automation Contributor](#microsoft-sentinel-automation-contributor) | Microsoft Sentinel Automation Contributor | f4c81013-99ee-4d62-a7ee-b3f1f648599a |
| [Microsoft Sentinel Contributor](#microsoft-sentinel-contributor) | Microsoft Sentinel Contributor | ab8e14d6-4a74-4a29-9ba8-549422addade |
| [Microsoft Sentinel Playbook Operator](#microsoft-sentinel-playbook-operator) | Microsoft Sentinel Playbook Operator | 51d6186e-6489-4900-b93f-92e23144cca5 |
| [Microsoft Sentinel Reader](#microsoft-sentinel-reader) | Microsoft Sentinel Reader | 8d289c81-5878-46d4-8554-54e1e3d8b5cb |
| [Microsoft Sentinel Responder](#microsoft-sentinel-responder) | Microsoft Sentinel Responder | 3e150937-b8fe-4cfb-8069-0eaf05ecd056 |
| [Security Admin](#security-admin) | View and update permissions for Microsoft Defender for Cloud. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations.<br><br>For Microsoft Defender for IoT, see [Azure user roles for OT and Enterprise IoT monitoring](../defender-for-iot/organizations/roles-azure.md). | fb1c8493-542b-48eb-b624-b4c8fea62acd |
| [Security Assessment Contributor](#security-assessment-contributor) | Lets you push assessments to Microsoft Defender for Cloud | 612c2aa1-cb24-443b-ac28-3ab7272de6f5 |
| [Security Manager (Legacy)](#security-manager-legacy) | This is a legacy role. Please use Security Admin instead. | e3d13bf0-dd5a-482e-ba6b-9b8433878d10 |
| [Security Reader](#security-reader) | View permissions for Microsoft Defender for Cloud. Can view recommendations, alerts, a security policy, and security states, but cannot make changes.<br><br>For Microsoft Defender for IoT, see [Azure user roles for OT and Enterprise IoT monitoring](../defender-for-iot/organizations/roles-azure.md). | 39bc4728-0917-49c7-9d2c-d95423bc2eb4 |
| **DevOps** | | |
| [DevTest Labs User](#devtest-labs-user) | Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. | 76283e04-6283-4c54-8f91-bcf1374a3c64 |
| [Lab Assistant](#lab-assistant) | Enables you to view an existing lab, perform actions on the lab VMs and send invitations to the lab. | ce40b423-cede-4313-a93f-9b28290b72e1 |
| [Lab Contributor](#lab-contributor) | Applied at lab level, enables you to manage the lab. Applied at a resource group, enables you to create and manage labs. | 5daaa2af-1fe8-407c-9122-bba179798270 |
| [Lab Creator](#lab-creator) | Lets you create new labs under your Azure Lab Accounts. | b97fb8bc-a8b2-4522-a38b-dd33c7e65ead |
| [Lab Operator](#lab-operator) | Gives you limited ability to manage existing labs. | a36e6959-b6be-4b12-8e9f-ef4b474d304d |
| [Lab Services Contributor](#lab-services-contributor) | Enables you to fully control all Lab Services scenarios in the resource group. | f69b8690-cc87-41d6-b77a-a4bc3c0a966f |
| [Lab Services Reader](#lab-services-reader) | Enables you to view, but not change, all lab plans and lab resources. | 2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc |
| **Monitor** | | |
| [Application Insights Component Contributor](#application-insights-component-contributor) | Can manage Application Insights components | ae349356-3a1b-4a5e-921d-050484c6347e |
| [Application Insights Snapshot Debugger](#application-insights-snapshot-debugger) | Gives user permission to view and download debug snapshots collected with the Application Insights Snapshot Debugger. Note that these permissions are not included in the [Owner](#owner) or [Contributor](#contributor) roles. When giving users the Application Insights Snapshot Debugger role, you must grant the role directly to the user. The role is not recognized when it is added to a custom role. | 08954f03-6346-4c2e-81c0-ec3a5cfae23b |
| [Monitoring Contributor](#monitoring-contributor) | Can read all monitoring data and edit monitoring settings. See also [Get started with roles, permissions, and security with Azure Monitor](../azure-monitor/roles-permissions-security.md#built-in-monitoring-roles). | 749f88d5-cbae-40b8-bcfc-e573ddc772fa |
| [Monitoring Metrics Publisher](#monitoring-metrics-publisher) | Enables publishing metrics against Azure resources | 3913510d-42f4-4e42-8a64-420c390055eb |
| [Monitoring Reader](#monitoring-reader) | Can read all monitoring data (metrics, logs, etc.). See also [Get started with roles, permissions, and security with Azure Monitor](../azure-monitor/roles-permissions-security.md#built-in-monitoring-roles). | 43d0d8ad-25c7-4714-9337-8ba259a9fe05 |
| [Workbook Contributor](#workbook-contributor) | Can save shared workbooks. | e8ddcd69-c73f-4f9f-9844-4100522f16ad |
| [Workbook Reader](#workbook-reader) | Can read workbooks. | b279062a-9be3-42a0-92ae-8b3cf002ec4d |
| **Management and governance** | | |
| [Automation Contributor](#automation-contributor) | Manage Azure Automation resources and other resources using Azure Automation. | f353d9bd-d4a6-484e-a77a-8050b599b867 |
| [Automation Job Operator](#automation-job-operator) | Create and Manage Jobs using Automation Runbooks. | 4fe576fe-1146-4730-92eb-48519fa6bf9f |
| [Automation Operator](#automation-operator) | Automation Operators are able to start, stop, suspend, and resume jobs | d3881f73-407a-4167-8283-e981cbba0404 |
| [Automation Runbook Operator](#automation-runbook-operator) | Read Runbook properties - to be able to create Jobs of the runbook. | 5fb5aef8-1081-4b8e-bb16-9d5d0385bab5 |
| [Azure Arc Enabled Kubernetes Cluster User Role](#azure-arc-enabled-kubernetes-cluster-user-role) | List cluster user credentials action. | 00493d72-78f6-4148-b6c5-d3ce8e4799dd |
| [Azure Arc Kubernetes Admin](#azure-arc-kubernetes-admin) | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. | dffb1e0c-446f-4dde-a09f-99eb5cc68b96 |
| [Azure Arc Kubernetes Cluster Admin](#azure-arc-kubernetes-cluster-admin) | Lets you manage all resources in the cluster. | 8393591c-06b9-48a2-a542-1bd6b377f6a2 |
| [Azure Arc Kubernetes Viewer](#azure-arc-kubernetes-viewer) | Lets you view all resources in cluster/namespace, except secrets. | 63f0a09d-1495-4db4-a681-037d84835eb4 |
| [Azure Arc Kubernetes Writer](#azure-arc-kubernetes-writer) | Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings. | 5b999177-9696-4545-85c7-50de3797e5a1 |
| [Azure Connected Machine Onboarding](#azure-connected-machine-onboarding) | Can onboard Azure Connected Machines. | b64e21ea-ac4e-4cdf-9dc9-5b892992bee7 |
| [Azure Connected Machine Resource Administrator](#azure-connected-machine-resource-administrator) | Can read, write, delete and re-onboard Azure Connected Machines. | cd570a14-e51a-42ad-bac8-bafd67325302 |
| [Azure Connected Machine Resource Manager](#azure-connected-machine-resource-manager) | Custom Role for AzureStackHCI RP to manage hybrid compute machines and hybrid connectivity endpoints in a resource group | f5819b54-e033-4d82-ac66-4fec3cbf3f4c |
| [Azure Resource Bridge Deployment Role](#azure-resource-bridge-deployment-role) | Azure Resource Bridge Deployment Role | 7b1f81f9-4196-4058-8aae-762e593270df |
| [Billing Reader](#billing-reader) | Allows read access to billing data | fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64 |
| [Blueprint Contributor](#blueprint-contributor) | Can manage blueprint definitions, but not assign them. | 41077137-e803-4205-871c-5a86e6a753b4 |
| [Blueprint Operator](#blueprint-operator) | Can assign existing published blueprints, but cannot create new blueprints. Note that this only works if the assignment is done with a user-assigned managed identity. | 437d2ced-4a38-4302-8479-ed2bcb43d090 |
| [Cost Management Contributor](#cost-management-contributor) | Can view costs and manage cost configuration (e.g. budgets, exports) | 434105ed-43f6-45c7-a02f-909b2ba83430 |
| [Cost Management Reader](#cost-management-reader) | Can view cost data and configuration (e.g. budgets, exports) | 72fafb9e-0641-4937-9268-a91bfd8191a3 |
| [Hierarchy Settings Administrator](#hierarchy-settings-administrator) | Allows users to edit and delete Hierarchy Settings | 350f8d15-c687-4448-8ae1-157740a3936d |
| [Kubernetes Agentless Operator](#kubernetes-agentless-operator) | Grants Microsoft Defender for Cloud access to Azure Kubernetes Services | d5a2ae44-610b-4500-93be-660a0c5f5ca6 |
| [Kubernetes Cluster - Azure Arc Onboarding](#kubernetes-clusterazure-arc-onboarding) | Role definition to authorize any user/service to create connectedClusters resource | 34e09817-6cbe-4d01-b1a2-e0eac5743d41 |
| [Kubernetes Extension Contributor](#kubernetes-extension-contributor) | Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations | 85cb6faf-e071-4c9b-8136-154b5a04f717 |
| [Managed Application Contributor Role](#managed-application-contributor-role) | Allows for creating managed application resources. | 641177b8-a67a-45b9-a033-47bc880bb21e |
| [Managed Application Operator Role](#managed-application-operator-role) | Lets you read and perform actions on Managed Application resources | c7393b34-138c-406f-901b-d8cf2b17e6ae |
| [Managed Applications Reader](#managed-applications-reader) | Lets you read resources in a managed app and request JIT access. | b9331d33-8a36-4f8c-b097-4f54124fdb44 |
| [Managed Services Registration assignment Delete Role](#managed-services-registration-assignment-delete-role) | Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant. | 91c1777a-f3dc-4fae-b103-61d183457e46 |
| [Management Group Contributor](#management-group-contributor) | Management Group Contributor Role | 5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c |
| [Management Group Reader](#management-group-reader) | Management Group Reader Role | ac63b705-f282-497d-ac71-919bf39d939d |
| [New Relic APM Account Contributor](#new-relic-apm-account-contributor) | Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. | 5d28c62d-5b37-4476-8438-e587778df237 |
| [Policy Insights Data Writer (Preview)](#policy-insights-data-writer-preview) | Allows read access to resource policies and write access to resource component policy events. | 66bb4e9e-b016-4a94-8249-4c0511c2be84 |
| [Quota Request Operator](#quota-request-operator) | Read and create quota requests, get quota request status, and create support tickets. | 0e5f05e5-9ab9-446b-b98d-1e2157c94125 |
| [Reservation Purchaser](#reservation-purchaser) | Lets you purchase reservations | f7b75c60-3036-4b75-91c3-6b41c27c1689 |
| [Resource Policy Contributor](#resource-policy-contributor) | Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy. | 36243c78-bf99-498c-9df9-86d9f8d28608 |
| [Site Recovery Contributor](#site-recovery-contributor) | Lets you manage Site Recovery service except vault creation and role assignment | 6670b86e-a3f7-4917-ac9b-5d6ab1be4567 |
| [Site Recovery Operator](#site-recovery-operator) | Lets you failover and failback but not perform other Site Recovery management operations | 494ae006-db33-4328-bf46-533a6560a3ca |
| [Site Recovery Reader](#site-recovery-reader) | Lets you view Site Recovery status but not perform other management operations | dbaa88c4-0c30-4179-9fb3-46319faa6149 |
| [Support Request Contributor](#support-request-contributor) | Lets you create and manage Support requests | cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e |
| [Tag Contributor](#tag-contributor) | Lets you manage tags on entities, without providing access to the entities themselves. | 4a9ae827-6dc8-4573-8ac7-8239d42aa03f |
| [Template Spec Contributor](#template-spec-contributor) | Allows full access to Template Spec operations at the assigned scope. | 1c9b6475-caf0-4164-b5a1-2142a7116f4b |
| [Template Spec Reader](#template-spec-reader) | Allows read access to Template Specs at the assigned scope. | 392ae280-861d-42bd-9ea5-08ee6d83b80e |
| **Virtual desktop infrastructure** | | |
| [Desktop Virtualization Application Group Contributor](#desktop-virtualization-application-group-contributor) | Contributor of the Desktop Virtualization Application Group. | 86240b0e-9422-4c43-887b-b61143f32ba8 |
| [Desktop Virtualization Application Group Reader](#desktop-virtualization-application-group-reader) | Reader of the Desktop Virtualization Application Group. | aebf23d0-b568-4e86-b8f9-fe83a2c6ab55 |
| [Desktop Virtualization Contributor](#desktop-virtualization-contributor) | Contributor of Desktop Virtualization. 
| 082f0a83-3be5-4ba1-904c-961cca79b387 | -> | [Desktop Virtualization Host Pool Contributor](#desktop-virtualization-host-pool-contributor) | Contributor of the Desktop Virtualization Host Pool. | e307426c-f9b6-4e81-87de-d99efb3c32bc | -> | [Desktop Virtualization Host Pool Reader](#desktop-virtualization-host-pool-reader) | Reader of the Desktop Virtualization Host Pool. | ceadfde2-b300-400a-ab7b-6143895aa822 | -> | [Desktop Virtualization Reader](#desktop-virtualization-reader) | Reader of Desktop Virtualization. | 49a72310-ab8d-41df-bbb0-79b649203868 | -> | [Desktop Virtualization Session Host Operator](#desktop-virtualization-session-host-operator) | Operator of the Desktop Virtualization Session Host. | 2ad6aaab-ead9-4eaa-8ac5-da422f562408 | -> | [Desktop Virtualization User](#desktop-virtualization-user) | Allows user to use the applications in an application group. | 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63 | -> | [Desktop Virtualization User Session Operator](#desktop-virtualization-user-session-operator) | Operator of the Desktop Virtualization User Session. | ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6 | -> | [Desktop Virtualization Workspace Contributor](#desktop-virtualization-workspace-contributor) | Contributor of the Desktop Virtualization Workspace. | 21efdde3-836f-432b-bf3d-3e8e734d4b2b | -> | [Desktop Virtualization Workspace Reader](#desktop-virtualization-workspace-reader) | Reader of the Desktop Virtualization Workspace. | 0fa44ee9-7a7d-466b-9bb2-2bf446b1204d | -> | **Other** | | | -> | [Azure Digital Twins Data Owner](#azure-digital-twins-data-owner) | Full access role for Digital Twins data-plane | bcd981a7-7f74-457b-83e1-cceb9e632ffe | -> | [Azure Digital Twins Data Reader](#azure-digital-twins-data-reader) | Read-only role for Digital Twins data-plane properties | d57506d4-4c8d-48b1-8587-93c323f6a5a3 | -> | [BizTalk Contributor](#biztalk-contributor) | Lets you manage BizTalk services, but not access to them. 
| 5e3c6656-6cfa-4708-81fe-0de47ac73342 | -> | [Grafana Admin](#grafana-admin) | Perform all Grafana operations, including the ability to manage data sources, create dashboards, and manage role assignments within Grafana. | 22926164-76b3-42b3-bc55-97df8dab3e41 | -> | [Grafana Editor](#grafana-editor) | View and edit a Grafana instance, including its dashboards and alerts. | a79a5197-3a5c-4973-a920-486035ffd60f | -> | [Grafana Viewer](#grafana-viewer) | View a Grafana instance, including its dashboards and alerts. | 60921a7e-fef1-4a43-9b16-a26c52ad4769 | -> | [Load Test Contributor](#load-test-contributor) | View, create, update, delete and execute load tests. View and list load test resources but can not make any changes. | 749a398d-560b-491b-bb21-08924219302e | -> | [Load Test Owner](#load-test-owner) | Execute all operations on load test resources and load tests | 45bb0b16-2f0c-4e78-afaa-a07599b003f6 | -> | [Load Test Reader](#load-test-reader) | View and list all load tests and load test resources but can not make any changes | 3ae3fb29-0000-4ccd-bf80-542e7b26e081 | -> | [Scheduler Job Collections Contributor](#scheduler-job-collections-contributor) | Lets you manage Scheduler job collections, but not access to them. | 188a0f2f-5c9e-469b-ae67-2aa5ce574b94 | -> | [Services Hub Operator](#services-hub-operator) | Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors. | 82200a5b-e217-47a5-b665-6d8765ee745b | +The following table provides a brief description of each built-in role. Click the role name to see the list of `Actions`, `NotActions`, `DataActions`, and `NotDataActions` for each role. For information about what these actions mean and how they apply to the control and data planes, see [Understand Azure role definitions](/azure/role-based-access-control/role-definitions). 
## General --### Contributor --Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. --[Learn more](rbac-and-directory-admin-roles.md) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | * | Create and manage resources of all types | -> | **NotActions** | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/Delete | Delete roles, policy assignments, policy definitions and policy set definitions | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/Write | Create roles, role assignments, policy assignments, policy definitions and policy set definitions | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/elevateAccess/Action | Grants the caller User Access Administrator access at the tenant scope | -> | [Microsoft.Blueprint](resource-provider-operations.md#microsoftblueprint)/blueprintAssignments/write | Create or update any blueprint assignments | -> | [Microsoft.Blueprint](resource-provider-operations.md#microsoftblueprint)/blueprintAssignments/delete | Delete any blueprint assignments | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/galleries/share/action | Shares a Gallery to different scopes | -> | [Microsoft.Purview](resource-provider-operations.md#microsoftpurview)/consents/write | Create or Update a Consent Resource. | -> | [Microsoft.Purview](resource-provider-operations.md#microsoftpurview)/consents/delete | Delete the Consent Resource. 
| -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "name": "b24988ac-6180-42a0-ab88-20f7382dd24c", - "permissions": [ - { - "actions": [ - "*" - ], - "notActions": [ - "Microsoft.Authorization/*/Delete", - "Microsoft.Authorization/*/Write", - "Microsoft.Authorization/elevateAccess/Action", - "Microsoft.Blueprint/blueprintAssignments/write", - "Microsoft.Blueprint/blueprintAssignments/delete", - "Microsoft.Compute/galleries/share/action", - "Microsoft.Purview/consents/write", - "Microsoft.Purview/consents/delete" - ], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Owner --Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. 
--[Learn more](rbac-and-directory-admin-roles.md) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | * | Create and manage resources of all types | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "name": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "permissions": [ - { - "actions": [ - "*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Owner", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Reader --View all resources, but does not allow you to make any changes. --[Learn more](rbac-and-directory-admin-roles.md) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | */read | Read resources of all types, except secrets. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "View all resources, but does not allow you to make any changes.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", - "name": "acdd72a7-3385-48ef-bd42-f606fba81ae7", - "permissions": [ - { - "actions": [ - "*/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Role Based Access Control Administrator --Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleAssignments/write | Create a role assignment at the specified scope. | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleAssignments/delete | Delete a role assignment at the specified scope. | -> | */read | Read resources of all types, except secrets. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/f58310d9-a9f6-439a-9e8d-f62e7b41a168", - "name": "f58310d9-a9f6-439a-9e8d-f62e7b41a168", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/roleAssignments/write", - "Microsoft.Authorization/roleAssignments/delete", - "*/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Role Based Access Control Administrator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### User Access Administrator --Lets you manage user access to Azure resources. --[Learn more](rbac-and-directory-admin-roles.md) - > [!div class="mx-tableFixed"]-> | Actions | Description | -> | | | -> | */read | Read resources of all types, except secrets. 
| -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/* | Manage authorization | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage user access to Azure resources.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", - "name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", - "permissions": [ - { - "actions": [ - "*/read", - "Microsoft.Authorization/*", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "User Access Administrator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` +> | Built-in role | Description | ID | +> | | | | +> | <a name='contributor'></a>[Contributor](./built-in-roles/general.md#contributor) | Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. | b24988ac-6180-42a0-ab88-20f7382dd24c | +> | <a name='owner'></a>[Owner](./built-in-roles/general.md#owner) | Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. | 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 | +> | <a name='reader'></a>[Reader](./built-in-roles/general.md#reader) | View all resources, but does not allow you to make any changes. | acdd72a7-3385-48ef-bd42-f606fba81ae7 | +> | <a name='role-based-access-control-administrator'></a>[Role Based Access Control Administrator](./built-in-roles/general.md#role-based-access-control-administrator) | Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy. 
| f58310d9-a9f6-439a-9e8d-f62e7b41a168 | +> | <a name='user-access-administrator'></a>[User Access Administrator](./built-in-roles/general.md#user-access-administrator) | Lets you manage user access to Azure resources. | 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 | ## Compute --### Classic Virtual Machine Contributor --Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.ClassicCompute](resource-provider-operations.md#microsoftclassiccompute)/domainNames/* | Create and manage classic compute domain names | -> | [Microsoft.ClassicCompute](resource-provider-operations.md#microsoftclassiccompute)/virtualMachines/* | Create and manage virtual machines | -> | [Microsoft.ClassicNetwork](resource-provider-operations.md#microsoftclassicnetwork)/networkSecurityGroups/join/action | | -> | [Microsoft.ClassicNetwork](resource-provider-operations.md#microsoftclassicnetwork)/reservedIps/link/action | Link a reserved Ip | -> | [Microsoft.ClassicNetwork](resource-provider-operations.md#microsoftclassicnetwork)/reservedIps/read | Gets the reserved Ips | -> | [Microsoft.ClassicNetwork](resource-provider-operations.md#microsoftclassicnetwork)/virtualNetworks/join/action | Joins the virtual network. | -> | [Microsoft.ClassicNetwork](resource-provider-operations.md#microsoftclassicnetwork)/virtualNetworks/read | Get the virtual network. | -> | [Microsoft.ClassicStorage](resource-provider-operations.md#microsoftclassicstorage)/storageAccounts/disks/read | Returns the storage account disk. | -> | [Microsoft.ClassicStorage](resource-provider-operations.md#microsoftclassicstorage)/storageAccounts/images/read | Returns the storage account image. (Deprecated. 
Use 'Microsoft.ClassicStorage/storageAccounts/vmImages') | -> | [Microsoft.ClassicStorage](resource-provider-operations.md#microsoftclassicstorage)/storageAccounts/listKeys/action | Lists the access keys for the storage accounts. | -> | [Microsoft.ClassicStorage](resource-provider-operations.md#microsoftclassicstorage)/storageAccounts/read | Return the storage account with the given account. | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb", - "name": "d73bb868-a0df-4d4d-bd69-98a00b01fccb", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.ClassicCompute/domainNames/*", - "Microsoft.ClassicCompute/virtualMachines/*", - "Microsoft.ClassicNetwork/networkSecurityGroups/join/action", - "Microsoft.ClassicNetwork/reservedIps/link/action", - "Microsoft.ClassicNetwork/reservedIps/read", - "Microsoft.ClassicNetwork/virtualNetworks/join/action", - 
"Microsoft.ClassicNetwork/virtualNetworks/read", - "Microsoft.ClassicStorage/storageAccounts/disks/read", - "Microsoft.ClassicStorage/storageAccounts/images/read", - "Microsoft.ClassicStorage/storageAccounts/listKeys/action", - "Microsoft.ClassicStorage/storageAccounts/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Classic Virtual Machine Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Data Operator for Managed Disks --Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication. --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/disks/download/action | Perform read data operations on Disk SAS Uri | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/disks/upload/action | Perform write data operations on Disk SAS Uri | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/snapshots/download/action | Perform read data operations on Snapshot SAS Uri | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/snapshots/upload/action | Perform write data operations on Snapshot SAS Uri | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication.", - "id": 
"/providers/Microsoft.Authorization/roleDefinitions/959f8984-c045-4866-89c7-12bf9737be2e", - "name": "959f8984-c045-4866-89c7-12bf9737be2e", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.Compute/disks/download/action", - "Microsoft.Compute/disks/upload/action", - "Microsoft.Compute/snapshots/download/action", - "Microsoft.Compute/snapshots/upload/action" - ], - "notDataActions": [] - } - ], - "roleName": "Data Operator for Managed Disks", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Disk Backup Reader --Provides permission to backup vault to perform disk backup. --[Learn more](/azure/backup/disk-backup-faq) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/disks/read | Get the properties of a Disk | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/disks/beginGetAccess/action | Get the SAS URI of the Disk for blob access | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Provides permission to backup vault to perform disk backup.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/3e5e47e6-65f7-47ef-90b5-e5dd4d455f24", - "name": "3e5e47e6-65f7-47ef-90b5-e5dd4d455f24", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Compute/disks/read", - "Microsoft.Compute/disks/beginGetAccess/action" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Disk Backup Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Disk Pool Operator --Provide permission to 
StoragePool Resource Provider to manage disks added to a disk pool. --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/disks/write | Creates a new Disk or updates an existing one | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/disks/read | Get the properties of a Disk | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Used by the StoragePool Resource Provider to manage Disks added to a Disk Pool.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/60fc6e62-5479-42d4-8bf4-67625fcc2840", - "name": "60fc6e62-5479-42d4-8bf4-67625fcc2840", - "permissions": [ - { - "actions": [ - "Microsoft.Compute/disks/write", - "Microsoft.Compute/disks/read", - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Disk Pool Operator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Disk Restore Operator --Provides permission to backup vault to perform disk restore. 
--[Learn more](/azure/backup/restore-managed-disks) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/disks/write | Creates a new Disk or updates an existing one | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/disks/read | Get the properties of a Disk | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Provides permission to backup vault to perform disk restore.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/b50d9833-a0cb-478e-945f-707fcc997c13", - "name": "b50d9833-a0cb-478e-945f-707fcc997c13", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Compute/disks/write", - "Microsoft.Compute/disks/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Disk Restore Operator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Disk Snapshot Contributor --Provides permission to backup vault to manage disk snapshots. --[Learn more](/azure/backup/backup-managed-disks) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/snapshots/delete | Delete a Snapshot | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/snapshots/write | Create a new Snapshot or update an existing one | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/snapshots/read | Get the properties of a Snapshot | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/snapshots/beginGetAccess/action | Get the SAS URI of the Snapshot for blob access | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/snapshots/endGetAccess/action | Revoke the SAS URI of the Snapshot | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/disks/beginGetAccess/action | Get the SAS URI of the Disk for blob access | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/listkeys/action | Returns the access keys for the specified storage account. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/write | Creates a storage account with the specified parameters or update the properties or tags or adds custom domain for the specified storage account. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/delete | Deletes an existing storage account. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Provides permission to backup vault to manage disk snapshots.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/7efff54f-a5b4-42b5-a1c5-5411624893ce", - "name": "7efff54f-a5b4-42b5-a1c5-5411624893ce", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Compute/snapshots/delete", - "Microsoft.Compute/snapshots/write", - "Microsoft.Compute/snapshots/read", - "Microsoft.Compute/snapshots/beginGetAccess/action", - "Microsoft.Compute/snapshots/endGetAccess/action", - "Microsoft.Compute/disks/beginGetAccess/action", - "Microsoft.Storage/storageAccounts/listkeys/action", - "Microsoft.Storage/storageAccounts/write", - "Microsoft.Storage/storageAccounts/read", - "Microsoft.Storage/storageAccounts/delete" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Disk Snapshot Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Virtual Machine Administrator Login --View Virtual Machines in the portal and login as administrator --[Learn more](/entra/identity/devices/howto-vm-sign-in-azure-ad-windows) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/publicIPAddresses/read | Gets a public IP address definition. 
| -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/loadBalancers/read | Gets a load balancer definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkInterfaces/read | Gets a network interface definition. | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/*/read | | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/*/read | | -> | [Microsoft.HybridConnectivity](resource-provider-operations.md#microsofthybridconnectivity)/endpoints/listCredentials/action | Gets the endpoint access credentials to the resource. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/login/action | Log in to a virtual machine as a regular user | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/loginAsAdmin/action | Log in to a virtual machine with Windows administrator or Linux root user privileges | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/login/action | Log in to an Azure Arc machine as a regular user | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/loginAsAdmin/action | Log in to an Azure Arc machine with Windows administrator or Linux root user privilege | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "View Virtual Machines in the portal and login as administrator", - "id": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4", - "name": "1c0163c0-47e6-4577-8991-ea5c82e286e4", - "permissions": [ - { - "actions": [ - "Microsoft.Network/publicIPAddresses/read", 
- "Microsoft.Network/virtualNetworks/read", - "Microsoft.Network/loadBalancers/read", - "Microsoft.Network/networkInterfaces/read", - "Microsoft.Compute/virtualMachines/*/read", - "Microsoft.HybridCompute/machines/*/read", - "Microsoft.HybridConnectivity/endpoints/listCredentials/action" - ], - "notActions": [], - "dataActions": [ - "Microsoft.Compute/virtualMachines/login/action", - "Microsoft.Compute/virtualMachines/loginAsAdmin/action", - "Microsoft.HybridCompute/machines/login/action", - "Microsoft.HybridCompute/machines/loginAsAdmin/action" - ], - "notDataActions": [] - } - ], - "roleName": "Virtual Machine Administrator Login", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Virtual Machine Contributor --Create and manage virtual machines, manage disks, install and run software, reset password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC. --[Learn more](/azure/architecture/reference-architectures/n-tier/linux-vm) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/availabilitySets/* | Create and manage compute availability sets | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/locations/* | Create and manage compute locations | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/* | Perform all virtual machine actions including create, update, delete, start, restart, and power off virtual machines. Execute scripts on virtual machines. 
| -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachineScaleSets/* | Create and manage virtual machine scale sets | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/cloudServices/* | | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/disks/write | Creates a new Disk or updates an existing one | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/disks/read | Get the properties of a Disk | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/disks/delete | Deletes the Disk | -> | [Microsoft.DevTestLab](resource-provider-operations.md#microsoftdevtestlab)/schedules/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/applicationGateways/backendAddressPools/join/action | Joins an application gateway backend address pool. Not Alertable. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/loadBalancers/backendAddressPools/join/action | Joins a load balancer backend address pool. Not Alertable. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/loadBalancers/inboundNatPools/join/action | Joins a load balancer inbound NAT pool. Not alertable. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/loadBalancers/inboundNatRules/join/action | Joins a load balancer inbound nat rule. Not Alertable. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/loadBalancers/probes/join/action | Allows using probes of a load balancer. For example, with this permission healthProbe property of VM scale set can reference the probe. Not alertable. 
| -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/loadBalancers/read | Gets a load balancer definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/locations/* | Create and manage network locations | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkInterfaces/* | Create and manage network interfaces | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkSecurityGroups/read | Gets a network security group definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/publicIPAddresses/join/action | Joins a public IP address. Not Alertable. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/publicIPAddresses/read | Gets a public IP address definition. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. 
| -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/* | | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/backupProtectionIntent/write | Create a backup Protection Intent | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/*/read | | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the Protected Item | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/write | Create a backup Protected Item | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupPolicies/read | Returns all Protection Policies | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupPolicies/write | Creates Protection Policy | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/usages/read | Returns usage details for a Recovery Services Vault. 
| -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/write | Create Vault operation creates an Azure resource of type 'vault' | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | Microsoft.SerialConsole/serialPorts/connect/action | Connect to a serial port | -> | [Microsoft.SqlVirtualMachine](resource-provider-operations.md#microsoftsqlvirtualmachine)/* | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", - "name": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Compute/availabilitySets/*", - "Microsoft.Compute/locations/*", - "Microsoft.Compute/virtualMachines/*", - "Microsoft.Compute/virtualMachineScaleSets/*", - "Microsoft.Compute/cloudServices/*", - "Microsoft.Compute/disks/write", - "Microsoft.Compute/disks/read", - "Microsoft.Compute/disks/delete", - "Microsoft.DevTestLab/schedules/*", - "Microsoft.Insights/alertRules/*", - "Microsoft.Network/applicationGateways/backendAddressPools/join/action", - "Microsoft.Network/loadBalancers/backendAddressPools/join/action", - "Microsoft.Network/loadBalancers/inboundNatPools/join/action", - "Microsoft.Network/loadBalancers/inboundNatRules/join/action", - "Microsoft.Network/loadBalancers/probes/join/action", - "Microsoft.Network/loadBalancers/read", - "Microsoft.Network/locations/*", - "Microsoft.Network/networkInterfaces/*", - "Microsoft.Network/networkSecurityGroups/join/action", - "Microsoft.Network/networkSecurityGroups/read", - "Microsoft.Network/publicIPAddresses/join/action", - "Microsoft.Network/publicIPAddresses/read", - "Microsoft.Network/virtualNetworks/read", - "Microsoft.Network/virtualNetworks/subnets/join/action", - "Microsoft.RecoveryServices/locations/*", - "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write", - 
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write", - "Microsoft.RecoveryServices/Vaults/backupPolicies/read", - "Microsoft.RecoveryServices/Vaults/backupPolicies/write", - "Microsoft.RecoveryServices/Vaults/read", - "Microsoft.RecoveryServices/Vaults/usages/read", - "Microsoft.RecoveryServices/Vaults/write", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.SerialConsole/serialPorts/connect/action", - "Microsoft.SqlVirtualMachine/*", - "Microsoft.Storage/storageAccounts/listKeys/action", - "Microsoft.Storage/storageAccounts/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Virtual Machine Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Virtual Machine Data Access Administrator (preview) --Manage access to Virtual Machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an ABAC condition to constrain role assignments. --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleAssignments/write | Create a role assignment at the specified scope. | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleAssignments/delete | Delete a role assignment at the specified scope. 
| -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | -> | [Microsoft.Management](resource-provider-operations.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated user. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/publicIPAddresses/read | Gets a public IP address definition. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/loadBalancers/read | Gets a load balancer definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkInterfaces/read | Gets a network interface definition. 
| -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/*/read | | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/*/read | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | -> | **Condition** | | -> | ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52})) | Add or remove role assignments for the following roles:<br/>Virtual Machine Administrator Login<br/>Virtual Machine User Login | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Manage access to Virtual Machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. 
Includes an ABAC condition to constrain role assignments.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/66f75aeb-eabe-4b70-9f1e-c350c4c9ad04", - "name": "66f75aeb-eabe-4b70-9f1e-c350c4c9ad04", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/roleAssignments/write", - "Microsoft.Authorization/roleAssignments/delete", - "Microsoft.Authorization/*/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Management/managementGroups/read", - "Microsoft.Network/publicIPAddresses/read", - "Microsoft.Network/virtualNetworks/read", - "Microsoft.Network/loadBalancers/read", - "Microsoft.Network/networkInterfaces/read", - "Microsoft.Compute/virtualMachines/*/read", - "Microsoft.HybridCompute/machines/*/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [], - "conditionVersion": "2.0", - "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52}))" - } - ], - "roleName": "Virtual Machine Data Access Administrator (preview)", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Virtual Machine Local User Login --View Virtual Machines in the portal and login as a local user configured on the arc server --[Learn more](/azure/azure-arc/servers/ssh-arc-troubleshoot) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | 
[Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/*/read | | -> | [Microsoft.HybridConnectivity](resource-provider-operations.md#microsofthybridconnectivity)/endpoints/listCredentials/action | Gets the endpoint access credentials to the resource. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "View Virtual Machines in the portal and login as a local user configured on the arc server", - "id": "/providers/Microsoft.Authorization/roleDefinitions/602da2ba-a5c2-41da-b01d-5360126ab525", - "name": "602da2ba-a5c2-41da-b01d-5360126ab525", - "permissions": [ - { - "actions": [ - "Microsoft.HybridCompute/machines/*/read", - "Microsoft.HybridConnectivity/endpoints/listCredentials/action" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Virtual Machine Local User Login", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Virtual Machine User Login --View Virtual Machines in the portal and login as a regular user. --[Learn more](/entra/identity/devices/howto-vm-sign-in-azure-ad-windows) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/publicIPAddresses/read | Gets a public IP address definition. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/loadBalancers/read | Gets a load balancer definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkInterfaces/read | Gets a network interface definition. 
| -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/*/read | | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/*/read | | -> | [Microsoft.HybridConnectivity](resource-provider-operations.md#microsofthybridconnectivity)/endpoints/listCredentials/action | Gets the endpoint access credentials to the resource. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/login/action | Log in to a virtual machine as a regular user | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/login/action | Log in to an Azure Arc machine as a regular user | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "View Virtual Machines in the portal and login as a regular user.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52", - "name": "fb879df8-f326-4884-b1cf-06f3ad86be52", - "permissions": [ - { - "actions": [ - "Microsoft.Network/publicIPAddresses/read", - "Microsoft.Network/virtualNetworks/read", - "Microsoft.Network/loadBalancers/read", - "Microsoft.Network/networkInterfaces/read", - "Microsoft.Compute/virtualMachines/*/read", - "Microsoft.HybridCompute/machines/*/read", - "Microsoft.HybridConnectivity/endpoints/listCredentials/action" - ], - "notActions": [], - "dataActions": [ - "Microsoft.Compute/virtualMachines/login/action", - "Microsoft.HybridCompute/machines/login/action" - ], - "notDataActions": [] - } - ], - "roleName": "Virtual Machine User Login", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Windows Admin Center Administrator Login --Let's you manage the OS of your resource via Windows Admin Center as an administrator. 
--[Learn more](/windows-server/manage/windows-admin-center/azure/manage-vm) - > [!div class="mx-tableFixed"]-> | Actions | Description | -> | | | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/*/read | | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/extensions/* | | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/upgradeExtensions/action | Upgrades Extensions on Azure Arc machines | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/operations/read | Read all Operations for Azure Arc for Servers | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkInterfaces/read | Gets a network interface definition. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/loadBalancers/read | Gets a load balancer definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/publicIPAddresses/read | Gets a public IP address definition. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkSecurityGroups/read | Gets a network security group definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkSecurityGroups/defaultSecurityRules/read | Gets a default security rule definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkWatchers/securityGroupView/action | View the configured and effective network security group rules applied on a VM. 
| -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkSecurityGroups/securityRules/read | Gets a security rule definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkSecurityGroups/securityRules/write | Creates a security rule or updates an existing security rule | -> | [Microsoft.HybridConnectivity](resource-provider-operations.md#microsofthybridconnectivity)/endpoints/write | Update the endpoint to the target resource. | -> | [Microsoft.HybridConnectivity](resource-provider-operations.md#microsofthybridconnectivity)/endpoints/read | Gets the endpoint to the resource. | -> | [Microsoft.HybridConnectivity](resource-provider-operations.md#microsofthybridconnectivity)/endpoints/serviceConfigurations/write | Update the service details in the service configurations of the target resource. | -> | [Microsoft.HybridConnectivity](resource-provider-operations.md#microsofthybridconnectivity)/endpoints/serviceConfigurations/read | Gets the details about the service to the resource. 
| -> | [Microsoft.HybridConnectivity](resource-provider-operations.md#microsofthybridconnectivity)/endpoints/listManagedProxyDetails/action | Fetches the managed proxy details | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/read | Get the properties of a virtual machine | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/patchAssessmentResults/latest/read | Retrieves the summary of the latest patch assessment operation | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/patchAssessmentResults/latest/softwarePatches/read | Retrieves list of patches assessed during the last patch assessment operation | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/patchInstallationResults/read | Retrieves the summary of the latest patch installation operation | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/patchInstallationResults/softwarePatches/read | Retrieves list of patches attempted to be installed during the last patch installation operation | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/extensions/read | Get the properties of a virtual machine extension | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/instanceView/read | Gets the detailed runtime status of the virtual machine and its resources | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/runCommands/read | Get the properties of a virtual machine run command | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/vmSizes/read | Lists available sizes the virtual machine can be updated to | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/locations/publishers/artifacttypes/types/read | Get the properties of a 
VMExtension Type | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/locations/publishers/artifacttypes/types/versions/read | Get the properties of a VMExtension Version | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/diskAccesses/read | Get the properties of DiskAccess resource | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/galleries/images/read | Gets the properties of Gallery Image | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/images/read | Get the properties of the Image | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/Clusters/Read | Gets clusters | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/Clusters/ArcSettings/Read | Gets arc resource of HCI cluster | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/Clusters/ArcSettings/Extensions/Read | Gets extension resource of HCI cluster | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/Clusters/ArcSettings/Extensions/Write | Create or update extension resource of HCI cluster | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/Clusters/ArcSettings/Extensions/Delete | Delete extension resources of HCI cluster | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/Operations/Read | Gets operations | -> | Microsoft.ConnectedVMwarevSphere/VirtualMachines/Read | Read virtualmachines | -> | Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Write | Write extension resource | -> | Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Read | Gets extension resource | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/WACLoginAsAdmin/action | Lets you manage the OS 
of your resource via Windows Admin Center as an administrator. | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/WACloginAsAdmin/action | Lets you manage the OS of your resource via Windows Admin Center as an administrator | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/Clusters/WACloginAsAdmin/Action | Manage OS of HCI resource via Windows Admin Center as an administrator | -> | Microsoft.ConnectedVMwarevSphere/virtualmachines/WACloginAsAdmin/action | Lets you manage the OS of your resource via Windows Admin Center as an administrator. | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Let's you manage the OS of your resource via Windows Admin Center as an administrator.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/a6333a3e-0164-44c3-b281-7a577aff287f", - "name": "a6333a3e-0164-44c3-b281-7a577aff287f", - "permissions": [ - { - "actions": [ - "Microsoft.HybridCompute/machines/*/read", - "Microsoft.HybridCompute/machines/extensions/*", - "Microsoft.HybridCompute/machines/upgradeExtensions/action", - "Microsoft.HybridCompute/operations/read", - "Microsoft.Network/networkInterfaces/read", - "Microsoft.Network/loadBalancers/read", - "Microsoft.Network/publicIPAddresses/read", - "Microsoft.Network/virtualNetworks/read", - "Microsoft.Network/networkSecurityGroups/read", - "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read", - "Microsoft.Network/networkWatchers/securityGroupView/action", - "Microsoft.Network/networkSecurityGroups/securityRules/read", - "Microsoft.Network/networkSecurityGroups/securityRules/write", - "Microsoft.HybridConnectivity/endpoints/write", - "Microsoft.HybridConnectivity/endpoints/read", - "Microsoft.HybridConnectivity/endpoints/serviceConfigurations/write", - "Microsoft.HybridConnectivity/endpoints/serviceConfigurations/read", - 
"Microsoft.HybridConnectivity/endpoints/listManagedProxyDetails/action", - "Microsoft.Compute/virtualMachines/read", - "Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/read", - "Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/softwarePatches/read", - "Microsoft.Compute/virtualMachines/patchInstallationResults/read", - "Microsoft.Compute/virtualMachines/patchInstallationResults/softwarePatches/read", - "Microsoft.Compute/virtualMachines/extensions/read", - "Microsoft.Compute/virtualMachines/instanceView/read", - "Microsoft.Compute/virtualMachines/runCommands/read", - "Microsoft.Compute/virtualMachines/vmSizes/read", - "Microsoft.Compute/locations/publishers/artifacttypes/types/read", - "Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read", - "Microsoft.Compute/diskAccesses/read", - "Microsoft.Compute/galleries/images/read", - "Microsoft.Compute/images/read", - "Microsoft.AzureStackHCI/Clusters/Read", - "Microsoft.AzureStackHCI/Clusters/ArcSettings/Read", - "Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Read", - "Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Write", - "Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Delete", - "Microsoft.AzureStackHCI/Operations/Read", - "Microsoft.ConnectedVMwarevSphere/VirtualMachines/Read", - "Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Write", - "Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.HybridCompute/machines/WACLoginAsAdmin/action", - "Microsoft.Compute/virtualMachines/WACloginAsAdmin/action", - "Microsoft.AzureStackHCI/Clusters/WACloginAsAdmin/Action", - "Microsoft.ConnectedVMwarevSphere/virtualmachines/WACloginAsAdmin/action" - ], - "notDataActions": [] - } - ], - "roleName": "Windows Admin Center Administrator Login", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` +> | Built-in role | Description | ID | +> | 
| | | +> | <a name='classic-virtual-machine-contributor'></a>[Classic Virtual Machine Contributor](./built-in-roles/compute.md#classic-virtual-machine-contributor) | Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. | d73bb868-a0df-4d4d-bd69-98a00b01fccb | +> | <a name='data-operator-for-managed-disks'></a>[Data Operator for Managed Disks](./built-in-roles/compute.md#data-operator-for-managed-disks) | Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication. | 959f8984-c045-4866-89c7-12bf9737be2e | +> | <a name='desktop-virtualization-application-group-contributor'></a>[Desktop Virtualization Application Group Contributor](./built-in-roles/compute.md#desktop-virtualization-application-group-contributor) | Contributor of the Desktop Virtualization Application Group. | 86240b0e-9422-4c43-887b-b61143f32ba8 | +> | <a name='desktop-virtualization-application-group-reader'></a>[Desktop Virtualization Application Group Reader](./built-in-roles/compute.md#desktop-virtualization-application-group-reader) | Reader of the Desktop Virtualization Application Group. | aebf23d0-b568-4e86-b8f9-fe83a2c6ab55 | +> | <a name='desktop-virtualization-contributor'></a>[Desktop Virtualization Contributor](./built-in-roles/compute.md#desktop-virtualization-contributor) | Contributor of Desktop Virtualization. | 082f0a83-3be5-4ba1-904c-961cca79b387 | +> | <a name='desktop-virtualization-host-pool-contributor'></a>[Desktop Virtualization Host Pool Contributor](./built-in-roles/compute.md#desktop-virtualization-host-pool-contributor) | Contributor of the Desktop Virtualization Host Pool. 
| e307426c-f9b6-4e81-87de-d99efb3c32bc | +> | <a name='desktop-virtualization-host-pool-reader'></a>[Desktop Virtualization Host Pool Reader](./built-in-roles/compute.md#desktop-virtualization-host-pool-reader) | Reader of the Desktop Virtualization Host Pool. | ceadfde2-b300-400a-ab7b-6143895aa822 | +> | <a name='desktop-virtualization-reader'></a>[Desktop Virtualization Reader](./built-in-roles/compute.md#desktop-virtualization-reader) | Reader of Desktop Virtualization. | 49a72310-ab8d-41df-bbb0-79b649203868 | +> | <a name='desktop-virtualization-session-host-operator'></a>[Desktop Virtualization Session Host Operator](./built-in-roles/compute.md#desktop-virtualization-session-host-operator) | Operator of the Desktop Virtualization Session Host. | 2ad6aaab-ead9-4eaa-8ac5-da422f562408 | +> | <a name='desktop-virtualization-user'></a>[Desktop Virtualization User](./built-in-roles/compute.md#desktop-virtualization-user) | Allows user to use the applications in an application group. | 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63 | +> | <a name='desktop-virtualization-user-session-operator'></a>[Desktop Virtualization User Session Operator](./built-in-roles/compute.md#desktop-virtualization-user-session-operator) | Operator of the Desktop Virtualization User Session. | ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6 | +> | <a name='desktop-virtualization-workspace-contributor'></a>[Desktop Virtualization Workspace Contributor](./built-in-roles/compute.md#desktop-virtualization-workspace-contributor) | Contributor of the Desktop Virtualization Workspace. | 21efdde3-836f-432b-bf3d-3e8e734d4b2b | +> | <a name='desktop-virtualization-workspace-reader'></a>[Desktop Virtualization Workspace Reader](./built-in-roles/compute.md#desktop-virtualization-workspace-reader) | Reader of the Desktop Virtualization Workspace. 
| 0fa44ee9-7a7d-466b-9bb2-2bf446b1204d | +> | <a name='disk-backup-reader'></a>[Disk Backup Reader](./built-in-roles/compute.md#disk-backup-reader) | Provides permission to backup vault to perform disk backup. | 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 | +> | <a name='disk-pool-operator'></a>[Disk Pool Operator](./built-in-roles/compute.md#disk-pool-operator) | Provide permission to StoragePool Resource Provider to manage disks added to a disk pool. | 60fc6e62-5479-42d4-8bf4-67625fcc2840 | +> | <a name='disk-restore-operator'></a>[Disk Restore Operator](./built-in-roles/compute.md#disk-restore-operator) | Provides permission to backup vault to perform disk restore. | b50d9833-a0cb-478e-945f-707fcc997c13 | +> | <a name='disk-snapshot-contributor'></a>[Disk Snapshot Contributor](./built-in-roles/compute.md#disk-snapshot-contributor) | Provides permission to backup vault to manage disk snapshots. | 7efff54f-a5b4-42b5-a1c5-5411624893ce | +> | <a name='virtual-machine-administrator-login'></a>[Virtual Machine Administrator Login](./built-in-roles/compute.md#virtual-machine-administrator-login) | View Virtual Machines in the portal and login as administrator | 1c0163c0-47e6-4577-8991-ea5c82e286e4 | +> | <a name='virtual-machine-contributor'></a>[Virtual Machine Contributor](./built-in-roles/compute.md#virtual-machine-contributor) | Create and manage virtual machines, manage disks, install and run software, reset password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC. 
| 9980e02c-c2be-4d73-94e8-173b1dc7cf3c | +> | <a name='virtual-machine-data-access-administrator-preview'></a>[Virtual Machine Data Access Administrator (preview)](./built-in-roles/compute.md#virtual-machine-data-access-administrator-preview) | Manage access to Virtual Machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an ABAC condition to constrain role assignments. | 66f75aeb-eabe-4b70-9f1e-c350c4c9ad04 | +> | <a name='virtual-machine-local-user-login'></a>[Virtual Machine Local User Login](./built-in-roles/compute.md#virtual-machine-local-user-login) | View Virtual Machines in the portal and login as a local user configured on the arc server | 602da2ba-a5c2-41da-b01d-5360126ab525 | +> | <a name='virtual-machine-user-login'></a>[Virtual Machine User Login](./built-in-roles/compute.md#virtual-machine-user-login) | View Virtual Machines in the portal and login as a regular user. | fb879df8-f326-4884-b1cf-06f3ad86be52 | +> | <a name='windows-admin-center-administrator-login'></a>[Windows Admin Center Administrator Login](./built-in-roles/compute.md#windows-admin-center-administrator-login) | Let's you manage the OS of your resource via Windows Admin Center as an administrator. | a6333a3e-0164-44c3-b281-7a577aff287f | ## Networking --### Azure Front Door Domain Contributor --For internal use within Azure. Can manage Azure Front Door domains, but can't grant access to other users. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/operationresults/profileresults/customdomainresults/read | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/customdomains/read | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/customdomains/write | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/customdomains/delete | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "For internal use within Azure. Can manage Azure Front Door domains, but can't grant access to other users.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/0ab34830-df19-4f8c-b84e-aa85b8afa6e8", - "name": "0ab34830-df19-4f8c-b84e-aa85b8afa6e8", - "permissions": [ - { - "actions": [ - "Microsoft.Cdn/operationresults/profileresults/customdomainresults/read", - "Microsoft.Cdn/profiles/customdomains/read", - "Microsoft.Cdn/profiles/customdomains/write", - "Microsoft.Cdn/profiles/customdomains/delete", - "Microsoft.Resources/subscriptions/resourceGroups/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Azure Front Door Domain Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Front Door Domain Reader --For internal use within Azure. Can view Azure Front Door domains, but can't make changes. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/operationresults/profileresults/customdomainresults/read | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/customdomains/read | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "For internal use within Azure. Can view Azure Front Door domains, but can't make changes.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/0f99d363-226e-4dca-9920-b807cf8e1a5f", - "name": "0f99d363-226e-4dca-9920-b807cf8e1a5f", - "permissions": [ - { - "actions": [ - "Microsoft.Cdn/operationresults/profileresults/customdomainresults/read", - "Microsoft.Cdn/profiles/customdomains/read", - "Microsoft.Resources/subscriptions/resourceGroups/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Azure Front Door Domain Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Front Door Profile Reader --Can view AFD standard and premium profiles and their endpoints, but can't make changes. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/edgenodes/read | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/operationresults/* | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/*/read | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/operationresults/profileresults/afdendpointresults/CheckCustomDomainDNSMappingStatus/action | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/queryloganalyticsmetrics/action | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/queryloganalyticsrankings/action | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/querywafloganalyticsmetrics/action | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/querywafloganalyticsrankings/action | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/afdendpoints/CheckCustomDomainDNSMappingStatus/action | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/Usages/action | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/afdendpoints/Usages/action | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/origingroups/Usages/action | | -> | 
[Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/rulesets/Usages/action | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can view AFD standard and premium profiles and their endpoints, but can't make changes.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/662802e2-50f6-46b0-aed2-e834bacc6d12", - "name": "662802e2-50f6-46b0-aed2-e834bacc6d12", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Cdn/edgenodes/read", - "Microsoft.Cdn/operationresults/*", - "Microsoft.Cdn/profiles/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Cdn/operationresults/profileresults/afdendpointresults/CheckCustomDomainDNSMappingStatus/action", - "Microsoft.Cdn/profiles/queryloganalyticsmetrics/action", - "Microsoft.Cdn/profiles/queryloganalyticsrankings/action", - "Microsoft.Cdn/profiles/querywafloganalyticsmetrics/action", - "Microsoft.Cdn/profiles/querywafloganalyticsrankings/action", - "Microsoft.Cdn/profiles/afdendpoints/CheckCustomDomainDNSMappingStatus/action", - "Microsoft.Cdn/profiles/Usages/action", - "Microsoft.Cdn/profiles/afdendpoints/Usages/action", - "Microsoft.Cdn/profiles/origingroups/Usages/action", - "Microsoft.Cdn/profiles/rulesets/Usages/action" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Azure Front Door Profile Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Front Door Secret Contributor --For internal use within Azure. Can manage Azure Front Door secrets, but can't grant access to other users. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/operationresults/profileresults/secretresults/read | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/secrets/read | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/secrets/write | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/secrets/delete | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "For internal use within Azure. Can manage Azure Front Door secrets, but can't grant access to other users.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/3f2eb865-5811-4578-b90a-6fc6fa0df8e5", - "name": "3f2eb865-5811-4578-b90a-6fc6fa0df8e5", - "permissions": [ - { - "actions": [ - "Microsoft.Cdn/operationresults/profileresults/secretresults/read", - "Microsoft.Cdn/profiles/secrets/read", - "Microsoft.Cdn/profiles/secrets/write", - "Microsoft.Cdn/profiles/secrets/delete", - "Microsoft.Resources/subscriptions/resourceGroups/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Azure Front Door Secret Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Front Door Secret Reader --For internal use within Azure. Can view Azure Front Door secrets, but can't make changes. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/operationresults/profileresults/secretresults/read | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/secrets/read | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "For internal use within Azure. Can view Azure Front Door secrets, but can't make changes.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/0db238c4-885e-4c4f-a933-aa2cef684fca", - "name": "0db238c4-885e-4c4f-a933-aa2cef684fca", - "permissions": [ - { - "actions": [ - "Microsoft.Cdn/operationresults/profileresults/secretresults/read", - "Microsoft.Cdn/profiles/secrets/read", - "Microsoft.Resources/subscriptions/resourceGroups/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Azure Front Door Secret Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### CDN Endpoint Contributor --Can manage CDN endpoints, but can't grant access to other users. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/edgenodes/read | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/operationresults/* | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/endpoints/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can manage CDN endpoints, but can't grant access to other users.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45", - "name": "426e0c7f-0c7e-4658-b36f-ff54d6c29b45", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Cdn/edgenodes/read", - "Microsoft.Cdn/operationresults/*", - "Microsoft.Cdn/profiles/endpoints/*", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "CDN Endpoint Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### CDN Endpoint Reader --Can view CDN 
endpoints, but can't make changes. --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/edgenodes/read | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/operationresults/* | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/endpoints/*/read | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/afdendpoints/validateCustomDomain/action | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can view CDN endpoints, but can't make changes.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd", - "name": "871e35f6-b5c1-49cc-a043-bde969a0f2cd", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Cdn/edgenodes/read", - "Microsoft.Cdn/operationresults/*", - "Microsoft.Cdn/profiles/endpoints/*/read", - "Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "CDN Endpoint Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### CDN Profile Contributor --Can manage CDN and Azure Front Door standard and premium profiles and their endpoints, but can't grant access to other users. 
--[Learn more](/azure/cdn/cdn-app-dev-net) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/edgenodes/read | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/operationresults/* | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can manage CDN and Azure Front Door standard and premium profiles and their endpoints, but can't grant access to other users.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432", - "name": "ec156ff8-a8d1-4d15-830c-5b80698ca432", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Cdn/edgenodes/read", - "Microsoft.Cdn/operationresults/*", - "Microsoft.Cdn/profiles/*", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "CDN Profile Contributor", - "roleType": "BuiltInRole", - "type": 
"Microsoft.Authorization/roleDefinitions" -} -``` --### CDN Profile Reader --Can view CDN profiles and their endpoints, but can't make changes. --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/edgenodes/read | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/operationresults/* | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/*/read | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/afdendpoints/validateCustomDomain/action | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/CheckResourceUsage/action | | -> | [Microsoft.Cdn](resource-provider-operations.md#microsoftcdn)/profiles/endpoints/CheckResourceUsage/action | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can view CDN profiles and their endpoints, but can't make changes.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af", - "name": "8f96442b-4075-438f-813d-ad51ab4019af", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Cdn/edgenodes/read", - "Microsoft.Cdn/operationresults/*", - "Microsoft.Cdn/profiles/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.Cdn/profiles/CheckResourceUsage/action", - "Microsoft.Cdn/profiles/endpoints/CheckResourceUsage/action" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "CDN Profile Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Classic Network Contributor --Lets you manage classic networks, but not access to them. 
--[Learn more](/azure/virtual-network/virtual-network-manage-peering) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.ClassicNetwork](resource-provider-operations.md#microsoftclassicnetwork)/* | Create and manage classic networks | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage classic networks, but not access to them.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f", - "name": "b34d265f-36f7-4a0d-a4d4-e158ca92e90f", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.ClassicNetwork/*", - "Microsoft.Insights/alertRules/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Classic Network Contributor", - "roleType": "BuiltInRole", - 
"type": "Microsoft.Authorization/roleDefinitions" -} -``` --### DNS Zone Contributor --Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. --[Learn more](/azure/dns/dns-protect-zones-recordsets) - > [!div class="mx-tableFixed"]-> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/dnsZones/* | Create and manage DNS zones and records | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314", - "name": "befefa01-2a29-4197-83a8-272ff33ce314", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Network/dnsZones/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "DNS Zone Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Network Contributor --Lets you manage networks, but not access to them. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/* | Create and manage networks | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage networks, but not access to them.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", - "name": "4d97b98b-1d4f-4787-a291-c67834d212e7", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Network/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Network Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Private DNS Zone Contributor --Lets you manage private 
DNS zone resources, but not the virtual networks they are linked to. +> | Built-in role | Description | ID | +> | | | | +> | <a name='azure-front-door-domain-contributor'></a>[Azure Front Door Domain Contributor](./built-in-roles/networking.md#azure-front-door-domain-contributor) | For internal use within Azure. Can manage Azure Front Door domains, but can't grant access to other users. | 0ab34830-df19-4f8c-b84e-aa85b8afa6e8 | +> | <a name='azure-front-door-domain-reader'></a>[Azure Front Door Domain Reader](./built-in-roles/networking.md#azure-front-door-domain-reader) | For internal use within Azure. Can view Azure Front Door domains, but can't make changes. | 0f99d363-226e-4dca-9920-b807cf8e1a5f | +> | <a name='azure-front-door-profile-reader'></a>[Azure Front Door Profile Reader](./built-in-roles/networking.md#azure-front-door-profile-reader) | Can view AFD standard and premium profiles and their endpoints, but can't make changes. | 662802e2-50f6-46b0-aed2-e834bacc6d12 | +> | <a name='azure-front-door-secret-contributor'></a>[Azure Front Door Secret Contributor](./built-in-roles/networking.md#azure-front-door-secret-contributor) | For internal use within Azure. Can manage Azure Front Door secrets, but can't grant access to other users. | 3f2eb865-5811-4578-b90a-6fc6fa0df8e5 | +> | <a name='azure-front-door-secret-reader'></a>[Azure Front Door Secret Reader](./built-in-roles/networking.md#azure-front-door-secret-reader) | For internal use within Azure. Can view Azure Front Door secrets, but can't make changes. | 0db238c4-885e-4c4f-a933-aa2cef684fca | +> | <a name='cdn-endpoint-contributor'></a>[CDN Endpoint Contributor](./built-in-roles/networking.md#cdn-endpoint-contributor) | Can manage CDN endpoints, but can't grant access to other users. | 426e0c7f-0c7e-4658-b36f-ff54d6c29b45 | +> | <a name='cdn-endpoint-reader'></a>[CDN Endpoint Reader](./built-in-roles/networking.md#cdn-endpoint-reader) | Can view CDN endpoints, but can't make changes. 
| 871e35f6-b5c1-49cc-a043-bde969a0f2cd | +> | <a name='cdn-profile-contributor'></a>[CDN Profile Contributor](./built-in-roles/networking.md#cdn-profile-contributor) | Can manage CDN and Azure Front Door standard and premium profiles and their endpoints, but can't grant access to other users. | ec156ff8-a8d1-4d15-830c-5b80698ca432 | +> | <a name='cdn-profile-reader'></a>[CDN Profile Reader](./built-in-roles/networking.md#cdn-profile-reader) | Can view CDN profiles and their endpoints, but can't make changes. | 8f96442b-4075-438f-813d-ad51ab4019af | +> | <a name='classic-network-contributor'></a>[Classic Network Contributor](./built-in-roles/networking.md#classic-network-contributor) | Lets you manage classic networks, but not access to them. | b34d265f-36f7-4a0d-a4d4-e158ca92e90f | +> | <a name='dns-zone-contributor'></a>[DNS Zone Contributor](./built-in-roles/networking.md#dns-zone-contributor) | Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. | befefa01-2a29-4197-83a8-272ff33ce314 | +> | <a name='network-contributor'></a>[Network Contributor](./built-in-roles/networking.md#network-contributor) | Lets you manage networks, but not access to them. | 4d97b98b-1d4f-4787-a291-c67834d212e7 | +> | <a name='private-dns-zone-contributor'></a>[Private DNS Zone Contributor](./built-in-roles/networking.md#private-dns-zone-contributor) | Lets you manage private DNS zone resources, but not the virtual networks they are linked to. | b12aa53e-6015-4669-85d0-8515ebb3ae7f | +> | <a name='traffic-manager-contributor'></a>[Traffic Manager Contributor](./built-in-roles/networking.md#traffic-manager-contributor) | Lets you manage Traffic Manager profiles, but does not let you control who has access to them. 
| a4b10055-b0c7-44c2-b00f-c7b5b3550cf7 | -[Learn more](/azure/dns/dns-protect-private-zones-recordsets) +## Storage > [!div class="mx-tableFixed"]-> | Actions | Description | -> | | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/privateDnsZones/* | | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/privateDnsOperationResults/* | | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/privateDnsOperationStatuses/* | | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/join/action | Joins a virtual network. Not Alertable. 
| -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage private DNS zone resources, but not the virtual networks they are linked to.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", - "name": "b12aa53e-6015-4669-85d0-8515ebb3ae7f", - "permissions": [ - { - "actions": [ - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.Network/privateDnsZones/*", - "Microsoft.Network/privateDnsOperationResults/*", - "Microsoft.Network/privateDnsOperationStatuses/*", - "Microsoft.Network/virtualNetworks/read", - "Microsoft.Network/virtualNetworks/join/action", - "Microsoft.Authorization/*/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Private DNS Zone Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Traffic Manager Contributor --Lets you manage Traffic Manager profiles, but does not let you control who has access to them. +> | Built-in role | Description | ID | +> | | | | +> | <a name='avere-contributor'></a>[Avere Contributor](./built-in-roles/storage.md#avere-contributor) | Can create and manage an Avere vFXT cluster. 
| 4f8fab4f-1852-4a58-a46a-8eaf358af14a | +> | <a name='avere-operator'></a>[Avere Operator](./built-in-roles/storage.md#avere-operator) | Used by the Avere vFXT cluster to manage the cluster | c025889f-8102-4ebf-b32c-fc0c6f0c6bd9 | +> | <a name='backup-contributor'></a>[Backup Contributor](./built-in-roles/storage.md#backup-contributor) | Lets you manage backup service, but can't create vaults and give access to others | 5e467623-bb1f-42f4-a55d-6e525e11384b | +> | <a name='backup-operator'></a>[Backup Operator](./built-in-roles/storage.md#backup-operator) | Lets you manage backup services, except removal of backup, vault creation and giving access to others | 00c29273-979b-4161-815c-10b084fb9324 | +> | <a name='backup-reader'></a>[Backup Reader](./built-in-roles/storage.md#backup-reader) | Can view backup services, but can't make changes | a795c7a0-d4a2-40c1-ae25-d81f01202912 | +> | <a name='classic-storage-account-contributor'></a>[Classic Storage Account Contributor](./built-in-roles/storage.md#classic-storage-account-contributor) | Lets you manage classic storage accounts, but not access to them. | 86e8f5dc-a6e9-4c67-9d15-de283e8eac25 | +> | <a name='classic-storage-account-key-operator-service-role'></a>[Classic Storage Account Key Operator Service Role](./built-in-roles/storage.md#classic-storage-account-key-operator-service-role) | Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts | 985d6b00-f706-48f5-a6fe-d0ca12fb668d | +> | <a name='data-box-contributor'></a>[Data Box Contributor](./built-in-roles/storage.md#data-box-contributor) | Lets you manage everything under Data Box Service except giving access to others. | add466c9-e687-43fc-8d98-dfcf8d720be5 | +> | <a name='data-box-reader'></a>[Data Box Reader](./built-in-roles/storage.md#data-box-reader) | Lets you manage Data Box Service except creating order or editing order details and giving access to others. 
| 028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027 | +> | <a name='data-lake-analytics-developer'></a>[Data Lake Analytics Developer](./built-in-roles/storage.md#data-lake-analytics-developer) | Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. | 47b7735b-770e-4598-a7da-8b91488b4c88 | +> | <a name='defender-for-storage-data-scanner'></a>[Defender for Storage Data Scanner](./built-in-roles/storage.md#defender-for-storage-data-scanner) | Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage. | 1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40 | +> | <a name='elastic-san-owner'></a>[Elastic SAN Owner](./built-in-roles/storage.md#elastic-san-owner) | Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access | 80dcbedb-47ef-405d-95bd-188a1b4ac406 | +> | <a name='elastic-san-reader'></a>[Elastic SAN Reader](./built-in-roles/storage.md#elastic-san-reader) | Allows for control path read access to Azure Elastic SAN | af6a70f8-3c9f-4105-acf1-d719e9fca4ca | +> | <a name='elastic-san-volume-group-owner'></a>[Elastic SAN Volume Group Owner](./built-in-roles/storage.md#elastic-san-volume-group-owner) | Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access | a8281131-f312-4f34-8d98-ae12be9f0d23 | +> | <a name='reader-and-data-access'></a>[Reader and Data Access](./built-in-roles/storage.md#reader-and-data-access) | Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. 
| c12c1c16-33a1-487b-954d-41c89c60f349 | +> | <a name='storage-account-backup-contributor'></a>[Storage Account Backup Contributor](./built-in-roles/storage.md#storage-account-backup-contributor) | Lets you perform backup and restore operations using Azure Backup on the storage account. | e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1 | +> | <a name='storage-account-contributor'></a>[Storage Account Contributor](./built-in-roles/storage.md#storage-account-contributor) | Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization. | 17d1049b-9a84-46fb-8f53-869881c3d3ab | +> | <a name='storage-account-key-operator-service-role'></a>[Storage Account Key Operator Service Role](./built-in-roles/storage.md#storage-account-key-operator-service-role) | Permits listing and regenerating storage account access keys. | 81a9662b-bebf-436f-a333-f67b29880f12 | +> | <a name='storage-blob-data-contributor'></a>[Storage Blob Data Contributor](./built-in-roles/storage.md#storage-blob-data-contributor) | Read, write, and delete Azure Storage containers and blobs. To learn which actions are required for a given data operation, see [Permissions for calling data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). | ba92f5b4-2d11-453d-a403-e96b0029c9fe | +> | <a name='storage-blob-data-owner'></a>[Storage Blob Data Owner](./built-in-roles/storage.md#storage-blob-data-owner) | Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. To learn which actions are required for a given data operation, see [Permissions for calling data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). 
| b7e6dc6d-f1e8-4753-8033-0f276bb0955b | +> | <a name='storage-blob-data-reader'></a>[Storage Blob Data Reader](./built-in-roles/storage.md#storage-blob-data-reader) | Read and list Azure Storage containers and blobs. To learn which actions are required for a given data operation, see [Permissions for calling data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). | 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1 | +> | <a name='storage-blob-delegator'></a>[Storage Blob Delegator](./built-in-roles/storage.md#storage-blob-delegator) | Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Azure AD credentials. For more information, see [Create a user delegation SAS](/rest/api/storageservices/create-user-delegation-sas). | db58b8e5-c6ad-4a2a-8342-4190687cbf4a | +> | <a name='storage-file-data-privileged-contributor'></a>[Storage File Data Privileged Contributor](./built-in-roles/storage.md#storage-file-data-privileged-contributor) | Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers. | 69566ab7-960f-475b-8e7c-b3118f30c6bd | +> | <a name='storage-file-data-privileged-reader'></a>[Storage File Data Privileged Reader](./built-in-roles/storage.md#storage-file-data-privileged-reader) | Allows for read access on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers. | b8eda974-7b85-4f76-af95-65846b26df6d | +> | <a name='storage-file-data-smb-share-contributor'></a>[Storage File Data SMB Share Contributor](./built-in-roles/storage.md#storage-file-data-smb-share-contributor) | Allows for read, write, and delete access on files/directories in Azure file shares. 
This role has no built-in equivalent on Windows file servers. | 0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb | +> | <a name='storage-file-data-smb-share-elevated-contributor'></a>[Storage File Data SMB Share Elevated Contributor](./built-in-roles/storage.md#storage-file-data-smb-share-elevated-contributor) | Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares. This role is equivalent to a file share ACL of change on Windows file servers. | a7264617-510b-434b-a828-9731dc254ea7 | +> | <a name='storage-file-data-smb-share-reader'></a>[Storage File Data SMB Share Reader](./built-in-roles/storage.md#storage-file-data-smb-share-reader) | Allows for read access on files/directories in Azure file shares. This role is equivalent to a file share ACL of read on Windows file servers. | aba4ae5f-2193-4029-9191-0cb91df5e314 | +> | <a name='storage-queue-data-contributor'></a>[Storage Queue Data Contributor](./built-in-roles/storage.md#storage-queue-data-contributor) | Read, write, and delete Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see [Permissions for calling data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). | 974c5e8b-45b9-4653-ba55-5f855dd0fb88 | +> | <a name='storage-queue-data-message-processor'></a>[Storage Queue Data Message Processor](./built-in-roles/storage.md#storage-queue-data-message-processor) | Peek, retrieve, and delete a message from an Azure Storage queue. To learn which actions are required for a given data operation, see [Permissions for calling data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). 
| 8a0f0c08-91a1-4084-bc3d-661d67233fed | +> | <a name='storage-queue-data-message-sender'></a>[Storage Queue Data Message Sender](./built-in-roles/storage.md#storage-queue-data-message-sender) | Add messages to an Azure Storage queue. To learn which actions are required for a given data operation, see [Permissions for calling data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). | c6a89b2d-59bc-44d0-9896-0f6e12d7b80a | +> | <a name='storage-queue-data-reader'></a>[Storage Queue Data Reader](./built-in-roles/storage.md#storage-queue-data-reader) | Read and list Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see [Permissions for calling data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). | 19e7f393-937e-4f77-808e-94535e297925 | +> | <a name='storage-table-data-contributor'></a>[Storage Table Data Contributor](./built-in-roles/storage.md#storage-table-data-contributor) | Allows for read, write and delete access to Azure Storage tables and entities | 0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3 | +> | <a name='storage-table-data-reader'></a>[Storage Table Data Reader](./built-in-roles/storage.md#storage-table-data-reader) | Allows for read access to Azure Storage tables and entities | 76199698-9eea-4c19-bc75-cec21354c6b6 | ++## Web and Mobile > [!div class="mx-tableFixed"]-> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/trafficManagerProfiles/* | | -> | 
[Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage Traffic Manager profiles, but does not let you control who has access to them.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7", - "name": "a4b10055-b0c7-44c2-b00f-c7b5b3550cf7", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Network/trafficManagerProfiles/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Traffic Manager Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --## Storage ---### Avere Contributor --Can create and manage an Avere vFXT cluster. +> | Built-in role | Description | ID | +> | | | | +> | <a name='azure-maps-data-contributor'></a>[Azure Maps Data Contributor](./built-in-roles/web-and-mobile.md#azure-maps-data-contributor) | Grants access to read, write, and delete access to map related data from an Azure maps account. 
| 8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204 | +> | <a name='azure-maps-data-reader'></a>[Azure Maps Data Reader](./built-in-roles/web-and-mobile.md#azure-maps-data-reader) | Grants access to read map related data from an Azure maps account. | 423170ca-a8f6-4b0f-8487-9e4eb8f49bfa | +> | <a name='azure-spring-cloud-config-server-contributor'></a>[Azure Spring Cloud Config Server Contributor](./built-in-roles/web-and-mobile.md#azure-spring-cloud-config-server-contributor) | Allow read, write and delete access to Azure Spring Cloud Config Server | a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b | +> | <a name='azure-spring-cloud-config-server-reader'></a>[Azure Spring Cloud Config Server Reader](./built-in-roles/web-and-mobile.md#azure-spring-cloud-config-server-reader) | Allow read access to Azure Spring Cloud Config Server | d04c6db6-4947-4782-9e91-30a88feb7be7 | +> | <a name='azure-spring-cloud-data-reader'></a>[Azure Spring Cloud Data Reader](./built-in-roles/web-and-mobile.md#azure-spring-cloud-data-reader) | Allow read access to Azure Spring Cloud Data | b5537268-8956-4941-a8f0-646150406f0c | +> | <a name='azure-spring-cloud-service-registry-contributor'></a>[Azure Spring Cloud Service Registry Contributor](./built-in-roles/web-and-mobile.md#azure-spring-cloud-service-registry-contributor) | Allow read, write and delete access to Azure Spring Cloud Service Registry | f5880b48-c26d-48be-b172-7927bfa1c8f1 | +> | <a name='azure-spring-cloud-service-registry-reader'></a>[Azure Spring Cloud Service Registry Reader](./built-in-roles/web-and-mobile.md#azure-spring-cloud-service-registry-reader) | Allow read access to Azure Spring Cloud Service Registry | cff1b556-2399-4e7e-856d-a8f754be7b65 | +> | <a name='media-services-account-administrator'></a>[Media Services Account Administrator](./built-in-roles/web-and-mobile.md#media-services-account-administrator) | Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources. 
| 054126f8-9a2b-4f1c-a9ad-eca461f08466 | +> | <a name='media-services-live-events-administrator'></a>[Media Services Live Events Administrator](./built-in-roles/web-and-mobile.md#media-services-live-events-administrator) | Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources. | 532bc159-b25e-42c0-969e-a1d439f60d77 | +> | <a name='media-services-media-operator'></a>[Media Services Media Operator](./built-in-roles/web-and-mobile.md#media-services-media-operator) | Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources. | e4395492-1534-4db2-bedf-88c14621589c | +> | <a name='media-services-policy-administrator'></a>[Media Services Policy Administrator](./built-in-roles/web-and-mobile.md#media-services-policy-administrator) | Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets or Streaming resources. | c4bba371-dacd-4a26-b320-7250bca963ae | +> | <a name='media-services-streaming-endpoints-administrator'></a>[Media Services Streaming Endpoints Administrator](./built-in-roles/web-and-mobile.md#media-services-streaming-endpoints-administrator) | Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources. | 99dba123-b5fe-44d5-874c-ced7199a5804 | +> | <a name='search-index-data-contributor'></a>[Search Index Data Contributor](./built-in-roles/web-and-mobile.md#search-index-data-contributor) | Grants full access to Azure Cognitive Search index data. | 8ebe5a00-799e-43f5-93ac-243d3dce84a7 | +> | <a name='search-index-data-reader'></a>[Search Index Data Reader](./built-in-roles/web-and-mobile.md#search-index-data-reader) | Grants read access to Azure Cognitive Search index data. 
| 1407120a-92aa-4202-b7e9-c0e197c71c8f | +> | <a name='search-service-contributor'></a>[Search Service Contributor](./built-in-roles/web-and-mobile.md#search-service-contributor) | Lets you manage Search services, but not access to them. | 7ca78c08-252a-4471-8644-bb5ff32d4ba0 | +> | <a name='signalr-accesskey-reader'></a>[SignalR AccessKey Reader](./built-in-roles/web-and-mobile.md#signalr-accesskey-reader) | Read SignalR Service Access Keys | 04165923-9d83-45d5-8227-78b77b0a687e | +> | <a name='signalr-app-server'></a>[SignalR App Server](./built-in-roles/web-and-mobile.md#signalr-app-server) | Lets your app server access SignalR Service with AAD auth options. | 420fcaa2-552c-430f-98ca-3264be4806c7 | +> | <a name='signalr-rest-api-owner'></a>[SignalR REST API Owner](./built-in-roles/web-and-mobile.md#signalr-rest-api-owner) | Full access to Azure SignalR Service REST APIs | fd53cd77-2268-407a-8f46-7e7863d0f521 | +> | <a name='signalr-rest-api-reader'></a>[SignalR REST API Reader](./built-in-roles/web-and-mobile.md#signalr-rest-api-reader) | Read-only access to Azure SignalR Service REST APIs | ddde6b66-c0df-4114-a159-3618637b3035 | +> | <a name='signalr-service-owner'></a>[SignalR Service Owner](./built-in-roles/web-and-mobile.md#signalr-service-owner) | Full access to Azure SignalR Service REST APIs | 7e4f1700-ea5a-4f59-8f37-079cfe29dce3 | +> | <a name='signalrweb-pubsub-contributor'></a>[SignalR/Web PubSub Contributor](./built-in-roles/web-and-mobile.md#signalrweb-pubsub-contributor) | Create, Read, Update, and Delete SignalR service resources | 8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761 | +> | <a name='web-plan-contributor'></a>[Web Plan Contributor](./built-in-roles/web-and-mobile.md#web-plan-contributor) | Manage the web plans for websites. Does not allow you to assign roles in Azure RBAC. 
| 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b | +> | <a name='website-contributor'></a>[Website Contributor](./built-in-roles/web-and-mobile.md#website-contributor) | Manage websites, but not web plans. Does not allow you to assign roles in Azure RBAC. | de139f84-1756-47ae-9be6-808fbbe84772 | -[Learn more](/azure/avere-vfxt/avere-vfxt-deploy-plan) +## Containers > [!div class="mx-tableFixed"]-> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/*/read | | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/availabilitySets/* | | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/proximityPlacementGroups/* | | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/* | | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/disks/* | | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/*/read | | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkInterfaces/* | | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/subnets/read | Gets a virtual network subnet definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. 
| -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/*/read | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/* | Create and manage storage accounts | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/resources/read | Gets the resources for the resource group. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/delete | Returns the result of deleting a blob | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/write | Returns the result of writing a blob | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can create and manage an Avere vFXT cluster.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a", - "name": "4f8fab4f-1852-4a58-a46a-8eaf358af14a", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Compute/*/read", - "Microsoft.Compute/availabilitySets/*", - "Microsoft.Compute/proximityPlacementGroups/*", - "Microsoft.Compute/virtualMachines/*", - "Microsoft.Compute/disks/*", - "Microsoft.Network/*/read", - "Microsoft.Network/networkInterfaces/*", - "Microsoft.Network/virtualNetworks/read", - "Microsoft.Network/virtualNetworks/subnets/read", - "Microsoft.Network/virtualNetworks/subnets/join/action", - "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action", - "Microsoft.Network/networkSecurityGroups/join/action", - "Microsoft.Resources/deployments/*", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Storage/*/read", - "Microsoft.Storage/storageAccounts/*", - "Microsoft.Support/*", - "Microsoft.Resources/subscriptions/resourceGroups/resources/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete", - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", - 
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write" - ], - "notDataActions": [] - } - ], - "roleName": "Avere Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Avere Operator --Used by the Avere vFXT cluster to manage the cluster +> | Built-in role | Description | ID | +> | | | | +> | <a name='acrdelete'></a>[AcrDelete](./built-in-roles/containers.md#acrdelete) | Delete repositories, tags, or manifests from a container registry. | c2f4ef07-c644-48eb-af81-4b1b4947fb11 | +> | <a name='acrimagesigner'></a>[AcrImageSigner](./built-in-roles/containers.md#acrimagesigner) | Push trusted images to or pull trusted images from a container registry enabled for content trust. | 6cef56e8-d556-48e5-a04f-b8e64114680f | +> | <a name='acrpull'></a>[AcrPull](./built-in-roles/containers.md#acrpull) | Pull artifacts from a container registry. | 7f951dda-4ed3-4680-a7ca-43fe172d538d | +> | <a name='acrpush'></a>[AcrPush](./built-in-roles/containers.md#acrpush) | Push artifacts to or pull artifacts from a container registry. | 8311e382-0749-4cb8-b61a-304f252e45ec | +> | <a name='acrquarantinereader'></a>[AcrQuarantineReader](./built-in-roles/containers.md#acrquarantinereader) | Pull quarantined images from a container registry. | cdda3590-29a3-44f6-95f2-9f980659eb04 | +> | <a name='acrquarantinewriter'></a>[AcrQuarantineWriter](./built-in-roles/containers.md#acrquarantinewriter) | Push quarantined images to or pull quarantined images from a container registry. | c8d4ff99-41c3-41a8-9f60-21dfdad59608 | +> | <a name='azure-arc-enabled-kubernetes-cluster-user-role'></a>[Azure Arc Enabled Kubernetes Cluster User Role](./built-in-roles/containers.md#azure-arc-enabled-kubernetes-cluster-user-role) | List cluster user credentials action. 
| 00493d72-78f6-4148-b6c5-d3ce8e4799dd | +> | <a name='azure-arc-kubernetes-admin'></a>[Azure Arc Kubernetes Admin](./built-in-roles/containers.md#azure-arc-kubernetes-admin) | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. | dffb1e0c-446f-4dde-a09f-99eb5cc68b96 | +> | <a name='azure-arc-kubernetes-cluster-admin'></a>[Azure Arc Kubernetes Cluster Admin](./built-in-roles/containers.md#azure-arc-kubernetes-cluster-admin) | Lets you manage all resources in the cluster. | 8393591c-06b9-48a2-a542-1bd6b377f6a2 | +> | <a name='azure-arc-kubernetes-viewer'></a>[Azure Arc Kubernetes Viewer](./built-in-roles/containers.md#azure-arc-kubernetes-viewer) | Lets you view all resources in cluster/namespace, except secrets. | 63f0a09d-1495-4db4-a681-037d84835eb4 | +> | <a name='azure-arc-kubernetes-writer'></a>[Azure Arc Kubernetes Writer](./built-in-roles/containers.md#azure-arc-kubernetes-writer) | Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings. | 5b999177-9696-4545-85c7-50de3797e5a1 | +> | <a name='azure-kubernetes-fleet-manager-rbac-admin'></a>[Azure Kubernetes Fleet Manager RBAC Admin](./built-in-roles/containers.md#azure-kubernetes-fleet-manager-rbac-admin) | This role grants admin access - provides write permissions on most objects within a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces. | 434fb43a-c01c-447e-9f67-c3ad923cfaba | +> | <a name='azure-kubernetes-fleet-manager-rbac-cluster-admin'></a>[Azure Kubernetes Fleet Manager RBAC Cluster Admin](./built-in-roles/containers.md#azure-kubernetes-fleet-manager-rbac-cluster-admin) | Lets you manage all resources in the fleet manager cluster. 
| 18ab4d3d-a1bf-4477-8ad9-8359bc988f69 | +> | <a name='azure-kubernetes-fleet-manager-rbac-reader'></a>[Azure Kubernetes Fleet Manager RBAC Reader](./built-in-roles/containers.md#azure-kubernetes-fleet-manager-rbac-reader) | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. | 30b27cfc-9c84-438e-b0ce-70e35255df80 | +> | <a name='azure-kubernetes-fleet-manager-rbac-writer'></a>[Azure Kubernetes Fleet Manager RBAC Writer](./built-in-roles/containers.md#azure-kubernetes-fleet-manager-rbac-writer) | Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. | 5af6afb3-c06c-4fa4-8848-71a8aee05683 | +> | <a name='azure-kubernetes-service-cluster-admin-role'></a>[Azure Kubernetes Service Cluster Admin Role](./built-in-roles/containers.md#azure-kubernetes-service-cluster-admin-role) | List cluster admin credential action. | 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8 | +> | <a name='azure-kubernetes-service-cluster-monitoring-user'></a>[Azure Kubernetes Service Cluster Monitoring User](./built-in-roles/containers.md#azure-kubernetes-service-cluster-monitoring-user) | List cluster monitoring user credential action. 
| 1afdec4b-e479-420e-99e7-f82237c7c5e6 | +> | <a name='azure-kubernetes-service-cluster-user-role'></a>[Azure Kubernetes Service Cluster User Role](./built-in-roles/containers.md#azure-kubernetes-service-cluster-user-role) | List cluster user credential action. | 4abbcc35-e782-43d8-92c5-2d3f1bd2253f | +> | <a name='azure-kubernetes-service-contributor-role'></a>[Azure Kubernetes Service Contributor Role](./built-in-roles/containers.md#azure-kubernetes-service-contributor-role) | Grants access to read and write Azure Kubernetes Service clusters | ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8 | +> | <a name='azure-kubernetes-service-rbac-admin'></a>[Azure Kubernetes Service RBAC Admin](./built-in-roles/containers.md#azure-kubernetes-service-rbac-admin) | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. | 3498e952-d568-435e-9b2c-8d77e338d7f7 | +> | <a name='azure-kubernetes-service-rbac-cluster-admin'></a>[Azure Kubernetes Service RBAC Cluster Admin](./built-in-roles/containers.md#azure-kubernetes-service-rbac-cluster-admin) | Lets you manage all resources in the cluster. | b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b | +> | <a name='azure-kubernetes-service-rbac-reader'></a>[Azure Kubernetes Service RBAC Reader](./built-in-roles/containers.md#azure-kubernetes-service-rbac-reader) | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. 
| 7f6c6a51-bcf8-42ba-9220-52d62157d7db | +> | <a name='azure-kubernetes-service-rbac-writer'></a>[Azure Kubernetes Service RBAC Writer](./built-in-roles/containers.md#azure-kubernetes-service-rbac-writer) | Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. | a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb | +> | <a name='kubernetes-agentless-operator'></a>[Kubernetes Agentless Operator](./built-in-roles/containers.md#kubernetes-agentless-operator) | Grants Microsoft Defender for Cloud access to Azure Kubernetes Services | d5a2ae44-610b-4500-93be-660a0c5f5ca6 | +> | <a name='kubernetes-clusterazure-arc-onboarding'></a>[Kubernetes Cluster - Azure Arc Onboarding](./built-in-roles/containers.md#kubernetes-clusterazure-arc-onboarding) | Role definition to authorize any user/service to create connectedClusters resource | 34e09817-6cbe-4d01-b1a2-e0eac5743d41 | +> | <a name='kubernetes-extension-contributor'></a>[Kubernetes Extension Contributor](./built-in-roles/containers.md#kubernetes-extension-contributor) | Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations | 85cb6faf-e071-4c9b-8136-154b5a04f717 | -[Learn more](/azure/avere-vfxt/avere-vfxt-manage-cluster) +## Databases > [!div class="mx-tableFixed"]-> | Actions | Description | -> | | | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/read | Get the properties of a virtual machine | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkInterfaces/read | Gets a network interface definition. 
| -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkInterfaces/write | Creates a network interface or updates an existing network interface. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/subnets/read | Gets a virtual network subnet definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/delete | Returns the result of deleting a container | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/read | Returns list of containers | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/write | Returns the result of put blob container | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/delete | Returns the result of deleting a blob | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/write | Returns the result of writing a blob | -> | **NotDataActions** 
| | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Used by the Avere vFXT cluster to manage the cluster", - "id": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9", - "name": "c025889f-8102-4ebf-b32c-fc0c6f0c6bd9", - "permissions": [ - { - "actions": [ - "Microsoft.Compute/virtualMachines/read", - "Microsoft.Network/networkInterfaces/read", - "Microsoft.Network/networkInterfaces/write", - "Microsoft.Network/virtualNetworks/read", - "Microsoft.Network/virtualNetworks/subnets/read", - "Microsoft.Network/virtualNetworks/subnets/join/action", - "Microsoft.Network/networkSecurityGroups/join/action", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Storage/storageAccounts/blobServices/containers/delete", - "Microsoft.Storage/storageAccounts/blobServices/containers/read", - "Microsoft.Storage/storageAccounts/blobServices/containers/write" - ], - "notActions": [], - "dataActions": [ - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete", - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write" - ], - "notDataActions": [] - } - ], - "roleName": "Avere Operator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Backup Contributor --Lets you manage backup service, but can't create vaults and give access to others +> | Built-in role | Description | ID | +> | | | | +> | <a name='azure-connected-sql-server-onboarding'></a>[Azure Connected SQL Server Onboarding](./built-in-roles/databases.md#azure-connected-sql-server-onboarding) | Allows for read and write access to Azure resources for SQL Server on Arc-enabled servers. 
| e8113dce-c529-4d33-91fa-e9b972617508 | +> | <a name='cosmos-db-account-reader-role'></a>[Cosmos DB Account Reader Role](./built-in-roles/databases.md#cosmos-db-account-reader-role) | Can read Azure Cosmos DB account data. See [DocumentDB Account Contributor](#documentdb-account-contributor) for managing Azure Cosmos DB accounts. | fbdf93bf-df7d-467e-a4d2-9458aa1360c8 | +> | <a name='cosmos-db-operator'></a>[Cosmos DB Operator](./built-in-roles/databases.md#cosmos-db-operator) | Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. | 230815da-be43-4aae-9cb4-875f7bd000aa | +> | <a name='cosmosbackupoperator'></a>[CosmosBackupOperator](./built-in-roles/databases.md#cosmosbackupoperator) | Can submit restore request for a Cosmos DB database or a container for an account | db7b14f2-5adf-42da-9f96-f2ee17bab5cb | +> | <a name='cosmosrestoreoperator'></a>[CosmosRestoreOperator](./built-in-roles/databases.md#cosmosrestoreoperator) | Can perform restore action for Cosmos DB database account with continuous backup mode | 5432c526-bc82-444a-b7ba-57c5b0b5b34f | +> | <a name='documentdb-account-contributor'></a>[DocumentDB Account Contributor](./built-in-roles/databases.md#documentdb-account-contributor) | Can manage Azure Cosmos DB accounts. Azure Cosmos DB is formerly known as DocumentDB. | 5bd9cd88-fe45-4216-938b-f97437e15450 | +> | <a name='redis-cache-contributor'></a>[Redis Cache Contributor](./built-in-roles/databases.md#redis-cache-contributor) | Lets you manage Redis caches, but not access to them. | e0f68234-74aa-48ed-b826-c38b57376e17 | +> | <a name='sql-db-contributor'></a>[SQL DB Contributor](./built-in-roles/databases.md#sql-db-contributor) | Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. 
| 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec | +> | <a name='sql-managed-instance-contributor'></a>[SQL Managed Instance Contributor](./built-in-roles/databases.md#sql-managed-instance-contributor) | Lets you manage SQL Managed Instances and required network configuration, but can't give access to others. | 4939a1f6-9ae0-4e48-a1e0-f2cbe897382d | +> | <a name='sql-security-manager'></a>[SQL Security Manager](./built-in-roles/databases.md#sql-security-manager) | Lets you manage the security-related policies of SQL servers and databases, but not access to them. | 056cd41c-7e88-42e1-933e-88ba6a50c9c3 | +> | <a name='sql-server-contributor'></a>[SQL Server Contributor](./built-in-roles/databases.md#sql-server-contributor) | Lets you manage SQL servers and databases, but not access to them, and not their security-related policies. | 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437 | -[Learn more](/azure/backup/backup-rbac-rs-vault) +## Analytics > [!div class="mx-tableFixed"]-> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/* | | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/operationResults/* | Manage results of operation on backup management | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/* | Create and manage backup containers inside backup fabrics of Recovery Services vault | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/refreshContainers/action | Refreshes the container list | -> | 
[Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupJobs/* | Create and manage backup jobs | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupJobsExport/action | Export Jobs | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupOperationResults/* | Create and manage Results of backup management operations | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupPolicies/* | Create and manage backup policies | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupProtectableItems/* | Create and manage items which can be backed up | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupProtectedItems/* | Create and manage backed up items | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupProtectionContainers/* | Create and manage containers holding backup items | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupSecurityPIN/* | | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services . 
| -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/certificates/* | Create and manage certificates related to backup in Recovery Services vault | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/extendedInformation/* | Create and manage extended info related to vault | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery services vault. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/monitoringConfigurations/* | | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/registeredIdentities/* | Create and manage registered identities | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/usages/* | Create and manage usage of Recovery Services vault | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. 
| -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupstorageconfig/* | | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupconfig/* | | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupValidateOperation/action | Validate Operation on Protected Item | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/write | Create Vault operation creates an Azure resource of type 'vault' | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/backupProtectionIntent/* | | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectableContainers/read | Get all protectable containers | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/operationStatus/read | Gets Operation Status for a given Operation | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/operationResults/read | The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/backupStatus/action | Check Backup Status for Recovery Services Vaults | -> | 
[Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/backupPreValidateProtection/action | | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/backupValidateFeatures/action | Validate Features | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/monitoringAlerts/write | Resolves the alert. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/operations/read | Operation returns the list of Operations for a Resource Provider | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/operationStatus/read | Gets Operation Status for a given Operation | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupProtectionIntents/read | List all backup Protection Intents | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/locations/getBackupStatus/action | Check Backup Status for Recovery Services Vaults | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/write | Creates a Backup Instance | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/delete | Deletes the Backup Instance | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/read | Returns all Backup Instances | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/read | Returns all Backup Instances | -> | 
[Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/deletedBackupInstances/read | List soft-deleted Backup Instances in a Backup Vault. | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/deletedBackupInstances/undelete/action | Perform undelete of soft-deleted Backup Instance. Backup Instance moves from SoftDeleted to ProtectionStopped state. | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/backup/action | Performs Backup on the Backup Instance | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/validateRestore/action | Validates for Restore of the Backup Instance | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/restore/action | Triggers restore on the Backup Instance | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action | Triggers cross region restore operation on given backup instance. | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action | Performs validations for cross region restore operation. | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action | List cross region restore jobs of backup instance from secondary region. | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action | Get cross region restore job details from secondary region. 
| -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action | Returns recovery points from secondary region for cross region restore enabled Backup Vaults. | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupPolicies/write | Creates Backup Policy | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupPolicies/delete | Deletes the Backup Policy | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupPolicies/read | Returns all Backup Policies | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupPolicies/read | Returns all Backup Policies | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds Restorable Time Ranges | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/write | Update BackupVault operation updates an Azure resource of type 'Backup Vault' | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/operationResults/read | Gets Operation Result of a Patch Operation for a Backup Vault | -> | 
[Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/operationStatus/read | Returns Backup Operation Status for Backup Vault. | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/locations/checkNameAvailability/action | Checks if the requested BackupVault Name is Available | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/locations/checkFeatureSupport/action | Validates if a feature is supported | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. 
| -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/validateForBackup/action | Validates for backup of Backup Instance | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/operations/read | Operation returns the list of Operations for a Resource Provider | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage backup service,but can't create vaults and give access to others", - "id": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", - "name": "5e467623-bb1f-42f4-a55d-6e525e11384b", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Network/virtualNetworks/read", - "Microsoft.RecoveryServices/locations/*", - "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/*", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/*", - "Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action", - "Microsoft.RecoveryServices/Vaults/backupJobs/*", - "Microsoft.RecoveryServices/Vaults/backupJobsExport/action", - "Microsoft.RecoveryServices/Vaults/backupOperationResults/*", - "Microsoft.RecoveryServices/Vaults/backupPolicies/*", - "Microsoft.RecoveryServices/Vaults/backupProtectableItems/*", - "Microsoft.RecoveryServices/Vaults/backupProtectedItems/*", - "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/*", - "Microsoft.RecoveryServices/Vaults/backupSecurityPIN/*", - "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read", - "Microsoft.RecoveryServices/Vaults/certificates/*", - "Microsoft.RecoveryServices/Vaults/extendedInformation/*", - "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read", - "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*", - "Microsoft.RecoveryServices/Vaults/read", - 
"Microsoft.RecoveryServices/Vaults/registeredIdentities/*", - "Microsoft.RecoveryServices/Vaults/usages/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Storage/storageAccounts/read", - "Microsoft.RecoveryServices/Vaults/backupstorageconfig/*", - "Microsoft.RecoveryServices/Vaults/backupconfig/*", - "Microsoft.RecoveryServices/Vaults/backupValidateOperation/action", - "Microsoft.RecoveryServices/Vaults/write", - "Microsoft.RecoveryServices/Vaults/backupOperations/read", - "Microsoft.RecoveryServices/Vaults/backupEngines/read", - "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read", - "Microsoft.RecoveryServices/vaults/operationStatus/read", - "Microsoft.RecoveryServices/vaults/operationResults/read", - "Microsoft.RecoveryServices/locations/backupStatus/action", - "Microsoft.RecoveryServices/locations/backupPreValidateProtection/action", - "Microsoft.RecoveryServices/locations/backupValidateFeatures/action", - "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write", - "Microsoft.RecoveryServices/operations/read", - "Microsoft.RecoveryServices/locations/operationStatus/read", - "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read", - "Microsoft.Support/*", - "Microsoft.DataProtection/locations/getBackupStatus/action", - "Microsoft.DataProtection/backupVaults/backupInstances/write", - "Microsoft.DataProtection/backupVaults/backupInstances/delete", - "Microsoft.DataProtection/backupVaults/backupInstances/read", - "Microsoft.DataProtection/backupVaults/backupInstances/read", - "Microsoft.DataProtection/backupVaults/deletedBackupInstances/read", - "Microsoft.DataProtection/backupVaults/deletedBackupInstances/undelete/action", - "Microsoft.DataProtection/backupVaults/backupInstances/backup/action", - "Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action", - 
"Microsoft.DataProtection/backupVaults/backupInstances/restore/action", - "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action", - "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action", - "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action", - "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action", - "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action", - "Microsoft.DataProtection/backupVaults/backupPolicies/write", - "Microsoft.DataProtection/backupVaults/backupPolicies/delete", - "Microsoft.DataProtection/backupVaults/backupPolicies/read", - "Microsoft.DataProtection/backupVaults/backupPolicies/read", - "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read", - "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read", - "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action", - "Microsoft.DataProtection/backupVaults/write", - "Microsoft.DataProtection/backupVaults/read", - "Microsoft.DataProtection/backupVaults/operationResults/read", - "Microsoft.DataProtection/backupVaults/operationStatus/read", - "Microsoft.DataProtection/locations/checkNameAvailability/action", - "Microsoft.DataProtection/locations/checkFeatureSupport/action", - "Microsoft.DataProtection/backupVaults/read", - "Microsoft.DataProtection/backupVaults/read", - "Microsoft.DataProtection/locations/operationStatus/read", - "Microsoft.DataProtection/locations/operationResults/read", - "Microsoft.DataProtection/backupVaults/validateForBackup/action", - "Microsoft.DataProtection/operations/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Backup Contributor", - "roleType": "BuiltInRole", - "type": 
"Microsoft.Authorization/roleDefinitions" -} -``` --### Backup Operator --Lets you manage backup services, except removal of backup, vault creation and giving access to others +> | Built-in role | Description | ID | +> | | | | +> | <a name='azure-event-hubs-data-owner'></a>[Azure Event Hubs Data Owner](./built-in-roles/analytics.md#azure-event-hubs-data-owner) | Allows for full access to Azure Event Hubs resources. | f526a384-b230-433a-b45c-95f59c4a2dec | +> | <a name='azure-event-hubs-data-receiver'></a>[Azure Event Hubs Data Receiver](./built-in-roles/analytics.md#azure-event-hubs-data-receiver) | Allows receive access to Azure Event Hubs resources. | a638d3c7-ab3a-418d-83e6-5f17a39d4fde | +> | <a name='azure-event-hubs-data-sender'></a>[Azure Event Hubs Data Sender](./built-in-roles/analytics.md#azure-event-hubs-data-sender) | Allows send access to Azure Event Hubs resources. | 2b629674-e913-4c01-ae53-ef4638d8f975 | +> | <a name='data-factory-contributor'></a>[Data Factory Contributor](./built-in-roles/analytics.md#data-factory-contributor) | Create and manage data factories, as well as child resources within them. | 673868aa-7521-48a0-acc6-0f60742d39f5 | +> | <a name='data-purger'></a>[Data Purger](./built-in-roles/analytics.md#data-purger) | Delete private data from a Log Analytics workspace. | 150f5e0c-0603-4f03-8c7f-cf70034c4e90 | +> | <a name='hdinsight-cluster-operator'></a>[HDInsight Cluster Operator](./built-in-roles/analytics.md#hdinsight-cluster-operator) | Lets you read and modify HDInsight cluster configurations. 
| 61ed4efc-fab3-44fd-b111-e24485cc132a | +> | <a name='hdinsight-domain-services-contributor'></a>[HDInsight Domain Services Contributor](./built-in-roles/analytics.md#hdinsight-domain-services-contributor) | Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package | 8d8d5a11-05d3-4bda-a417-a08778121c7c | +> | <a name='log-analytics-contributor'></a>[Log Analytics Contributor](./built-in-roles/analytics.md#log-analytics-contributor) | Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources. | 92aaf0da-9dab-42b6-94a3-d43ce8d16293 | +> | <a name='log-analytics-reader'></a>[Log Analytics Reader](./built-in-roles/analytics.md#log-analytics-reader) | Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. | 73c42c96-874c-492b-b04d-ab87d138a893 | +> | <a name='schema-registry-contributor-preview'></a>[Schema Registry Contributor (Preview)](./built-in-roles/analytics.md#schema-registry-contributor-preview) | Read, write, and delete Schema Registry groups and schemas. | 5dffeca3-4936-4216-b2bc-10343a5abb25 | +> | <a name='schema-registry-reader-preview'></a>[Schema Registry Reader (Preview)](./built-in-roles/analytics.md#schema-registry-reader-preview) | Read and list Schema Registry groups and schemas. 
| 2c56ea50-c6b3-40a6-83c0-9d98858bc7d2 | +> | <a name='stream-analytics-query-tester'></a>[Stream Analytics Query Tester](./built-in-roles/analytics.md#stream-analytics-query-tester) | Lets you perform query testing without creating a stream analytics job first | 1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf | -[Learn more](/azure/backup/backup-rbac-rs-vault) +## AI + machine learning > [!div class="mx-tableFixed"]-> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/operationResults/read | Returns status of the operation | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/operationResults/read | Gets result of Operation performed on Protection Container. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action | Performs Backup for Protected Item. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read | Gets Result of Operation Performed on Protected Items. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read | Returns the status of Operation performed on Protected Items. 
| -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the Protected Item | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action | Provision Instant Item Recovery for Protected Item | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action | Get AccessToken for Cross Region Restore. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read | Get Recovery Points for Protected Items. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action | Restore Recovery Points for Protected Items. 
| -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action | Revoke Instant Item Recovery for Protected Item | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/write | Create a backup Protected Item | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/read | Returns all registered containers | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/refreshContainers/action | Refreshes the container list | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupJobs/* | Create and manage backup jobs | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupJobsExport/action | Export Jobs | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupOperationResults/* | Create and manage Results of backup management operations | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupPolicies/operationResults/read | Get Results of Policy Operation. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupPolicies/read | Returns all Protection Policies | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupProtectableItems/* | Create and manage items which can be backed up | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupProtectedItems/read | Returns the list of all Protected Items. 
| -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupProtectionContainers/read | Returns all containers belonging to the subscription | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services . | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/certificates/write | The Update Resource Certificate operation updates the resource/vault credential certificate. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/extendedInformation/write | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery services vault. 
| -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/monitoringConfigurations/* | | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/registeredIdentities/operationResults/read | The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/registeredIdentities/read | The Get Containers operation can be used get the containers registered for a resource. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/registeredIdentities/write | The Register Service Container operation can be used to register a container with Recovery Service. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/usages/read | Returns usage details for a Recovery Services Vault. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. 
| -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupstorageconfig/* | | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupValidateOperation/action | Validate Operation on Protected Item | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupTriggerValidateOperation/action | Validate Operation on Protected Item | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupValidateOperationResults/read | Validate Operation on Protected Item | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupValidateOperationsStatuses/read | Validate Operation on Protected Item | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupPolicies/operations/read | Get Status of Policy Operation. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/write | Creates a registered container | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/inquire/action | Do inquiry for workloads within a container | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. 
| -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/backupProtectionIntent/write | Create a backup Protection Intent | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/backupProtectionIntent/read | Get a backup Protection Intent | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectableContainers/read | Get all protectable containers | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/items/read | Get all items in a container | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/backupStatus/action | Check Backup Status for Recovery Services Vaults | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/backupPreValidateProtection/action | | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/backupValidateFeatures/action | Validate Features | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/backupAadProperties/read | Get AAD Properties for authentication in the third region for Cross Region Restore. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/backupCrrJobs/action | List Cross Region Restore Jobs in the secondary region for Recovery Services Vault. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/backupCrrJob/action | Get Cross Region Restore Job Details in the secondary region for Recovery Services Vault. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/backupCrossRegionRestore/action | Trigger Cross region restore. 
| -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/backupCrrOperationResults/read | Returns CRR Operation Result for Recovery Services Vault. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/backupCrrOperationsStatus/read | Returns CRR Operation Status for Recovery Services Vault. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/monitoringAlerts/write | Resolves the alert. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/operations/read | Operation returns the list of Operations for a Resource Provider | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/operationStatus/read | Gets Operation Status for a given Operation | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupProtectionIntents/read | List all backup Protection Intents | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/read | Returns all Backup Instances | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/read | Returns all Backup Instances | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/deletedBackupInstances/read | List soft-deleted Backup Instances in a Backup Vault. 
| -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupPolicies/read | Returns all Backup Policies | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupPolicies/read | Returns all Backup Policies | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds Restorable Time Ranges | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/operationResults/read | Gets Operation Result of a Patch Operation for a Backup Vault | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/operationStatus/read | Returns Backup Operation Status for Backup Vault. | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. 
| -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/operations/read | Operation returns the list of Operations for a Resource Provider | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/validateForBackup/action | Validates for backup of Backup Instance | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/backup/action | Performs Backup on the Backup Instance | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/validateRestore/action | Validates for Restore of the Backup Instance | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/restore/action | Triggers restore on the Backup Instance | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action | Triggers cross region restore operation on given backup instance. | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action | Performs validations for cross region restore operation. | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action | List cross region restore jobs of backup instance from secondary region. 
| -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action | Get cross region restore job details from secondary region. | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action | Returns recovery points from secondary region for cross region restore enabled Backup Vaults. | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/locations/checkFeatureSupport/action | Validates if a feature is supported | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage backup services, except removal of backup, vault creation and giving access to others", - "id": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324", - "name": "00c29273-979b-4161-815c-10b084fb9324", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Network/virtualNetworks/read", - "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action", - 
"Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read", - "Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action", - "Microsoft.RecoveryServices/Vaults/backupJobs/*", - "Microsoft.RecoveryServices/Vaults/backupJobsExport/action", - "Microsoft.RecoveryServices/Vaults/backupOperationResults/*", - "Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read", - "Microsoft.RecoveryServices/Vaults/backupPolicies/read", - "Microsoft.RecoveryServices/Vaults/backupProtectableItems/*", - "Microsoft.RecoveryServices/Vaults/backupProtectedItems/read", - "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read", - "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read", - "Microsoft.RecoveryServices/Vaults/certificates/write", - "Microsoft.RecoveryServices/Vaults/extendedInformation/read", - "Microsoft.RecoveryServices/Vaults/extendedInformation/write", - "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read", - "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*", - "Microsoft.RecoveryServices/Vaults/read", - "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read", - "Microsoft.RecoveryServices/Vaults/registeredIdentities/read", - "Microsoft.RecoveryServices/Vaults/registeredIdentities/write", - "Microsoft.RecoveryServices/Vaults/usages/read", - "Microsoft.Resources/deployments/*", - 
"Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Storage/storageAccounts/read", - "Microsoft.RecoveryServices/Vaults/backupstorageconfig/*", - "Microsoft.RecoveryServices/Vaults/backupValidateOperation/action", - "Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action", - "Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read", - "Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read", - "Microsoft.RecoveryServices/Vaults/backupOperations/read", - "Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action", - "Microsoft.RecoveryServices/Vaults/backupEngines/read", - "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write", - "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read", - "Microsoft.RecoveryServices/locations/backupStatus/action", - "Microsoft.RecoveryServices/locations/backupPreValidateProtection/action", - "Microsoft.RecoveryServices/locations/backupValidateFeatures/action", - "Microsoft.RecoveryServices/locations/backupAadProperties/read", - "Microsoft.RecoveryServices/locations/backupCrrJobs/action", - "Microsoft.RecoveryServices/locations/backupCrrJob/action", - "Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action", - "Microsoft.RecoveryServices/locations/backupCrrOperationResults/read", - "Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read", - "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write", - "Microsoft.RecoveryServices/operations/read", - "Microsoft.RecoveryServices/locations/operationStatus/read", - 
"Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read", - "Microsoft.Support/*", - "Microsoft.DataProtection/backupVaults/backupInstances/read", - "Microsoft.DataProtection/backupVaults/backupInstances/read", - "Microsoft.DataProtection/backupVaults/deletedBackupInstances/read", - "Microsoft.DataProtection/backupVaults/backupPolicies/read", - "Microsoft.DataProtection/backupVaults/backupPolicies/read", - "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read", - "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read", - "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action", - "Microsoft.DataProtection/backupVaults/read", - "Microsoft.DataProtection/backupVaults/operationResults/read", - "Microsoft.DataProtection/backupVaults/operationStatus/read", - "Microsoft.DataProtection/backupVaults/read", - "Microsoft.DataProtection/backupVaults/read", - "Microsoft.DataProtection/locations/operationStatus/read", - "Microsoft.DataProtection/locations/operationResults/read", - "Microsoft.DataProtection/operations/read", - "Microsoft.DataProtection/backupVaults/validateForBackup/action", - "Microsoft.DataProtection/backupVaults/backupInstances/backup/action", - "Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action", - "Microsoft.DataProtection/backupVaults/backupInstances/restore/action", - "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action", - "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action", - "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action", - "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action", - "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action", - 
"Microsoft.DataProtection/locations/checkFeatureSupport/action" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Backup Operator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Backup Reader --Can view backup services, but can't make changes --[Learn more](/azure/backup/backup-rbac-rs-vault) +> | Built-in role | Description | ID | +> | | | | +> | <a name='azureml-compute-operator'></a>[AzureML Compute Operator](./built-in-roles/ai-machine-learning.md#azureml-compute-operator) | Can access and perform CRUD operations on Machine Learning Services managed compute resources (including Notebook VMs). | e503ece1-11d0-4e8e-8e2c-7a6c3bf38815 | +> | <a name='azureml-data-scientist'></a>[AzureML Data Scientist](./built-in-roles/ai-machine-learning.md#azureml-data-scientist) | Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself. | f6c7c914-8db3-469d-8ca1-694a8f32e121 | +> | <a name='cognitive-services-contributor'></a>[Cognitive Services Contributor](./built-in-roles/ai-machine-learning.md#cognitive-services-contributor) | Lets you create, read, update, delete and manage keys of Cognitive Services. | 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68 | +> | <a name='cognitive-services-custom-vision-contributor'></a>[Cognitive Services Custom Vision Contributor](./built-in-roles/ai-machine-learning.md#cognitive-services-custom-vision-contributor) | Full access to the project, including the ability to view, create, edit, or delete projects. | c1ff6cc2-c111-46fe-8896-e0ef812ad9f3 | +> | <a name='cognitive-services-custom-vision-deployment'></a>[Cognitive Services Custom Vision Deployment](./built-in-roles/ai-machine-learning.md#cognitive-services-custom-vision-deployment) | Publish, unpublish or export models. Deployment can view the project but can't update. 
| 5c4089e1-6d96-4d2f-b296-c1bc7137275f | +> | <a name='cognitive-services-custom-vision-labeler'></a>[Cognitive Services Custom Vision Labeler](./built-in-roles/ai-machine-learning.md#cognitive-services-custom-vision-labeler) | View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags. | 88424f51-ebe7-446f-bc41-7fa16989e96c | +> | <a name='cognitive-services-custom-vision-reader'></a>[Cognitive Services Custom Vision Reader](./built-in-roles/ai-machine-learning.md#cognitive-services-custom-vision-reader) | Read-only actions in the project. Readers can't create or update the project. | 93586559-c37d-4a6b-ba08-b9f0940c2d73 | +> | <a name='cognitive-services-custom-vision-trainer'></a>[Cognitive Services Custom Vision Trainer](./built-in-roles/ai-machine-learning.md#cognitive-services-custom-vision-trainer) | View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project. | 0a5ae4ab-0d65-4eeb-be61-29fc9b54394b | +> | <a name='cognitive-services-data-reader-preview'></a>[Cognitive Services Data Reader (Preview)](./built-in-roles/ai-machine-learning.md#cognitive-services-data-reader-preview) | Lets you read Cognitive Services data. | b59867f0-fa02-499b-be73-45a86b5b3e1c | +> | <a name='cognitive-services-face-recognizer'></a>[Cognitive Services Face Recognizer](./built-in-roles/ai-machine-learning.md#cognitive-services-face-recognizer) | Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices. 
| 9894cab4-e18a-44aa-828b-cb588cd6f2d7 | +> | <a name='cognitive-services-metrics-advisor-administrator'></a>[Cognitive Services Metrics Advisor Administrator](./built-in-roles/ai-machine-learning.md#cognitive-services-metrics-advisor-administrator) | Full access to the project, including the system level configuration. | cb43c632-a144-4ec5-977c-e80c4affc34a | +> | <a name='cognitive-services-openai-contributor'></a>[Cognitive Services OpenAI Contributor](./built-in-roles/ai-machine-learning.md#cognitive-services-openai-contributor) | Full access including the ability to fine-tune, deploy and generate text | a001fd3d-188f-4b5d-821b-7da978bf7442 | +> | <a name='cognitive-services-openai-user'></a>[Cognitive Services OpenAI User](./built-in-roles/ai-machine-learning.md#cognitive-services-openai-user) | Read access to view files, models, deployments. The ability to create completion and embedding calls. | 5e0bd9bd-7b93-4f28-af87-19fc36ad61bd | +> | <a name='cognitive-services-qna-maker-editor'></a>[Cognitive Services QnA Maker Editor](./built-in-roles/ai-machine-learning.md#cognitive-services-qna-maker-editor) | Let's you create, edit, import and export a KB. You cannot publish or delete a KB. | f4cc2bf9-21be-47a1-bdf1-5c5804381025 | +> | <a name='cognitive-services-qna-maker-reader'></a>[Cognitive Services QnA Maker Reader](./built-in-roles/ai-machine-learning.md#cognitive-services-qna-maker-reader) | Let's you read and test a KB only. | 466ccd10-b268-4a11-b098-b4849f024126 | +> | <a name='cognitive-services-usages-reader'></a>[Cognitive Services Usages Reader](./built-in-roles/ai-machine-learning.md#cognitive-services-usages-reader) | Minimal permission to view Cognitive Services usages. | bba48692-92b0-4667-a9ad-c31c7b334ac2 | +> | <a name='cognitive-services-user'></a>[Cognitive Services User](./built-in-roles/ai-machine-learning.md#cognitive-services-user) | Lets you read and list keys of Cognitive Services. 
| a97b65f3-24c7-4388-baec-2e87135dc908 | ++## Internet of Things > [!div class="mx-tableFixed"]-> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/allocatedStamp/read | GetAllocatedStamp is internal operation used by service | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/operationResults/read | Returns status of the operation | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/operationResults/read | Gets result of Operation performed on Protection Container. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read | Gets Result of Operation Performed on Protected Items. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read | Returns the status of Operation performed on Protected Items. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the Protected Item | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read | Get Recovery Points for Protected Items. 
| -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/read | Returns all registered containers | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupJobs/operationResults/read | Returns the Result of Job Operation. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupJobs/read | Returns all Job Objects | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupJobsExport/action | Export Jobs | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupOperationResults/read | Returns Backup Operation Result for Recovery Services Vault. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupPolicies/operationResults/read | Get Results of Policy Operation. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupPolicies/read | Returns all Protection Policies | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupProtectedItems/read | Returns the list of all Protected Items. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupProtectionContainers/read | Returns all containers belonging to the subscription | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services . | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? 
| -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery services vault. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/registeredIdentities/operationResults/read | The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/registeredIdentities/read | The Get Containers operation can be used get the containers registered for a resource. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupstorageconfig/read | Returns Storage Configuration for Recovery Services Vault. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupconfig/read | Returns Configuration for Recovery Services Vault. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupPolicies/operations/read | Get Status of Policy Operation. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. 
| -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/backupProtectionIntent/read | Get a backup Protection Intent | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/items/read | Get all items in a container | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/backupStatus/action | Check Backup Status for Recovery Services Vaults | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/monitoringConfigurations/* | | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/monitoringAlerts/write | Resolves the alert. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/operations/read | Operation returns the list of Operations for a Resource Provider | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/operationStatus/read | Gets Operation Status for a given Operation | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/backupProtectionIntents/read | List all backup Protection Intents | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/usages/read | Returns usage details for a Recovery Services Vault. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/backupValidateFeatures/action | Validate Features | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/backupCrrJobs/action | List Cross Region Restore Jobs in the secondary region for Recovery Services Vault. 
| -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/backupCrrJob/action | Get Cross Region Restore Job Details in the secondary region for Recovery Services Vault. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/backupCrrOperationResults/read | Returns CRR Operation Result for Recovery Services Vault. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/backupCrrOperationsStatus/read | Returns CRR Operation Status for Recovery Services Vault. | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/locations/getBackupStatus/action | Check Backup Status for Recovery Services Vaults | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/write | Creates a Backup Instance | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/read | Returns all Backup Instances | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/deletedBackupInstances/read | List soft-deleted Backup Instances in a Backup Vault. 
| -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/backup/action | Performs Backup on the Backup Instance | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/validateRestore/action | Validates for Restore of the Backup Instance | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/restore/action | Triggers restore on the Backup Instance | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupPolicies/read | Returns all Backup Policies | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupPolicies/read | Returns all Backup Policies | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds Restorable Time Ranges | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/operationResults/read | Gets Operation Result of a Patch Operation for a Backup Vault | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/operationStatus/read | Returns Backup Operation Status for Backup Vault. 
| -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/backupVaults/validateForBackup/action | Validates for backup of Backup Instance | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/operations/read | Operation returns the list of Operations for a Resource Provider | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action | List cross region restore jobs of backup instance from secondary region. | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action | Get cross region restore job details from secondary region. | -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action | Returns recovery points from secondary region for cross region restore enabled Backup Vaults. 
| -> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/locations/checkFeatureSupport/action | Validates if a feature is supported | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can view backup services, but can't make changes", - "id": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912", - "name": "a795c7a0-d4a2-40c1-ae25-d81f01202912", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.RecoveryServices/locations/allocatedStamp/read", - "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read", - "Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read", - "Microsoft.RecoveryServices/Vaults/backupJobs/read", - "Microsoft.RecoveryServices/Vaults/backupJobsExport/action", - "Microsoft.RecoveryServices/Vaults/backupOperationResults/read", - "Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read", - "Microsoft.RecoveryServices/Vaults/backupPolicies/read", - "Microsoft.RecoveryServices/Vaults/backupProtectedItems/read", - "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read", - "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read", - 
"Microsoft.RecoveryServices/Vaults/extendedInformation/read", - "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read", - "Microsoft.RecoveryServices/Vaults/read", - "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read", - "Microsoft.RecoveryServices/Vaults/registeredIdentities/read", - "Microsoft.RecoveryServices/Vaults/backupstorageconfig/read", - "Microsoft.RecoveryServices/Vaults/backupconfig/read", - "Microsoft.RecoveryServices/Vaults/backupOperations/read", - "Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read", - "Microsoft.RecoveryServices/Vaults/backupEngines/read", - "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read", - "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read", - "Microsoft.RecoveryServices/locations/backupStatus/action", - "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*", - "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write", - "Microsoft.RecoveryServices/operations/read", - "Microsoft.RecoveryServices/locations/operationStatus/read", - "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read", - "Microsoft.RecoveryServices/Vaults/usages/read", - "Microsoft.RecoveryServices/locations/backupValidateFeatures/action", - "Microsoft.RecoveryServices/locations/backupCrrJobs/action", - "Microsoft.RecoveryServices/locations/backupCrrJob/action", - "Microsoft.RecoveryServices/locations/backupCrrOperationResults/read", - "Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read", - "Microsoft.DataProtection/locations/getBackupStatus/action", - "Microsoft.DataProtection/backupVaults/backupInstances/write", - "Microsoft.DataProtection/backupVaults/backupInstances/read", - "Microsoft.DataProtection/backupVaults/deletedBackupInstances/read", - "Microsoft.DataProtection/backupVaults/backupInstances/backup/action", - "Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action", - 
"Microsoft.DataProtection/backupVaults/backupInstances/restore/action", - "Microsoft.DataProtection/backupVaults/backupPolicies/read", - "Microsoft.DataProtection/backupVaults/backupPolicies/read", - "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read", - "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read", - "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action", - "Microsoft.DataProtection/backupVaults/read", - "Microsoft.DataProtection/backupVaults/operationResults/read", - "Microsoft.DataProtection/backupVaults/operationStatus/read", - "Microsoft.DataProtection/backupVaults/read", - "Microsoft.DataProtection/backupVaults/read", - "Microsoft.DataProtection/locations/operationStatus/read", - "Microsoft.DataProtection/locations/operationResults/read", - "Microsoft.DataProtection/backupVaults/validateForBackup/action", - "Microsoft.DataProtection/operations/read", - "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action", - "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action", - "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action", - "Microsoft.DataProtection/locations/checkFeatureSupport/action" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Backup Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Classic Storage Account Contributor +> | Built-in role | Description | ID | +> | | | | +> | <a name='azure-digital-twins-data-owner'></a>[Azure Digital Twins Data Owner](./built-in-roles/internet-of-things.md#azure-digital-twins-data-owner) | Full access role for Digital Twins data-plane | bcd981a7-7f74-457b-83e1-cceb9e632ffe | +> | <a name='azure-digital-twins-data-reader'></a>[Azure Digital Twins Data 
Reader](./built-in-roles/internet-of-things.md#azure-digital-twins-data-reader) | Read-only role for Digital Twins data-plane properties | d57506d4-4c8d-48b1-8587-93c323f6a5a3 | +> | <a name='device-update-administrator'></a>[Device Update Administrator](./built-in-roles/internet-of-things.md#device-update-administrator) | Gives you full access to management and content operations | 02ca0879-e8e4-47a5-a61e-5c618b76e64a | +> | <a name='device-update-content-administrator'></a>[Device Update Content Administrator](./built-in-roles/internet-of-things.md#device-update-content-administrator) | Gives you full access to content operations | 0378884a-3af5-44ab-8323-f5b22f9f3c98 | +> | <a name='device-update-content-reader'></a>[Device Update Content Reader](./built-in-roles/internet-of-things.md#device-update-content-reader) | Gives you read access to content operations, but does not allow making changes | d1ee9a80-8b14-47f0-bdc2-f4a351625a7b | +> | <a name='device-update-deployments-administrator'></a>[Device Update Deployments Administrator](./built-in-roles/internet-of-things.md#device-update-deployments-administrator) | Gives you full access to management operations | e4237640-0e3d-4a46-8fda-70bc94856432 | +> | <a name='device-update-deployments-reader'></a>[Device Update Deployments Reader](./built-in-roles/internet-of-things.md#device-update-deployments-reader) | Gives you read access to management operations, but does not allow making changes | 49e2f5d2-7741-4835-8efa-19e1fe35e47f | +> | <a name='device-update-reader'></a>[Device Update Reader](./built-in-roles/internet-of-things.md#device-update-reader) | Gives you read access to management and content operations, but does not allow making changes | e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f | +> | <a name='iot-hub-data-contributor'></a>[IoT Hub Data Contributor](./built-in-roles/internet-of-things.md#iot-hub-data-contributor) | Allows for full access to IoT Hub data plane operations. 
| 4fc6c259-987e-4a07-842e-c321cc9d413f | +> | <a name='iot-hub-data-reader'></a>[IoT Hub Data Reader](./built-in-roles/internet-of-things.md#iot-hub-data-reader) | Allows for full read access to IoT Hub data-plane properties | b447c946-2db7-41ec-983d-d8bf3b1c77e3 | +> | <a name='iot-hub-registry-contributor'></a>[IoT Hub Registry Contributor](./built-in-roles/internet-of-things.md#iot-hub-registry-contributor) | Allows for full access to IoT Hub device registry. | 4ea46cd5-c1b2-4a8e-910b-273211f9ce47 | +> | <a name='iot-hub-twin-contributor'></a>[IoT Hub Twin Contributor](./built-in-roles/internet-of-things.md#iot-hub-twin-contributor) | Allows for read and write access to all IoT Hub device and module twins. | 494bdba2-168f-4f31-a0a1-191d2f7c028c | -Lets you manage classic storage accounts, but not access to them. +## Mixed reality > [!div class="mx-tableFixed"]-> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.ClassicStorage](resource-provider-operations.md#microsoftclassicstorage)/storageAccounts/* | Create and manage storage accounts | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage classic storage accounts, but not access to them.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25", - "name": "86e8f5dc-a6e9-4c67-9d15-de283e8eac25", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.ClassicStorage/storageAccounts/*", - "Microsoft.Insights/alertRules/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Classic Storage Account Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Classic Storage Account Key Operator Service Role --Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts +> | Built-in role | Description | ID | +> | | | | +> | <a name='remote-rendering-administrator'></a>[Remote Rendering Administrator](./built-in-roles/mixed-reality.md#remote-rendering-administrator) | Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering | 3df8b902-2a6f-47c7-8cc5-360e9b272a7e | +> | <a name='remote-rendering-client'></a>[Remote Rendering Client](./built-in-roles/mixed-reality.md#remote-rendering-client) | Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering. 
| d39065c4-c120-43c9-ab0a-63eed9795f0a | +> | <a name='spatial-anchors-account-contributor'></a>[Spatial Anchors Account Contributor](./built-in-roles/mixed-reality.md#spatial-anchors-account-contributor) | Lets you manage spatial anchors in your account, but not delete them | 8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827 | +> | <a name='spatial-anchors-account-owner'></a>[Spatial Anchors Account Owner](./built-in-roles/mixed-reality.md#spatial-anchors-account-owner) | Lets you manage spatial anchors in your account, including deleting them | 70bbe301-9835-447d-afdd-19eb3167307c | +> | <a name='spatial-anchors-account-reader'></a>[Spatial Anchors Account Reader](./built-in-roles/mixed-reality.md#spatial-anchors-account-reader) | Lets you locate and read properties of spatial anchors in your account | 5d51204f-eb77-4b1c-b86a-2ec626c49413 | -[Learn more](/azure/key-vault/secrets/overview-storage-keys) +## Integration > [!div class="mx-tableFixed"]-> | Actions | Description | -> | | | -> | [Microsoft.ClassicStorage](resource-provider-operations.md#microsoftclassicstorage)/storageAccounts/listkeys/action | Lists the access keys for the storage accounts. | -> | [Microsoft.ClassicStorage](resource-provider-operations.md#microsoftclassicstorage)/storageAccounts/regeneratekey/action | Regenerates the existing access keys for the storage account. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts", - "id": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d", - "name": "985d6b00-f706-48f5-a6fe-d0ca12fb668d", - "permissions": [ - { - "actions": [ - "Microsoft.ClassicStorage/storageAccounts/listkeys/action", - "Microsoft.ClassicStorage/storageAccounts/regeneratekey/action" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Classic Storage Account Key Operator Service Role", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Data Box Contributor --Lets you manage everything under Data Box Service except giving access to others. +> | Built-in role | Description | ID | +> | | | | +> | <a name='api-management-service-contributor'></a>[API Management Service Contributor](./built-in-roles/integration.md#api-management-service-contributor) | Can manage service and the APIs | 312a565d-c81f-4fd8-895a-4e21e48d571c | +> | <a name='api-management-service-operator-role'></a>[API Management Service Operator Role](./built-in-roles/integration.md#api-management-service-operator-role) | Can manage service but not the APIs | e022efe7-f5ba-4159-bbe4-b44f577e9b61 | +> | <a name='api-management-service-reader-role'></a>[API Management Service Reader Role](./built-in-roles/integration.md#api-management-service-reader-role) | Read-only access to service and APIs | 71522526-b88f-4d52-b57f-d31fc3546d0d | +> | <a name='api-management-service-workspace-api-developer'></a>[API Management Service Workspace API Developer](./built-in-roles/integration.md#api-management-service-workspace-api-developer) | Has read access to tags and products and write access to allow: assigning 
APIs to products, assigning tags to products and APIs. This role should be assigned on the service scope. | 9565a273-41b9-4368-97d2-aeb0c976a9b3 | +> | <a name='api-management-service-workspace-api-product-manager'></a>[API Management Service Workspace API Product Manager](./built-in-roles/integration.md#api-management-service-workspace-api-product-manager) | Has the same access as API Management Service Workspace API Developer as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope. | d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da | +> | <a name='api-management-workspace-api-developer'></a>[API Management Workspace API Developer](./built-in-roles/integration.md#api-management-workspace-api-developer) | Has read access to entities in the workspace and read and write access to entities for editing APIs. This role should be assigned on the workspace scope. | 56328988-075d-4c6a-8766-d93edd6725b6 | +> | <a name='api-management-workspace-api-product-manager'></a>[API Management Workspace API Product Manager](./built-in-roles/integration.md#api-management-workspace-api-product-manager) | Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope. | 73c2c328-d004-4c5e-938c-35c6f5679a1f | +> | <a name='api-management-workspace-contributor'></a>[API Management Workspace Contributor](./built-in-roles/integration.md#api-management-workspace-contributor) | Can manage the workspace and view, but not modify its members. This role should be assigned on the workspace scope. | 0c34c906-8d99-4cb7-8bb7-33f5b0a1a799 | +> | <a name='api-management-workspace-reader'></a>[API Management Workspace Reader](./built-in-roles/integration.md#api-management-workspace-reader) | Has read-only access to entities in the workspace. This role should be assigned on the workspace scope. 
| ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2 | +> | <a name='app-configuration-data-owner'></a>[App Configuration Data Owner](./built-in-roles/integration.md#app-configuration-data-owner) | Allows full access to App Configuration data. | 5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b | +> | <a name='app-configuration-data-reader'></a>[App Configuration Data Reader](./built-in-roles/integration.md#app-configuration-data-reader) | Allows read access to App Configuration data. | 516239f1-63e1-4d78-a4de-a74fb236a071 | +> | <a name='azure-relay-listener'></a>[Azure Relay Listener](./built-in-roles/integration.md#azure-relay-listener) | Allows for listen access to Azure Relay resources. | 26e0b698-aa6d-4085-9386-aadae190014d | +> | <a name='azure-relay-owner'></a>[Azure Relay Owner](./built-in-roles/integration.md#azure-relay-owner) | Allows for full access to Azure Relay resources. | 2787bf04-f1f5-4bfe-8383-c8a24483ee38 | +> | <a name='azure-relay-sender'></a>[Azure Relay Sender](./built-in-roles/integration.md#azure-relay-sender) | Allows for send access to Azure Relay resources. | 26baccc8-eea7-41f1-98f4-1762cc7f685d | +> | <a name='azure-service-bus-data-owner'></a>[Azure Service Bus Data Owner](./built-in-roles/integration.md#azure-service-bus-data-owner) | Allows for full access to Azure Service Bus resources. | 090c5cfd-751d-490a-894a-3ce6f1109419 | +> | <a name='azure-service-bus-data-receiver'></a>[Azure Service Bus Data Receiver](./built-in-roles/integration.md#azure-service-bus-data-receiver) | Allows for receive access to Azure Service Bus resources. | 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0 | +> | <a name='azure-service-bus-data-sender'></a>[Azure Service Bus Data Sender](./built-in-roles/integration.md#azure-service-bus-data-sender) | Allows for send access to Azure Service Bus resources. 
| 69a216fc-b8fb-44d8-bc22-1f3c2cd27a39 | +> | <a name='biztalk-contributor'></a>[BizTalk Contributor](./built-in-roles/integration.md#biztalk-contributor) | Lets you manage BizTalk services, but not access to them. | 5e3c6656-6cfa-4708-81fe-0de47ac73342 | +> | <a name='eventgrid-contributor'></a>[EventGrid Contributor](./built-in-roles/integration.md#eventgrid-contributor) | Lets you manage EventGrid operations. | 1e241071-0855-49ea-94dc-649edcd759de | +> | <a name='eventgrid-data-sender'></a>[EventGrid Data Sender](./built-in-roles/integration.md#eventgrid-data-sender) | Allows send access to event grid events. | d5a91429-5739-47e2-a06b-3470a27159e7 | +> | <a name='eventgrid-eventsubscription-contributor'></a>[EventGrid EventSubscription Contributor](./built-in-roles/integration.md#eventgrid-eventsubscription-contributor) | Lets you manage EventGrid event subscription operations. | 428e0ff0-5e57-4d9c-a221-2c70d0e0a443 | +> | <a name='eventgrid-eventsubscription-reader'></a>[EventGrid EventSubscription Reader](./built-in-roles/integration.md#eventgrid-eventsubscription-reader) | Lets you read EventGrid event subscriptions. 
| 2414bbcf-6497-4faf-8c65-045460748405 | +> | <a name='fhir-data-contributor'></a>[FHIR Data Contributor](./built-in-roles/integration.md#fhir-data-contributor) | Role allows user or principal full access to FHIR Data | 5a1fc7df-4bf1-4951-a576-89034ee01acd | +> | <a name='fhir-data-exporter'></a>[FHIR Data Exporter](./built-in-roles/integration.md#fhir-data-exporter) | Role allows user or principal to read and export FHIR Data | 3db33094-8700-4567-8da5-1501d4e7e843 | +> | <a name='fhir-data-importer'></a>[FHIR Data Importer](./built-in-roles/integration.md#fhir-data-importer) | Role allows user or principal to read and import FHIR Data | 4465e953-8ced-4406-a58e-0f6e3f3b530b | +> | <a name='fhir-data-reader'></a>[FHIR Data Reader](./built-in-roles/integration.md#fhir-data-reader) | Role allows user or principal to read FHIR Data | 4c8d0bbc-75d3-4935-991f-5f3c56d81508 | +> | <a name='fhir-data-writer'></a>[FHIR Data Writer](./built-in-roles/integration.md#fhir-data-writer) | Role allows user or principal to read and write FHIR Data | 3f88fce4-5892-4214-ae73-ba5294559913 | +> | <a name='integration-service-environment-contributor'></a>[Integration Service Environment Contributor](./built-in-roles/integration.md#integration-service-environment-contributor) | Lets you manage integration service environments, but not access to them. | a41e2c5b-bd99-4a07-88f4-9bf657a760b8 | +> | <a name='integration-service-environment-developer'></a>[Integration Service Environment Developer](./built-in-roles/integration.md#integration-service-environment-developer) | Allows developers to create and update workflows, integration accounts and API connections in integration service environments. | c7aa55d3-1abb-444a-a5ca-5e51e485d6ec | +> | <a name='intelligent-systems-account-contributor'></a>[Intelligent Systems Account Contributor](./built-in-roles/integration.md#intelligent-systems-account-contributor) | Lets you manage Intelligent Systems accounts, but not access to them. 
| 03a6d094-3444-4b3d-88af-7477090a9e5e | +> | <a name='logic-app-contributor'></a>[Logic App Contributor](./built-in-roles/integration.md#logic-app-contributor) | Lets you manage logic apps, but not change access to them. | 87a39d53-fc1b-424a-814c-f7e04687dc9e | +> | <a name='logic-app-operator'></a>[Logic App Operator](./built-in-roles/integration.md#logic-app-operator) | Lets you read, enable, and disable logic apps, but not edit or update them. | 515c2055-d9d4-4321-b1b9-bd0c9a0f79fe | +> | <a name='logic-apps-standard-contributor-preview'></a>[Logic Apps Standard Contributor (Preview)](./built-in-roles/integration.md#logic-apps-standard-contributor-preview) | You can manage all aspects of a Standard logic app and workflows. You can't change access or ownership. | ad710c24-b039-4e85-a019-deb4a06e8570 | +> | <a name='logic-apps-standard-developer-preview'></a>[Logic Apps Standard Developer (Preview)](./built-in-roles/integration.md#logic-apps-standard-developer-preview) | You can create and edit workflows, connections, and settings for a Standard logic app. You can't make changes outside the workflow scope. | 523776ba-4eb2-4600-a3c8-f2dc93da4bdb | +> | <a name='logic-apps-standard-operator-preview'></a>[Logic Apps Standard Operator (Preview)](./built-in-roles/integration.md#logic-apps-standard-operator-preview) | You can enable, resubmit, and disable workflows as well as create connections. You can't edit workflows or settings. | b70c96e9-66fe-4c09-b6e7-c98e69c98555 | +> | <a name='logic-apps-standard-reader-preview'></a>[Logic Apps Standard Reader (Preview)](./built-in-roles/integration.md#logic-apps-standard-reader-preview) | You have read-only access to all resources in a Standard logic app and workflows, including the workflow runs and their history. 
| 4accf36b-2c05-432f-91c8-5c532dff4c73 | +> | <a name='scheduler-job-collections-contributor'></a>[Scheduler Job Collections Contributor](./built-in-roles/integration.md#scheduler-job-collections-contributor) | Lets you manage Scheduler job collections, but not access to them. | 188a0f2f-5c9e-469b-ae67-2aa5ce574b94 | +> | <a name='services-hub-operator'></a>[Services Hub Operator](./built-in-roles/integration.md#services-hub-operator) | Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors. | 82200a5b-e217-47a5-b665-6d8765ee745b | -[Learn more](/azure/databox/data-box-logs) +## Identity > [!div class="mx-tableFixed"]-> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Databox](resource-provider-operations.md#microsoftdatabox)/* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage everything under Data Box Service except giving access to others.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5", - "name": "add466c9-e687-43fc-8d98-dfcf8d720be5", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.Databox/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Data Box Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Data Box Reader --Lets you manage Data Box Service except creating order or editing order details and giving access to others. 
+> | Built-in role | Description | ID | +> | | | | +> | <a name='domain-services-contributor'></a>[Domain Services Contributor](./built-in-roles/identity.md#domain-services-contributor) | Can manage Azure AD Domain Services and related network configurations | eeaeda52-9324-47f6-8069-5d5bade478b2 | +> | <a name='domain-services-reader'></a>[Domain Services Reader](./built-in-roles/identity.md#domain-services-reader) | Can view Azure AD Domain Services and related network configurations | 361898ef-9ed1-48c2-849c-a832951106bb | +> | <a name='managed-identity-contributor'></a>[Managed Identity Contributor](./built-in-roles/identity.md#managed-identity-contributor) | Create, Read, Update, and Delete User Assigned Identity | e40ec5ca-96e0-45a2-b4ff-59039f2c2b59 | +> | <a name='managed-identity-operator'></a>[Managed Identity Operator](./built-in-roles/identity.md#managed-identity-operator) | Read and Assign User Assigned Identity | f1a07417-d97a-45cb-824c-7a7467783830 | -[Learn more](/azure/databox/data-box-logs) +## Security > [!div class="mx-tableFixed"]-> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Databox](resource-provider-operations.md#microsoftdatabox)/*/read | | -> | [Microsoft.Databox](resource-provider-operations.md#microsoftdatabox)/jobs/listsecrets/action | | -> | [Microsoft.Databox](resource-provider-operations.md#microsoftdatabox)/jobs/listcredentials/action | Lists the unencrypted credentials related to the order. | -> | [Microsoft.Databox](resource-provider-operations.md#microsoftdatabox)/locations/availableSkus/action | This method returns the list of available skus. | -> | [Microsoft.Databox](resource-provider-operations.md#microsoftdatabox)/locations/validateInputs/action | This method does all type of validations. 
| -> | [Microsoft.Databox](resource-provider-operations.md#microsoftdatabox)/locations/regionConfiguration/action | This method returns the configurations for the region. | -> | [Microsoft.Databox](resource-provider-operations.md#microsoftdatabox)/locations/validateAddress/action | Validates the shipping address and provides alternate addresses if any. | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage Data Box Service except creating order or editing order details and giving access to others.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027", - "name": "028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Databox/*/read", - "Microsoft.Databox/jobs/listsecrets/action", - "Microsoft.Databox/jobs/listcredentials/action", - "Microsoft.Databox/locations/availableSkus/action", - "Microsoft.Databox/locations/validateInputs/action", - "Microsoft.Databox/locations/regionConfiguration/action", - "Microsoft.Databox/locations/validateAddress/action", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Data Box Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Data Lake Analytics Developer --Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. 
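Review bot: the removed Data Box Reader definition in the `-` lines just above (`Microsoft.Databox/jobs/listsecrets/action` and `Microsoft.Databox/jobs/listcredentials/action`, described as "Lists the unencrypted credentials related to the order") is the only place this page shows that a role named "Reader" can retrieve order credentials, and the one-line description that survives in the new summary tables ("Lets you manage Data Box Service except creating order or editing order details and giving access to others") does not convey that. Before merging, confirm that the per-category page each new row links to (`./built-in-roles/<category>.md#<role>`) carries the full Actions table and JSON for every role whose detail section is deleted here, and consider mentioning credential access in the Data Box Reader description. Related: the Defender for Storage Data Scanner, Elastic SAN Owner, Elastic SAN Reader and Data Lake Analytics Developer sections removed further down in this hunk do not appear in any of the Identity, Security, DevOps, Monitor or Management and governance tables that are added in the same region, so check that each landed in another category table rather than being dropped. Minor: the five Microsoft Sentinel rows in the Security table repeat the role name as the description, and Azure Connected Machine Resource Manager is described as a "Custom Role" inside a built-in role table; both read as placeholders and could be given real one-line descriptions of what the role grants.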
+> | Built-in role | Description | ID | +> | | | | +> | <a name='app-compliance-automation-administrator'></a>[App Compliance Automation Administrator](./built-in-roles/security.md#app-compliance-automation-administrator) | Create, read, download, modify and delete reports objects and related other resource objects. | 0f37683f-2463-46b6-9ce7-9b788b988ba2 | +> | <a name='app-compliance-automation-reader'></a>[App Compliance Automation Reader](./built-in-roles/security.md#app-compliance-automation-reader) | Read, download the reports objects and related other resource objects. | ffc6bbe0-e443-4c3b-bf54-26581bb2f78e | +> | <a name='attestation-contributor'></a>[Attestation Contributor](./built-in-roles/security.md#attestation-contributor) | Can read write or delete the attestation provider instance | bbf86eb8-f7b4-4cce-96e4-18cddf81d86e | +> | <a name='attestation-reader'></a>[Attestation Reader](./built-in-roles/security.md#attestation-reader) | Can read the attestation provider properties | fd1bd22b-8476-40bc-a0bc-69b95687b9f3 | +> | <a name='key-vault-administrator'></a>[Key Vault Administrator](./built-in-roles/security.md#key-vault-administrator) | Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. | 00482a5a-887f-4fb3-b363-3b7fe8e74483 | +> | <a name='key-vault-certificate-user'></a>[Key Vault Certificate User](./built-in-roles/security.md#key-vault-certificate-user) | Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | db79e9a7-68ee-4b58-9aeb-b90e7c24fcba | +> | <a name='key-vault-certificates-officer'></a>[Key Vault Certificates Officer](./built-in-roles/security.md#key-vault-certificates-officer) | Perform any action on the certificates of a key vault, except manage permissions. 
Only works for key vaults that use the 'Azure role-based access control' permission model. | a4417e6f-fecd-4de8-b567-7b0420556985 | +> | <a name='key-vault-contributor'></a>[Key Vault Contributor](./built-in-roles/security.md#key-vault-contributor) | Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates. | f25e0fa2-a7c8-4377-a976-54943a77a395 | +> | <a name='key-vault-crypto-officer'></a>[Key Vault Crypto Officer](./built-in-roles/security.md#key-vault-crypto-officer) | Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | 14b46e9e-c2b7-41b4-b07b-48a6ebf60603 | +> | <a name='key-vault-crypto-service-encryption-user'></a>[Key Vault Crypto Service Encryption User](./built-in-roles/security.md#key-vault-crypto-service-encryption-user) | Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. | e147488a-f6f5-4113-8e2d-b22465e65bf6 | +> | <a name='key-vault-crypto-service-release-user'></a>[Key Vault Crypto Service Release User](./built-in-roles/security.md#key-vault-crypto-service-release-user) | Release keys. Only works for key vaults that use the 'Azure role-based access control' permission model. | 08bbd89e-9f13-488c-ac41-acfcb10c90ab | +> | <a name='key-vault-crypto-user'></a>[Key Vault Crypto User](./built-in-roles/security.md#key-vault-crypto-user) | Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. 
| 12338af0-0e69-4776-bea7-57ae8d297424 | +> | <a name='key-vault-data-access-administrator'></a>[Key Vault Data Access Administrator](./built-in-roles/security.md#key-vault-data-access-administrator) | Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments. | 8b54135c-b56d-4d72-a534-26097cfdc8d8 | +> | <a name='key-vault-reader'></a>[Key Vault Reader](./built-in-roles/security.md#key-vault-reader) | Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. | 21090545-7ca7-4776-b22c-e363652d74d2 | +> | <a name='key-vault-secrets-officer'></a>[Key Vault Secrets Officer](./built-in-roles/security.md#key-vault-secrets-officer) | Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | b86a8fe4-44ce-4948-aee5-eccb2c155cd7 | +> | <a name='key-vault-secrets-user'></a>[Key Vault Secrets User](./built-in-roles/security.md#key-vault-secrets-user) | Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | 4633458b-17de-408a-b874-0445c86b69e6 | +> | <a name='managed-hsm-contributor'></a>[Managed HSM contributor](./built-in-roles/security.md#managed-hsm-contributor) | Lets you manage managed HSM pools, but not access to them. 
| 18500a29-7fe2-46b2-a342-b16a415e101d | +> | <a name='microsoft-sentinel-automation-contributor'></a>[Microsoft Sentinel Automation Contributor](./built-in-roles/security.md#microsoft-sentinel-automation-contributor) | Microsoft Sentinel Automation Contributor | f4c81013-99ee-4d62-a7ee-b3f1f648599a | +> | <a name='microsoft-sentinel-contributor'></a>[Microsoft Sentinel Contributor](./built-in-roles/security.md#microsoft-sentinel-contributor) | Microsoft Sentinel Contributor | ab8e14d6-4a74-4a29-9ba8-549422addade | +> | <a name='microsoft-sentinel-playbook-operator'></a>[Microsoft Sentinel Playbook Operator](./built-in-roles/security.md#microsoft-sentinel-playbook-operator) | Microsoft Sentinel Playbook Operator | 51d6186e-6489-4900-b93f-92e23144cca5 | +> | <a name='microsoft-sentinel-reader'></a>[Microsoft Sentinel Reader](./built-in-roles/security.md#microsoft-sentinel-reader) | Microsoft Sentinel Reader | 8d289c81-5878-46d4-8554-54e1e3d8b5cb | +> | <a name='microsoft-sentinel-responder'></a>[Microsoft Sentinel Responder](./built-in-roles/security.md#microsoft-sentinel-responder) | Microsoft Sentinel Responder | 3e150937-b8fe-4cfb-8069-0eaf05ecd056 | +> | <a name='security-admin'></a>[Security Admin](./built-in-roles/security.md#security-admin) | View and update permissions for Microsoft Defender for Cloud. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations.<br><br>For Microsoft Defender for IoT, see [Azure user roles for OT and Enterprise IoT monitoring](/azure/defender-for-iot/organizations/roles-azure). 
| fb1c8493-542b-48eb-b624-b4c8fea62acd | +> | <a name='security-assessment-contributor'></a>[Security Assessment Contributor](./built-in-roles/security.md#security-assessment-contributor) | Lets you push assessments to Microsoft Defender for Cloud | 612c2aa1-cb24-443b-ac28-3ab7272de6f5 | +> | <a name='security-manager-legacy'></a>[Security Manager (Legacy)](./built-in-roles/security.md#security-manager-legacy) | This is a legacy role. Please use Security Admin instead. | e3d13bf0-dd5a-482e-ba6b-9b8433878d10 | +> | <a name='security-reader'></a>[Security Reader](./built-in-roles/security.md#security-reader) | View permissions for Microsoft Defender for Cloud. Can view recommendations, alerts, a security policy, and security states, but cannot make changes.<br><br>For Microsoft Defender for IoT, see [Azure user roles for OT and Enterprise IoT monitoring](/azure/defender-for-iot/organizations/roles-azure). | 39bc4728-0917-49c7-9d2c-d95423bc2eb4 | -[Learn more](/azure/data-lake-analytics/data-lake-analytics-manage-use-portal) +## DevOps > [!div class="mx-tableFixed"]-> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | Microsoft.BigAnalytics/accounts/* | | -> | [Microsoft.DataLakeAnalytics](resource-provider-operations.md#microsoftdatalakeanalytics)/accounts/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | Microsoft.BigAnalytics/accounts/Delete | | -> | Microsoft.BigAnalytics/accounts/TakeOwnership/action | | -> | Microsoft.BigAnalytics/accounts/Write | | -> | [Microsoft.DataLakeAnalytics](resource-provider-operations.md#microsoftdatalakeanalytics)/accounts/Delete | Delete a DataLakeAnalytics account. | -> | [Microsoft.DataLakeAnalytics](resource-provider-operations.md#microsoftdatalakeanalytics)/accounts/TakeOwnership/action | Grant permissions to cancel jobs submitted by other users. | -> | [Microsoft.DataLakeAnalytics](resource-provider-operations.md#microsoftdatalakeanalytics)/accounts/Write | Create or update a DataLakeAnalytics account. | -> | [Microsoft.DataLakeAnalytics](resource-provider-operations.md#microsoftdatalakeanalytics)/accounts/dataLakeStoreAccounts/Write | Create or update a linked DataLakeStore account of a DataLakeAnalytics account. | -> | [Microsoft.DataLakeAnalytics](resource-provider-operations.md#microsoftdatalakeanalytics)/accounts/dataLakeStoreAccounts/Delete | Unlink a DataLakeStore account from a DataLakeAnalytics account. | -> | [Microsoft.DataLakeAnalytics](resource-provider-operations.md#microsoftdatalakeanalytics)/accounts/storageAccounts/Write | Create or update a linked Storage account of a DataLakeAnalytics account. | -> | [Microsoft.DataLakeAnalytics](resource-provider-operations.md#microsoftdatalakeanalytics)/accounts/storageAccounts/Delete | Unlink a Storage account from a DataLakeAnalytics account. | -> | [Microsoft.DataLakeAnalytics](resource-provider-operations.md#microsoftdatalakeanalytics)/accounts/firewallRules/Write | Create or update a firewall rule. | -> | [Microsoft.DataLakeAnalytics](resource-provider-operations.md#microsoftdatalakeanalytics)/accounts/firewallRules/Delete | Delete a firewall rule. 
| -> | [Microsoft.DataLakeAnalytics](resource-provider-operations.md#microsoftdatalakeanalytics)/accounts/computePolicies/Write | Create or update a compute policy. | -> | [Microsoft.DataLakeAnalytics](resource-provider-operations.md#microsoftdatalakeanalytics)/accounts/computePolicies/Delete | Delete a compute policy. | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88", - "name": "47b7735b-770e-4598-a7da-8b91488b4c88", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.BigAnalytics/accounts/*", - "Microsoft.DataLakeAnalytics/accounts/*", - "Microsoft.Insights/alertRules/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [ - "Microsoft.BigAnalytics/accounts/Delete", - "Microsoft.BigAnalytics/accounts/TakeOwnership/action", - "Microsoft.BigAnalytics/accounts/Write", - "Microsoft.DataLakeAnalytics/accounts/Delete", - "Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action", - "Microsoft.DataLakeAnalytics/accounts/Write", - "Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write", - "Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete", - "Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write", - "Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete", - "Microsoft.DataLakeAnalytics/accounts/firewallRules/Write", - "Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete", - "Microsoft.DataLakeAnalytics/accounts/computePolicies/Write", - "Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete" - ], - "dataActions": [], - "notDataActions": 
[] - } - ], - "roleName": "Data Lake Analytics Developer", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Defender for Storage Data Scanner +> | Built-in role | Description | ID | +> | | | | +> | <a name='devtest-labs-user'></a>[DevTest Labs User](./built-in-roles/devops.md#devtest-labs-user) | Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. | 76283e04-6283-4c54-8f91-bcf1374a3c64 | +> | <a name='lab-assistant'></a>[Lab Assistant](./built-in-roles/devops.md#lab-assistant) | Enables you to view an existing lab, perform actions on the lab VMs and send invitations to the lab. | ce40b423-cede-4313-a93f-9b28290b72e1 | +> | <a name='lab-contributor'></a>[Lab Contributor](./built-in-roles/devops.md#lab-contributor) | Applied at lab level, enables you to manage the lab. Applied at a resource group, enables you to create and manage labs. | 5daaa2af-1fe8-407c-9122-bba179798270 | +> | <a name='lab-creator'></a>[Lab Creator](./built-in-roles/devops.md#lab-creator) | Lets you create new labs under your Azure Lab Accounts. | b97fb8bc-a8b2-4522-a38b-dd33c7e65ead | +> | <a name='lab-operator'></a>[Lab Operator](./built-in-roles/devops.md#lab-operator) | Gives you limited ability to manage existing labs. | a36e6959-b6be-4b12-8e9f-ef4b474d304d | +> | <a name='lab-services-contributor'></a>[Lab Services Contributor](./built-in-roles/devops.md#lab-services-contributor) | Enables you to fully control all Lab Services scenarios in the resource group. | f69b8690-cc87-41d6-b77a-a4bc3c0a966f | +> | <a name='lab-services-reader'></a>[Lab Services Reader](./built-in-roles/devops.md#lab-services-reader) | Enables you to view, but not change, all lab plans and lab resources. | 2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc | +> | <a name='load-test-contributor'></a>[Load Test Contributor](./built-in-roles/devops.md#load-test-contributor) | View, create, update, delete and execute load tests. 
View and list load test resources but can not make any changes. | 749a398d-560b-491b-bb21-08924219302e | +> | <a name='load-test-owner'></a>[Load Test Owner](./built-in-roles/devops.md#load-test-owner) | Execute all operations on load test resources and load tests | 45bb0b16-2f0c-4e78-afaa-a07599b003f6 | +> | <a name='load-test-reader'></a>[Load Test Reader](./built-in-roles/devops.md#load-test-reader) | View and list all load tests and load test resources but can not make any changes | 3ae3fb29-0000-4ccd-bf80-542e7b26e081 | -Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage. +## Monitor > [!div class="mx-tableFixed"]-> | Actions | Description | -> | | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/read | Returns list of containers | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/tags/write | Returns the result of writing blob tags | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/tags/read | Returns the result of reading blob tags | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Grants access to read blobs and update index tags. 
This role is used by the data scanner of Defender for Storage.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40", - "name": "1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40", - "permissions": [ - { - "actions": [ - "Microsoft.Storage/storageAccounts/blobServices/containers/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write", - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read" - ], - "notDataActions": [] - } - ], - "roleName": "Defender for Storage Data Scanner", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Elastic SAN Owner +> | Built-in role | Description | ID | +> | | | | +> | <a name='application-insights-component-contributor'></a>[Application Insights Component Contributor](./built-in-roles/monitor.md#application-insights-component-contributor) | Can manage Application Insights components | ae349356-3a1b-4a5e-921d-050484c6347e | +> | <a name='application-insights-snapshot-debugger'></a>[Application Insights Snapshot Debugger](./built-in-roles/monitor.md#application-insights-snapshot-debugger) | Gives user permission to view and download debug snapshots collected with the Application Insights Snapshot Debugger. Note that these permissions are not included in the [Owner](/azure/role-based-access-control/built-in-roles#owner) or [Contributor](/azure/role-based-access-control/built-in-roles#contributor) roles. When giving users the Application Insights Snapshot Debugger role, you must grant the role directly to the user. The role is not recognized when it is added to a custom role. 
| 08954f03-6346-4c2e-81c0-ec3a5cfae23b | +> | <a name='grafana-admin'></a>[Grafana Admin](./built-in-roles/monitor.md#grafana-admin) | Perform all Grafana operations, including the ability to manage data sources, create dashboards, and manage role assignments within Grafana. | 22926164-76b3-42b3-bc55-97df8dab3e41 | +> | <a name='grafana-editor'></a>[Grafana Editor](./built-in-roles/monitor.md#grafana-editor) | View and edit a Grafana instance, including its dashboards and alerts. | a79a5197-3a5c-4973-a920-486035ffd60f | +> | <a name='grafana-viewer'></a>[Grafana Viewer](./built-in-roles/monitor.md#grafana-viewer) | View a Grafana instance, including its dashboards and alerts. | 60921a7e-fef1-4a43-9b16-a26c52ad4769 | +> | <a name='monitoring-contributor'></a>[Monitoring Contributor](./built-in-roles/monitor.md#monitoring-contributor) | Can read all monitoring data and edit monitoring settings. See also [Get started with roles, permissions, and security with Azure Monitor](/azure/azure-monitor/roles-permissions-security#built-in-monitoring-roles). | 749f88d5-cbae-40b8-bcfc-e573ddc772fa | +> | <a name='monitoring-metrics-publisher'></a>[Monitoring Metrics Publisher](./built-in-roles/monitor.md#monitoring-metrics-publisher) | Enables publishing metrics against Azure resources | 3913510d-42f4-4e42-8a64-420c390055eb | +> | <a name='monitoring-reader'></a>[Monitoring Reader](./built-in-roles/monitor.md#monitoring-reader) | Can read all monitoring data (metrics, logs, etc.). See also [Get started with roles, permissions, and security with Azure Monitor](/azure/azure-monitor/roles-permissions-security#built-in-monitoring-roles). | 43d0d8ad-25c7-4714-9337-8ba259a9fe05 | +> | <a name='workbook-contributor'></a>[Workbook Contributor](./built-in-roles/monitor.md#workbook-contributor) | Can save shared workbooks. | e8ddcd69-c73f-4f9f-9844-4100522f16ad | +> | <a name='workbook-reader'></a>[Workbook Reader](./built-in-roles/monitor.md#workbook-reader) | Can read workbooks. 
| b279062a-9be3-42a0-92ae-8b3cf002ec4d | -Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access +## Management and governance > [!div class="mx-tableFixed"]-> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.ElasticSan](resource-provider-operations.md#microsoftelasticsan)/elasticSans/* | | -> | [Microsoft.ElasticSan](resource-provider-operations.md#microsoftelasticsan)/locations/* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access", - "id": "/providers/Microsoft.Authorization/roleDefinitions/80dcbedb-47ef-405d-95bd-188a1b4ac406", - "name": "80dcbedb-47ef-405d-95bd-188a1b4ac406", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.ElasticSan/elasticSans/*", - "Microsoft.ElasticSan/locations/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Elastic SAN Owner", - "roleType": "BuiltInRole", - 
"type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Elastic SAN Reader --Allows for control path read access to Azure Elastic SAN +> | Built-in role | Description | ID | +> | | | | +> | <a name='automation-contributor'></a>[Automation Contributor](./built-in-roles/management-and-governance.md#automation-contributor) | Manage Azure Automation resources and other resources using Azure Automation. | f353d9bd-d4a6-484e-a77a-8050b599b867 | +> | <a name='automation-job-operator'></a>[Automation Job Operator](./built-in-roles/management-and-governance.md#automation-job-operator) | Create and Manage Jobs using Automation Runbooks. | 4fe576fe-1146-4730-92eb-48519fa6bf9f | +> | <a name='automation-operator'></a>[Automation Operator](./built-in-roles/management-and-governance.md#automation-operator) | Automation Operators are able to start, stop, suspend, and resume jobs | d3881f73-407a-4167-8283-e981cbba0404 | +> | <a name='automation-runbook-operator'></a>[Automation Runbook Operator](./built-in-roles/management-and-governance.md#automation-runbook-operator) | Read Runbook properties - to be able to create Jobs of the runbook. | 5fb5aef8-1081-4b8e-bb16-9d5d0385bab5 | +> | <a name='azure-connected-machine-onboarding'></a>[Azure Connected Machine Onboarding](./built-in-roles/management-and-governance.md#azure-connected-machine-onboarding) | Can onboard Azure Connected Machines. | b64e21ea-ac4e-4cdf-9dc9-5b892992bee7 | +> | <a name='azure-connected-machine-resource-administrator'></a>[Azure Connected Machine Resource Administrator](./built-in-roles/management-and-governance.md#azure-connected-machine-resource-administrator) | Can read, write, delete and re-onboard Azure Connected Machines. 
| cd570a14-e51a-42ad-bac8-bafd67325302 | +> | <a name='azure-connected-machine-resource-manager'></a>[Azure Connected Machine Resource Manager](./built-in-roles/management-and-governance.md#azure-connected-machine-resource-manager) | Custom Role for AzureStackHCI RP to manage hybrid compute machines and hybrid connectivity endpoints in a resource group | f5819b54-e033-4d82-ac66-4fec3cbf3f4c | +> | <a name='azure-resource-bridge-deployment-role'></a>[Azure Resource Bridge Deployment Role](./built-in-roles/management-and-governance.md#azure-resource-bridge-deployment-role) | Azure Resource Bridge Deployment Role | 7b1f81f9-4196-4058-8aae-762e593270df | +> | <a name='billing-reader'></a>[Billing Reader](./built-in-roles/management-and-governance.md#billing-reader) | Allows read access to billing data | fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64 | +> | <a name='blueprint-contributor'></a>[Blueprint Contributor](./built-in-roles/management-and-governance.md#blueprint-contributor) | Can manage blueprint definitions, but not assign them. | 41077137-e803-4205-871c-5a86e6a753b4 | +> | <a name='blueprint-operator'></a>[Blueprint Operator](./built-in-roles/management-and-governance.md#blueprint-operator) | Can assign existing published blueprints, but cannot create new blueprints. Note that this only works if the assignment is done with a user-assigned managed identity. | 437d2ced-4a38-4302-8479-ed2bcb43d090 | +> | <a name='cost-management-contributor'></a>[Cost Management Contributor](./built-in-roles/management-and-governance.md#cost-management-contributor) | Can view costs and manage cost configuration (e.g. budgets, exports) | 434105ed-43f6-45c7-a02f-909b2ba83430 | +> | <a name='cost-management-reader'></a>[Cost Management Reader](./built-in-roles/management-and-governance.md#cost-management-reader) | Can view cost data and configuration (e.g. 
budgets, exports) | 72fafb9e-0641-4937-9268-a91bfd8191a3 | +> | <a name='hierarchy-settings-administrator'></a>[Hierarchy Settings Administrator](./built-in-roles/management-and-governance.md#hierarchy-settings-administrator) | Allows users to edit and delete Hierarchy Settings | 350f8d15-c687-4448-8ae1-157740a3936d | +> | <a name='managed-application-contributor-role'></a>[Managed Application Contributor Role](./built-in-roles/management-and-governance.md#managed-application-contributor-role) | Allows for creating managed application resources. | 641177b8-a67a-45b9-a033-47bc880bb21e | +> | <a name='managed-application-operator-role'></a>[Managed Application Operator Role](./built-in-roles/management-and-governance.md#managed-application-operator-role) | Lets you read and perform actions on Managed Application resources | c7393b34-138c-406f-901b-d8cf2b17e6ae | +> | <a name='managed-applications-reader'></a>[Managed Applications Reader](./built-in-roles/management-and-governance.md#managed-applications-reader) | Lets you read resources in a managed app and request JIT access. | b9331d33-8a36-4f8c-b097-4f54124fdb44 | +> | <a name='managed-services-registration-assignment-delete-role'></a>[Managed Services Registration assignment Delete Role](./built-in-roles/management-and-governance.md#managed-services-registration-assignment-delete-role) | Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant. 
| 91c1777a-f3dc-4fae-b103-61d183457e46 | +> | <a name='management-group-contributor'></a>[Management Group Contributor](./built-in-roles/management-and-governance.md#management-group-contributor) | Management Group Contributor Role | 5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c | +> | <a name='management-group-reader'></a>[Management Group Reader](./built-in-roles/management-and-governance.md#management-group-reader) | Management Group Reader Role | ac63b705-f282-497d-ac71-919bf39d939d | +> | <a name='new-relic-apm-account-contributor'></a>[New Relic APM Account Contributor](./built-in-roles/management-and-governance.md#new-relic-apm-account-contributor) | Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. | 5d28c62d-5b37-4476-8438-e587778df237 | +> | <a name='policy-insights-data-writer-preview'></a>[Policy Insights Data Writer (Preview)](./built-in-roles/management-and-governance.md#policy-insights-data-writer-preview) | Allows read access to resource policies and write access to resource component policy events. | 66bb4e9e-b016-4a94-8249-4c0511c2be84 | +> | <a name='quota-request-operator'></a>[Quota Request Operator](./built-in-roles/management-and-governance.md#quota-request-operator) | Read and create quota requests, get quota request status, and create support tickets. | 0e5f05e5-9ab9-446b-b98d-1e2157c94125 | +> | <a name='reservation-purchaser'></a>[Reservation Purchaser](./built-in-roles/management-and-governance.md#reservation-purchaser) | Lets you purchase reservations | f7b75c60-3036-4b75-91c3-6b41c27c1689 | +> | <a name='resource-policy-contributor'></a>[Resource Policy Contributor](./built-in-roles/management-and-governance.md#resource-policy-contributor) | Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy. 
| 36243c78-bf99-498c-9df9-86d9f8d28608 | +> | <a name='site-recovery-contributor'></a>[Site Recovery Contributor](./built-in-roles/management-and-governance.md#site-recovery-contributor) | Lets you manage Site Recovery service except vault creation and role assignment | 6670b86e-a3f7-4917-ac9b-5d6ab1be4567 | +> | <a name='site-recovery-operator'></a>[Site Recovery Operator](./built-in-roles/management-and-governance.md#site-recovery-operator) | Lets you failover and failback but not perform other Site Recovery management operations | 494ae006-db33-4328-bf46-533a6560a3ca | +> | <a name='site-recovery-reader'></a>[Site Recovery Reader](./built-in-roles/management-and-governance.md#site-recovery-reader) | Lets you view Site Recovery status but not perform other management operations | dbaa88c4-0c30-4179-9fb3-46319faa6149 | +> | <a name='support-request-contributor'></a>[Support Request Contributor](./built-in-roles/management-and-governance.md#support-request-contributor) | Lets you create and manage Support requests | cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e | +> | <a name='tag-contributor'></a>[Tag Contributor](./built-in-roles/management-and-governance.md#tag-contributor) | Lets you manage tags on entities, without providing access to the entities themselves. | 4a9ae827-6dc8-4573-8ac7-8239d42aa03f | +> | <a name='template-spec-contributor'></a>[Template Spec Contributor](./built-in-roles/management-and-governance.md#template-spec-contributor) | Allows full access to Template Spec operations at the assigned scope. | 1c9b6475-caf0-4164-b5a1-2142a7116f4b | +> | <a name='template-spec-reader'></a>[Template Spec Reader](./built-in-roles/management-and-governance.md#template-spec-reader) | Allows read access to Template Specs at the assigned scope. 
| 392ae280-861d-42bd-9ea5-08ee6d83b80e | ++## Hybrid + multicloud > [!div class="mx-tableFixed"]-> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.ElasticSan](resource-provider-operations.md#microsoftelasticsan)/elasticSans/*/read | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for control path read access to Azure Elastic SAN", - "id": "/providers/Microsoft.Authorization/roleDefinitions/af6a70f8-3c9f-4105-acf1-d719e9fca4ca", - "name": "af6a70f8-3c9f-4105-acf1-d719e9fca4ca", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/roleAssignments/read", - "Microsoft.Authorization/roleDefinitions/read", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.ElasticSan/elasticSans/*/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Elastic SAN Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Elastic SAN Volume Group Owner --Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access --> [!div class="mx-tableFixed"] -> | 
Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. | -> | [Microsoft.ElasticSan](resource-provider-operations.md#microsoftelasticsan)/elasticSans/volumeGroups/* | | -> | [Microsoft.ElasticSan](resource-provider-operations.md#microsoftelasticsan)/locations/asyncoperations/read | Polls the status of an asynchronous operation. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access", - "id": "/providers/Microsoft.Authorization/roleDefinitions/a8281131-f312-4f34-8d98-ae12be9f0d23", - "name": "a8281131-f312-4f34-8d98-ae12be9f0d23", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/roleAssignments/read", - "Microsoft.Authorization/roleDefinitions/read", - "Microsoft.ElasticSan/elasticSans/volumeGroups/*", - "Microsoft.ElasticSan/locations/asyncoperations/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Elastic SAN Volume Group Owner", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Reader and Data Access --Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/ListAccountSas/action | Returns the Account SAS token for the specified storage account. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349", - "name": "c12c1c16-33a1-487b-954d-41c89c60f349", - "permissions": [ - { - "actions": [ - "Microsoft.Storage/storageAccounts/listKeys/action", - "Microsoft.Storage/storageAccounts/ListAccountSas/action", - "Microsoft.Storage/storageAccounts/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Reader and Data Access", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Storage Account Backup Contributor --Lets you perform backup and restore operations using Azure Backup on the storage account. 
--[Learn more](/azure/backup/blob-backup-configure-manage) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/locks/read | Gets locks at the specified scope. | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/locks/write | Add locks at the specified scope. | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/locks/delete | Delete locks at the specified scope. | -> | [Microsoft.Features](resource-provider-operations.md#microsoftfeatures)/features/read | Gets the features of a subscription. | -> | [Microsoft.Features](resource-provider-operations.md#microsoftfeatures)/providers/features/read | Gets the feature of a subscription in a given resource provider. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/operations/read | Polls the status of an asynchronous operation. 
| -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/objectReplicationPolicies/delete | Delete object replication policy | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/objectReplicationPolicies/read | List object replication policies | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/objectReplicationPolicies/write | Create or update object replication policy | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/objectReplicationPolicies/restorePointMarkers/write | Create object replication restore point marker | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/read | Returns list of containers | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/write | Returns the result of put blob container | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/read | Returns blob service properties or statistics | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/write | Returns the result of put blob service properties | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. 
| -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/restoreBlobRanges/action | Restore blob ranges to the state of the specified time | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you perform backup and restore operations using Azure Backup on the storage account.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1", - "name": "e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Authorization/locks/read", - "Microsoft.Authorization/locks/write", - "Microsoft.Authorization/locks/delete", - "Microsoft.Features/features/read", - "Microsoft.Features/providers/features/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Storage/operations/read", - "Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete", - "Microsoft.Storage/storageAccounts/objectReplicationPolicies/read", - "Microsoft.Storage/storageAccounts/objectReplicationPolicies/write", - "Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write", - "Microsoft.Storage/storageAccounts/blobServices/containers/read", - "Microsoft.Storage/storageAccounts/blobServices/containers/write", - "Microsoft.Storage/storageAccounts/blobServices/read", - "Microsoft.Storage/storageAccounts/blobServices/write", - "Microsoft.Storage/storageAccounts/read", - "Microsoft.Storage/storageAccounts/restoreBlobRanges/action" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Storage Account Backup Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Storage Account Contributor --Permits management of storage accounts. 
Provides access to the account key, which can be used to access data via Shared Key authorization. --[Learn more](/azure/storage/common/storage-auth-aad) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/* | Create and manage storage accounts | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", - "name": "17d1049b-9a84-46fb-8f53-869881c3d3ab", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Insights/diagnosticSettings/*", - "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Storage/storageAccounts/*", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Storage Account Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Storage Account Key Operator Service Role --Permits listing and regenerating storage account access keys. --[Learn more](/azure/storage/common/storage-account-keys-manage) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/listkeys/action | Returns the access keys for the specified storage account. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/regeneratekey/action | Regenerates the access keys for the specified storage account. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts", - "id": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", - "name": "81a9662b-bebf-436f-a333-f67b29880f12", - "permissions": [ - { - "actions": [ - "Microsoft.Storage/storageAccounts/listkeys/action", - "Microsoft.Storage/storageAccounts/regeneratekey/action" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Storage Account Key Operator Service Role", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Storage Blob Data Contributor --Read, write, and delete Azure Storage containers and blobs. To learn which actions are required for a given data operation, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authenticate-with-azure-active-directory#permissions-for-calling-blob-and-queue-data-operations). --[Learn more](/azure/storage/common/storage-auth-aad-rbac-portal) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/delete | Delete a container. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/read | Return a container or a list of containers. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/write | Modify a container's metadata or properties. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/delete | Delete a blob. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/read | Return a blob or a list of blobs. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/write | Write to a blob. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/move/action | Moves the blob from one path to another | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/add/action | Returns the result of adding blob content | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for read, write and delete access to Azure Storage blob containers and data", - "id": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe", - "name": "ba92f5b4-2d11-453d-a403-e96b0029c9fe", - "permissions": [ - { - "actions": [ - "Microsoft.Storage/storageAccounts/blobServices/containers/delete", - "Microsoft.Storage/storageAccounts/blobServices/containers/read", - "Microsoft.Storage/storageAccounts/blobServices/containers/write", - "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action" - ], - "notActions": [], - "dataActions": [ - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete", - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write", - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action", - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action" - ], - 
"notDataActions": [] - } - ], - "roleName": "Storage Blob Data Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Storage Blob Data Owner --Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. To learn which actions are required for a given data operation, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authenticate-with-azure-active-directory#permissions-for-calling-blob-and-queue-data-operations). --[Learn more](/azure/storage/common/storage-auth-aad-rbac-portal) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/* | Full permissions on containers. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/* | Full permissions on blobs. 
| -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b", - "name": "b7e6dc6d-f1e8-4753-8033-0f276bb0955b", - "permissions": [ - { - "actions": [ - "Microsoft.Storage/storageAccounts/blobServices/containers/*", - "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action" - ], - "notActions": [], - "dataActions": [ - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*" - ], - "notDataActions": [] - } - ], - "roleName": "Storage Blob Data Owner", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Storage Blob Data Reader --Read and list Azure Storage containers and blobs. To learn which actions are required for a given data operation, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authenticate-with-azure-active-directory#permissions-for-calling-blob-and-queue-data-operations). --[Learn more](/azure/storage/common/storage-auth-aad-rbac-portal) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/read | Return a container or a list of containers. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/read | Return a blob or a list of blobs. 
| -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for read access to Azure Storage blob containers and data", - "id": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", - "name": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", - "permissions": [ - { - "actions": [ - "Microsoft.Storage/storageAccounts/blobServices/containers/read", - "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action" - ], - "notActions": [], - "dataActions": [ - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read" - ], - "notDataActions": [] - } - ], - "roleName": "Storage Blob Data Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Storage Blob Delegator --Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Azure AD credentials. For more information, see [Create a user delegation SAS](/rest/api/storageservices/create-user-delegation-sas). --[Learn more](/rest/api/storageservices/get-user-delegation-key) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for generation of a user delegation key which can be used to sign SAS tokens", - "id": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a", - "name": "db58b8e5-c6ad-4a2a-8342-4190687cbf4a", - "permissions": [ - { - "actions": [ - "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Storage Blob Delegator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Storage File Data Privileged Contributor --Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/write | Returns the result of writing a file or creating a folder | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/delete | Returns the result of deleting a file/folder | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/modifypermissions/action | Returns the result of modifying permission on a file/folder | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileServices/readFileBackupSemantics/action | Read File Backup Sematics Privilege | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileServices/writeFileBackupSemantics/action | Write File Backup Sematics Privilege | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Customer has read, write, delete and modify NTFS permission access on Azure Storage file shares.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/69566ab7-960f-475b-8e7c-b3118f30c6bd", - "name": "69566ab7-960f-475b-8e7c-b3118f30c6bd", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read", - "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write", - "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete", - 
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action", - "Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action", - "Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action" - ], - "notDataActions": [] - } - ], - "roleName": "Storage File Data Privileged Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Storage File Data Privileged Reader --Allows for read access on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers. --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileServices/readFileBackupSemantics/action | Read File Backup Sematics Privilege | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Customer has read access on Azure Storage file shares.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/b8eda974-7b85-4f76-af95-65846b26df6d", - "name": "b8eda974-7b85-4f76-af95-65846b26df6d", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read", - "Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action" - ], - "notDataActions": [] - } - ], - "roleName": "Storage File Data Privileged Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Storage File Data SMB Share Contributor --Allows for read, write, and delete access on 
files/directories in Azure file shares. This role has no built-in equivalent on Windows file servers. --[Learn more](/azure/storage/files/storage-files-identity-auth-active-directory-enable) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/write | Returns the result of writing a file or creating a folder. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/delete | Returns the result of deleting a file/folder. | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for read, write, and delete access in Azure Storage file shares over SMB", - "id": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", - "name": "0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read", - "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write", - "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete" - ], - "notDataActions": [] - } - ], - "roleName": "Storage File Data SMB Share Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Storage File Data SMB Share Elevated Contributor --Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares. This role is equivalent to a file share ACL of change on Windows file servers. 
--[Learn more](/azure/storage/files/storage-files-identity-auth-active-directory-enable) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/write | Returns the result of writing a file or creating a folder. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/delete | Returns the result of deleting a file/folder. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/modifypermissions/action | Returns the result of modifying permission on a file/folder. | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB", - "id": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7", - "name": "a7264617-510b-434b-a828-9731dc254ea7", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read", - "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write", - "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete", - "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action" - ], - "notDataActions": [] - } - ], - "roleName": "Storage File Data SMB Share Elevated Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Storage File Data SMB Share Reader 
--Allows for read access on files/directories in Azure file shares. This role is equivalent to a file share ACL of read on Windows file servers. --[Learn more](/azure/storage/files/storage-files-identity-auth-active-directory-enable) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders. | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for read access to Azure File Share over SMB", - "id": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314", - "name": "aba4ae5f-2193-4029-9191-0cb91df5e314", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read" - ], - "notDataActions": [] - } - ], - "roleName": "Storage File Data SMB Share Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Storage Queue Data Contributor --Read, write, and delete Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authenticate-with-azure-active-directory#permissions-for-calling-blob-and-queue-data-operations). --[Learn more](/azure/storage/common/storage-auth-aad-rbac-portal) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/queueServices/queues/delete | Delete a queue. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/queueServices/queues/read | Return a queue or a list of queues. 
| -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/queueServices/queues/write | Modify queue metadata or properties. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/queueServices/queues/messages/delete | Delete one or more messages from a queue. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/queueServices/queues/messages/read | Peek or retrieve one or more messages from a queue. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/queueServices/queues/messages/write | Add a message to a queue. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/queueServices/queues/messages/process/action | Returns the result of processing a message | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for read, write, and delete access to Azure Storage queues and queue messages", - "id": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88", - "name": "974c5e8b-45b9-4653-ba55-5f855dd0fb88", - "permissions": [ - { - "actions": [ - "Microsoft.Storage/storageAccounts/queueServices/queues/delete", - "Microsoft.Storage/storageAccounts/queueServices/queues/read", - "Microsoft.Storage/storageAccounts/queueServices/queues/write" - ], - "notActions": [], - "dataActions": [ - "Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete", - "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read", - "Microsoft.Storage/storageAccounts/queueServices/queues/messages/write", - "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action" - ], - "notDataActions": [] - } - ], - "roleName": "Storage Queue Data Contributor", - "roleType": "BuiltInRole", - "type": 
"Microsoft.Authorization/roleDefinitions" -} -``` --### Storage Queue Data Message Processor --Peek, retrieve, and delete a message from an Azure Storage queue. To learn which actions are required for a given data operation, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authenticate-with-azure-active-directory#permissions-for-calling-blob-and-queue-data-operations). --[Learn more](/azure/storage/common/storage-auth-aad-rbac-portal) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/queueServices/queues/messages/read | Peek a message. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/queueServices/queues/messages/process/action | Retrieve and delete a message. | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for peek, receive, and delete access to Azure Storage queue messages", - "id": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed", - "name": "8a0f0c08-91a1-4084-bc3d-661d67233fed", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read", - "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action" - ], - "notDataActions": [] - } - ], - "roleName": "Storage Queue Data Message Processor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Storage Queue Data Message Sender --Add messages to an Azure Storage queue. 
To learn which actions are required for a given data operation, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authenticate-with-azure-active-directory#permissions-for-calling-blob-and-queue-data-operations). --[Learn more](/azure/storage/common/storage-auth-aad-rbac-portal) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/queueServices/queues/messages/add/action | Add a message to a queue. | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for sending of Azure Storage queue messages", - "id": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", - "name": "c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action" - ], - "notDataActions": [] - } - ], - "roleName": "Storage Queue Data Message Sender", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Storage Queue Data Reader --Read and list Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authenticate-with-azure-active-directory#permissions-for-calling-blob-and-queue-data-operations). --[Learn more](/azure/storage/common/storage-auth-aad-rbac-portal) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/queueServices/queues/read | Returns a queue or a list of queues. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/queueServices/queues/messages/read | Peek or retrieve one or more messages from a queue. | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for read access to Azure Storage queues and queue messages", - "id": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925", - "name": "19e7f393-937e-4f77-808e-94535e297925", - "permissions": [ - { - "actions": [ - "Microsoft.Storage/storageAccounts/queueServices/queues/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read" - ], - "notDataActions": [] - } - ], - "roleName": "Storage Queue Data Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Storage Table Data Contributor --Allows for read, write and delete access to Azure Storage tables and entities --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/tableServices/tables/read | Query tables | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/tableServices/tables/write | Create tables | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/tableServices/tables/delete | Delete tables | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/tableServices/tables/entities/read | Query table entities | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/tableServices/tables/entities/write | Insert, merge, or replace table entities | -> | 
[Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/tableServices/tables/entities/delete | Delete table entities | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/tableServices/tables/entities/add/action | Insert table entities | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/tableServices/tables/entities/update/action | Merge or update table entities | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for read, write and delete access to Azure Storage tables and entities", - "id": "/providers/Microsoft.Authorization/roleDefinitions/0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3", - "name": "0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3", - "permissions": [ - { - "actions": [ - "Microsoft.Storage/storageAccounts/tableServices/tables/read", - "Microsoft.Storage/storageAccounts/tableServices/tables/write", - "Microsoft.Storage/storageAccounts/tableServices/tables/delete" - ], - "notActions": [], - "dataActions": [ - "Microsoft.Storage/storageAccounts/tableServices/tables/entities/read", - "Microsoft.Storage/storageAccounts/tableServices/tables/entities/write", - "Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete", - "Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action", - "Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action" - ], - "notDataActions": [] - } - ], - "roleName": "Storage Table Data Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Storage Table Data Reader --Allows for read access to Azure Storage tables and entities --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/tableServices/tables/read | Query tables | -> | **NotActions** | | -> | *none* | | -> | 
**DataActions** | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/tableServices/tables/entities/read | Query table entities | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for read access to Azure Storage tables and entities", - "id": "/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6", - "name": "76199698-9eea-4c19-bc75-cec21354c6b6", - "permissions": [ - { - "actions": [ - "Microsoft.Storage/storageAccounts/tableServices/tables/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.Storage/storageAccounts/tableServices/tables/entities/read" - ], - "notDataActions": [] - } - ], - "roleName": "Storage Table Data Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --## Web ---### Azure Maps Data Contributor --Grants access to read, write, and delete access to map related data from an Azure maps account. 
--[Learn more](/azure/azure-maps/azure-maps-authentication) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Maps](resource-provider-operations.md#microsoftmaps)/accounts/*/read | | -> | [Microsoft.Maps](resource-provider-operations.md#microsoftmaps)/accounts/*/write | | -> | [Microsoft.Maps](resource-provider-operations.md#microsoftmaps)/accounts/*/delete | | -> | [Microsoft.Maps](resource-provider-operations.md#microsoftmaps)/accounts/*/action | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Grants access to read, write, and delete access to map related data from an Azure maps account.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204", - "name": "8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.Maps/accounts/*/read", - "Microsoft.Maps/accounts/*/write", - "Microsoft.Maps/accounts/*/delete", - "Microsoft.Maps/accounts/*/action" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Maps Data Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Maps Data Reader --Grants access to read map related data from an Azure maps account. 
--[Learn more](/azure/azure-maps/azure-maps-authentication) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Maps](resource-provider-operations.md#microsoftmaps)/accounts/*/read | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Grants access to read map related data from an Azure maps account.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa", - "name": "423170ca-a8f6-4b0f-8487-9e4eb8f49bfa", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.Maps/accounts/*/read" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Maps Data Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Spring Cloud Config Server Contributor --Allow read, write and delete access to Azure Spring Cloud Config Server --[Learn more](/azure/spring-apps/basic-standard/how-to-access-data-plane-azure-ad-rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.AppPlatform](resource-provider-operations.md#microsoftappplatform)/Spring/configService/read | Read the configuration content(for example, application.yaml) for a specific Azure Spring Apps service instance | -> | [Microsoft.AppPlatform](resource-provider-operations.md#microsoftappplatform)/Spring/configService/write | Write config server content for a specific Azure Spring Apps service instance | -> | [Microsoft.AppPlatform](resource-provider-operations.md#microsoftappplatform)/Spring/configService/delete | Delete config server content for a specific Azure Spring Apps service instance | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": 
"Allow read, write and delete access to Azure Spring Cloud Config Server", - "id": "/providers/Microsoft.Authorization/roleDefinitions/a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b", - "name": "a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.AppPlatform/Spring/configService/read", - "Microsoft.AppPlatform/Spring/configService/write", - "Microsoft.AppPlatform/Spring/configService/delete" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Spring Cloud Config Server Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Spring Cloud Config Server Reader --Allow read access to Azure Spring Cloud Config Server --[Learn more](/azure/spring-apps/basic-standard/how-to-access-data-plane-azure-ad-rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.AppPlatform](resource-provider-operations.md#microsoftappplatform)/Spring/configService/read | Read the configuration content(for example, application.yaml) for a specific Azure Spring Apps service instance | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allow read access to Azure Spring Cloud Config Server", - "id": "/providers/Microsoft.Authorization/roleDefinitions/d04c6db6-4947-4782-9e91-30a88feb7be7", - "name": "d04c6db6-4947-4782-9e91-30a88feb7be7", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.AppPlatform/Spring/configService/read" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Spring Cloud Config Server Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Spring Cloud Data Reader --Allow read access to Azure Spring Cloud Data --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | 
| | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.AppPlatform](resource-provider-operations.md#microsoftappplatform)/Spring/*/read | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allow read access to Azure Spring Cloud Data", - "id": "/providers/Microsoft.Authorization/roleDefinitions/b5537268-8956-4941-a8f0-646150406f0c", - "name": "b5537268-8956-4941-a8f0-646150406f0c", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.AppPlatform/Spring/*/read" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Spring Cloud Data Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Spring Cloud Service Registry Contributor --Allow read, write and delete access to Azure Spring Cloud Service Registry --[Learn more](/azure/spring-apps/basic-standard/how-to-access-data-plane-azure-ad-rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.AppPlatform](resource-provider-operations.md#microsoftappplatform)/Spring/eurekaService/read | Read the user app(s) registration information for a specific Azure Spring Apps service instance | -> | [Microsoft.AppPlatform](resource-provider-operations.md#microsoftappplatform)/Spring/eurekaService/write | Write the user app(s) registration information for a specific Azure Spring Apps service instance | -> | [Microsoft.AppPlatform](resource-provider-operations.md#microsoftappplatform)/Spring/eurekaService/delete | Delete the user app registration information for a specific Azure Spring Apps service instance | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allow read, write and delete access to Azure Spring Cloud Service Registry", - "id": 
"/providers/Microsoft.Authorization/roleDefinitions/f5880b48-c26d-48be-b172-7927bfa1c8f1", - "name": "f5880b48-c26d-48be-b172-7927bfa1c8f1", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.AppPlatform/Spring/eurekaService/read", - "Microsoft.AppPlatform/Spring/eurekaService/write", - "Microsoft.AppPlatform/Spring/eurekaService/delete" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Spring Cloud Service Registry Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Spring Cloud Service Registry Reader --Allow read access to Azure Spring Cloud Service Registry --[Learn more](/azure/spring-apps/basic-standard/how-to-access-data-plane-azure-ad-rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.AppPlatform](resource-provider-operations.md#microsoftappplatform)/Spring/eurekaService/read | Read the user app(s) registration information for a specific Azure Spring Apps service instance | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allow read access to Azure Spring Cloud Service Registry", - "id": "/providers/Microsoft.Authorization/roleDefinitions/cff1b556-2399-4e7e-856d-a8f754be7b65", - "name": "cff1b556-2399-4e7e-856d-a8f754be7b65", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.AppPlatform/Spring/eurekaService/read" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Spring Cloud Service Registry Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Media Services Account Administrator --Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metrics/read | Read metrics | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricDefinitions/read | Read metric definitions | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/*/read | | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/assets/listStreamingLocators/action | List Streaming Locators for Asset | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/streamingLocators/listPaths/action | List Paths | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/write | Create or Update any Media Services Account | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/delete | Delete any Media Services Account | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/privateEndpointConnectionsApproval/action | Approve Private Endpoint Connections | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/privateEndpointConnections/* | | -> | 
**NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/054126f8-9a2b-4f1c-a9ad-eca461f08466", - "name": "054126f8-9a2b-4f1c-a9ad-eca461f08466", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Insights/metrics/read", - "Microsoft.Insights/metricDefinitions/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Media/mediaservices/*/read", - "Microsoft.Media/mediaservices/assets/listStreamingLocators/action", - "Microsoft.Media/mediaservices/streamingLocators/listPaths/action", - "Microsoft.Media/mediaservices/write", - "Microsoft.Media/mediaservices/delete", - "Microsoft.Media/mediaservices/privateEndpointConnectionsApproval/action", - "Microsoft.Media/mediaservices/privateEndpointConnections/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Media Services Account Administrator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Media Services Live Events Administrator --Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metrics/read | Read metrics | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricDefinitions/read | Read metric definitions | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/*/read | | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/assets/* | | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/assets/assetfilters/* | | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/streamingLocators/* | | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/liveEvents/* | | -> | **NotActions** | | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/assets/getEncryptionKey/action | Get Asset Encryption Key | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/streamingLocators/listContentKeys/action | List Content Keys | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" 
- ], - "description": "Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/532bc159-b25e-42c0-969e-a1d439f60d77", - "name": "532bc159-b25e-42c0-969e-a1d439f60d77", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Insights/metrics/read", - "Microsoft.Insights/metricDefinitions/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Media/mediaservices/*/read", - "Microsoft.Media/mediaservices/assets/*", - "Microsoft.Media/mediaservices/assets/assetfilters/*", - "Microsoft.Media/mediaservices/streamingLocators/*", - "Microsoft.Media/mediaservices/liveEvents/*" - ], - "notActions": [ - "Microsoft.Media/mediaservices/assets/getEncryptionKey/action", - "Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action" - ], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Media Services Live Events Administrator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Media Services Media Operator --Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metrics/read | Read metrics | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricDefinitions/read | Read metric definitions | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/*/read | | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/assets/* | | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/assets/assetfilters/* | | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/streamingLocators/* | | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/transforms/jobs/* | | -> | **NotActions** | | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/assets/getEncryptionKey/action | Get Asset Encryption Key | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/streamingLocators/listContentKeys/action | List Content Keys | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - 
"/" - ], - "description": "Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/e4395492-1534-4db2-bedf-88c14621589c", - "name": "e4395492-1534-4db2-bedf-88c14621589c", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Insights/metrics/read", - "Microsoft.Insights/metricDefinitions/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Media/mediaservices/*/read", - "Microsoft.Media/mediaservices/assets/*", - "Microsoft.Media/mediaservices/assets/assetfilters/*", - "Microsoft.Media/mediaservices/streamingLocators/*", - "Microsoft.Media/mediaservices/transforms/jobs/*" - ], - "notActions": [ - "Microsoft.Media/mediaservices/assets/getEncryptionKey/action", - "Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action" - ], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Media Services Media Operator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Media Services Policy Administrator --Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets or Streaming resources. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metrics/read | Read metrics | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricDefinitions/read | Read metric definitions | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/*/read | | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/assets/listStreamingLocators/action | List Streaming Locators for Asset | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/streamingLocators/listPaths/action | List Paths | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/accountFilters/* | | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/streamingPolicies/* | | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/contentKeyPolicies/* | | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/transforms/* | | -> | **NotActions** | | -> | 
[Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action | Get Policy Properties With Secrets | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets or Streaming resources.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/c4bba371-dacd-4a26-b320-7250bca963ae", - "name": "c4bba371-dacd-4a26-b320-7250bca963ae", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Insights/metrics/read", - "Microsoft.Insights/metricDefinitions/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Media/mediaservices/*/read", - "Microsoft.Media/mediaservices/assets/listStreamingLocators/action", - "Microsoft.Media/mediaservices/streamingLocators/listPaths/action", - "Microsoft.Media/mediaservices/accountFilters/*", - "Microsoft.Media/mediaservices/streamingPolicies/*", - "Microsoft.Media/mediaservices/contentKeyPolicies/*", - "Microsoft.Media/mediaservices/transforms/*" - ], - "notActions": [ - "Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action" - ], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Media Services Policy Administrator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Media Services Streaming Endpoints Administrator --Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metrics/read | Read metrics | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricDefinitions/read | Read metric definitions | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/*/read | | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/assets/listStreamingLocators/action | List Streaming Locators for Asset | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/streamingLocators/listPaths/action | List Paths | -> | [Microsoft.Media](resource-provider-operations.md#microsoftmedia)/mediaservices/streamingEndpoints/* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/99dba123-b5fe-44d5-874c-ced7199a5804", - "name": "99dba123-b5fe-44d5-874c-ced7199a5804", - 
"permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Insights/metrics/read", - "Microsoft.Insights/metricDefinitions/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Media/mediaservices/*/read", - "Microsoft.Media/mediaservices/assets/listStreamingLocators/action", - "Microsoft.Media/mediaservices/streamingLocators/listPaths/action", - "Microsoft.Media/mediaservices/streamingEndpoints/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Media Services Streaming Endpoints Administrator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Search Index Data Contributor --Grants full access to Azure Cognitive Search index data. --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Search](resource-provider-operations.md#microsoftsearch)/searchServices/indexes/documents/* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Grants full access to Azure Cognitive Search index data.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/8ebe5a00-799e-43f5-93ac-243d3dce84a7", - "name": "8ebe5a00-799e-43f5-93ac-243d3dce84a7", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.Search/searchServices/indexes/documents/*" - ], - "notDataActions": [] - } - ], - "roleName": "Search Index Data Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Search Index Data Reader --Grants read access to Azure Cognitive Search index data. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Search](resource-provider-operations.md#microsoftsearch)/searchServices/indexes/documents/read | Read documents or suggested query terms from an index. | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Grants read access to Azure Cognitive Search index data.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/1407120a-92aa-4202-b7e9-c0e197c71c8f", - "name": "1407120a-92aa-4202-b7e9-c0e197c71c8f", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.Search/searchServices/indexes/documents/read" - ], - "notDataActions": [] - } - ], - "roleName": "Search Index Data Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Search Service Contributor --Lets you manage Search services, but not access to them. --[Learn more](/azure/search/search-security-rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Search](resource-provider-operations.md#microsoftsearch)/searchServices/* | Create and manage search services | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage Search services, but not access to them.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0", - "name": "7ca78c08-252a-4471-8644-bb5ff32d4ba0", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Search/searchServices/*", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Search Service Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### SignalR AccessKey Reader --Read SignalR Service Access Keys --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.SignalRService](resource-provider-operations.md#microsoftsignalrservice)/*/read | | -> | [Microsoft.SignalRService](resource-provider-operations.md#microsoftsignalrservice)/SignalR/listkeys/action | View the value of SignalR access keys in the management portal or through API | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Read SignalR Service Access Keys", - "id": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e", - "name": "04165923-9d83-45d5-8227-78b77b0a687e", - "permissions": [ - { - "actions": [ - "Microsoft.SignalRService/*/read", - "Microsoft.SignalRService/SignalR/listkeys/action", - "Microsoft.Authorization/*/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "SignalR AccessKey Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### SignalR App Server --Lets your app server access SignalR Service with AAD auth options. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.SignalRService](resource-provider-operations.md#microsoftsignalrservice)/SignalR/auth/accessKey/action | Generate an AccessKey for signing AccessTokens, the key will expire in 90 minutes by default | -> | [Microsoft.SignalRService](resource-provider-operations.md#microsoftsignalrservice)/SignalR/serverConnection/write | Start a server connection | -> | [Microsoft.SignalRService](resource-provider-operations.md#microsoftsignalrservice)/SignalR/clientConnection/write | Close client connection | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets your app server access SignalR Service with AAD auth options.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/420fcaa2-552c-430f-98ca-3264be4806c7", - "name": "420fcaa2-552c-430f-98ca-3264be4806c7", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.SignalRService/SignalR/auth/accessKey/action", - "Microsoft.SignalRService/SignalR/serverConnection/write", - "Microsoft.SignalRService/SignalR/clientConnection/write" - ], - "notDataActions": [] - } - ], - "roleName": "SignalR App Server", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### SignalR REST API Owner --Full access to Azure SignalR Service REST APIs --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.SignalRService](resource-provider-operations.md#microsoftsignalrservice)/SignalR/auth/clientToken/action | Generate an AccessToken for client to connect to ASRS, the token will expire in 5 minutes by default | -> | [Microsoft.SignalRService](resource-provider-operations.md#microsoftsignalrservice)/SignalR/hub/* | | -> | 
[Microsoft.SignalRService](resource-provider-operations.md#microsoftsignalrservice)/SignalR/group/* | | -> | [Microsoft.SignalRService](resource-provider-operations.md#microsoftsignalrservice)/SignalR/clientConnection/* | | -> | [Microsoft.SignalRService](resource-provider-operations.md#microsoftsignalrservice)/SignalR/user/* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Full access to Azure SignalR Service REST APIs", - "id": "/providers/Microsoft.Authorization/roleDefinitions/fd53cd77-2268-407a-8f46-7e7863d0f521", - "name": "fd53cd77-2268-407a-8f46-7e7863d0f521", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.SignalRService/SignalR/auth/clientToken/action", - "Microsoft.SignalRService/SignalR/hub/*", - "Microsoft.SignalRService/SignalR/group/*", - "Microsoft.SignalRService/SignalR/clientConnection/*", - "Microsoft.SignalRService/SignalR/user/*" - ], - "notDataActions": [] - } - ], - "roleName": "SignalR REST API Owner", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### SignalR REST API Reader --Read-only access to Azure SignalR Service REST APIs --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.SignalRService](resource-provider-operations.md#microsoftsignalrservice)/SignalR/group/read | Check group existence or user existence in group | -> | [Microsoft.SignalRService](resource-provider-operations.md#microsoftsignalrservice)/SignalR/clientConnection/read | Check client connection existence | -> | [Microsoft.SignalRService](resource-provider-operations.md#microsoftsignalrservice)/SignalR/user/read | Check user existence | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Read-only access to Azure SignalR Service REST APIs", - "id": 
"/providers/Microsoft.Authorization/roleDefinitions/ddde6b66-c0df-4114-a159-3618637b3035", - "name": "ddde6b66-c0df-4114-a159-3618637b3035", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.SignalRService/SignalR/group/read", - "Microsoft.SignalRService/SignalR/clientConnection/read", - "Microsoft.SignalRService/SignalR/user/read" - ], - "notDataActions": [] - } - ], - "roleName": "SignalR REST API Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### SignalR Service Owner --Full access to Azure SignalR Service REST APIs --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.SignalRService](resource-provider-operations.md#microsoftsignalrservice)/SignalR/* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Full access to Azure SignalR Service REST APIs", - "id": "/providers/Microsoft.Authorization/roleDefinitions/7e4f1700-ea5a-4f59-8f37-079cfe29dce3", - "name": "7e4f1700-ea5a-4f59-8f37-079cfe29dce3", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.SignalRService/SignalR/*" - ], - "notDataActions": [] - } - ], - "roleName": "SignalR Service Owner", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### SignalR/Web PubSub Contributor --Create, Read, Update, and Delete SignalR service resources --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.SignalRService](resource-provider-operations.md#microsoftsignalrservice)/* | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | 
[Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Create, Read, Update, and Delete SignalR service resources", - "id": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761", - "name": "8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761", - "permissions": [ - { - "actions": [ - "Microsoft.SignalRService/*", - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "SignalR/Web PubSub Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Web Plan Contributor --Manage the web plans for websites. Does not allow you to assign roles in Azure RBAC. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/serverFarms/* | Create and manage server farms | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/hostingEnvironments/Join/Action | Joins an App Service Environment | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/autoscalesettings/* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage the web plans for websites, but not access to them.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b", - "name": "2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - 
"Microsoft.Web/serverFarms/*", - "Microsoft.Web/hostingEnvironments/Join/Action", - "Microsoft.Insights/autoscalesettings/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Web Plan Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Website Contributor --Manage websites, but not web plans. Does not allow you to assign roles in Azure RBAC. --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/components/* | Create and manage Insights components | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/certificates/* | Create and manage website certificates | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/listSitesAssignedToHostName/read | Get names of sites assigned to hostname. 
| -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/serverFarms/join/action | Joins an App Service Plan | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/serverFarms/read | Get the properties on an App Service Plan | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/* | Create and manage websites (site creation also requires write permissions to the associated App Service Plan) | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage websites (not web plans), but not access to them.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772", - "name": "de139f84-1756-47ae-9be6-808fbbe84772", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Insights/components/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.Web/certificates/*", - "Microsoft.Web/listSitesAssignedToHostName/read", - "Microsoft.Web/serverFarms/join/action", - "Microsoft.Web/serverFarms/read", - "Microsoft.Web/sites/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Website Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --## Containers ---### AcrDelete --Delete repositories, tags, or manifests from a container registry. --[Learn more](/azure/container-registry/container-registry-roles) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ContainerRegistry](resource-provider-operations.md#microsoftcontainerregistry)/registries/artifacts/delete | Delete artifact in a container registry. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "acr delete", - "id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "permissions": [ - { - "actions": [ - "Microsoft.ContainerRegistry/registries/artifacts/delete" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "AcrDelete", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### AcrImageSigner --Push trusted images to or pull trusted images from a container registry enabled for content trust. --[Learn more](/azure/container-registry/container-registry-roles) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ContainerRegistry](resource-provider-operations.md#microsoftcontainerregistry)/registries/sign/write | Push/Pull content trust metadata for a container registry. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.ContainerRegistry](resource-provider-operations.md#microsoftcontainerregistry)/registries/trustedCollections/write | Allows push or publish of trusted collections of container registry content. 
This is similar to Microsoft.ContainerRegistry/registries/sign/write action except that this is a data action | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "acr image signer", - "id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f", - "name": "6cef56e8-d556-48e5-a04f-b8e64114680f", - "permissions": [ - { - "actions": [ - "Microsoft.ContainerRegistry/registries/sign/write" - ], - "notActions": [], - "dataActions": [ - "Microsoft.ContainerRegistry/registries/trustedCollections/write" - ], - "notDataActions": [] - } - ], - "roleName": "AcrImageSigner", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### AcrPull --Pull artifacts from a container registry. --[Learn more](/azure/container-registry/container-registry-roles) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ContainerRegistry](resource-provider-operations.md#microsoftcontainerregistry)/registries/pull/read | Pull or Get images from a container registry. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "acr pull", - "id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d", - "name": "7f951dda-4ed3-4680-a7ca-43fe172d538d", - "permissions": [ - { - "actions": [ - "Microsoft.ContainerRegistry/registries/pull/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "AcrPull", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### AcrPush --Push artifacts to or pull artifacts from a container registry. 
--[Learn more](/azure/container-registry/container-registry-roles) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ContainerRegistry](resource-provider-operations.md#microsoftcontainerregistry)/registries/pull/read | Pull or Get images from a container registry. | -> | [Microsoft.ContainerRegistry](resource-provider-operations.md#microsoftcontainerregistry)/registries/push/write | Push or Write images to a container registry. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "acr push", - "id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec", - "name": "8311e382-0749-4cb8-b61a-304f252e45ec", - "permissions": [ - { - "actions": [ - "Microsoft.ContainerRegistry/registries/pull/read", - "Microsoft.ContainerRegistry/registries/push/write" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "AcrPush", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### AcrQuarantineReader --Pull quarantined images from a container registry. --[Learn more](/azure/container-registry/container-registry-roles) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ContainerRegistry](resource-provider-operations.md#microsoftcontainerregistry)/registries/quarantine/read | Pull or Get quarantined images from container registry | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.ContainerRegistry](resource-provider-operations.md#microsoftcontainerregistry)/registries/quarantinedArtifacts/read | Allows pull or get of the quarantined artifacts from container registry. 
This is similar to Microsoft.ContainerRegistry/registries/quarantine/read except that it is a data action | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "acr quarantine data reader", - "id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04", - "name": "cdda3590-29a3-44f6-95f2-9f980659eb04", - "permissions": [ - { - "actions": [ - "Microsoft.ContainerRegistry/registries/quarantine/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read" - ], - "notDataActions": [] - } - ], - "roleName": "AcrQuarantineReader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### AcrQuarantineWriter --Push quarantined images to or pull quarantined images from a container registry. --[Learn more](/azure/container-registry/container-registry-roles) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ContainerRegistry](resource-provider-operations.md#microsoftcontainerregistry)/registries/quarantine/read | Pull or Get quarantined images from container registry | -> | [Microsoft.ContainerRegistry](resource-provider-operations.md#microsoftcontainerregistry)/registries/quarantine/write | Write/Modify quarantine state of quarantined images | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.ContainerRegistry](resource-provider-operations.md#microsoftcontainerregistry)/registries/quarantinedArtifacts/read | Allows pull or get of the quarantined artifacts from container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read except that it is a data action | -> | [Microsoft.ContainerRegistry](resource-provider-operations.md#microsoftcontainerregistry)/registries/quarantinedArtifacts/write | Allows write or update of the quarantine state of quarantined artifacts. 
This is similar to Microsoft.ContainerRegistry/registries/quarantine/write action except that it is a data action | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "acr quarantine data writer", - "id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608", - "name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608", - "permissions": [ - { - "actions": [ - "Microsoft.ContainerRegistry/registries/quarantine/read", - "Microsoft.ContainerRegistry/registries/quarantine/write" - ], - "notActions": [], - "dataActions": [ - "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read", - "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write" - ], - "notDataActions": [] - } - ], - "roleName": "AcrQuarantineWriter", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Kubernetes Fleet Manager RBAC Admin --This role grants admin access - provides write permissions on most objects within a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces. --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/read | Get fleet | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/listCredentials/action | List fleet credentials | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/apps/controllerrevisions/read | Reads controllerrevisions | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/apps/daemonsets/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/apps/deployments/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/apps/statefulsets/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/authorization.k8s.io/localsubjectaccessreviews/write | Writes localsubjectaccessreviews | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/autoscaling/horizontalpodautoscalers/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/batch/cronjobs/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/batch/jobs/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/configmaps/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/endpoints/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/events.k8s.io/events/read | Reads events | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/events/read | Reads events | -> | 
[Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/extensions/daemonsets/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/extensions/deployments/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/extensions/ingresses/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/extensions/networkpolicies/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/limitranges/read | Reads limitranges | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/namespaces/read | Reads namespaces | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/networking.k8s.io/ingresses/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/networking.k8s.io/networkpolicies/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/persistentvolumeclaims/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/policy/poddisruptionbudgets/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/rbac.authorization.k8s.io/rolebindings/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/rbac.authorization.k8s.io/roles/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/replicationcontrollers/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/replicationcontrollers/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/resourcequotas/read | Reads 
resourcequotas | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/secrets/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/serviceaccounts/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/services/* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "This role grants admin access - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba", - "name": "434fb43a-c01c-447e-9f67-c3ad923cfaba", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Resources/subscriptions/operationresults/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.ContainerService/fleets/read", - "Microsoft.ContainerService/fleets/listCredentials/action" - ], - "notActions": [], - "dataActions": [ - "Microsoft.ContainerService/fleets/apps/controllerrevisions/read", - "Microsoft.ContainerService/fleets/apps/daemonsets/*", - "Microsoft.ContainerService/fleets/apps/deployments/*", - "Microsoft.ContainerService/fleets/apps/statefulsets/*", - "Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write", - "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*", - "Microsoft.ContainerService/fleets/batch/cronjobs/*", - "Microsoft.ContainerService/fleets/batch/jobs/*", - "Microsoft.ContainerService/fleets/configmaps/*", - "Microsoft.ContainerService/fleets/endpoints/*", - "Microsoft.ContainerService/fleets/events.k8s.io/events/read", - 
"Microsoft.ContainerService/fleets/events/read", - "Microsoft.ContainerService/fleets/extensions/daemonsets/*", - "Microsoft.ContainerService/fleets/extensions/deployments/*", - "Microsoft.ContainerService/fleets/extensions/ingresses/*", - "Microsoft.ContainerService/fleets/extensions/networkpolicies/*", - "Microsoft.ContainerService/fleets/limitranges/read", - "Microsoft.ContainerService/fleets/namespaces/read", - "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*", - "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*", - "Microsoft.ContainerService/fleets/persistentvolumeclaims/*", - "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*", - "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*", - "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*", - "Microsoft.ContainerService/fleets/replicationcontrollers/*", - "Microsoft.ContainerService/fleets/replicationcontrollers/*", - "Microsoft.ContainerService/fleets/resourcequotas/read", - "Microsoft.ContainerService/fleets/secrets/*", - "Microsoft.ContainerService/fleets/serviceaccounts/*", - "Microsoft.ContainerService/fleets/services/*" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Kubernetes Fleet Manager RBAC Admin", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Kubernetes Fleet Manager RBAC Cluster Admin --Lets you manage all resources in the fleet manager cluster. --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. 
| -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/read | Get fleet | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/listCredentials/action | List fleet credentials | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage all resources in the fleet manager cluster.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69", - "name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Resources/subscriptions/operationresults/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.ContainerService/fleets/read", - "Microsoft.ContainerService/fleets/listCredentials/action" - ], - "notActions": [], - "dataActions": [ - "Microsoft.ContainerService/fleets/*" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Kubernetes Fleet Manager RBAC Reader --Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). 
Applying this role at cluster scope will give access across all namespaces. --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/read | Get fleet | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/listCredentials/action | List fleet credentials | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/apps/controllerrevisions/read | Reads controllerrevisions | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/apps/daemonsets/read | Reads daemonsets | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/apps/deployments/read | Reads deployments | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/apps/statefulsets/read | Reads statefulsets | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/batch/cronjobs/read | Reads cronjobs | -> | 
[Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/batch/jobs/read | Reads jobs | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/configmaps/read | Reads configmaps | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/endpoints/read | Reads endpoints | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/events.k8s.io/events/read | Reads events | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/events/read | Reads events | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/extensions/daemonsets/read | Reads daemonsets | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/extensions/deployments/read | Reads deployments | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/extensions/ingresses/read | Reads ingresses | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/extensions/networkpolicies/read | Reads networkpolicies | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/limitranges/read | Reads limitranges | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/namespaces/read | Reads namespaces | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/networking.k8s.io/ingresses/read | Reads ingresses | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/networking.k8s.io/networkpolicies/read | Reads networkpolicies | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/persistentvolumeclaims/read | 
Reads persistentvolumeclaims | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/replicationcontrollers/read | Reads replicationcontrollers | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/replicationcontrollers/read | Reads replicationcontrollers | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/resourcequotas/read | Reads resourcequotas | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/serviceaccounts/read | Reads serviceaccounts | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/services/read | Reads services | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). 
Applying this role at cluster scope will give access across all namespaces.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80", - "name": "30b27cfc-9c84-438e-b0ce-70e35255df80", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Resources/subscriptions/operationresults/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.ContainerService/fleets/read", - "Microsoft.ContainerService/fleets/listCredentials/action" - ], - "notActions": [], - "dataActions": [ - "Microsoft.ContainerService/fleets/apps/controllerrevisions/read", - "Microsoft.ContainerService/fleets/apps/daemonsets/read", - "Microsoft.ContainerService/fleets/apps/deployments/read", - "Microsoft.ContainerService/fleets/apps/statefulsets/read", - "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read", - "Microsoft.ContainerService/fleets/batch/cronjobs/read", - "Microsoft.ContainerService/fleets/batch/jobs/read", - "Microsoft.ContainerService/fleets/configmaps/read", - "Microsoft.ContainerService/fleets/endpoints/read", - "Microsoft.ContainerService/fleets/events.k8s.io/events/read", - "Microsoft.ContainerService/fleets/events/read", - "Microsoft.ContainerService/fleets/extensions/daemonsets/read", - "Microsoft.ContainerService/fleets/extensions/deployments/read", - "Microsoft.ContainerService/fleets/extensions/ingresses/read", - "Microsoft.ContainerService/fleets/extensions/networkpolicies/read", - "Microsoft.ContainerService/fleets/limitranges/read", - "Microsoft.ContainerService/fleets/namespaces/read", - "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read", - "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read", - "Microsoft.ContainerService/fleets/persistentvolumeclaims/read", - "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read", - 
"Microsoft.ContainerService/fleets/replicationcontrollers/read", - "Microsoft.ContainerService/fleets/replicationcontrollers/read", - "Microsoft.ContainerService/fleets/resourcequotas/read", - "Microsoft.ContainerService/fleets/serviceaccounts/read", - "Microsoft.ContainerService/fleets/services/read" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Kubernetes Fleet Manager RBAC Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Kubernetes Fleet Manager RBAC Writer --Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/read | Get fleet | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/listCredentials/action | List fleet credentials | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/apps/controllerrevisions/read | Reads controllerrevisions | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/apps/daemonsets/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/apps/deployments/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/apps/statefulsets/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/autoscaling/horizontalpodautoscalers/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/batch/cronjobs/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/batch/jobs/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/configmaps/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/endpoints/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/events.k8s.io/events/read | Reads events | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/events/read | Reads events | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/extensions/daemonsets/* | | -> | 
[Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/extensions/deployments/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/extensions/ingresses/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/extensions/networkpolicies/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/limitranges/read | Reads limitranges | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/namespaces/read | Reads namespaces | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/networking.k8s.io/ingresses/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/networking.k8s.io/networkpolicies/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/persistentvolumeclaims/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/policy/poddisruptionbudgets/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/replicationcontrollers/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/replicationcontrollers/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/resourcequotas/read | Reads resourcequotas | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/secrets/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/serviceaccounts/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/services/* | | -> | **NotDataActions** | | -> | *none* | | 
--```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683", - "name": "5af6afb3-c06c-4fa4-8848-71a8aee05683", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Resources/subscriptions/operationresults/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.ContainerService/fleets/read", - "Microsoft.ContainerService/fleets/listCredentials/action" - ], - "notActions": [], - "dataActions": [ - "Microsoft.ContainerService/fleets/apps/controllerrevisions/read", - "Microsoft.ContainerService/fleets/apps/daemonsets/*", - "Microsoft.ContainerService/fleets/apps/deployments/*", - "Microsoft.ContainerService/fleets/apps/statefulsets/*", - "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*", - "Microsoft.ContainerService/fleets/batch/cronjobs/*", - "Microsoft.ContainerService/fleets/batch/jobs/*", - "Microsoft.ContainerService/fleets/configmaps/*", - "Microsoft.ContainerService/fleets/endpoints/*", - "Microsoft.ContainerService/fleets/events.k8s.io/events/read", - "Microsoft.ContainerService/fleets/events/read", - "Microsoft.ContainerService/fleets/extensions/daemonsets/*", - "Microsoft.ContainerService/fleets/extensions/deployments/*", - "Microsoft.ContainerService/fleets/extensions/ingresses/*", - "Microsoft.ContainerService/fleets/extensions/networkpolicies/*", - "Microsoft.ContainerService/fleets/limitranges/read", - "Microsoft.ContainerService/fleets/namespaces/read", - 
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*", - "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*", - "Microsoft.ContainerService/fleets/persistentvolumeclaims/*", - "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*", - "Microsoft.ContainerService/fleets/replicationcontrollers/*", - "Microsoft.ContainerService/fleets/replicationcontrollers/*", - "Microsoft.ContainerService/fleets/resourcequotas/read", - "Microsoft.ContainerService/fleets/secrets/*", - "Microsoft.ContainerService/fleets/serviceaccounts/*", - "Microsoft.ContainerService/fleets/services/*" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Kubernetes Fleet Manager RBAC Writer", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Kubernetes Service Cluster Admin Role --List cluster admin credential action. --[Learn more](/azure/aks/control-kubeconfig-access) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/listClusterAdminCredential/action | List the clusterAdmin credential of a managed cluster | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/accessProfiles/listCredential/action | Get a managed cluster access profile by role name using list credential | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/read | Get a managed cluster | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/runcommand/action | Run user issued command against managed kubernetes server. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "List cluster admin credential action.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8", - "name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8", - "permissions": [ - { - "actions": [ - "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action", - "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action", - "Microsoft.ContainerService/managedClusters/read", - "Microsoft.ContainerService/managedClusters/runcommand/action" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Azure Kubernetes Service Cluster Admin Role", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Kubernetes Service Cluster Monitoring User --List cluster monitoring user credential action. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/listClusterMonitoringUserCredential/action | List the clusterMonitoringUser credential of a managed cluster | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/read | Get a managed cluster | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "List cluster monitoring user credential action.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6", - "name": "1afdec4b-e479-420e-99e7-f82237c7c5e6", - "permissions": [ - { - "actions": [ - "Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action", - "Microsoft.ContainerService/managedClusters/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Azure Kubernetes Service Cluster Monitoring User", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Kubernetes Service Cluster User Role --List cluster user credential action. 
--[Learn more](/azure/aks/control-kubeconfig-access) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/read | Get a managed cluster | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "List cluster user credential action.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f", - "name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f", - "permissions": [ - { - "actions": [ - "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action", - "Microsoft.ContainerService/managedClusters/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Azure Kubernetes Service Cluster User Role", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Kubernetes Service Contributor Role --Grants access to read and write Azure Kubernetes Service clusters --[Learn more](/azure/aks/concepts-identity) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/read | Get a managed cluster | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/write | Creates a new managed cluster or updates an existing one | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> 
| **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Grants access to read and write Azure Kubernetes Service clusters", - "id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", - "name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", - "permissions": [ - { - "actions": [ - "Microsoft.ContainerService/managedClusters/read", - "Microsoft.ContainerService/managedClusters/write", - "Microsoft.Resources/deployments/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Azure Kubernetes Service Contributor Role", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Kubernetes Service RBAC Admin --Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. --[Learn more](/azure/aks/manage-azure-rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/* | | -> | **NotDataActions** | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/resourcequotas/write | Writes resourcequotas | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/resourcequotas/delete | Deletes resourcequotas | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/namespaces/write | Writes namespaces | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/namespaces/delete | Deletes namespaces | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7", - "name": "3498e952-d568-435e-9b2c-8d77e338d7f7", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Resources/subscriptions/operationresults/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action" - ], - "notActions": [], - "dataActions": [ - "Microsoft.ContainerService/managedClusters/*" - ], - "notDataActions": [ - "Microsoft.ContainerService/managedClusters/resourcequotas/write", - "Microsoft.ContainerService/managedClusters/resourcequotas/delete", - "Microsoft.ContainerService/managedClusters/namespaces/write", - 
"Microsoft.ContainerService/managedClusters/namespaces/delete" - ] - } - ], - "roleName": "Azure Kubernetes Service RBAC Admin", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Kubernetes Service RBAC Cluster Admin --Lets you manage all resources in the cluster. --[Learn more](/azure/aks/manage-azure-rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage all resources in the cluster.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b", - "name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Resources/subscriptions/operationresults/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - 
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action" - ], - "notActions": [], - "dataActions": [ - "Microsoft.ContainerService/managedClusters/*" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Kubernetes Service RBAC Cluster Admin", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Kubernetes Service RBAC Reader --Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. --[Learn more](/azure/aks/manage-azure-rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/apps/daemonsets/read | Reads daemonsets | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/apps/deployments/read | Reads deployments | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/apps/replicasets/read | Reads replicasets | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/apps/statefulsets/read | Reads statefulsets | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/batch/cronjobs/read | Reads cronjobs | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/batch/jobs/read | Reads jobs | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/configmaps/read | Reads configmaps | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/discovery.k8s.io/endpointslices/read | Reads endpointslices | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/endpoints/read | Reads endpoints | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/events.k8s.io/events/read | Reads events | -> | 
[Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/events/read | Reads events | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/extensions/daemonsets/read | Reads daemonsets | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/extensions/deployments/read | Reads deployments | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/extensions/ingresses/read | Reads ingresses | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/extensions/networkpolicies/read | Reads networkpolicies | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/extensions/replicasets/read | Reads replicasets | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/limitranges/read | Reads limitranges | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/metrics.k8s.io/pods/read | Reads pods | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/metrics.k8s.io/nodes/read | Reads nodes | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/namespaces/read | Reads namespaces | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/networking.k8s.io/ingresses/read | Reads ingresses | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/networking.k8s.io/networkpolicies/read | Reads networkpolicies | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/persistentvolumeclaims/read | 
Reads persistentvolumeclaims | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/pods/read | Reads pods | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/replicationcontrollers/read | Reads replicationcontrollers | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/resourcequotas/read | Reads resourcequotas | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/serviceaccounts/read | Reads serviceaccounts | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/services/read | Reads services | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). 
Applying this role at cluster scope will give access across all namespaces.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db", - "name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Resources/subscriptions/operationresults/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Resources/subscriptions/resourceGroups/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read", - "Microsoft.ContainerService/managedClusters/apps/daemonsets/read", - "Microsoft.ContainerService/managedClusters/apps/deployments/read", - "Microsoft.ContainerService/managedClusters/apps/replicasets/read", - "Microsoft.ContainerService/managedClusters/apps/statefulsets/read", - "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read", - "Microsoft.ContainerService/managedClusters/batch/cronjobs/read", - "Microsoft.ContainerService/managedClusters/batch/jobs/read", - "Microsoft.ContainerService/managedClusters/configmaps/read", - "Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read", - "Microsoft.ContainerService/managedClusters/endpoints/read", - "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read", - "Microsoft.ContainerService/managedClusters/events/read", - "Microsoft.ContainerService/managedClusters/extensions/daemonsets/read", - "Microsoft.ContainerService/managedClusters/extensions/deployments/read", - "Microsoft.ContainerService/managedClusters/extensions/ingresses/read", - "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read", - "Microsoft.ContainerService/managedClusters/extensions/replicasets/read", - "Microsoft.ContainerService/managedClusters/limitranges/read", - "Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read", - 
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read", - "Microsoft.ContainerService/managedClusters/namespaces/read", - "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read", - "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read", - "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read", - "Microsoft.ContainerService/managedClusters/pods/read", - "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read", - "Microsoft.ContainerService/managedClusters/replicationcontrollers/read", - "Microsoft.ContainerService/managedClusters/resourcequotas/read", - "Microsoft.ContainerService/managedClusters/serviceaccounts/read", - "Microsoft.ContainerService/managedClusters/services/read" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Kubernetes Service RBAC Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Kubernetes Service RBAC Writer --Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. --[Learn more](/azure/aks/manage-azure-rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. 
| -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/apps/daemonsets/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/apps/deployments/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/apps/replicasets/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/apps/statefulsets/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/autoscaling/horizontalpodautoscalers/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/batch/cronjobs/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/coordination.k8s.io/leases/read | Reads leases | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/coordination.k8s.io/leases/write | Writes leases | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/coordination.k8s.io/leases/delete | Deletes leases | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/discovery.k8s.io/endpointslices/read | Reads endpointslices | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/batch/jobs/* | | -> | 
[Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/configmaps/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/endpoints/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/events.k8s.io/events/read | Reads events | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/events/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/extensions/daemonsets/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/extensions/deployments/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/extensions/ingresses/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/extensions/networkpolicies/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/extensions/replicasets/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/limitranges/read | Reads limitranges | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/metrics.k8s.io/pods/read | Reads pods | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/metrics.k8s.io/nodes/read | Reads nodes | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/namespaces/read | Reads namespaces | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/networking.k8s.io/ingresses/* | | -> | 
[Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/networking.k8s.io/networkpolicies/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/persistentvolumeclaims/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/pods/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/policy/poddisruptionbudgets/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/replicationcontrollers/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/resourcequotas/read | Reads resourcequotas | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/secrets/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/serviceaccounts/* | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/services/* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. 
Applying this role at cluster scope will give access across all namespaces.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb", - "name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Resources/subscriptions/operationresults/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Resources/subscriptions/resourceGroups/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read", - "Microsoft.ContainerService/managedClusters/apps/daemonsets/*", - "Microsoft.ContainerService/managedClusters/apps/deployments/*", - "Microsoft.ContainerService/managedClusters/apps/replicasets/*", - "Microsoft.ContainerService/managedClusters/apps/statefulsets/*", - "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*", - "Microsoft.ContainerService/managedClusters/batch/cronjobs/*", - "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read", - "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write", - "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete", - "Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read", - "Microsoft.ContainerService/managedClusters/batch/jobs/*", - "Microsoft.ContainerService/managedClusters/configmaps/*", - "Microsoft.ContainerService/managedClusters/endpoints/*", - "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read", - "Microsoft.ContainerService/managedClusters/events/*", - "Microsoft.ContainerService/managedClusters/extensions/daemonsets/*", - "Microsoft.ContainerService/managedClusters/extensions/deployments/*", - "Microsoft.ContainerService/managedClusters/extensions/ingresses/*", - "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*", - 
"Microsoft.ContainerService/managedClusters/extensions/replicasets/*", - "Microsoft.ContainerService/managedClusters/limitranges/read", - "Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read", - "Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read", - "Microsoft.ContainerService/managedClusters/namespaces/read", - "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*", - "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*", - "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*", - "Microsoft.ContainerService/managedClusters/pods/*", - "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*", - "Microsoft.ContainerService/managedClusters/replicationcontrollers/*", - "Microsoft.ContainerService/managedClusters/resourcequotas/read", - "Microsoft.ContainerService/managedClusters/secrets/*", - "Microsoft.ContainerService/managedClusters/serviceaccounts/*", - "Microsoft.ContainerService/managedClusters/services/*" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Kubernetes Service RBAC Writer", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --## Databases ---### Azure Connected SQL Server Onboarding --Allows for read and write access to Azure resources for SQL Server on Arc-enabled servers. 
--[Learn more](/sql/sql-server/azure-arc/connect) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | Microsoft.AzureArcData/sqlServerInstances/read | Retrieves a SQL Server Instance resource | -> | Microsoft.AzureArcData/sqlServerInstances/write | Updates a SQL Server Instance resource | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Microsoft.AzureArcData┬áservice┬árole┬áto┬áaccess┬áthe┬áresources┬áof┬áMicrosoft.AzureArcData┬ástored┬áwith┬áRPSAAS.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/e8113dce-c529-4d33-91fa-e9b972617508", - "name": "e8113dce-c529-4d33-91fa-e9b972617508", - "permissions": [ - { - "actions": [ - "Microsoft.AzureArcData/sqlServerInstances/read", - "Microsoft.AzureArcData/sqlServerInstances/write" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Azure Connected SQL Server Onboarding", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Cosmos DB Account Reader Role --Can read Azure Cosmos DB account data. See [DocumentDB Account Contributor](#documentdb-account-contributor) for managing Azure Cosmos DB accounts. --[Learn more](/azure/cosmos-db/role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.DocumentDB](resource-provider-operations.md#microsoftdocumentdb)/*/read | Read any collection | -> | [Microsoft.DocumentDB](resource-provider-operations.md#microsoftdocumentdb)/databaseAccounts/readonlykeys/action | Reads the database account readonly keys. 
| -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/MetricDefinitions/read | Read metric definitions | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/Metrics/read | Read metrics | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can read Azure Cosmos DB Accounts data", - "id": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8", - "name": "fbdf93bf-df7d-467e-a4d2-9458aa1360c8", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.DocumentDB/*/read", - "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action", - "Microsoft.Insights/MetricDefinitions/read", - "Microsoft.Insights/Metrics/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Cosmos DB Account Reader Role", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Cosmos DB Operator --Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. 
--[Learn more](/azure/cosmos-db/role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.DocumentDb](resource-provider-operations.md#microsoftdocumentdb)/databaseAccounts/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. 
| -> | **NotActions** | | -> | [Microsoft.DocumentDB](resource-provider-operations.md#microsoftdocumentdb)/databaseAccounts/dataTransferJobs/* | | -> | [Microsoft.DocumentDB](resource-provider-operations.md#microsoftdocumentdb)/databaseAccounts/readonlyKeys/* | | -> | [Microsoft.DocumentDB](resource-provider-operations.md#microsoftdocumentdb)/databaseAccounts/regenerateKey/* | | -> | [Microsoft.DocumentDB](resource-provider-operations.md#microsoftdocumentdb)/databaseAccounts/listKeys/* | | -> | [Microsoft.DocumentDB](resource-provider-operations.md#microsoftdocumentdb)/databaseAccounts/listConnectionStrings/* | | -> | [Microsoft.DocumentDB](resource-provider-operations.md#microsoftdocumentdb)/databaseAccounts/sqlRoleDefinitions/write | Create or update a SQL Role Definition | -> | [Microsoft.DocumentDB](resource-provider-operations.md#microsoftdocumentdb)/databaseAccounts/sqlRoleDefinitions/delete | Delete a SQL Role Definition | -> | [Microsoft.DocumentDB](resource-provider-operations.md#microsoftdocumentdb)/databaseAccounts/sqlRoleAssignments/write | Create or update a SQL Role Assignment | -> | [Microsoft.DocumentDB](resource-provider-operations.md#microsoftdocumentdb)/databaseAccounts/sqlRoleAssignments/delete | Delete a SQL Role Assignment | -> | [Microsoft.DocumentDB](resource-provider-operations.md#microsoftdocumentdb)/databaseAccounts/mongodbRoleDefinitions/write | Create or update a Mongo Role Definition | -> | [Microsoft.DocumentDB](resource-provider-operations.md#microsoftdocumentdb)/databaseAccounts/mongodbRoleDefinitions/delete | Delete a MongoDB Role Definition | -> | [Microsoft.DocumentDB](resource-provider-operations.md#microsoftdocumentdb)/databaseAccounts/mongodbUserDefinitions/write | Create or update a MongoDB User Definition | -> | [Microsoft.DocumentDB](resource-provider-operations.md#microsoftdocumentdb)/databaseAccounts/mongodbUserDefinitions/delete | Delete a MongoDB User Definition | -> | **DataActions** | | -> | *none* | | -> | 
**NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa", - "name": "230815da-be43-4aae-9cb4-875f7bd000aa", - "permissions": [ - { - "actions": [ - "Microsoft.DocumentDb/databaseAccounts/*", - "Microsoft.Insights/alertRules/*", - "Microsoft.Authorization/*/read", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action" - ], - "notActions": [ - "Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/*", - "Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*", - "Microsoft.DocumentDB/databaseAccounts/regenerateKey/*", - "Microsoft.DocumentDB/databaseAccounts/listKeys/*", - "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*", - "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write", - "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete", - "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write", - "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete", - "Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write", - "Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete", - "Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write", - "Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete" - ], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Cosmos DB Operator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### CosmosBackupOperator --Can submit restore request for a Cosmos DB database or a container for an account --[Learn 
more](/azure/cosmos-db/role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.DocumentDB](resource-provider-operations.md#microsoftdocumentdb)/databaseAccounts/backup/action | Submit a request to configure backup | -> | [Microsoft.DocumentDB](resource-provider-operations.md#microsoftdocumentdb)/databaseAccounts/restore/action | Submit a restore request | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can submit restore request for a Cosmos DB database or a container for an account", - "id": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb", - "name": "db7b14f2-5adf-42da-9f96-f2ee17bab5cb", - "permissions": [ - { - "actions": [ - "Microsoft.DocumentDB/databaseAccounts/backup/action", - "Microsoft.DocumentDB/databaseAccounts/restore/action" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "CosmosBackupOperator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### CosmosRestoreOperator --Can perform restore action for Cosmos DB database account with continuous backup mode --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.DocumentDB](resource-provider-operations.md#microsoftdocumentdb)/locations/restorableDatabaseAccounts/restore/action | Submit a restore request | -> | [Microsoft.DocumentDB](resource-provider-operations.md#microsoftdocumentdb)/locations/restorableDatabaseAccounts/*/read | | -> | [Microsoft.DocumentDB](resource-provider-operations.md#microsoftdocumentdb)/locations/restorableDatabaseAccounts/read | Read a restorable database account or List all the restorable database accounts | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | 
*none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can perform restore action for Cosmos DB database account with continuous backup mode", - "id": "/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-444a-b7ba-57c5b0b5b34f", - "name": "5432c526-bc82-444a-b7ba-57c5b0b5b34f", - "permissions": [ - { - "actions": [ - "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action", - "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read", - "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "CosmosRestoreOperator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### DocumentDB Account Contributor --Can manage Azure Cosmos DB accounts. Azure Cosmos DB is formerly known as DocumentDB. --[Learn more](/azure/cosmos-db/role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.DocumentDb](resource-provider-operations.md#microsoftdocumentdb)/databaseAccounts/* | Create and manage Azure Cosmos DB accounts | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage DocumentDB accounts, but not access to them.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450", - "name": "5bd9cd88-fe45-4216-938b-f97437e15450", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.DocumentDb/databaseAccounts/*", - "Microsoft.Insights/alertRules/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "DocumentDB Account Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Redis Cache Contributor --Lets you manage Redis caches, but not access to them. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Cache](resource-provider-operations.md#microsoftcache)/register/action | Registers the 'Microsoft.Cache' resource provider with a subscription | -> | [Microsoft.Cache](resource-provider-operations.md#microsoftcache)/redis/* | Create and manage Redis caches | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage Redis caches, but not access to them.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17", - "name": "e0f68234-74aa-48ed-b826-c38b57376e17", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Cache/register/action", - "Microsoft.Cache/redis/*", - "Microsoft.Insights/alertRules/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Redis Cache Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### SQL DB Contributor --Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. 
--[Learn more](/azure/data-share/concepts-roles-permissions) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/locations/*/read | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/* | Create and manage SQL databases | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/read | Return the list of servers or gets the properties for the specified server. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metrics/read | Read metrics | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricDefinitions/read | Read metric definitions | -> | **NotActions** | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/ledgerDigestUploads/write | Enable uploading ledger digests | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/ledgerDigestUploads/disable/action | Disable uploading ledger digests | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/databases/currentSensitivityLabels/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/databases/recommendedSensitivityLabels/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/databases/securityAlertPolicies/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/databases/sensitivityLabels/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/databases/vulnerabilityAssessments/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/securityAlertPolicies/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/vulnerabilityAssessments/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/auditingSettings/* | Edit audit settings | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/auditRecords/read | Retrieve the database blob audit records | -> | 
[Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/currentSensitivityLabels/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/dataMaskingPolicies/* | Edit data masking policies | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/extendedAuditingSettings/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/recommendedSensitivityLabels/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/schemas/tables/columns/sensitivityLabels/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/securityAlertPolicies/* | Edit security alert policies | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/securityMetrics/* | Edit security metrics | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/sensitivityLabels/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/vulnerabilityAssessments/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/vulnerabilityAssessmentScans/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/vulnerabilityAssessmentSettings/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/vulnerabilityAssessments/* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage SQL databases, but not access to them. 
Also, you can't manage their security-related policies or their parent SQL servers.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", - "name": "9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Sql/locations/*/read", - "Microsoft.Sql/servers/databases/*", - "Microsoft.Sql/servers/read", - "Microsoft.Support/*", - "Microsoft.Insights/metrics/read", - "Microsoft.Insights/metricDefinitions/read" - ], - "notActions": [ - "Microsoft.Sql/servers/databases/ledgerDigestUploads/write", - "Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action", - "Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*", - "Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*", - "Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*", - "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*", - "Microsoft.Sql/managedInstances/databases/sensitivityLabels/*", - "Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*", - "Microsoft.Sql/managedInstances/securityAlertPolicies/*", - "Microsoft.Sql/managedInstances/vulnerabilityAssessments/*", - "Microsoft.Sql/servers/databases/auditingSettings/*", - "Microsoft.Sql/servers/databases/auditRecords/read", - "Microsoft.Sql/servers/databases/currentSensitivityLabels/*", - "Microsoft.Sql/servers/databases/dataMaskingPolicies/*", - "Microsoft.Sql/servers/databases/extendedAuditingSettings/*", - "Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*", - "Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*", - "Microsoft.Sql/servers/databases/securityAlertPolicies/*", - 
"Microsoft.Sql/servers/databases/securityMetrics/*", - "Microsoft.Sql/servers/databases/sensitivityLabels/*", - "Microsoft.Sql/servers/databases/vulnerabilityAssessments/*", - "Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*", - "Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*", - "Microsoft.Sql/servers/vulnerabilityAssessments/*" - ], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "SQL DB Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### SQL Managed Instance Contributor --Lets you manage SQL Managed Instances and required network configuration, but can't give access to others. --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkSecurityGroups/* | | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/routeTables/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/locations/*/read | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/locations/instanceFailoverGroups/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/* | | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/subnets/* | | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/* | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metrics/read | Read metrics | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricDefinitions/read | Read metric definitions | -> | **NotActions** | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/azureADOnlyAuthentications/delete | Deletes a specific managed server Azure Active Directory only authentication object | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/azureADOnlyAuthentications/write | Adds or updates a specific managed server Azure Active Directory only authentication object | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage SQL Managed Instances and required network configuration, but can't give access to 
others.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d", - "name": "4939a1f6-9ae0-4e48-a1e0-f2cbe897382d", - "permissions": [ - { - "actions": [ - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Network/networkSecurityGroups/*", - "Microsoft.Network/routeTables/*", - "Microsoft.Sql/locations/*/read", - "Microsoft.Sql/locations/instanceFailoverGroups/*", - "Microsoft.Sql/managedInstances/*", - "Microsoft.Support/*", - "Microsoft.Network/virtualNetworks/subnets/*", - "Microsoft.Network/virtualNetworks/*", - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Insights/metrics/read", - "Microsoft.Insights/metricDefinitions/read" - ], - "notActions": [ - "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete", - "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write" - ], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "SQL Managed Instance Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### SQL Security Manager --Lets you manage the security-related policies of SQL servers and databases, but not access to them. --[Learn more](/azure/azure-sql/database/azure-defender-for-sql) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. 
| -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/locations/administratorAzureAsyncOperation/read | Gets the Managed instance azure async administrator operations result. | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/advancedThreatProtectionSettings/read | Retrieve a list of managed instance Advanced Threat Protection settings configured for a given instance | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/advancedThreatProtectionSettings/write | Change the managed instance Advanced Threat Protection settings for a given managed instance | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/databases/advancedThreatProtectionSettings/read | Retrieve a list of the managed database Advanced Threat Protection settings configured for a given managed database | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/databases/advancedThreatProtectionSettings/write | Change the database Advanced Threat Protection settings for a given managed database | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/advancedThreatProtectionSettings/read | Retrieve a list of managed instance Advanced Threat Protection settings configured for a given instance | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/advancedThreatProtectionSettings/write | Change the managed instance Advanced Threat Protection 
settings for a given managed instance | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/databases/advancedThreatProtectionSettings/read | Retrieve a list of the managed database Advanced Threat Protection settings configured for a given managed database | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/databases/advancedThreatProtectionSettings/write | Change the database Advanced Threat Protection settings for a given managed database | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/databases/currentSensitivityLabels/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/databases/recommendedSensitivityLabels/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/databases/securityAlertPolicies/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/databases/sensitivityLabels/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/databases/vulnerabilityAssessments/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/advancedThreatProtectionSettings/read | Retrieve a list of server Advanced Threat Protection settings configured for a given server | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/advancedThreatProtectionSettings/write | Change the server Advanced Threat Protection settings for a given server | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/securityAlertPolicies/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/databases/transparentDataEncryption/* | | -> | 
[Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/vulnerabilityAssessments/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/serverConfigurationOptions/read | Gets properties for the specified Azure SQL Managed Instance Server Configuration Option. | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/serverConfigurationOptions/write | Updates Azure SQL Managed Instance's Server Configuration Option properties for the specified instance. | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/locations/serverConfigurationOptionAzureAsyncOperation/read | Gets the status of Azure SQL Managed Instance Server Configuration Option Azure async operation. | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/advancedThreatProtectionSettings/read | Retrieve a list of server Advanced Threat Protection settings configured for a given server | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/advancedThreatProtectionSettings/write | Change the server Advanced Threat Protection settings for a given server | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/auditingSettings/* | Create and manage SQL server auditing setting | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/extendedAuditingSettings/read | Retrieve details of the extended server blob auditing policy configured on a given server | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/advancedThreatProtectionSettings/read | Retrieve a list of database Advanced Threat Protection settings configured for a given database | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/advancedThreatProtectionSettings/write | Change the database Advanced Threat Protection settings for a given database | -> | 
[Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/advancedThreatProtectionSettings/read | Retrieve a list of database Advanced Threat Protection settings configured for a given database | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/advancedThreatProtectionSettings/write | Change the database Advanced Threat Protection settings for a given database | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/auditingSettings/* | Create and manage SQL server database auditing settings | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/auditRecords/read | Retrieve the database blob audit records | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/currentSensitivityLabels/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/dataMaskingPolicies/* | Create and manage SQL server database data masking policies | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/extendedAuditingSettings/read | Retrieve details of the extended blob auditing policy configured on a given database | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/read | Return the list of databases or gets the properties for the specified database. | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/recommendedSensitivityLabels/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/schemas/read | Get a database schema. | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/schemas/tables/columns/read | Get a database column. 
| -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/schemas/tables/columns/sensitivityLabels/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/schemas/tables/read | Get a database table. | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/securityAlertPolicies/* | Create and manage SQL server database security alert policies | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/securityMetrics/* | Create and manage SQL server database security metrics | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/sensitivityLabels/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/transparentDataEncryption/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/sqlvulnerabilityAssessments/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/vulnerabilityAssessments/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/vulnerabilityAssessmentScans/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/vulnerabilityAssessmentSettings/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/devOpsAuditingSettings/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/firewallRules/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/read | Return the list of servers or gets the properties for the specified server. 
| -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/securityAlertPolicies/* | Create and manage SQL server security alert policies | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/sqlvulnerabilityAssessments/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/vulnerabilityAssessments/* | | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/azureADOnlyAuthentications/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/read | Return the list of managed instances or gets the properties for the specified managed instance. | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/azureADOnlyAuthentications/* | | -> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/sqlVulnerabilityAssessments/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/administrators/read | Gets a list of managed instance administrators. 
| -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/administrators/read | Gets a specific Azure Active Directory administrator object | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/ledgerDigestUploads/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/locations/ledgerDigestUploadsAzureAsyncOperation/read | Gets in-progress operations of ledger digest upload settings | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/locations/ledgerDigestUploadsOperationResults/read | Gets in-progress operations of ledger digest upload settings | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/externalPolicyBasedAuthorizations/* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage the security-related policies of SQL servers and databases, but not access to them.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", - "name": "056cd41c-7e88-42e1-933e-88ba6a50c9c3", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Sql/locations/administratorAzureAsyncOperation/read", - "Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read", - "Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write", - "Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read", - "Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write", - "Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read", 
- "Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write", - "Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read", - "Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write", - "Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*", - "Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*", - "Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*", - "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*", - "Microsoft.Sql/managedInstances/databases/sensitivityLabels/*", - "Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*", - "Microsoft.Sql/servers/advancedThreatProtectionSettings/read", - "Microsoft.Sql/servers/advancedThreatProtectionSettings/write", - "Microsoft.Sql/managedInstances/securityAlertPolicies/*", - "Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*", - "Microsoft.Sql/managedInstances/vulnerabilityAssessments/*", - "Microsoft.Sql/managedInstances/serverConfigurationOptions/read", - "Microsoft.Sql/managedInstances/serverConfigurationOptions/write", - "Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/read", - "Microsoft.Sql/servers/advancedThreatProtectionSettings/read", - "Microsoft.Sql/servers/advancedThreatProtectionSettings/write", - "Microsoft.Sql/servers/auditingSettings/*", - "Microsoft.Sql/servers/extendedAuditingSettings/read", - "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read", - "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write", - "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read", - "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write", - "Microsoft.Sql/servers/databases/auditingSettings/*", - "Microsoft.Sql/servers/databases/auditRecords/read", - "Microsoft.Sql/servers/databases/currentSensitivityLabels/*", - 
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*", - "Microsoft.Sql/servers/databases/extendedAuditingSettings/read", - "Microsoft.Sql/servers/databases/read", - "Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*", - "Microsoft.Sql/servers/databases/schemas/read", - "Microsoft.Sql/servers/databases/schemas/tables/columns/read", - "Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*", - "Microsoft.Sql/servers/databases/schemas/tables/read", - "Microsoft.Sql/servers/databases/securityAlertPolicies/*", - "Microsoft.Sql/servers/databases/securityMetrics/*", - "Microsoft.Sql/servers/databases/sensitivityLabels/*", - "Microsoft.Sql/servers/databases/transparentDataEncryption/*", - "Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/*", - "Microsoft.Sql/servers/databases/vulnerabilityAssessments/*", - "Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*", - "Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*", - "Microsoft.Sql/servers/devOpsAuditingSettings/*", - "Microsoft.Sql/servers/firewallRules/*", - "Microsoft.Sql/servers/read", - "Microsoft.Sql/servers/securityAlertPolicies/*", - "Microsoft.Sql/servers/sqlvulnerabilityAssessments/*", - "Microsoft.Sql/servers/vulnerabilityAssessments/*", - "Microsoft.Support/*", - "Microsoft.Sql/servers/azureADOnlyAuthentications/*", - "Microsoft.Sql/managedInstances/read", - "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*", - "Microsoft.Security/sqlVulnerabilityAssessments/*", - "Microsoft.Sql/managedInstances/administrators/read", - "Microsoft.Sql/servers/administrators/read", - "Microsoft.Sql/servers/databases/ledgerDigestUploads/*", - "Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read", - "Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read", - "Microsoft.Sql/servers/externalPolicyBasedAuthorizations/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "SQL Security 
Manager", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### SQL Server Contributor --Lets you manage SQL servers and databases, but not access to them, and not their security-related policies. --[Learn more](/azure/azure-sql/database/authentication-aad-configure) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/locations/*/read | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/* | Create and manage SQL servers | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metrics/read | Read metrics | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricDefinitions/read | Read metric definitions | -> | **NotActions** | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/databases/currentSensitivityLabels/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/databases/recommendedSensitivityLabels/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/databases/securityAlertPolicies/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/databases/sensitivityLabels/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/databases/vulnerabilityAssessments/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/securityAlertPolicies/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/managedInstances/vulnerabilityAssessments/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/auditingSettings/* | Edit SQL server auditing settings | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/auditingSettings/* | Edit SQL server database auditing settings | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/auditRecords/read | Retrieve the database blob audit records | -> | 
[Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/currentSensitivityLabels/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/dataMaskingPolicies/* | Edit SQL server database data masking policies | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/extendedAuditingSettings/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/recommendedSensitivityLabels/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/schemas/tables/columns/sensitivityLabels/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/securityAlertPolicies/* | Edit SQL server database security alert policies | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/securityMetrics/* | Edit SQL server database security metrics | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/sensitivityLabels/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/vulnerabilityAssessments/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/vulnerabilityAssessmentScans/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/databases/vulnerabilityAssessmentSettings/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/devOpsAuditingSettings/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/extendedAuditingSettings/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/securityAlertPolicies/* | Edit SQL server security alert policies | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/vulnerabilityAssessments/* | | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/azureADOnlyAuthentications/delete | Deletes a 
specific server Azure Active Directory only authentication object | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/azureADOnlyAuthentications/write | Adds or updates a specific server Azure Active Directory only authentication object | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/externalPolicyBasedAuthorizations/delete | Deletes a specific server external policy based authorization property | -> | [Microsoft.Sql](resource-provider-operations.md#microsoftsql)/servers/externalPolicyBasedAuthorizations/write | Adds or updates a specific server external policy based authorization property | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage SQL servers and databases, but not access to them, and not their security -related policies.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437", - "name": "6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Sql/locations/*/read", - "Microsoft.Sql/servers/*", - "Microsoft.Support/*", - "Microsoft.Insights/metrics/read", - "Microsoft.Insights/metricDefinitions/read" - ], - "notActions": [ - "Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*", - "Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*", - "Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*", - "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*", - "Microsoft.Sql/managedInstances/databases/sensitivityLabels/*", - "Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*", - 
"Microsoft.Sql/managedInstances/securityAlertPolicies/*", - "Microsoft.Sql/managedInstances/vulnerabilityAssessments/*", - "Microsoft.Sql/servers/auditingSettings/*", - "Microsoft.Sql/servers/databases/auditingSettings/*", - "Microsoft.Sql/servers/databases/auditRecords/read", - "Microsoft.Sql/servers/databases/currentSensitivityLabels/*", - "Microsoft.Sql/servers/databases/dataMaskingPolicies/*", - "Microsoft.Sql/servers/databases/extendedAuditingSettings/*", - "Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*", - "Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*", - "Microsoft.Sql/servers/databases/securityAlertPolicies/*", - "Microsoft.Sql/servers/databases/securityMetrics/*", - "Microsoft.Sql/servers/databases/sensitivityLabels/*", - "Microsoft.Sql/servers/databases/vulnerabilityAssessments/*", - "Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*", - "Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*", - "Microsoft.Sql/servers/devOpsAuditingSettings/*", - "Microsoft.Sql/servers/extendedAuditingSettings/*", - "Microsoft.Sql/servers/securityAlertPolicies/*", - "Microsoft.Sql/servers/vulnerabilityAssessments/*", - "Microsoft.Sql/servers/azureADOnlyAuthentications/delete", - "Microsoft.Sql/servers/azureADOnlyAuthentications/write", - "Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete", - "Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write" - ], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "SQL Server Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --## Analytics ---### Azure Event Hubs Data Owner --Allows for full access to Azure Event Hubs resources. 
--[Learn more](/azure/event-hubs/authenticate-application) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.EventHub](resource-provider-operations.md#microsofteventhub)/* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.EventHub](resource-provider-operations.md#microsofteventhub)/* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for full access to Azure Event Hubs resources.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", - "name": "f526a384-b230-433a-b45c-95f59c4a2dec", - "permissions": [ - { - "actions": [ - "Microsoft.EventHub/*" - ], - "notActions": [], - "dataActions": [ - "Microsoft.EventHub/*" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Event Hubs Data Owner", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Event Hubs Data Receiver --Allows receive access to Azure Event Hubs resources. 
--[Learn more](/azure/event-hubs/authenticate-application) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.EventHub](resource-provider-operations.md#microsofteventhub)/*/eventhubs/consumergroups/read | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.EventHub](resource-provider-operations.md#microsofteventhub)/*/receive/action | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows receive access to Azure Event Hubs resources.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde", - "name": "a638d3c7-ab3a-418d-83e6-5f17a39d4fde", - "permissions": [ - { - "actions": [ - "Microsoft.EventHub/*/eventhubs/consumergroups/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.EventHub/*/receive/action" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Event Hubs Data Receiver", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Event Hubs Data Sender --Allows send access to Azure Event Hubs resources. 
--[Learn more](/azure/event-hubs/authenticate-application) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.EventHub](resource-provider-operations.md#microsofteventhub)/*/eventhubs/read | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.EventHub](resource-provider-operations.md#microsofteventhub)/*/send/action | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows send access to Azure Event Hubs resources.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975", - "name": "2b629674-e913-4c01-ae53-ef4638d8f975", - "permissions": [ - { - "actions": [ - "Microsoft.EventHub/*/eventhubs/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.EventHub/*/send/action" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Event Hubs Data Sender", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Data Factory Contributor --Create and manage data factories, as well as child resources within them. --[Learn more](/azure/data-factory/concepts-roles-permissions) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.DataFactory](resource-provider-operations.md#microsoftdatafactory)/dataFactories/* | Create and manage data factories, and child resources within them. | -> | [Microsoft.DataFactory](resource-provider-operations.md#microsoftdatafactory)/factories/* | Create and manage data factories, and child resources within them. 
| -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/eventSubscriptions/write | Create or update an eventSubscription | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Create and manage data factories, as well as child resources within them.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5", - "name": "673868aa-7521-48a0-acc6-0f60742d39f5", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.DataFactory/dataFactories/*", - "Microsoft.DataFactory/factories/*", - "Microsoft.Insights/alertRules/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.EventGrid/eventSubscriptions/write" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Data Factory Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Data Purger --Delete private data from a Log Analytics workspace. 
--[Learn more](/azure/azure-monitor/logs/personal-data-mgmt) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/components/*/read | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/components/purge/action | Purging data from Application Insights | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/*/read | View log analytics data | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/purge/action | Delete specified data by query from workspace. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can purge analytics data", - "id": "/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90", - "name": "150f5e0c-0603-4f03-8c7f-cf70034c4e90", - "permissions": [ - { - "actions": [ - "Microsoft.Insights/components/*/read", - "Microsoft.Insights/components/purge/action", - "Microsoft.OperationalInsights/workspaces/*/read", - "Microsoft.OperationalInsights/workspaces/purge/action" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Data Purger", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### HDInsight Cluster Operator --Lets you read and modify HDInsight cluster configurations. 
--[Learn more](/azure/hdinsight/hdinsight-migrate-granular-access-cluster-configurations) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.HDInsight](resource-provider-operations.md#microsofthdinsight)/*/read | | -> | [Microsoft.HDInsight](resource-provider-operations.md#microsofthdinsight)/clusters/getGatewaySettings/action | Get gateway settings for HDInsight Cluster | -> | [Microsoft.HDInsight](resource-provider-operations.md#microsofthdinsight)/clusters/updateGatewaySettings/action | Update gateway settings for HDInsight Cluster | -> | [Microsoft.HDInsight](resource-provider-operations.md#microsofthdinsight)/clusters/configurations/* | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you read and modify HDInsight cluster configurations.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a", - "name": "61ed4efc-fab3-44fd-b111-e24485cc132a", - "permissions": [ - { - "actions": [ - "Microsoft.HDInsight/*/read", - "Microsoft.HDInsight/clusters/getGatewaySettings/action", - "Microsoft.HDInsight/clusters/updateGatewaySettings/action", - 
"Microsoft.HDInsight/clusters/configurations/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/deployments/operations/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Authorization/*/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "HDInsight Cluster Operator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### HDInsight Domain Services Contributor --Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package --[Learn more](/azure/hdinsight/domain-joined/apache-domain-joined-configure-using-azure-adds) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.AAD](resource-provider-operations.md#microsoftaad)/*/read | | -> | [Microsoft.AAD](resource-provider-operations.md#microsoftaad)/domainServices/*/read | | -> | [Microsoft.AAD](resource-provider-operations.md#microsoftaad)/domainServices/oucontainer/* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package", - "id": "/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c", - "name": "8d8d5a11-05d3-4bda-a417-a08778121c7c", - "permissions": [ - { - "actions": [ - "Microsoft.AAD/*/read", - "Microsoft.AAD/domainServices/*/read", - "Microsoft.AAD/domainServices/oucontainer/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "HDInsight Domain Services Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Log Analytics Contributor --Log Analytics Contributor can read all monitoring data 
and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources. --[Learn more](/azure/azure-monitor/logs/manage-access) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | */read | Read resources of all types, except secrets. | -> | [Microsoft.ClassicCompute](resource-provider-operations.md#microsoftclassiccompute)/virtualMachines/extensions/* | | -> | [Microsoft.ClassicStorage](resource-provider-operations.md#microsoftclassicstorage)/storageAccounts/listKeys/action | Lists the access keys for the storage accounts. | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/extensions/* | | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/extensions/write | Installs or Updates an Azure Arc extensions | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/* | | -> | [Microsoft.OperationsManagement](resource-provider-operations.md#microsoftoperationsmanagement)/* | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourcegroups/deployments/* | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "name": "92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "permissions": [ - { - "actions": [ - "*/read", - "Microsoft.ClassicCompute/virtualMachines/extensions/*", - "Microsoft.ClassicStorage/storageAccounts/listKeys/action", - "Microsoft.Compute/virtualMachines/extensions/*", - "Microsoft.HybridCompute/machines/extensions/write", - "Microsoft.Insights/alertRules/*", - "Microsoft.Insights/diagnosticSettings/*", - "Microsoft.OperationalInsights/*", - "Microsoft.OperationsManagement/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourcegroups/deployments/*", - "Microsoft.Storage/storageAccounts/listKeys/action", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Log Analytics Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Log Analytics Reader --Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. 
--[Learn more](/azure/azure-monitor/logs/manage-access) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | */read | Read resources of all types, except secrets. | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/analytics/query/action | Search using new engine. | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/search/action | Executes a search query | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/sharedKeys/read | Retrieves the shared keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace. | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", - "name": "73c42c96-874c-492b-b04d-ab87d138a893", - "permissions": [ - { - "actions": [ - "*/read", - "Microsoft.OperationalInsights/workspaces/analytics/query/action", - "Microsoft.OperationalInsights/workspaces/search/action", - "Microsoft.Support/*" - ], - "notActions": [ - "Microsoft.OperationalInsights/workspaces/sharedKeys/read" - ], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Log Analytics Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Schema Registry Contributor (Preview) --Read, write, and delete Schema Registry groups and schemas. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.EventHub](resource-provider-operations.md#microsofteventhub)/namespaces/schemagroups/* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.EventHub](resource-provider-operations.md#microsofteventhub)/namespaces/schemas/* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Read, write, and delete Schema Registry groups and schemas.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/5dffeca3-4936-4216-b2bc-10343a5abb25", - "name": "5dffeca3-4936-4216-b2bc-10343a5abb25", - "permissions": [ - { - "actions": [ - "Microsoft.EventHub/namespaces/schemagroups/*" - ], - "notActions": [], - "dataActions": [ - "Microsoft.EventHub/namespaces/schemas/*" - ], - "notDataActions": [] - } - ], - "roleName": "Schema Registry Contributor (Preview)", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Schema Registry Reader (Preview) --Read and list Schema Registry groups and schemas. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.EventHub](resource-provider-operations.md#microsofteventhub)/namespaces/schemagroups/read | Get list of SchemaGroup Resource Descriptions | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.EventHub](resource-provider-operations.md#microsofteventhub)/namespaces/schemas/read | Retrieve schemas | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Read and list Schema Registry groups and schemas.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/2c56ea50-c6b3-40a6-83c0-9d98858bc7d2", - "name": "2c56ea50-c6b3-40a6-83c0-9d98858bc7d2", - "permissions": [ - { - "actions": [ - "Microsoft.EventHub/namespaces/schemagroups/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.EventHub/namespaces/schemas/read" - ], - "notDataActions": [] - } - ], - "roleName": "Schema Registry Reader (Preview)", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Stream Analytics Query Tester --Lets you perform query testing without creating a stream analytics job first --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.StreamAnalytics](resource-provider-operations.md#microsoftstreamanalytics)/locations/TestQuery/action | Test Query for Stream Analytics Resource Provider | -> | [Microsoft.StreamAnalytics](resource-provider-operations.md#microsoftstreamanalytics)/locations/OperationResults/read | Read Stream Analytics Operation Result | -> | [Microsoft.StreamAnalytics](resource-provider-operations.md#microsoftstreamanalytics)/locations/SampleInput/action | Sample Input for Stream Analytics Resource Provider | -> | [Microsoft.StreamAnalytics](resource-provider-operations.md#microsoftstreamanalytics)/locations/CompileQuery/action | Compile Query for Stream Analytics Resource Provider | -> | **NotActions** | | -> | *none* | | 
-> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you perform query testing without creating a stream analytics job first", - "id": "/providers/Microsoft.Authorization/roleDefinitions/1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf", - "name": "1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf", - "permissions": [ - { - "actions": [ - "Microsoft.StreamAnalytics/locations/TestQuery/action", - "Microsoft.StreamAnalytics/locations/OperationResults/read", - "Microsoft.StreamAnalytics/locations/SampleInput/action", - "Microsoft.StreamAnalytics/locations/CompileQuery/action" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Stream Analytics Query Tester", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --## AI + machine learning ---### AzureML Compute Operator --Can access and perform CRUD operations on Machine Learning Services managed compute resources (including Notebook VMs). 
--[Learn more](/azure/machine-learning/how-to-assign-roles) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.MachineLearningServices](resource-provider-operations.md#microsoftmachinelearningservices)/workspaces/computes/* | | -> | [Microsoft.MachineLearningServices](resource-provider-operations.md#microsoftmachinelearningservices)/workspaces/notebooks/vm/* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can access and perform CRUD operations on Machine Learning Services managed compute resources (including Notebook VMs).", - "id": "/providers/Microsoft.Authorization/roleDefinitions/e503ece1-11d0-4e8e-8e2c-7a6c3bf38815", - "name": "e503ece1-11d0-4e8e-8e2c-7a6c3bf38815", - "permissions": [ - { - "actions": [ - "Microsoft.MachineLearningServices/workspaces/computes/*", - "Microsoft.MachineLearningServices/workspaces/notebooks/vm/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "AzureML Compute Operator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### AzureML Data Scientist --Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself. 
--[Learn more](/azure/machine-learning/how-to-assign-roles) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.MachineLearningServices](resource-provider-operations.md#microsoftmachinelearningservices)/workspaces/*/read | | -> | [Microsoft.MachineLearningServices](resource-provider-operations.md#microsoftmachinelearningservices)/workspaces/*/action | | -> | [Microsoft.MachineLearningServices](resource-provider-operations.md#microsoftmachinelearningservices)/workspaces/*/delete | | -> | [Microsoft.MachineLearningServices](resource-provider-operations.md#microsoftmachinelearningservices)/workspaces/*/write | | -> | **NotActions** | | -> | [Microsoft.MachineLearningServices](resource-provider-operations.md#microsoftmachinelearningservices)/workspaces/delete | Deletes the Machine Learning Services Workspace(s) | -> | [Microsoft.MachineLearningServices](resource-provider-operations.md#microsoftmachinelearningservices)/workspaces/write | Creates or updates a Machine Learning Services Workspace(s) | -> | [Microsoft.MachineLearningServices](resource-provider-operations.md#microsoftmachinelearningservices)/workspaces/computes/*/write | | -> | [Microsoft.MachineLearningServices](resource-provider-operations.md#microsoftmachinelearningservices)/workspaces/computes/*/delete | | -> | [Microsoft.MachineLearningServices](resource-provider-operations.md#microsoftmachinelearningservices)/workspaces/computes/listKeys/action | List secrets for compute resources in Machine Learning Services Workspace | -> | [Microsoft.MachineLearningServices](resource-provider-operations.md#microsoftmachinelearningservices)/workspaces/listKeys/action | List secrets for a Machine Learning Services Workspace | -> | [Microsoft.MachineLearningServices](resource-provider-operations.md#microsoftmachinelearningservices)/workspaces/hubs/write | Creates or updates a Machine Learning Services Hub Workspace(s) | -> | 
[Microsoft.MachineLearningServices](resource-provider-operations.md#microsoftmachinelearningservices)/workspaces/hubs/delete | Deletes the Machine Learning Services Hub Workspace(s) | -> | [Microsoft.MachineLearningServices](resource-provider-operations.md#microsoftmachinelearningservices)/workspaces/featurestores/write | Creates or Updates the Machine Learning Services FeatureStore(s) | -> | [Microsoft.MachineLearningServices](resource-provider-operations.md#microsoftmachinelearningservices)/workspaces/featurestores/delete | Deletes the Machine Learning Services FeatureStore(s) | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/f6c7c914-8db3-469d-8ca1-694a8f32e121", - "name": "f6c7c914-8db3-469d-8ca1-694a8f32e121", - "permissions": [ - { - "actions": [ - "Microsoft.MachineLearningServices/workspaces/*/read", - "Microsoft.MachineLearningServices/workspaces/*/action", - "Microsoft.MachineLearningServices/workspaces/*/delete", - "Microsoft.MachineLearningServices/workspaces/*/write" - ], - "notActions": [ - "Microsoft.MachineLearningServices/workspaces/delete", - "Microsoft.MachineLearningServices/workspaces/write", - "Microsoft.MachineLearningServices/workspaces/computes/*/write", - "Microsoft.MachineLearningServices/workspaces/computes/*/delete", - "Microsoft.MachineLearningServices/workspaces/computes/listKeys/action", - "Microsoft.MachineLearningServices/workspaces/listKeys/action", - "Microsoft.MachineLearningServices/workspaces/hubs/write", - "Microsoft.MachineLearningServices/workspaces/hubs/delete", - "Microsoft.MachineLearningServices/workspaces/featurestores/write", - "Microsoft.MachineLearningServices/workspaces/featurestores/delete" - ], - 
"dataActions": [], - "notDataActions": [] - } - ], - "roleName": "AzureML Data Scientist", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Cognitive Services Contributor --Lets you create, read, update, delete and manage keys of Cognitive Services. --[Learn more](/azure/ai-services/openai/how-to/role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/* | | -> | [Microsoft.Features](resource-provider-operations.md#microsoftfeatures)/features/read | Gets the features of a subscription. | -> | [Microsoft.Features](resource-provider-operations.md#microsoftfeatures)/providers/features/read | Gets the feature of a subscription in a given resource provider. | -> | [Microsoft.Features](resource-provider-operations.md#microsoftfeatures)/providers/features/register/action | Registers the feature for a subscription in a given resource provider. 
| -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/logDefinitions/read | Read log definitions | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricdefinitions/read | Read metric definitions | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metrics/read | Read metrics | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourcegroups/deployments/* | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you create, read, update, delete and manage keys of Cognitive Services.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68", - "name": "25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.CognitiveServices/*", - "Microsoft.Features/features/read", - "Microsoft.Features/providers/features/read", - "Microsoft.Features/providers/features/register/action", - "Microsoft.Insights/alertRules/*", - "Microsoft.Insights/diagnosticSettings/*", - "Microsoft.Insights/logDefinitions/read", - "Microsoft.Insights/metricdefinitions/read", - "Microsoft.Insights/metrics/read", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/deployments/operations/read", - "Microsoft.Resources/subscriptions/operationresults/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Resources/subscriptions/resourcegroups/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Cognitive Services Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Cognitive Services Custom Vision Contributor --Full access to the project, including the ability to view, create, edit, or delete projects. 
--[Learn more](/azure/ai-services/custom-vision-service/role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/*/read | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Full access to the project, including the ability to view, create, edit, or delete projects.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3", - "name": "c1ff6cc2-c111-46fe-8896-e0ef812ad9f3", - "permissions": [ - { - "actions": [ - "Microsoft.CognitiveServices/*/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.CognitiveServices/accounts/CustomVision/*" - ], - "notDataActions": [] - } - ], - "roleName": "Cognitive Services Custom Vision Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Cognitive Services Custom Vision Deployment --Publish, unpublish or export models. Deployment can view the project but can't update. 
--[Learn more](/azure/ai-services/custom-vision-service/role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/*/read | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/*/read | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/predictions/* | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/iterations/publish/* | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/iterations/export/* | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/quicktest/* | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/classify/* | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/detect/* | | -> | **NotDataActions** | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/export/read | Exports a project. | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Publish, unpublish or export models. 
Deployment can view the project but can't update.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f", - "name": "5c4089e1-6d96-4d2f-b296-c1bc7137275f", - "permissions": [ - { - "actions": [ - "Microsoft.CognitiveServices/*/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.CognitiveServices/accounts/CustomVision/*/read", - "Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/*", - "Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/*", - "Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/*", - "Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/*", - "Microsoft.CognitiveServices/accounts/CustomVision/classify/*", - "Microsoft.CognitiveServices/accounts/CustomVision/detect/*" - ], - "notDataActions": [ - "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read" - ] - } - ], - "roleName": "Cognitive Services Custom Vision Deployment", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Cognitive Services Custom Vision Labeler --View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags. --[Learn more](/azure/ai-services/custom-vision-service/role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/*/read | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/*/read | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/predictions/query/action | Get images that were sent to your prediction endpoint. 
| -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/images/* | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/tags/* | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/images/suggested/* | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/tagsandregions/suggestions/action | This API will get suggested tags and regions for an array/batch of untagged images along with confidences for the tags. It returns an empty array if no tags are found. | -> | **NotDataActions** | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/export/read | Exports a project. | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "View, edit training images and create, add, remove, or delete the image tags. 
Labelers can view the project but can't update anything other than training images and tags.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c", - "name": "88424f51-ebe7-446f-bc41-7fa16989e96c", - "permissions": [ - { - "actions": [ - "Microsoft.CognitiveServices/*/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.CognitiveServices/accounts/CustomVision/*/read", - "Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action", - "Microsoft.CognitiveServices/accounts/CustomVision/projects/images/*", - "Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/*", - "Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/*", - "Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action" - ], - "notDataActions": [ - "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read" - ] - } - ], - "roleName": "Cognitive Services Custom Vision Labeler", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Cognitive Services Custom Vision Reader --Read-only actions in the project. Readers can't create or update the project. --[Learn more](/azure/ai-services/custom-vision-service/role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/*/read | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/*/read | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/predictions/query/action | Get images that were sent to your prediction endpoint. 
| -> | **NotDataActions** | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/export/read | Exports a project. | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Read-only actions in the project. Readers can't create or update the project.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73", - "name": "93586559-c37d-4a6b-ba08-b9f0940c2d73", - "permissions": [ - { - "actions": [ - "Microsoft.CognitiveServices/*/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.CognitiveServices/accounts/CustomVision/*/read", - "Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action" - ], - "notDataActions": [ - "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read" - ] - } - ], - "roleName": "Cognitive Services Custom Vision Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Cognitive Services Custom Vision Trainer --View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project. --[Learn more](/azure/ai-services/custom-vision-service/role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/*/read | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/* | | -> | **NotDataActions** | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/action | Create a project. 
| -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/delete | Delete a specific project. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/import/action | Imports a project. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/CustomVision/projects/export/read | Exports a project. | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b", - "name": "0a5ae4ab-0d65-4eeb-be61-29fc9b54394b", - "permissions": [ - { - "actions": [ - "Microsoft.CognitiveServices/*/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.CognitiveServices/accounts/CustomVision/*" - ], - "notDataActions": [ - "Microsoft.CognitiveServices/accounts/CustomVision/projects/action", - "Microsoft.CognitiveServices/accounts/CustomVision/projects/delete", - "Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action", - "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read" - ] - } - ], - "roleName": "Cognitive Services Custom Vision Trainer", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Cognitive Services Data Reader (Preview) --Lets you read Cognitive Services data. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/*/read | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you read Cognitive Services data.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c", - "name": "b59867f0-fa02-499b-be73-45a86b5b3e1c", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.CognitiveServices/*/read" - ], - "notDataActions": [] - } - ], - "roleName": "Cognitive Services Data Reader (Preview)", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Cognitive Services Face Recognizer --Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices. --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/Face/detect/action | Detect human faces in an image, return face rectangles, and optionally with faceIds, landmarks, and attributes. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/Face/verify/action | Verify whether two faces belong to a same person or whether one face belongs to a person. 
| -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/Face/identify/action | 1-to-many identification to find the closest matches of the specific query person face from a person group or large person group. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/Face/group/action | Divide candidate faces into groups based on face similarity. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/Face/findsimilars/action | Given query face's faceId, to search the similar-looking faces from a faceId array, a face list or a large face list. faceId | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/Face/detectliveness/multimodal/action | <p>Performs liveness detection on a target face in a sequence of infrared, color and/or depth images, and returns the liveness classification of the target face as either ‘real face’, ‘spoof face’, or ‘uncertain’ if a classification cannot be made with the given inputs.</p> | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/Face/detectliveness/singlemodal/action | <p>Performs liveness detection on a target face in a sequence of images of the same modality (e.g. color or infrared), and returns the liveness classification of the target face as either ‘real face’, ‘spoof face’, or ‘uncertain’ if a classification cannot be made with the given inputs.</p> | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/Face/detectlivenesswithverify/singlemodal/action | Detects liveness of a target face in a sequence of images of the same stream type (e.g. color) and then compares with VerifyImage to return confidence score for identity scenarios. 
| -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/Face/*/sessions/action | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/Face/*/sessions/delete | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/Face/*/sessions/read | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/Face/*/sessions/audit/read | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/9894cab4-e18a-44aa-828b-cb588cd6f2d7", - "name": "9894cab4-e18a-44aa-828b-cb588cd6f2d7", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.CognitiveServices/accounts/Face/detect/action", - "Microsoft.CognitiveServices/accounts/Face/verify/action", - "Microsoft.CognitiveServices/accounts/Face/identify/action", - "Microsoft.CognitiveServices/accounts/Face/group/action", - "Microsoft.CognitiveServices/accounts/Face/findsimilars/action", - "Microsoft.CognitiveServices/accounts/Face/detectliveness/multimodal/action", - "Microsoft.CognitiveServices/accounts/Face/detectliveness/singlemodal/action", - "Microsoft.CognitiveServices/accounts/Face/detectlivenesswithverify/singlemodal/action", - "Microsoft.CognitiveServices/accounts/Face/*/sessions/action", - "Microsoft.CognitiveServices/accounts/Face/*/sessions/delete", - "Microsoft.CognitiveServices/accounts/Face/*/sessions/read", - "Microsoft.CognitiveServices/accounts/Face/*/sessions/audit/read" - ], - "notDataActions": [] - } - 
], - "roleName": "Cognitive Services Face Recognizer", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Cognitive Services Metrics Advisor Administrator --Full access to the project, including the system level configuration. --[Learn more](/azure/ai-services/metrics-advisor/how-tos/alerts) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/*/read | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/MetricsAdvisor/* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Full access to the project, including the system level configuration.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-4ec5-977c-e80c4affc34a", - "name": "cb43c632-a144-4ec5-977c-e80c4affc34a", - "permissions": [ - { - "actions": [ - "Microsoft.CognitiveServices/*/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.CognitiveServices/accounts/MetricsAdvisor/*" - ], - "notDataActions": [] - } - ], - "roleName": "Cognitive Services Metrics Advisor Administrator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Cognitive Services OpenAI Contributor --Full access including the ability to fine-tune, deploy and generate text --[Learn more](/azure/ai-services/openai/how-to/role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/*/read | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/deployments/write | Writes deployments. 
| -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/deployments/delete | Deletes deployments. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/raiPolicies/read | Gets all applicable policies under the account including default policies. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/raiPolicies/write | Create or update a custom Responsible AI policy. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/raiPolicies/delete | Deletes a custom Responsible AI policy that's not referenced by an existing deployment. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/commitmentplans/read | Reads commitment plans. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/commitmentplans/write | Writes commitment plans. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/commitmentplans/delete | Deletes commitment plans. | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/OpenAI/* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Full access including the ability to fine-tune, deploy and generate text", - "id": "/providers/Microsoft.Authorization/roleDefinitions/a001fd3d-188f-4b5d-821b-7da978bf7442", - "name": "a001fd3d-188f-4b5d-821b-7da978bf7442", - "permissions": [ - { - "actions": [ - "Microsoft.CognitiveServices/*/read", - "Microsoft.CognitiveServices/accounts/deployments/write", - "Microsoft.CognitiveServices/accounts/deployments/delete", - "Microsoft.CognitiveServices/accounts/raiPolicies/read", - "Microsoft.CognitiveServices/accounts/raiPolicies/write", - "Microsoft.CognitiveServices/accounts/raiPolicies/delete", - "Microsoft.CognitiveServices/accounts/commitmentplans/read", - "Microsoft.CognitiveServices/accounts/commitmentplans/write", - "Microsoft.CognitiveServices/accounts/commitmentplans/delete", - "Microsoft.Authorization/roleAssignments/read", - "Microsoft.Authorization/roleDefinitions/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.CognitiveServices/accounts/OpenAI/*" - ], - "notDataActions": [] - } - ], - "roleName": "Cognitive Services OpenAI Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Cognitive Services OpenAI User --Read access to view files, models, deployments. The ability to create completion and embedding calls. 
--[Learn more](/azure/ai-services/openai/how-to/role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/*/read | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/OpenAI/*/read | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/OpenAI/engines/completions/action | Create a completion from a chosen model | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/OpenAI/engines/search/action | Search for the most relevant documents using the current engine. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/OpenAI/engines/generate/action | (Intended for browsers only.) Stream generated text from the model via GET request. This method is provided because the browser-native EventSource method can only send GET requests. It supports a more limited set of configuration options than the POST variant. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/search/action | Search for the most relevant documents using the current engine. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/completions/action | Create a completion from a chosen model. 
| -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/chat/completions/action | Creates a completion for the chat message | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/extensions/chat/completions/action | Creates a completion for the chat message with extensions | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/embeddings/action | Return the embeddings for a given prompt. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/OpenAI/images/generations/action | Create image generations. | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Ability to view files, models, deployments. Readers are able to call inference operations such as chat completions and image generation.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/5e0bd9bd-7b93-4f28-af87-19fc36ad61bd", - "name": "5e0bd9bd-7b93-4f28-af87-19fc36ad61bd", - "permissions": [ - { - "actions": [ - "Microsoft.CognitiveServices/*/read", - "Microsoft.Authorization/roleAssignments/read", - "Microsoft.Authorization/roleDefinitions/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.CognitiveServices/accounts/OpenAI/*/read", - "Microsoft.CognitiveServices/accounts/OpenAI/engines/completions/action", - "Microsoft.CognitiveServices/accounts/OpenAI/engines/search/action", - "Microsoft.CognitiveServices/accounts/OpenAI/engines/generate/action", - "Microsoft.CognitiveServices/accounts/OpenAI/deployments/search/action", - "Microsoft.CognitiveServices/accounts/OpenAI/deployments/completions/action", - "Microsoft.CognitiveServices/accounts/OpenAI/deployments/chat/completions/action", - "Microsoft.CognitiveServices/accounts/OpenAI/deployments/extensions/chat/completions/action", 
- "Microsoft.CognitiveServices/accounts/OpenAI/deployments/embeddings/action", - "Microsoft.CognitiveServices/accounts/OpenAI/images/generations/action" - ], - "notDataActions": [] - } - ], - "roleName": "Cognitive Services OpenAI User", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Cognitive Services QnA Maker Editor --Let's you create, edit, import and export a KB. You cannot publish or delete a KB. --[Learn more](/azure/ai-services/qnamaker/) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/*/read | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/download/read | Download the knowledgebase. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/create/write | Asynchronous operation to create a new knowledgebase. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/write | Asynchronous operation to modify a knowledgebase or Replace knowledgebase contents. 
| -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/train/action | Train call to add suggestions to the knowledgebase. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/alterations/read | Download alterations from runtime. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/alterations/write | Replace alterations data. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/endpointkeys/read | Gets endpoint keys for an endpoint | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/endpointkeys/refreshkeys/action | Re-generates an endpoint key. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/endpointsettings/read | Gets endpoint settings for an endpoint | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/endpointsettings/write | Update endpoint seettings for an endpoint. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/operations/read | Gets details of a specific long running operation. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. 
| -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/download/read | Download the knowledgebase. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/create/write | Asynchronous operation to create a new knowledgebase. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/write | Asynchronous operation to modify a knowledgebase or Replace knowledgebase contents. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/train/action | Train call to add suggestions to the knowledgebase. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/alterations/read | Download alterations from runtime. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/alterations/write | Replace alterations data. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/endpointkeys/read | Gets endpoint keys for an endpoint | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action | Re-generates an endpoint key. 
| -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/endpointsettings/read | Gets endpoint settings for an endpoint | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/endpointsettings/write | Update endpoint seettings for an endpoint. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/operations/read | Gets details of a specific long running operation. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read | Download the knowledgebase. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write | Asynchronous operation to create a new knowledgebase. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/knowledgebases/write | Asynchronous operation to modify a knowledgebase or Replace knowledgebase contents. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action | Train call to add suggestions to the knowledgebase. 
| -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/alterations/read | Download alterations from runtime. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/alterations/write | Replace alterations data. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/endpointkeys/read | Gets endpoint keys for an endpoint | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action | Re-generates an endpoint key. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/endpointsettings/read | Gets endpoint settings for an endpoint | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/endpointsettings/write | Update endpoint seettings for an endpoint. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/operations/read | Gets details of a specific long running operation. | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Let's you create, edit, import and export a KB. 
You cannot publish or delete a KB.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025", - "name": "f4cc2bf9-21be-47a1-bdf1-5c5804381025", - "permissions": [ - { - "actions": [ - "Microsoft.CognitiveServices/*/read", - "Microsoft.Authorization/roleAssignments/read", - "Microsoft.Authorization/roleDefinitions/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read", - "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read", - "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write", - "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write", - "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action", - "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action", - "Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read", - "Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write", - "Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read", - "Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action", - "Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read", - "Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write", - "Microsoft.CognitiveServices/accounts/QnAMaker/operations/read", - "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read", - "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read", - "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write", - "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write", - "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action", - "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action", - "Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read", - 
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write", - "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read", - "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action", - "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read", - "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write", - "Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read", - "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read", - "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read", - "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write", - "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/write", - "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action", - "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action", - "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read", - "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/write", - "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read", - "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action", - "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read", - "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/write", - "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read" - ], - "notDataActions": [] - } - ], - "roleName": "Cognitive Services QnA Maker Editor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Cognitive Services QnA Maker Reader --Let's you read and test a KB only. 
--[Learn more](/azure/ai-services/qnamaker/) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/*/read | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/download/read | Download the knowledgebase. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/alterations/read | Download alterations from runtime. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/endpointkeys/read | Gets endpoint keys for an endpoint | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker/endpointsettings/read | Gets endpoint settings for an endpoint | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. 
| -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/download/read | Download the knowledgebase. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/alterations/read | Download alterations from runtime. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/endpointkeys/read | Gets endpoint keys for an endpoint | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/endpointsettings/read | Gets endpoint settings for an endpoint | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read | Download the knowledgebase. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/alterations/read | Download alterations from runtime. 
| -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/endpointkeys/read | Gets endpoint keys for an endpoint | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/endpointsettings/read | Gets endpoint settings for an endpoint | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Let's you read and test a KB only.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126", - "name": "466ccd10-b268-4a11-b098-b4849f024126", - "permissions": [ - { - "actions": [ - "Microsoft.CognitiveServices/*/read", - "Microsoft.Authorization/roleAssignments/read", - "Microsoft.Authorization/roleDefinitions/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read", - "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read", - "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action", - "Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read", - "Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read", - "Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read", - "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read", - "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read", - "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action", - "Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read", - "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read", - "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read", - "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read", - "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read", - 
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action", - "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read", - "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read", - "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read" - ], - "notDataActions": [] - } - ], - "roleName": "Cognitive Services QnA Maker Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Cognitive Services Usages Reader --Minimal permission to view Cognitive Services usages. --[Learn more](/azure/ai-services/openai/how-to/role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/locations/usages/read | Read all usages data | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Minimal permission to view Cognitive Services usages.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/bba48692-92b0-4667-a9ad-c31c7b334ac2", - "name": "bba48692-92b0-4667-a9ad-c31c7b334ac2", - "permissions": [ - { - "actions": [ - "Microsoft.CognitiveServices/locations/usages/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Cognitive Services Usages Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Cognitive Services User --Lets you read and list keys of Cognitive Services. 
--[Learn more](/azure/ai-services/authentication) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/*/read | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/listkeys/action | List keys | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/read | Read a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/diagnosticSettings/read | Read a resource diagnostic setting | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/logDefinitions/read | Read log definitions | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricdefinitions/read | Read metric definitions | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metrics/read | Read metrics | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you read and list keys of Cognitive Services.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908", - "name": "a97b65f3-24c7-4388-baec-2e87135dc908", - "permissions": [ - { - "actions": [ - "Microsoft.CognitiveServices/*/read", - "Microsoft.CognitiveServices/accounts/listkeys/action", - "Microsoft.Insights/alertRules/read", - "Microsoft.Insights/diagnosticSettings/read", - "Microsoft.Insights/logDefinitions/read", - "Microsoft.Insights/metricdefinitions/read", - "Microsoft.Insights/metrics/read", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/operations/read", - "Microsoft.Resources/subscriptions/operationresults/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [ - "Microsoft.CognitiveServices/*" - ], - "notDataActions": [] - } - ], - "roleName": "Cognitive Services User", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --## Internet of things ---### Device Update Administrator --Gives you full access to management and content operations --[Learn more](/azure/iot-hub-device-update/device-update-control-access) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a 
deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.DeviceUpdate](resource-provider-operations.md#microsoftdeviceupdate)/accounts/instances/updates/read | Performs a read operation related to updates | -> | [Microsoft.DeviceUpdate](resource-provider-operations.md#microsoftdeviceupdate)/accounts/instances/updates/write | Performs a write operation related to updates | -> | [Microsoft.DeviceUpdate](resource-provider-operations.md#microsoftdeviceupdate)/accounts/instances/updates/delete | Performs a delete operation related to updates | -> | [Microsoft.DeviceUpdate](resource-provider-operations.md#microsoftdeviceupdate)/accounts/instances/management/read | Performs a read operation related to management | -> | [Microsoft.DeviceUpdate](resource-provider-operations.md#microsoftdeviceupdate)/accounts/instances/management/write | Performs a write operation related to management | -> | [Microsoft.DeviceUpdate](resource-provider-operations.md#microsoftdeviceupdate)/accounts/instances/management/delete | Performs a delete operation related to management | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Gives you full access to management and content operations", - "id": "/providers/Microsoft.Authorization/roleDefinitions/02ca0879-e8e4-47a5-a61e-5c618b76e64a", - "name": "02ca0879-e8e4-47a5-a61e-5c618b76e64a", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - 
"Microsoft.Support/*", - "Microsoft.Insights/alertRules/*" - ], - "notActions": [], - "dataActions": [ - "Microsoft.DeviceUpdate/accounts/instances/updates/read", - "Microsoft.DeviceUpdate/accounts/instances/updates/write", - "Microsoft.DeviceUpdate/accounts/instances/updates/delete", - "Microsoft.DeviceUpdate/accounts/instances/management/read", - "Microsoft.DeviceUpdate/accounts/instances/management/write", - "Microsoft.DeviceUpdate/accounts/instances/management/delete" - ], - "notDataActions": [] - } - ], - "roleName": "Device Update Administrator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Device Update Content Administrator --Gives you full access to content operations --[Learn more](/azure/iot-hub-device-update/device-update-control-access) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.DeviceUpdate](resource-provider-operations.md#microsoftdeviceupdate)/accounts/instances/updates/read | Performs a read operation related to updates | -> | [Microsoft.DeviceUpdate](resource-provider-operations.md#microsoftdeviceupdate)/accounts/instances/updates/write | Performs a write operation related to updates | -> | [Microsoft.DeviceUpdate](resource-provider-operations.md#microsoftdeviceupdate)/accounts/instances/updates/delete | Performs a delete operation related to updates | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Gives you full access to content operations", - "id": "/providers/Microsoft.Authorization/roleDefinitions/0378884a-3af5-44ab-8323-f5b22f9f3c98", - "name": "0378884a-3af5-44ab-8323-f5b22f9f3c98", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.Insights/alertRules/*" - ], - "notActions": [], - "dataActions": [ - "Microsoft.DeviceUpdate/accounts/instances/updates/read", - "Microsoft.DeviceUpdate/accounts/instances/updates/write", - "Microsoft.DeviceUpdate/accounts/instances/updates/delete" - ], - "notDataActions": [] - } - ], - "roleName": "Device Update Content Administrator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Device Update Content Reader --Gives you read access to content operations, but does not allow making changes --[Learn more](/azure/iot-hub-device-update/device-update-control-access) --> [!div class="mx-tableFixed"] -> | 
Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.DeviceUpdate](resource-provider-operations.md#microsoftdeviceupdate)/accounts/instances/updates/read | Performs a read operation related to updates | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Gives you read access to content operations, but does not allow making changes", - "id": "/providers/Microsoft.Authorization/roleDefinitions/d1ee9a80-8b14-47f0-bdc2-f4a351625a7b", - "name": "d1ee9a80-8b14-47f0-bdc2-f4a351625a7b", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.Insights/alertRules/*" - ], - "notActions": [], - "dataActions": [ - "Microsoft.DeviceUpdate/accounts/instances/updates/read" - ], - "notDataActions": [] - } - ], - "roleName": "Device Update Content Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Device Update Deployments Administrator --Gives you full access to management operations --[Learn more](/azure/iot-hub-device-update/device-update-control-access) --> [!div class="mx-tableFixed"] -> | Actions | Description | 
-> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.DeviceUpdate](resource-provider-operations.md#microsoftdeviceupdate)/accounts/instances/management/read | Performs a read operation related to management | -> | [Microsoft.DeviceUpdate](resource-provider-operations.md#microsoftdeviceupdate)/accounts/instances/management/write | Performs a write operation related to management | -> | [Microsoft.DeviceUpdate](resource-provider-operations.md#microsoftdeviceupdate)/accounts/instances/management/delete | Performs a delete operation related to management | -> | [Microsoft.DeviceUpdate](resource-provider-operations.md#microsoftdeviceupdate)/accounts/instances/updates/read | Performs a read operation related to updates | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Gives you full access to management operations", - "id": "/providers/Microsoft.Authorization/roleDefinitions/e4237640-0e3d-4a46-8fda-70bc94856432", - "name": "e4237640-0e3d-4a46-8fda-70bc94856432", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.Insights/alertRules/*" - ], - "notActions": [], - 
"dataActions": [ - "Microsoft.DeviceUpdate/accounts/instances/management/read", - "Microsoft.DeviceUpdate/accounts/instances/management/write", - "Microsoft.DeviceUpdate/accounts/instances/management/delete", - "Microsoft.DeviceUpdate/accounts/instances/updates/read" - ], - "notDataActions": [] - } - ], - "roleName": "Device Update Deployments Administrator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Device Update Deployments Reader --Gives you read access to management operations, but does not allow making changes --[Learn more](/azure/iot-hub-device-update/device-update-control-access) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.DeviceUpdate](resource-provider-operations.md#microsoftdeviceupdate)/accounts/instances/management/read | Performs a read operation related to management | -> | [Microsoft.DeviceUpdate](resource-provider-operations.md#microsoftdeviceupdate)/accounts/instances/updates/read | Performs a read operation related to updates | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Gives you read access to management operations, but does not allow making changes", - "id": "/providers/Microsoft.Authorization/roleDefinitions/49e2f5d2-7741-4835-8efa-19e1fe35e47f", - "name": "49e2f5d2-7741-4835-8efa-19e1fe35e47f", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.Insights/alertRules/*" - ], - "notActions": [], - "dataActions": [ - "Microsoft.DeviceUpdate/accounts/instances/management/read", - "Microsoft.DeviceUpdate/accounts/instances/updates/read" - ], - "notDataActions": [] - } - ], - "roleName": "Device Update Deployments Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Device Update Reader --Gives you read access to management and content operations, but does not allow making changes --[Learn more](/azure/iot-hub-device-update/device-update-control-access) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | 
[Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.DeviceUpdate](resource-provider-operations.md#microsoftdeviceupdate)/accounts/instances/updates/read | Performs a read operation related to updates | -> | [Microsoft.DeviceUpdate](resource-provider-operations.md#microsoftdeviceupdate)/accounts/instances/management/read | Performs a read operation related to management | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Gives you read access to management and content operations, but does not allow making changes", - "id": "/providers/Microsoft.Authorization/roleDefinitions/e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f", - "name": "e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.Insights/alertRules/*" - ], - "notActions": [], - "dataActions": [ - "Microsoft.DeviceUpdate/accounts/instances/updates/read", - "Microsoft.DeviceUpdate/accounts/instances/management/read" - ], - "notDataActions": [] - } - ], - "roleName": "Device Update Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### IoT Hub Data Contributor --Allows for full access to IoT Hub data plane operations. 
--[Learn more](/azure/iot-hub/iot-hub-dev-guide-azure-ad-rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Devices](resource-provider-operations.md#microsoftdevices)/IotHubs/* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for full access to IoT Hub data plane operations.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/4fc6c259-987e-4a07-842e-c321cc9d413f", - "name": "4fc6c259-987e-4a07-842e-c321cc9d413f", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.Devices/IotHubs/*" - ], - "notDataActions": [] - } - ], - "roleName": "IoT Hub Data Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### IoT Hub Data Reader --Allows for full read access to IoT Hub data-plane properties --[Learn more](/azure/iot-hub/iot-hub-dev-guide-azure-ad-rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Devices](resource-provider-operations.md#microsoftdevices)/IotHubs/*/read | | -> | [Microsoft.Devices](resource-provider-operations.md#microsoftdevices)/IotHubs/fileUpload/notifications/action | Receive, complete, or abandon file upload notifications | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for full read access to IoT Hub data-plane properties", - "id": "/providers/Microsoft.Authorization/roleDefinitions/b447c946-2db7-41ec-983d-d8bf3b1c77e3", - "name": "b447c946-2db7-41ec-983d-d8bf3b1c77e3", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.Devices/IotHubs/*/read", - "Microsoft.Devices/IotHubs/fileUpload/notifications/action" - ], - "notDataActions": 
[] - } - ], - "roleName": "IoT Hub Data Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### IoT Hub Registry Contributor --Allows for full access to IoT Hub device registry. --[Learn more](/azure/iot-hub/iot-hub-dev-guide-azure-ad-rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Devices](resource-provider-operations.md#microsoftdevices)/IotHubs/devices/* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for full access to IoT Hub device registry.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/4ea46cd5-c1b2-4a8e-910b-273211f9ce47", - "name": "4ea46cd5-c1b2-4a8e-910b-273211f9ce47", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.Devices/IotHubs/devices/*" - ], - "notDataActions": [] - } - ], - "roleName": "IoT Hub Registry Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### IoT Hub Twin Contributor --Allows for read and write access to all IoT Hub device and module twins. 
--[Learn more](/azure/iot-hub/iot-hub-dev-guide-azure-ad-rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Devices](resource-provider-operations.md#microsoftdevices)/IotHubs/twins/* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for read and write access to all IoT Hub device and module twins.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/494bdba2-168f-4f31-a0a1-191d2f7c028c", - "name": "494bdba2-168f-4f31-a0a1-191d2f7c028c", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.Devices/IotHubs/twins/*" - ], - "notDataActions": [] - } - ], - "roleName": "IoT Hub Twin Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --## Mixed reality ---### Remote Rendering Administrator --Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering --[Learn more](/azure/remote-rendering/how-tos/authentication) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/convert/action | Start asset conversion | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/convert/read | Get asset conversion properties | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/convert/delete | Stop asset conversion | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/managesessions/read | Get session properties | -> | 
[Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/managesessions/action | Start sessions | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/managesessions/delete | Stop sessions | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/render/read | Connect to a session | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/diagnostic/read | Connect to the Remote Rendering inspector | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering", - "id": "/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e", - "name": "3df8b902-2a6f-47c7-8cc5-360e9b272a7e", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.MixedReality/RemoteRenderingAccounts/convert/action", - "Microsoft.MixedReality/RemoteRenderingAccounts/convert/read", - "Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete", - "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read", - "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action", - "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete", - "Microsoft.MixedReality/RemoteRenderingAccounts/render/read", - "Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read" - ], - "notDataActions": [] - } - ], - "roleName": "Remote Rendering Administrator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Remote Rendering Client --Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering. 
--[Learn more](/azure/remote-rendering/how-tos/authentication) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/managesessions/read | Get session properties | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/managesessions/action | Start sessions | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/managesessions/delete | Stop sessions | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/render/read | Connect to a session | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/RemoteRenderingAccounts/diagnostic/read | Connect to the Remote Rendering inspector | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a", - "name": "d39065c4-c120-43c9-ab0a-63eed9795f0a", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read", - "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action", - "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete", - "Microsoft.MixedReality/RemoteRenderingAccounts/render/read", - "Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read" - ], - "notDataActions": [] - } - ], - "roleName": "Remote Rendering Client", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Spatial Anchors Account Contributor --Lets you 
manage spatial anchors in your account, but not delete them --[Learn more](/azure/spatial-anchors/concepts/authentication) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/create/action | Create spatial anchors | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/discovery/read | Discover nearby spatial anchors | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/properties/read | Get properties of spatial anchors | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/query/read | Locate spatial anchors | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/submitdiag/read | Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/write | Update spatial anchors properties | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage spatial anchors in your account, but not delete them", - "id": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827", - "name": "8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.MixedReality/SpatialAnchorsAccounts/create/action", - "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read", - "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read", - "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read", - "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read", - 
"Microsoft.MixedReality/SpatialAnchorsAccounts/write" - ], - "notDataActions": [] - } - ], - "roleName": "Spatial Anchors Account Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Spatial Anchors Account Owner --Lets you manage spatial anchors in your account, including deleting them --[Learn more](/azure/spatial-anchors/concepts/authentication) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/create/action | Create spatial anchors | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/delete | Delete spatial anchors | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/discovery/read | Discover nearby spatial anchors | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/properties/read | Get properties of spatial anchors | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/query/read | Locate spatial anchors | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/submitdiag/read | Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/write | Update spatial anchors properties | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage spatial anchors in your account, including deleting them", - "id": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c", - "name": 
"70bbe301-9835-447d-afdd-19eb3167307c", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.MixedReality/SpatialAnchorsAccounts/create/action", - "Microsoft.MixedReality/SpatialAnchorsAccounts/delete", - "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read", - "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read", - "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read", - "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read", - "Microsoft.MixedReality/SpatialAnchorsAccounts/write" - ], - "notDataActions": [] - } - ], - "roleName": "Spatial Anchors Account Owner", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Spatial Anchors Account Reader --Lets you locate and read properties of spatial anchors in your account --[Learn more](/azure/spatial-anchors/concepts/authentication) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/discovery/read | Discover nearby spatial anchors | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/properties/read | Get properties of spatial anchors | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/query/read | Locate spatial anchors | -> | [Microsoft.MixedReality](resource-provider-operations.md#microsoftmixedreality)/SpatialAnchorsAccounts/submitdiag/read | Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you locate and read properties of spatial anchors in your account", - "id": 
"/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413", - "name": "5d51204f-eb77-4b1c-b86a-2ec626c49413", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read", - "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read", - "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read", - "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read" - ], - "notDataActions": [] - } - ], - "roleName": "Spatial Anchors Account Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --## Integration ---### API Management Service Contributor --Can manage service and the APIs --[Learn more](/azure/api-management/api-management-role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/* | Create and manage API Management service | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can manage service and the APIs", - "id": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c", - "name": "312a565d-c81f-4fd8-895a-4e21e48d571c", - "permissions": [ - { - "actions": [ - "Microsoft.ApiManagement/service/*", - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "API Management Service Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### API Management Service Operator Role --Can manage service but not the APIs --[Learn more](/azure/api-management/api-management-role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/*/read | Read API Management Service instances | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/backup/action | Backup API Management Service to the specified container in a user provided storage account | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/delete | Delete API Management Service instance | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/managedeployments/action | Change SKU/units, add/remove regional deployments of API Management Service | -> | 
[Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/read | Read metadata for an API Management Service instance | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/restore/action | Restore API Management Service from the specified container in a user provided storage account | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/updatecertificate/action | Upload TLS/SSL certificate for an API Management Service | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/updatehostname/action | Setup, update or remove custom domain names for an API Management Service | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/write | Create or Update API Management Service instance | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/users/keys/read | Get keys associated with user | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can manage service but not the APIs", - "id": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61", - "name": "e022efe7-f5ba-4159-bbe4-b44f577e9b61", - "permissions": [ - { - "actions": [ - "Microsoft.ApiManagement/service/*/read", - "Microsoft.ApiManagement/service/backup/action", - "Microsoft.ApiManagement/service/delete", - "Microsoft.ApiManagement/service/managedeployments/action", - "Microsoft.ApiManagement/service/read", - "Microsoft.ApiManagement/service/restore/action", - "Microsoft.ApiManagement/service/updatecertificate/action", - "Microsoft.ApiManagement/service/updatehostname/action", - "Microsoft.ApiManagement/service/write", - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [ - "Microsoft.ApiManagement/service/users/keys/read" - ], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "API Management Service Operator Role", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### API Management Service Reader Role --Read-only access to service and APIs --[Learn more](/azure/api-management/api-management-role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/*/read | Read API 
Management Service instances | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/read | Read metadata for an API Management Service instance | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/users/keys/read | Get keys associated with user | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Read-only access to service and APIs", - "id": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d", - "name": "71522526-b88f-4d52-b57f-d31fc3546d0d", - "permissions": [ - { - "actions": [ - "Microsoft.ApiManagement/service/*/read", - "Microsoft.ApiManagement/service/read", - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [ - "Microsoft.ApiManagement/service/users/keys/read" - ], 
- "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "API Management Service Reader Role", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### API Management Service Workspace API Developer --Has read access to tags and products and write access to allow: assigning APIs to products, assigning tags to products and APIs. This role should be assigned on the service scope. --[Learn more](/azure/api-management/api-management-role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/tags/read | Lists a collection of tags defined within a service instance. or Gets the details of the tag specified by its identifier. | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/tags/apiLinks/* | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/tags/operationLinks/* | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/tags/productLinks/* | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/products/read | Lists a collection of products in the specified service instance. or Gets the details of the product specified by its identifier. 
| -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/products/apiLinks/* | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/read | Read metadata for an API Management Service instance | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Has read access to tags and products and write access to allow: assigning APIs to products, assigning tags to products and APIs. This role should be assigned on the service scope.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/9565a273-41b9-4368-97d2-aeb0c976a9b3", - "name": "9565a273-41b9-4368-97d2-aeb0c976a9b3", - "permissions": [ - { - "actions": [ - "Microsoft.ApiManagement/service/tags/read", - "Microsoft.ApiManagement/service/tags/apiLinks/*", - "Microsoft.ApiManagement/service/tags/operationLinks/*", - "Microsoft.ApiManagement/service/tags/productLinks/*", - "Microsoft.ApiManagement/service/products/read", - "Microsoft.ApiManagement/service/products/apiLinks/*", - "Microsoft.ApiManagement/service/read", - "Microsoft.Authorization/*/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "API Management Service Workspace API Developer", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### API Management Service Workspace API Product Manager --Has the same access as API Management Service Workspace API Developer as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope. 
--[Learn more](/azure/api-management/api-management-role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/users/read | Lists a collection of registered users in the specified service instance. or Gets the details of the user specified by its identifier. | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/tags/read | Lists a collection of tags defined within a service instance. or Gets the details of the tag specified by its identifier. | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/tags/apiLinks/* | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/tags/operationLinks/* | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/tags/productLinks/* | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/products/read | Lists a collection of products in the specified service instance. or Gets the details of the product specified by its identifier. | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/products/apiLinks/* | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/groups/read | Lists a collection of groups defined within a service instance. or Gets the details of the group specified by its identifier. 
| -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/groups/users/* | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/read | Read metadata for an API Management Service instance | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Has the same access as API Management Service Workspace API Developer as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da", - "name": "d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da", - "permissions": [ - { - "actions": [ - "Microsoft.ApiManagement/service/users/read", - "Microsoft.ApiManagement/service/tags/read", - "Microsoft.ApiManagement/service/tags/apiLinks/*", - "Microsoft.ApiManagement/service/tags/operationLinks/*", - "Microsoft.ApiManagement/service/tags/productLinks/*", - "Microsoft.ApiManagement/service/products/read", - "Microsoft.ApiManagement/service/products/apiLinks/*", - "Microsoft.ApiManagement/service/groups/read", - "Microsoft.ApiManagement/service/groups/users/*", - "Microsoft.ApiManagement/service/read", - "Microsoft.Authorization/*/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "API Management Service Workspace API Product Manager", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### API Management Workspace API Developer --Has read access to entities in the workspace and read and write access to entities for editing APIs. This role should be assigned on the workspace scope. 
--[Learn more](/azure/api-management/api-management-role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/workspaces/*/read | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/workspaces/apis/* | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/workspaces/apiVersionSets/* | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/workspaces/policies/* | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/workspaces/schemas/* | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/workspaces/products/* | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/workspaces/policyFragments/* | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/workspaces/namedValues/* | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/workspaces/tags/* | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Has read access to entities in the workspace and read and write access to entities for editing APIs. 
This role should be assigned on the workspace scope.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/56328988-075d-4c6a-8766-d93edd6725b6", - "name": "56328988-075d-4c6a-8766-d93edd6725b6", - "permissions": [ - { - "actions": [ - "Microsoft.ApiManagement/service/workspaces/*/read", - "Microsoft.ApiManagement/service/workspaces/apis/*", - "Microsoft.ApiManagement/service/workspaces/apiVersionSets/*", - "Microsoft.ApiManagement/service/workspaces/policies/*", - "Microsoft.ApiManagement/service/workspaces/schemas/*", - "Microsoft.ApiManagement/service/workspaces/products/*", - "Microsoft.ApiManagement/service/workspaces/policyFragments/*", - "Microsoft.ApiManagement/service/workspaces/namedValues/*", - "Microsoft.ApiManagement/service/workspaces/tags/*", - "Microsoft.Authorization/*/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "API Management Workspace API Developer", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### API Management Workspace API Product Manager --Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope. 
--[Learn more](/azure/api-management/api-management-role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/workspaces/*/read | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/workspaces/products/* | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/workspaces/subscriptions/* | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/workspaces/groups/* | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/workspaces/tags/* | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/workspaces/notifications/* | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Has read access to entities in the workspace and read and write access to entities for publishing APIs. 
This role should be assigned on the workspace scope.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/73c2c328-d004-4c5e-938c-35c6f5679a1f", - "name": "73c2c328-d004-4c5e-938c-35c6f5679a1f", - "permissions": [ - { - "actions": [ - "Microsoft.ApiManagement/service/workspaces/*/read", - "Microsoft.ApiManagement/service/workspaces/products/*", - "Microsoft.ApiManagement/service/workspaces/subscriptions/*", - "Microsoft.ApiManagement/service/workspaces/groups/*", - "Microsoft.ApiManagement/service/workspaces/tags/*", - "Microsoft.ApiManagement/service/workspaces/notifications/*", - "Microsoft.Authorization/*/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "API Management Workspace API Product Manager", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### API Management Workspace Contributor --Can manage the workspace and view, but not modify its members. This role should be assigned on the workspace scope. --[Learn more](/azure/api-management/api-management-role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/workspaces/* | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can manage the workspace and view, but not modify its members. 
This role should be assigned on the workspace scope.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/0c34c906-8d99-4cb7-8bb7-33f5b0a1a799", - "name": "0c34c906-8d99-4cb7-8bb7-33f5b0a1a799", - "permissions": [ - { - "actions": [ - "Microsoft.ApiManagement/service/workspaces/*", - "Microsoft.Authorization/*/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "API Management Workspace Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### API Management Workspace Reader --Has read-only access to entities in the workspace. This role should be assigned on the workspace scope. --[Learn more](/azure/api-management/api-management-role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ApiManagement](resource-provider-operations.md#microsoftapimanagement)/service/workspaces/*/read | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Has read-only access to entities in the workspace. This role should be assigned on the workspace scope.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2", - "name": "ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2", - "permissions": [ - { - "actions": [ - "Microsoft.ApiManagement/service/workspaces/*/read", - "Microsoft.Authorization/*/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "API Management Workspace Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### App Configuration Data Owner --Allows full access to App Configuration data. 
--[Learn more](/azure/azure-app-configuration/concept-enable-rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.AppConfiguration](resource-provider-operations.md#microsoftappconfiguration)/configurationStores/*/read | | -> | [Microsoft.AppConfiguration](resource-provider-operations.md#microsoftappconfiguration)/configurationStores/*/write | | -> | [Microsoft.AppConfiguration](resource-provider-operations.md#microsoftappconfiguration)/configurationStores/*/delete | | -> | [Microsoft.AppConfiguration](resource-provider-operations.md#microsoftappconfiguration)/configurationStores/*/action | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows full access to App Configuration data.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b", - "name": "5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.AppConfiguration/configurationStores/*/read", - "Microsoft.AppConfiguration/configurationStores/*/write", - "Microsoft.AppConfiguration/configurationStores/*/delete", - "Microsoft.AppConfiguration/configurationStores/*/action" - ], - "notDataActions": [] - } - ], - "roleName": "App Configuration Data Owner", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### App Configuration Data Reader --Allows read access to App Configuration data. 
--[Learn more](/azure/azure-app-configuration/concept-enable-rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.AppConfiguration](resource-provider-operations.md#microsoftappconfiguration)/configurationStores/*/read | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows read access to App Configuration data.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071", - "name": "516239f1-63e1-4d78-a4de-a74fb236a071", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.AppConfiguration/configurationStores/*/read" - ], - "notDataActions": [] - } - ], - "roleName": "App Configuration Data Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Relay Listener --Allows for listen access to Azure Relay resources. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Relay](resource-provider-operations.md#microsoftrelay)/*/wcfRelays/read | | -> | [Microsoft.Relay](resource-provider-operations.md#microsoftrelay)/*/hybridConnections/read | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Relay](resource-provider-operations.md#microsoftrelay)/*/listen/action | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for listen access to Azure Relay resources.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/26e0b698-aa6d-4085-9386-aadae190014d", - "name": "26e0b698-aa6d-4085-9386-aadae190014d", - "permissions": [ - { - "actions": [ - "Microsoft.Relay/*/wcfRelays/read", - "Microsoft.Relay/*/hybridConnections/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.Relay/*/listen/action" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Relay Listener", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Relay Owner --Allows for full access to Azure Relay resources. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Relay](resource-provider-operations.md#microsoftrelay)/* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Relay](resource-provider-operations.md#microsoftrelay)/* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for full access to Azure Relay resources.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/2787bf04-f1f5-4bfe-8383-c8a24483ee38", - "name": "2787bf04-f1f5-4bfe-8383-c8a24483ee38", - "permissions": [ - { - "actions": [ - "Microsoft.Relay/*" - ], - "notActions": [], - "dataActions": [ - "Microsoft.Relay/*" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Relay Owner", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Relay Sender --Allows for send access to Azure Relay resources. --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Relay](resource-provider-operations.md#microsoftrelay)/*/wcfRelays/read | | -> | [Microsoft.Relay](resource-provider-operations.md#microsoftrelay)/*/hybridConnections/read | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Relay](resource-provider-operations.md#microsoftrelay)/*/send/action | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for send access to Azure Relay resources.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/26baccc8-eea7-41f1-98f4-1762cc7f685d", - "name": "26baccc8-eea7-41f1-98f4-1762cc7f685d", - "permissions": [ - { - "actions": [ - "Microsoft.Relay/*/wcfRelays/read", - "Microsoft.Relay/*/hybridConnections/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.Relay/*/send/action" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Relay Sender", - "roleType": "BuiltInRole", - 
"type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Service Bus Data Owner --Allows for full access to Azure Service Bus resources. --[Learn more](/azure/service-bus-messaging/authenticate-application) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for full access to Azure Service Bus resources.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419", - "name": "090c5cfd-751d-490a-894a-3ce6f1109419", - "permissions": [ - { - "actions": [ - "Microsoft.ServiceBus/*" - ], - "notActions": [], - "dataActions": [ - "Microsoft.ServiceBus/*" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Service Bus Data Owner", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Service Bus Data Receiver --Allows for receive access to Azure Service Bus resources. 
--[Learn more](/azure/service-bus-messaging/authenticate-application) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/*/queues/read | | -> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/*/topics/read | | -> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/*/topics/subscriptions/read | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/*/receive/action | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for receive access to Azure Service Bus resources.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0", - "name": "4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0", - "permissions": [ - { - "actions": [ - "Microsoft.ServiceBus/*/queues/read", - "Microsoft.ServiceBus/*/topics/read", - "Microsoft.ServiceBus/*/topics/subscriptions/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.ServiceBus/*/receive/action" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Service Bus Data Receiver", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Service Bus Data Sender --Allows for send access to Azure Service Bus resources. 
--[Learn more](/azure/service-bus-messaging/authenticate-application) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/*/queues/read | | -> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/*/topics/read | | -> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/*/topics/subscriptions/read | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.ServiceBus](resource-provider-operations.md#microsoftservicebus)/*/send/action | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for send access to Azure Service Bus resources.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39", - "name": "69a216fc-b8fb-44d8-bc22-1f3c2cd27a39", - "permissions": [ - { - "actions": [ - "Microsoft.ServiceBus/*/queues/read", - "Microsoft.ServiceBus/*/topics/read", - "Microsoft.ServiceBus/*/topics/subscriptions/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.ServiceBus/*/send/action" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Service Bus Data Sender", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Stack HCI Administrator --Grants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader --[Learn more](/azure-stack/hci/manage/assign-vm-rbac-roles) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/register/action | Registers the subscription for the Azure Stack HCI resource provider and enables the creation of Azure Stack HCI resources. 
| -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/Unregister/Action | Unregisters the subscription for the Azure Stack HCI resource provider. | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/clusters/* | | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/register/action | Registers the subscription for the Microsoft.HybridCompute Resource Provider | -> | [Microsoft.GuestConfiguration](resource-provider-operations.md#microsoftguestconfiguration)/register/action | Registers the subscription for the Microsoft.GuestConfiguration resource provider. | -> | [Microsoft.GuestConfiguration](resource-provider-operations.md#microsoftguestconfiguration)/guestConfigurationAssignments/read | Get guest configuration assignment. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/write | Creates or updates a resource group. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/delete | Deletes a resource group and all its resources. | -> | [Microsoft.HybridConnectivity](resource-provider-operations.md#microsofthybridconnectivity)/register/action | Register the subscription for Microsoft.HybridConnectivity | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleAssignments/write | Create a role assignment at the specified scope. | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleAssignments/delete | Delete a role assignment at the specified scope. 
| -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | -> | [Microsoft.Management](resource-provider-operations.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated user. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Write | Create or update a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Delete | Delete a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Read | Read a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Activated/Action | Classic metric alert activated | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Resolved/Action | Classic metric alert resolved | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Throttled/Action | Classic metric alert rule throttled | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Incidents/Read | Read a classic metric alert incident | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourcegroups/deployments/read | Gets 
or lists deployments. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourcegroups/deployments/write | Creates or updates an deployment. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourcegroups/deployments/operations/read | Gets or lists deployment operations. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourcegroups/deployments/operationstatuses/read | Gets or lists deployment operation statuses. | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. 
| -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/read | Read any Azure Arc machines | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/write | Writes an Azure Arc machines | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/delete | Deletes an Azure Arc machines | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/UpgradeExtensions/action | Upgrades Extensions on Azure Arc machines | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/assessPatches/action | Assesses any Azure Arc machines to get missing software patches | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/installPatches/action | Installs patches on any Azure Arc machines | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/extensions/read | Reads any Azure Arc extensions | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/extensions/write | Installs or Updates an Azure Arc extensions | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/extensions/delete | Deletes an Azure Arc extensions | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/operations/read | Read all Operations for Azure Arc for Servers | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/locations/operationresults/read | Reads the status of an operation on Microsoft.HybridCompute Resource Provider | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/locations/operationstatus/read | Reads the status of an operation on Microsoft.HybridCompute Resource Provider | -> | 
[Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/patchAssessmentResults/read | Reads any Azure Arc patchAssessmentResults | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/patchAssessmentResults/softwarePatches/read | Reads any Azure Arc patchAssessmentResults/softwarePatches | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/patchInstallationResults/read | Reads any Azure Arc patchInstallationResults | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/patchInstallationResults/softwarePatches/read | Reads any Azure Arc patchInstallationResults/softwarePatches | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/locations/updateCenterOperationResults/read | Reads the status of an update center operation on machines | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/hybridIdentityMetadata/read | Read any Azure Arc machines's Hybrid Identity Metadata | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/osType/agentVersions/read | Read all Azure Connected Machine Agent versions available | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/osType/agentVersions/latest/read | Read the latest Azure Connected Machine Agent version | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/runcommands/read | Reads any Azure Arc runcommands | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/runcommands/write | Installs or Updates an Azure Arc runcommands | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/runcommands/delete | Deletes an Azure Arc runcommands | -> | 
[Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/licenseProfiles/read | Reads any Azure Arc licenseProfiles | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/licenseProfiles/write | Installs or Updates an Azure Arc licenseProfiles | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/licenseProfiles/delete | Deletes an Azure Arc licenseProfiles | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/licenses/read | Reads any Azure Arc licenses | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/licenses/write | Installs or Updates an Azure Arc licenses | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/licenses/delete | Deletes an Azure Arc licenses | -> | Microsoft.ResourceConnector/register/action | Registers the subscription for Appliances resource provider and enables the creation of Appliance. 
| -> | Microsoft.ResourceConnector/appliances/read | Gets an Appliance resource | -> | Microsoft.ResourceConnector/appliances/write | Creates or Updates Appliance resource | -> | Microsoft.ResourceConnector/appliances/delete | Deletes Appliance resource | -> | Microsoft.ResourceConnector/locations/operationresults/read | Get result of Appliance operation | -> | Microsoft.ResourceConnector/locations/operationsstatus/read | Get result of Appliance operation | -> | Microsoft.ResourceConnector/appliances/listClusterUserCredential/action | Get an appliance cluster user credential | -> | Microsoft.ResourceConnector/appliances/listKeys/action | Get an appliance cluster customer user keys | -> | Microsoft.ResourceConnector/operations/read | Gets list of Available Operations for Appliances | -> | Microsoft.ExtendedLocation/register/action | Registers the subscription for Custom Location resource provider and enables the creation of Custom Location. | -> | Microsoft.ExtendedLocation/customLocations/read | Gets an Custom Location resource | -> | Microsoft.ExtendedLocation/customLocations/deploy/action | Deploy permissions to a Custom Location resource | -> | Microsoft.ExtendedLocation/customLocations/write | Creates or Updates Custom Location resource | -> | Microsoft.ExtendedLocation/customLocations/delete | Deletes Custom Location resource | -> | Microsoft.EdgeMarketplace/offers/read | Get a Offer | -> | Microsoft.EdgeMarketplace/publishers/read | Get a Publisher | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/register/action | Registers Subscription with Microsoft.Kubernetes resource provider | -> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/register/action | Registers subscription to Microsoft.KubernetesConfiguration resource provider. 
| -> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/extensions/write | Creates or updates extension resource. | -> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/extensions/read | Gets extension instance resource. | -> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/extensions/delete | Deletes extension instance resource. | -> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/extensions/operations/read | Gets Async Operation status. | -> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/namespaces/read | Get Namespace Resource | -> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/operations/read | Gets available operations of the Microsoft.KubernetesConfiguration resource provider. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/StorageContainers/Write | Creates/Updates storage containers resource | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/StorageContainers/Read | Gets/Lists storage containers resource | -> | Microsoft.HybridContainerService/register/action | Register the subscription for Microsoft.HybridContainerService | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | -> | **Condition** | | -> | ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6})) | Add or remove role assignments for the following roles:<br/>Azure Connected Machine Resource Manager<br/>Azure Connected Machine Resource Administrator<br/>Azure Connected Machine Onboarding<br/>Azure Stack HCI VM Reader<br/>Azure Stack HCI VM Contributor<br/>Azure Stack HCI Device Management Role<br/>Azure Resource Bridge Deployment Role<br/>Key Vault Secrets User | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Grants full access to 
the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader", - "id": "/providers/Microsoft.Authorization/roleDefinitions/bda0d508-adf1-4af0-9c28-88919fc3ae06", - "name": "bda0d508-adf1-4af0-9c28-88919fc3ae06", - "permissions": [ - { - "actions": [ - "Microsoft.AzureStackHCI/register/action", - "Microsoft.AzureStackHCI/Unregister/Action", - "Microsoft.AzureStackHCI/clusters/*", - "Microsoft.HybridCompute/register/action", - "Microsoft.GuestConfiguration/register/action", - "Microsoft.GuestConfiguration/guestConfigurationAssignments/read", - "Microsoft.Resources/subscriptions/resourceGroups/write", - "Microsoft.Resources/subscriptions/resourceGroups/delete", - "Microsoft.HybridConnectivity/register/action", - "Microsoft.Authorization/roleAssignments/write", - "Microsoft.Authorization/roleAssignments/delete", - "Microsoft.Authorization/*/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Management/managementGroups/read", - "Microsoft.Support/*", - "Microsoft.AzureStackHCI/*", - "Microsoft.Insights/AlertRules/Write", - "Microsoft.Insights/AlertRules/Delete", - "Microsoft.Insights/AlertRules/Read", - "Microsoft.Insights/AlertRules/Activated/Action", - "Microsoft.Insights/AlertRules/Resolved/Action", - "Microsoft.Insights/AlertRules/Throttled/Action", - "Microsoft.Insights/AlertRules/Incidents/Read", - "Microsoft.Resources/subscriptions/resourcegroups/deployments/read", - "Microsoft.Resources/subscriptions/resourcegroups/deployments/write", - "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read", - "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/subscriptions/read", - 
"Microsoft.Resources/subscriptions/operationresults/read", - "Microsoft.HybridCompute/machines/read", - "Microsoft.HybridCompute/machines/write", - "Microsoft.HybridCompute/machines/delete", - "Microsoft.HybridCompute/machines/UpgradeExtensions/action", - "Microsoft.HybridCompute/machines/assessPatches/action", - "Microsoft.HybridCompute/machines/installPatches/action", - "Microsoft.HybridCompute/machines/extensions/read", - "Microsoft.HybridCompute/machines/extensions/write", - "Microsoft.HybridCompute/machines/extensions/delete", - "Microsoft.HybridCompute/operations/read", - "Microsoft.HybridCompute/locations/operationresults/read", - "Microsoft.HybridCompute/locations/operationstatus/read", - "Microsoft.HybridCompute/machines/patchAssessmentResults/read", - "Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read", - "Microsoft.HybridCompute/machines/patchInstallationResults/read", - "Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read", - "Microsoft.HybridCompute/locations/updateCenterOperationResults/read", - "Microsoft.HybridCompute/machines/hybridIdentityMetadata/read", - "Microsoft.HybridCompute/osType/agentVersions/read", - "Microsoft.HybridCompute/osType/agentVersions/latest/read", - "Microsoft.HybridCompute/machines/runcommands/read", - "Microsoft.HybridCompute/machines/runcommands/write", - "Microsoft.HybridCompute/machines/runcommands/delete", - "Microsoft.HybridCompute/machines/licenseProfiles/read", - "Microsoft.HybridCompute/machines/licenseProfiles/write", - "Microsoft.HybridCompute/machines/licenseProfiles/delete", - "Microsoft.HybridCompute/licenses/read", - "Microsoft.HybridCompute/licenses/write", - "Microsoft.HybridCompute/licenses/delete", - "Microsoft.ResourceConnector/register/action", - "Microsoft.ResourceConnector/appliances/read", - "Microsoft.ResourceConnector/appliances/write", - "Microsoft.ResourceConnector/appliances/delete", - 
"Microsoft.ResourceConnector/locations/operationresults/read", - "Microsoft.ResourceConnector/locations/operationsstatus/read", - "Microsoft.ResourceConnector/appliances/listClusterUserCredential/action", - "Microsoft.ResourceConnector/appliances/listKeys/action", - "Microsoft.ResourceConnector/operations/read", - "Microsoft.ExtendedLocation/register/action", - "Microsoft.ExtendedLocation/customLocations/read", - "Microsoft.ExtendedLocation/customLocations/deploy/action", - "Microsoft.ExtendedLocation/customLocations/write", - "Microsoft.ExtendedLocation/customLocations/delete", - "Microsoft.EdgeMarketplace/offers/read", - "Microsoft.EdgeMarketplace/publishers/read", - "Microsoft.Kubernetes/register/action", - "Microsoft.KubernetesConfiguration/register/action", - "Microsoft.KubernetesConfiguration/extensions/write", - "Microsoft.KubernetesConfiguration/extensions/read", - "Microsoft.KubernetesConfiguration/extensions/delete", - "Microsoft.KubernetesConfiguration/extensions/operations/read", - "Microsoft.KubernetesConfiguration/namespaces/read", - "Microsoft.KubernetesConfiguration/operations/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.AzureStackHCI/StorageContainers/Write", - "Microsoft.AzureStackHCI/StorageContainers/Read", - "Microsoft.HybridContainerService/register/action" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [], - "conditionVersion": "2.0", - "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR 
(@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6}))" - } - ], - "roleName": "Azure Stack HCI Administrator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Stack HCI Device Management Role --Microsoft.AzureStackHCI Device Management Role --[Learn more](/azure-stack/hci/deploy/deployment-azure-resource-manager-template) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/Clusters/* | | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/EdgeDevices/* | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Microsoft.AzureStackHCI Device Management Role", - "id": "/providers/Microsoft.Authorization/roleDefinitions/865ae368-6a45-4bd1-8fbf-0d5151f56fc1", - "name": "865ae368-6a45-4bd1-8fbf-0d5151f56fc1", - "permissions": [ - { - "actions": [ - "Microsoft.AzureStackHCI/Clusters/*", - "Microsoft.AzureStackHCI/EdgeDevices/*", - "Microsoft.Resources/subscriptions/resourceGroups/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Azure Stack HCI Device Management Role", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Stack HCI VM Contributor --Grants permissions to perform all VM actions --[Learn more](/azure-stack/hci/manage/assign-vm-rbac-roles) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/VirtualMachines/* | | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/virtualMachineInstances/* | | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/NetworkInterfaces/* | | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/VirtualHardDisks/* | | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/VirtualNetworks/Read | Gets/Lists virtual networks resource | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/VirtualNetworks/join/action | Joins virtual networks resource | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/LogicalNetworks/Read | Gets/Lists logical networks resource | -> | 
[Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/LogicalNetworks/join/action | Joins logical networks resource | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/GalleryImages/Read | Gets/Lists gallery images resource | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/GalleryImages/deploy/action | Deploys gallery images resource | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/StorageContainers/Read | Gets/Lists storage containers resource | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/StorageContainers/deploy/action | Deploys storage containers resource | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/MarketplaceGalleryImages/Read | Gets/Lists market place gallery images resource | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/MarketPlaceGalleryImages/deploy/action | Deploys market place gallery images resource | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/Clusters/Read | Gets clusters | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/Clusters/ArcSettings/Read | Gets arc resource of HCI cluster | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Write | Create or update a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Delete | Delete a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Read | Read a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Activated/Action | Classic metric alert activated | -> | 
[Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Resolved/Action | Classic metric alert resolved | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Throttled/Action | Classic metric alert rule throttled | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Incidents/Read | Read a classic metric alert incident | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/read | Gets or lists deployments. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/write | Creates or updates an deployment. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/delete | Deletes a deployment. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/cancel/action | Cancels a deployment. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/validate/action | Validates an deployment. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/whatIf/action | Predicts template deployment changes. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/exportTemplate/action | Export template for a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operationstatuses/read | Gets or lists deployment operation statuses. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourcegroups/deployments/read | Gets or lists deployments. 
| -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourcegroups/deployments/write | Creates or updates an deployment. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourcegroups/deployments/operations/read | Gets or lists deployment operations. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourcegroups/deployments/operationstatuses/read | Gets or lists deployment operation statuses. | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. 
| -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/read | Read any Azure Arc machines | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/write | Writes an Azure Arc machines | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/delete | Deletes an Azure Arc machines | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/UpgradeExtensions/action | Upgrades Extensions on Azure Arc machines | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/assessPatches/action | Assesses any Azure Arc machines to get missing software patches | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/installPatches/action | Installs patches on any Azure Arc machines | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/extensions/read | Reads any Azure Arc extensions | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/extensions/write | Installs or Updates an Azure Arc extensions | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/extensions/delete | Deletes an Azure Arc extensions | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/operations/read | Read all Operations for Azure Arc for Servers | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/locations/operationresults/read | Reads the status of an operation on Microsoft.HybridCompute Resource Provider | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/locations/operationstatus/read | Reads the status of an operation on Microsoft.HybridCompute Resource Provider | -> | 
[Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/patchAssessmentResults/read | Reads any Azure Arc patchAssessmentResults | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/patchAssessmentResults/softwarePatches/read | Reads any Azure Arc patchAssessmentResults/softwarePatches | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/patchInstallationResults/read | Reads any Azure Arc patchInstallationResults | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/patchInstallationResults/softwarePatches/read | Reads any Azure Arc patchInstallationResults/softwarePatches | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/locations/updateCenterOperationResults/read | Reads the status of an update center operation on machines | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/hybridIdentityMetadata/read | Read any Azure Arc machines's Hybrid Identity Metadata | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/osType/agentVersions/read | Read all Azure Connected Machine Agent versions available | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/osType/agentVersions/latest/read | Read the latest Azure Connected Machine Agent version | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/runcommands/read | Reads any Azure Arc runcommands | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/runcommands/write | Installs or Updates an Azure Arc runcommands | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/runcommands/delete | Deletes an Azure Arc runcommands | -> | 
[Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/licenseProfiles/read | Reads any Azure Arc licenseProfiles | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/licenseProfiles/write | Installs or Updates an Azure Arc licenseProfiles | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/licenseProfiles/delete | Deletes an Azure Arc licenseProfiles | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/licenses/read | Reads any Azure Arc licenses | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/licenses/write | Installs or Updates an Azure Arc licenses | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/licenses/delete | Deletes an Azure Arc licenses | -> | Microsoft.ExtendedLocation/customLocations/Read | Gets an Custom Location resource | -> | Microsoft.ExtendedLocation/customLocations/deploy/action | Deploy permissions to a Custom Location resource | -> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/extensions/read | Gets extension instance resource. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Grants permissions to perform all VM actions", - "id": "/providers/Microsoft.Authorization/roleDefinitions/874d1c73-6003-4e60-a13a-cb31ea190a85", - "name": "874d1c73-6003-4e60-a13a-cb31ea190a85", - "permissions": [ - { - "actions": [ - "Microsoft.AzureStackHCI/VirtualMachines/*", - "Microsoft.AzureStackHCI/virtualMachineInstances/*", - "Microsoft.AzureStackHCI/NetworkInterfaces/*", - "Microsoft.AzureStackHCI/VirtualHardDisks/*", - "Microsoft.AzureStackHCI/VirtualNetworks/Read", - "Microsoft.AzureStackHCI/VirtualNetworks/join/action", - "Microsoft.AzureStackHCI/LogicalNetworks/Read", - "Microsoft.AzureStackHCI/LogicalNetworks/join/action", - "Microsoft.AzureStackHCI/GalleryImages/Read", - "Microsoft.AzureStackHCI/GalleryImages/deploy/action", - "Microsoft.AzureStackHCI/StorageContainers/Read", - "Microsoft.AzureStackHCI/StorageContainers/deploy/action", - "Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read", - "Microsoft.AzureStackHCI/MarketPlaceGalleryImages/deploy/action", - "Microsoft.AzureStackHCI/Clusters/Read", - "Microsoft.AzureStackHCI/Clusters/ArcSettings/Read", - "Microsoft.Insights/AlertRules/Write", - "Microsoft.Insights/AlertRules/Delete", - "Microsoft.Insights/AlertRules/Read", - "Microsoft.Insights/AlertRules/Activated/Action", - "Microsoft.Insights/AlertRules/Resolved/Action", - "Microsoft.Insights/AlertRules/Throttled/Action", - "Microsoft.Insights/AlertRules/Incidents/Read", - "Microsoft.Resources/deployments/read", - "Microsoft.Resources/deployments/write", - "Microsoft.Resources/deployments/delete", - "Microsoft.Resources/deployments/cancel/action", - "Microsoft.Resources/deployments/validate/action", - "Microsoft.Resources/deployments/whatIf/action", - "Microsoft.Resources/deployments/exportTemplate/action", - 
"Microsoft.Resources/deployments/operations/read", - "Microsoft.Resources/deployments/operationstatuses/read", - "Microsoft.Resources/subscriptions/resourcegroups/deployments/read", - "Microsoft.Resources/subscriptions/resourcegroups/deployments/write", - "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read", - "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Authorization/*/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/subscriptions/operationresults/read", - "Microsoft.HybridCompute/machines/read", - "Microsoft.HybridCompute/machines/write", - "Microsoft.HybridCompute/machines/delete", - "Microsoft.HybridCompute/machines/UpgradeExtensions/action", - "Microsoft.HybridCompute/machines/assessPatches/action", - "Microsoft.HybridCompute/machines/installPatches/action", - "Microsoft.HybridCompute/machines/extensions/read", - "Microsoft.HybridCompute/machines/extensions/write", - "Microsoft.HybridCompute/machines/extensions/delete", - "Microsoft.HybridCompute/operations/read", - "Microsoft.HybridCompute/locations/operationresults/read", - "Microsoft.HybridCompute/locations/operationstatus/read", - "Microsoft.HybridCompute/machines/patchAssessmentResults/read", - "Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read", - "Microsoft.HybridCompute/machines/patchInstallationResults/read", - "Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read", - "Microsoft.HybridCompute/locations/updateCenterOperationResults/read", - "Microsoft.HybridCompute/machines/hybridIdentityMetadata/read", - "Microsoft.HybridCompute/osType/agentVersions/read", - "Microsoft.HybridCompute/osType/agentVersions/latest/read", - "Microsoft.HybridCompute/machines/runcommands/read", - "Microsoft.HybridCompute/machines/runcommands/write", - 
"Microsoft.HybridCompute/machines/runcommands/delete", - "Microsoft.HybridCompute/machines/licenseProfiles/read", - "Microsoft.HybridCompute/machines/licenseProfiles/write", - "Microsoft.HybridCompute/machines/licenseProfiles/delete", - "Microsoft.HybridCompute/licenses/read", - "Microsoft.HybridCompute/licenses/write", - "Microsoft.HybridCompute/licenses/delete", - "Microsoft.ExtendedLocation/customLocations/Read", - "Microsoft.ExtendedLocation/customLocations/deploy/action", - "Microsoft.KubernetesConfiguration/extensions/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Azure Stack HCI VM Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Stack HCI VM Reader --Grants permissions to view VMs --[Learn more](/azure-stack/hci/manage/assign-vm-rbac-roles) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/VirtualMachines/Read | Gets/Lists virtual machine resource | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/virtualMachineInstances/Read | Gets/Lists virtual machine instance resource | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/VirtualMachines/Extensions/Read | Gets/Lists virtual machine extensions resource | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/VirtualNetworks/Read | Gets/Lists virtual networks resource | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/LogicalNetworks/Read | Gets/Lists logical networks resource | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/NetworkInterfaces/Read | Gets/Lists network interfaces resource | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/VirtualHardDisks/Read | 
Gets/Lists virtual hard disk resource | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/StorageContainers/Read | Gets/Lists storage containers resource | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/GalleryImages/Read | Gets/Lists gallery images resource | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/MarketplaceGalleryImages/Read | Gets/Lists market place gallery images resource | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Write | Create or update a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Delete | Delete a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Read | Read a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Activated/Action | Classic metric alert activated | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Resolved/Action | Classic metric alert resolved | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Throttled/Action | Classic metric alert rule throttled | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Incidents/Read | Read a classic metric alert incident | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/read | Gets or lists deployments. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/exportTemplate/action | Export template for a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. 
| -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operationstatuses/read | Gets or lists deployment operation statuses. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourcegroups/deployments/read | Gets or lists deployments. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourcegroups/deployments/operations/read | Gets or lists deployment operations. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourcegroups/deployments/operationstatuses/read | Gets or lists deployment operation statuses. | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Grants permissions to view VMs", - "id": "/providers/Microsoft.Authorization/roleDefinitions/4b3fe76c-f777-4d24-a2d7-b027b0f7b273", - "name": "4b3fe76c-f777-4d24-a2d7-b027b0f7b273", - "permissions": [ - { - "actions": [ - "Microsoft.AzureStackHCI/VirtualMachines/Read", - "Microsoft.AzureStackHCI/virtualMachineInstances/Read", - "Microsoft.AzureStackHCI/VirtualMachines/Extensions/Read", - "Microsoft.AzureStackHCI/VirtualNetworks/Read", - "Microsoft.AzureStackHCI/LogicalNetworks/Read", - "Microsoft.AzureStackHCI/NetworkInterfaces/Read", - "Microsoft.AzureStackHCI/VirtualHardDisks/Read", - "Microsoft.AzureStackHCI/StorageContainers/Read", - "Microsoft.AzureStackHCI/GalleryImages/Read", - "Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read", - "Microsoft.Insights/AlertRules/Write", - "Microsoft.Insights/AlertRules/Delete", - "Microsoft.Insights/AlertRules/Read", - "Microsoft.Insights/AlertRules/Activated/Action", - "Microsoft.Insights/AlertRules/Resolved/Action", - "Microsoft.Insights/AlertRules/Throttled/Action", - "Microsoft.Insights/AlertRules/Incidents/Read", - "Microsoft.Resources/deployments/read", - "Microsoft.Resources/deployments/exportTemplate/action", - "Microsoft.Resources/deployments/operations/read", - "Microsoft.Resources/deployments/operationstatuses/read", - "Microsoft.Resources/subscriptions/resourcegroups/deployments/read", - "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read", - "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Authorization/*/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/subscriptions/operationresults/read" - ], - 
"notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Azure Stack HCI VM Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Stack Registration Owner --Lets you manage Azure Stack registrations. --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.AzureStack](resource-provider-operations.md#microsoftazurestack)/edgeSubscriptions/read | | -> | [Microsoft.AzureStack](resource-provider-operations.md#microsoftazurestack)/registrations/products/*/action | | -> | [Microsoft.AzureStack](resource-provider-operations.md#microsoftazurestack)/registrations/products/read | Gets the properties of an Azure Stack Marketplace product | -> | [Microsoft.AzureStack](resource-provider-operations.md#microsoftazurestack)/registrations/read | Gets the properties of an Azure Stack registration | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage Azure Stack registrations.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a", - "name": "6f12a6df-dd06-4f3e-bcb1-ce8be600526a", - "permissions": [ - { - "actions": [ - "Microsoft.AzureStack/edgeSubscriptions/read", - "Microsoft.AzureStack/registrations/products/*/action", - "Microsoft.AzureStack/registrations/products/read", - "Microsoft.AzureStack/registrations/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Azure Stack Registration Owner", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### EventGrid Contributor --Lets you manage EventGrid operations. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/* | Create and manage Event Grid resources | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage EventGrid operations.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de", - "name": "1e241071-0855-49ea-94dc-649edcd759de", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.EventGrid/*", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "EventGrid Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### EventGrid Data Sender --Allows send access to event grid events. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/topics/read | Read a topic | -> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/domains/read | Read a domain | -> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/partnerNamespaces/read | Read a partner namespace | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/namespaces/read | Read a namespace | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/events/send/action | Send events to topics | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows send access to event grid events.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/d5a91429-5739-47e2-a06b-3470a27159e7", - "name": "d5a91429-5739-47e2-a06b-3470a27159e7", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.EventGrid/topics/read", - "Microsoft.EventGrid/domains/read", - "Microsoft.EventGrid/partnerNamespaces/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.EventGrid/namespaces/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.EventGrid/events/send/action" - ], - "notDataActions": [] - } - ], - "roleName": "EventGrid Data Sender", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### EventGrid EventSubscription Contributor --Lets you manage EventGrid event subscription operations. 
--[Learn more](/azure/event-grid/security-authorization) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/eventSubscriptions/* | Create and manage regional event subscriptions | -> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/topicTypes/eventSubscriptions/read | List global event subscriptions by topic type | -> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/locations/eventSubscriptions/read | List regional event subscriptions | -> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/locations/topicTypes/eventSubscriptions/read | List regional event subscriptions by topictype | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage EventGrid event subscription operations.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443", - "name": "428e0ff0-5e57-4d9c-a221-2c70d0e0a443", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.EventGrid/eventSubscriptions/*", - "Microsoft.EventGrid/topicTypes/eventSubscriptions/read", - "Microsoft.EventGrid/locations/eventSubscriptions/read", - "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "EventGrid EventSubscription Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### EventGrid EventSubscription Reader --Lets you read EventGrid event subscriptions. 
--[Learn more](/azure/event-grid/security-authorization) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/eventSubscriptions/read | Read an eventSubscription | -> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/topicTypes/eventSubscriptions/read | List global event subscriptions by topic type | -> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/locations/eventSubscriptions/read | List regional event subscriptions | -> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/locations/topicTypes/eventSubscriptions/read | List regional event subscriptions by topictype | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you read EventGrid event subscriptions.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405", - "name": "2414bbcf-6497-4faf-8c65-045460748405", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.EventGrid/eventSubscriptions/read", - "Microsoft.EventGrid/topicTypes/eventSubscriptions/read", - "Microsoft.EventGrid/locations/eventSubscriptions/read", - "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read", - "Microsoft.Resources/subscriptions/resourceGroups/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "EventGrid EventSubscription Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### FHIR Data Contributor --Role allows user or principal full access to FHIR Data --[Learn more](/azure/healthcare-apis/azure-api-for-fhir/configure-azure-rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/services/fhir/resources/* | | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/workspaces/fhirservices/resources/* | | -> | **NotDataActions** | | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/services/fhir/resources/smart/action | Allows user to access FHIR Service according to SMART on FHIR specification. | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/workspaces/fhirservices/resources/smart/action | Allows user to access FHIR Service according to SMART on FHIR specification. 
| --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Role allows user or principal full access to FHIR Data", - "id": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd", - "name": "5a1fc7df-4bf1-4951-a576-89034ee01acd", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.HealthcareApis/services/fhir/resources/*", - "Microsoft.HealthcareApis/workspaces/fhirservices/resources/*" - ], - "notDataActions": [ - "Microsoft.HealthcareApis/services/fhir/resources/smart/action", - "Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action" - ] - } - ], - "roleName": "FHIR Data Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### FHIR Data Exporter --Role allows user or principal to read and export FHIR Data --[Learn more](/azure/healthcare-apis/azure-api-for-fhir/configure-azure-rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/services/fhir/resources/read | Read FHIR resources (includes searching and versioned history). | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/services/fhir/resources/export/action | Export operation ($export). | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/workspaces/fhirservices/resources/read | Read FHIR resources (includes searching and versioned history). | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/workspaces/fhirservices/resources/export/action | Export operation ($export). 
| -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Role allows user or principal to read and export FHIR Data", - "id": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843", - "name": "3db33094-8700-4567-8da5-1501d4e7e843", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.HealthcareApis/services/fhir/resources/read", - "Microsoft.HealthcareApis/services/fhir/resources/export/action", - "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read", - "Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action" - ], - "notDataActions": [] - } - ], - "roleName": "FHIR Data Exporter", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### FHIR Data Importer --Role allows user or principal to read and import FHIR Data --[Learn more](/azure/healthcare-apis/azure-api-for-fhir/configure-azure-rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/workspaces/fhirservices/resources/read | Read FHIR resources (includes searching and versioned history). | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/workspaces/fhirservices/resources/import/action | Import FHIR resources in batch. 
| -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Role allows user or principal to read and import FHIR Data", - "id": "/providers/Microsoft.Authorization/roleDefinitions/4465e953-8ced-4406-a58e-0f6e3f3b530b", - "name": "4465e953-8ced-4406-a58e-0f6e3f3b530b", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read", - "Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action" - ], - "notDataActions": [] - } - ], - "roleName": "FHIR Data Importer", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### FHIR Data Reader --Role allows user or principal to read FHIR Data --[Learn more](/azure/healthcare-apis/azure-api-for-fhir/configure-azure-rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/services/fhir/resources/read | Read FHIR resources (includes searching and versioned history). | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/workspaces/fhirservices/resources/read | Read FHIR resources (includes searching and versioned history). 
| -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Role allows user or principal to read FHIR Data", - "id": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508", - "name": "4c8d0bbc-75d3-4935-991f-5f3c56d81508", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.HealthcareApis/services/fhir/resources/read", - "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read" - ], - "notDataActions": [] - } - ], - "roleName": "FHIR Data Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### FHIR Data Writer --Role allows user or principal to read and write FHIR Data --[Learn more](/azure/healthcare-apis/azure-api-for-fhir/configure-azure-rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/services/fhir/resources/read | Read FHIR resources (includes searching and versioned history). | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/services/fhir/resources/write | Write FHIR resources (includes create and update). | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/services/fhir/resources/delete | Delete FHIR resources (soft delete). | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/services/fhir/resources/export/action | Export operation ($export). | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/services/fhir/resources/resourceValidate/action | Validate operation ($validate). 
| -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/services/fhir/resources/reindex/action | Allows user to run Reindex job to index any search parameters that haven't yet been indexed. | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/services/fhir/resources/convertData/action | Data convert operation ($convert-data) | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/services/fhir/resources/editProfileDefinitions/action | Allows user to perform Create Update Delete operations on profile resources. | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/services/fhir/resources/import/action | Import FHIR resources in batch. | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/workspaces/fhirservices/resources/read | Read FHIR resources (includes searching and versioned history). | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/workspaces/fhirservices/resources/write | Write FHIR resources (includes create and update). | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/workspaces/fhirservices/resources/delete | Delete FHIR resources (soft delete). | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/workspaces/fhirservices/resources/export/action | Export operation ($export). | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/workspaces/fhirservices/resources/resourceValidate/action | Validate operation ($validate). | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/workspaces/fhirservices/resources/reindex/action | Allows user to run Reindex job to index any search parameters that haven't yet been indexed. 
| -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/workspaces/fhirservices/resources/convertData/action | Data convert operation ($convert-data) | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/workspaces/fhirservices/resources/editProfileDefinitions/action | Allows user to perform Create Update Delete operations on profile resources. | -> | [Microsoft.HealthcareApis](resource-provider-operations.md#microsofthealthcareapis)/workspaces/fhirservices/resources/import/action | Import FHIR resources in batch. | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Role allows user or principal to read and write FHIR Data", - "id": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913", - "name": "3f88fce4-5892-4214-ae73-ba5294559913", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.HealthcareApis/services/fhir/resources/read", - "Microsoft.HealthcareApis/services/fhir/resources/write", - "Microsoft.HealthcareApis/services/fhir/resources/delete", - "Microsoft.HealthcareApis/services/fhir/resources/export/action", - "Microsoft.HealthcareApis/services/fhir/resources/resourceValidate/action", - "Microsoft.HealthcareApis/services/fhir/resources/reindex/action", - "Microsoft.HealthcareApis/services/fhir/resources/convertData/action", - "Microsoft.HealthcareApis/services/fhir/resources/editProfileDefinitions/action", - "Microsoft.HealthcareApis/services/fhir/resources/import/action", - "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read", - "Microsoft.HealthcareApis/workspaces/fhirservices/resources/write", - "Microsoft.HealthcareApis/workspaces/fhirservices/resources/delete", - "Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action", - "Microsoft.HealthcareApis/workspaces/fhirservices/resources/resourceValidate/action", - 
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/reindex/action", - "Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action", - "Microsoft.HealthcareApis/workspaces/fhirservices/resources/editProfileDefinitions/action", - "Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action" - ], - "notDataActions": [] - } - ], - "roleName": "FHIR Data Writer", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Integration Service Environment Contributor --Lets you manage integration service environments, but not access to them. --[Learn more](/azure/logic-apps/add-artifacts-integration-service-environment-ise) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/integrationServiceEnvironments/* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage integration service environments, but not access to them.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8", - "name": "a41e2c5b-bd99-4a07-88f4-9bf657a760b8", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Support/*", - "Microsoft.Logic/integrationServiceEnvironments/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Integration Service Environment Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Integration Service Environment Developer --Allows developers to create 
and update workflows, integration accounts and API connections in integration service environments. --[Learn more](/azure/logic-apps/add-artifacts-integration-service-environment-ise) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/integrationServiceEnvironments/read | Reads the integration service environment. | -> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/integrationServiceEnvironments/*/join/action | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows developers to create and update workflows, integration accounts and API connections in integration service environments.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec", - "name": "c7aa55d3-1abb-444a-a5ca-5e51e485d6ec", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Support/*", - "Microsoft.Logic/integrationServiceEnvironments/read", - "Microsoft.Logic/integrationServiceEnvironments/*/join/action" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Integration Service Environment Developer", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Intelligent Systems Account Contributor --Lets you manage Intelligent Systems accounts, but not access to them. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | Microsoft.IntelligentSystems/accounts/* | Create and manage intelligent systems accounts | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage Intelligent Systems accounts, but not access to them.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e", - "name": "03a6d094-3444-4b3d-88af-7477090a9e5e", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.IntelligentSystems/accounts/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Intelligent Systems Account Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Logic 
App Contributor --Lets you manage logic apps, but not change access to them. --[Learn more](/azure/logic-apps/logic-apps-securing-a-logic-app) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.ClassicStorage](resource-provider-operations.md#microsoftclassicstorage)/storageAccounts/listKeys/action | Lists the access keys for the storage accounts. | -> | [Microsoft.ClassicStorage](resource-provider-operations.md#microsoftclassicstorage)/storageAccounts/read | Return the storage account with the given account. | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricAlerts/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/logdefinitions/* | This permission is necessary for users who need access to Activity Logs via the portal. List log categories in Activity Log. | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricDefinitions/* | Read metric definitions (list of available metric types for a resource). | -> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/* | Manages Logic Apps resources. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. 
| -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/listkeys/action | Returns the access keys for the specified storage account. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connectionGateways/* | Create and manages a Connection Gateway. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connections/* | Create and manages a Connection. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/customApis/* | Creates and manages a Custom API. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/serverFarms/join/action | Joins an App Service Plan | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/serverFarms/read | Get the properties on an App Service Plan | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/functions/listSecrets/action | List Function secrets. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage logic app, but not access to them.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e", - "name": "87a39d53-fc1b-424a-814c-f7e04687dc9e", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.ClassicStorage/storageAccounts/listKeys/action", - "Microsoft.ClassicStorage/storageAccounts/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Insights/metricAlerts/*", - "Microsoft.Insights/diagnosticSettings/*", - "Microsoft.Insights/logdefinitions/*", - "Microsoft.Insights/metricDefinitions/*", - "Microsoft.Logic/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/operationresults/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Storage/storageAccounts/listkeys/action", - "Microsoft.Storage/storageAccounts/read", - "Microsoft.Support/*", - "Microsoft.Web/connectionGateways/*", - "Microsoft.Web/connections/*", - "Microsoft.Web/customApis/*", - "Microsoft.Web/serverFarms/join/action", - "Microsoft.Web/serverFarms/read", - "Microsoft.Web/sites/functions/listSecrets/action" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Logic App Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Logic App Operator --Lets you read, enable, and disable logic apps, but not edit or update them. 
--[Learn more](/azure/logic-apps/logic-apps-securing-a-logic-app#access-to-logic-app-operations) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/*/read | Read Insights alert rules | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricAlerts/*/read | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/diagnosticSettings/*/read | Gets diagnostic settings for Logic Apps | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricDefinitions/*/read | Gets the available metrics for Logic Apps. | -> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/*/read | Reads Logic Apps resources. | -> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/workflows/disable/action | Disables the workflow. | -> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/workflows/enable/action | Enables the workflow. | -> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/workflows/validate/action | Validates the workflow. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connectionGateways/*/read | Read Connection Gateways. 
| -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connections/*/read | Read Connections. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/customApis/*/read | Read Custom API. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/serverFarms/read | Get the properties on an App Service Plan | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you read, enable and disable logic app.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", - "name": "515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*/read", - "Microsoft.Insights/metricAlerts/*/read", - "Microsoft.Insights/diagnosticSettings/*/read", - "Microsoft.Insights/metricDefinitions/*/read", - "Microsoft.Logic/*/read", - "Microsoft.Logic/workflows/disable/action", - "Microsoft.Logic/workflows/enable/action", - "Microsoft.Logic/workflows/validate/action", - "Microsoft.Resources/deployments/operations/read", - "Microsoft.Resources/subscriptions/operationresults/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.Web/connectionGateways/*/read", - "Microsoft.Web/connections/*/read", - "Microsoft.Web/customApis/*/read", - "Microsoft.Web/serverFarms/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Logic App Operator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Logic Apps Standard Contributor (Preview) --You can manage all aspects of a Standard logic app and workflows. You can't change access or ownership. 
--[Learn more](/azure/logic-apps/logic-apps-securing-a-logic-app#access-to-logic-app-operations) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/certificates/* | Create and manage a certificate. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connectionGateways/* | Create and manages a Connection Gateway. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connections/* | Create and manages a Connection. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/customApis/* | Creates and manages a Custom API. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/listSitesAssignedToHostName/read | Get names of sites assigned to hostname. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/serverFarms/* | Create and manage an App Service Plan. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/* | Create and manage a web app. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "You can manage all aspects of a Standard logic app and workflows. You can't change access or ownership.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/ad710c24-b039-4e85-a019-deb4a06e8570", - "name": "ad710c24-b039-4e85-a019-deb4a06e8570", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/operations/read", - "Microsoft.Resources/subscriptions/operationresults/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.Web/certificates/*", - "Microsoft.Web/connectionGateways/*", - "Microsoft.Web/connections/*", - "Microsoft.Web/customApis/*", - "Microsoft.Web/listSitesAssignedToHostName/read", - "Microsoft.Web/serverFarms/*", - "Microsoft.Web/sites/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Logic Apps Standard Contributor (Preview)", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Logic Apps Standard Developer (Preview) --You can create and edit workflows, connections, and settings for a Standard logic app. You can't make changes outside the workflow scope. --[Learn more](/azure/logic-apps/logic-apps-securing-a-logic-app#access-to-logic-app-operations) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. 
| -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connectionGateways/*/read | Read Connection Gateways. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connections/* | Create and manages a Connection. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/customApis/* | Creates and manages a Custom API. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/serverFarms/read | Get the properties on an App Service Plan | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/config/appsettings/read | Get Web App settings. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/config/list/Action | List Web App's security sensitive settings, such as publishing credentials, app settings and connection strings | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/config/Read | Get Web App configuration settings | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/config/Write | Update Web App's configuration settings | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/config/web/appsettings/delete | Delete Web Apps App Setting | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/config/web/appsettings/read | Get Web App Single App setting. 
| -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/config/web/appsettings/write | Create or Update Web App Single App setting | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/deployWorkflowArtifacts/action | Create the artifacts in a Logic App. | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/hostruntime/* | Get or list hostruntime artifacts for the web app or function app. | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/listworkflowsconnections/action | List logic app's connections by its ID in a Logic App. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/publish/Action | Publish a Web App | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/Read | Get the properties of a Web App | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/slots/config/appsettings/read | Get Web App Slot's single App setting. | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/slots/config/appsettings/write | Create or Update Web App Slot's Single App setting | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/slots/config/list/Action | List Web App Slot's security sensitive settings, such as publishing credentials, app settings and connection strings | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/slots/config/Read | Get Web App Slot's configuration settings | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/slots/config/web/appsettings/delete | Delete Web App Slot's App Setting | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/slots/deployWorkflowArtifacts/action | Create the artifacts in a deployment slot in a Logic App. 
| -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/slots/listworkflowsconnections/action | List logic app's connections by its ID in a deployment slot in a Logic App. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/slots/publish/Action | Publish a Web App Slot | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/slots/workflows/read | List the workflows in a deployment slot in a Logic App. | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/slots/workflowsconfiguration/read | Get logic app's configuration information by its ID in a deployment slot in a Logic App. | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/workflows/* | | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/workflowsconfiguration/* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "You can create and edit workflows, connections, and settings for a Standard logic app. 
You can't make changes outside the workflow scope.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/523776ba-4eb2-4600-a3c8-f2dc93da4bdb", - "name": "523776ba-4eb2-4600-a3c8-f2dc93da4bdb", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/operations/read", - "Microsoft.Resources/subscriptions/operationresults/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.Web/connectionGateways/*/read", - "Microsoft.Web/connections/*", - "Microsoft.Web/customApis/*", - "Microsoft.Web/serverFarms/read", - "microsoft.web/sites/config/appsettings/read", - "Microsoft.Web/sites/config/list/Action", - "Microsoft.Web/sites/config/Read", - "microsoft.web/sites/config/Write", - "microsoft.web/sites/config/web/appsettings/delete", - "microsoft.web/sites/config/web/appsettings/read", - "microsoft.web/sites/config/web/appsettings/write", - "microsoft.web/sites/deployWorkflowArtifacts/action", - "microsoft.web/sites/hostruntime/*", - "microsoft.web/sites/listworkflowsconnections/action", - "Microsoft.Web/sites/publish/Action", - "Microsoft.Web/sites/Read", - "microsoft.web/sites/slots/config/appsettings/read", - "microsoft.web/sites/slots/config/appsettings/write", - "Microsoft.Web/sites/slots/config/list/Action", - "Microsoft.Web/sites/slots/config/Read", - "microsoft.web/sites/slots/config/web/appsettings/delete", - "microsoft.web/sites/slots/deployWorkflowArtifacts/action", - "microsoft.web/sites/slots/listworkflowsconnections/action", - "Microsoft.Web/sites/slots/publish/Action", - "microsoft.web/sites/slots/workflows/read", - "microsoft.web/sites/slots/workflowsconfiguration/read", - "microsoft.web/sites/workflows/*", - "microsoft.web/sites/workflowsconfiguration/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Logic Apps Standard Developer (Preview)", - "roleType": "BuiltInRole", 
- "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Logic Apps Standard Operator (Preview) --You can enable, resubmit, and disable workflows as well as create connections. You can't edit workflows or settings. --[Learn more](/azure/logic-apps/logic-apps-securing-a-logic-app#access-to-logic-app-operations) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connectionGateways/*/read | Read Connection Gateways. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connections/*/read | Read Connections. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/customApis/*/read | Read Custom API. 
| -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/serverFarms/read | Get the properties on an App Service Plan | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/applySlotConfig/Action | Apply web app slot configuration from target slot to the current web app | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/config/Read | Get Web App configuration settings | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/hostruntime/* | Get or list hostruntime artifacts for the web app or function app. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/Read | Get the properties of a Web App | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/restart/Action | Restart a Web App | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/slots/config/Read | Get Web App Slot's configuration settings | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/slots/restart/Action | Restart a Web App Slot | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/slots/slotsswap/Action | Swap Web App deployment slots | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/slots/start/Action | Start a Web App Slot | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/slots/stop/Action | Stop a Web App Slot | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/slots/workflows/read | List the workflows in a deployment slot in a Logic App. | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/slots/workflowsconfiguration/read | Get logic app's configuration information by its ID in a deployment slot in a Logic App. 
| -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/slotsdiffs/Action | Get differences in configuration between web app and slots | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/slotsswap/Action | Swap Web App deployment slots | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/start/Action | Start a Web App | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/stop/Action | Stop a Web App | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/workflows/read | List the workflows in a Logic App. | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/workflowsconfiguration/read | Get logic app's configuration information by its ID in a Logic App. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/write | Create a new Web App or update an existing one | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "You can enable, resubmit, and disable workflows as well as create connections. 
You can't edit workflows or settings.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/b70c96e9-66fe-4c09-b6e7-c98e69c98555", - "name": "b70c96e9-66fe-4c09-b6e7-c98e69c98555", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/operations/read", - "Microsoft.Resources/subscriptions/operationresults/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.Web/connectionGateways/*/read", - "Microsoft.Web/connections/*/read", - "Microsoft.Web/customApis/*/read", - "Microsoft.Web/serverFarms/read", - "Microsoft.Web/sites/applySlotConfig/Action", - "Microsoft.Web/sites/config/Read", - "microsoft.web/sites/hostruntime/*", - "Microsoft.Web/sites/Read", - "Microsoft.Web/sites/restart/Action", - "Microsoft.Web/sites/slots/config/Read", - "Microsoft.Web/sites/slots/restart/Action", - "Microsoft.Web/sites/slots/slotsswap/Action", - "Microsoft.Web/sites/slots/start/Action", - "Microsoft.Web/sites/slots/stop/Action", - "microsoft.web/sites/slots/workflows/read", - "microsoft.web/sites/slots/workflowsconfiguration/read", - "Microsoft.Web/sites/slotsdiffs/Action", - "Microsoft.Web/sites/slotsswap/Action", - "Microsoft.Web/sites/start/Action", - "Microsoft.Web/sites/stop/Action", - "microsoft.web/sites/workflows/read", - "microsoft.web/sites/workflowsconfiguration/read", - "Microsoft.Web/sites/write" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Logic Apps Standard Operator (Preview)", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Logic Apps Standard Reader (Preview) --You have read-only access to all resources in a Standard logic app and workflows, including the workflow runs and their history. 
--[Learn more](/azure/logic-apps/logic-apps-securing-a-logic-app#access-to-logic-app-operations) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connectionGateways/*/read | Read Connection Gateways. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/connections/*/read | Read Connections. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/customApis/*/read | Read Custom API. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/serverFarms/read | Get the properties on an App Service Plan | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/hostruntime/webhooks/api/workflows/triggers/read | List Web Apps Hostruntime Workflow Triggers. | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/hostruntime/webhooks/api/workflows/runs/read | List Web Apps Hostruntime Workflow Runs. | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/workflows/read | List the workflows in a Logic App. 
| -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/workflowsconfiguration/read | Get logic app's configuration information by its ID in a Logic App. | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/slots/workflows/read | List the workflows in a deployment slot in a Logic App. | -> | [microsoft.web](resource-provider-operations.md#microsoftweb)/sites/slots/workflowsconfiguration/read | Get logic app's configuration information by its ID in a deployment slot in a Logic App. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "You have read-only access to all resources in a Standard logic app and workflows, including the workflow runs and their history.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/4accf36b-2c05-432f-91c8-5c532dff4c73", - "name": "4accf36b-2c05-432f-91c8-5c532dff4c73", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/operations/read", - "Microsoft.Resources/subscriptions/operationresults/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.Web/connectionGateways/*/read", - "Microsoft.Web/connections/*/read", - "Microsoft.Web/customApis/*/read", - "Microsoft.Web/serverFarms/read", - "microsoft.web/sites/hostruntime/webhooks/api/workflows/triggers/read", - "microsoft.web/sites/hostruntime/webhooks/api/workflows/runs/read", - "microsoft.web/sites/workflows/read", - "microsoft.web/sites/workflowsconfiguration/read", - "microsoft.web/sites/slots/workflows/read", - "microsoft.web/sites/slots/workflowsconfiguration/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Logic Apps Standard Reader (Preview)", - "roleType": "BuiltInRole", - "type": 
"Microsoft.Authorization/roleDefinitions" -} -``` --## Identity ---### Domain Services Contributor --Can manage Azure AD Domain Services and related network configurations --[Learn more](/entra/identity/domain-services/tutorial-create-instance) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/read | Gets or lists deployments. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/write | Creates or updates an deployment. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/delete | Deletes a deployment. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/cancel/action | Cancels a deployment. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/validate/action | Validates an deployment. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/whatIf/action | Predicts template deployment changes. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/exportTemplate/action | Export template for a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operationstatuses/read | Gets or lists deployment operation statuses. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Write | Create or update a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Delete | Delete a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Read | Read a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Activated/Action | Classic metric alert activated | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Resolved/Action | Classic metric alert resolved | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Throttled/Action | Classic metric alert rule throttled | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Incidents/Read | Read a classic metric alert incident | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/Logs/Read | Reading data from all your logs | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/Metrics/Read | Read metrics | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/DiagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/DiagnosticSettingsCategories/Read | Read diagnostic settings categories | -> | [Microsoft.AAD](resource-provider-operations.md#microsoftaad)/register/action | Register Domain Service | -> | [Microsoft.AAD](resource-provider-operations.md#microsoftaad)/unregister/action | Unregister Domain Service | -> | [Microsoft.AAD](resource-provider-operations.md#microsoftaad)/domainServices/* | | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/register/action | Registers the subscription | -> | 
[Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/unregister/action | Unregisters the subscription | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/write | Creates a virtual network or updates an existing virtual network | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/delete | Deletes a virtual network | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/peer/action | Peers a virtual network with another virtual network | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/join/action | Joins a virtual network. Not Alertable. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/subnets/read | Gets a virtual network subnet definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/subnets/delete | Deletes a virtual network subnet | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. 
| -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/virtualNetworkPeerings/read | Gets a virtual network peering definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/virtualNetworkPeerings/write | Creates a virtual network peering or updates an existing virtual network peering | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/virtualNetworkPeerings/delete | Deletes a virtual network peering | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostic settings of Virtual Network | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read | Gets available metrics for the PingMesh | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/azureFirewalls/read | Get Azure Firewall | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/ddosProtectionPlans/read | Gets a DDoS Protection Plan | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/ddosProtectionPlans/join/action | Joins a DDoS Protection Plan. Not alertable. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/loadBalancers/read | Gets a load balancer definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/loadBalancers/delete | Deletes a load balancer | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/loadBalancers/*/read | | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/loadBalancers/backendAddressPools/join/action | Joins a load balancer backend address pool. Not Alertable. 
| -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/loadBalancers/inboundNatRules/join/action | Joins a load balancer inbound nat rule. Not Alertable. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/natGateways/join/action | Joins a NAT Gateway | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkInterfaces/read | Gets a network interface definition. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkInterfaces/write | Creates a network interface or updates an existing network interface. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkInterfaces/delete | Deletes a network interface | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkInterfaces/join/action | Joins a Virtual Machine to a network interface. Not Alertable. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkSecurityGroups/defaultSecurityRules/read | Gets a default security rule definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkSecurityGroups/read | Gets a network security group definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkSecurityGroups/write | Creates a network security group or updates an existing network security group | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkSecurityGroups/delete | Deletes a network security group | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. 
| -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkSecurityGroups/securityRules/read | Gets a security rule definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkSecurityGroups/securityRules/write | Creates a security rule or updates an existing security rule | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkSecurityGroups/securityRules/delete | Deletes a security rule | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/routeTables/read | Gets a route table definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/routeTables/write | Creates a route table or Updates an existing route table | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/routeTables/delete | Deletes a route table definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/routeTables/join/action | Joins a route table. Not Alertable. 
| -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/routeTables/routes/read | Gets a route definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/routeTables/routes/write | Creates a route or Updates an existing route | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/routeTables/routes/delete | Deletes a route definition | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can manage Azure AD Domain Services and related network configurations", - "id": "/providers/Microsoft.Authorization/roleDefinitions/eeaeda52-9324-47f6-8069-5d5bade478b2", - "name": "eeaeda52-9324-47f6-8069-5d5bade478b2", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Resources/deployments/read", - "Microsoft.Resources/deployments/write", - "Microsoft.Resources/deployments/delete", - "Microsoft.Resources/deployments/cancel/action", - "Microsoft.Resources/deployments/validate/action", - "Microsoft.Resources/deployments/whatIf/action", - "Microsoft.Resources/deployments/exportTemplate/action", - "Microsoft.Resources/deployments/operations/read", - "Microsoft.Resources/deployments/operationstatuses/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Insights/AlertRules/Write", - "Microsoft.Insights/AlertRules/Delete", - "Microsoft.Insights/AlertRules/Read", - "Microsoft.Insights/AlertRules/Activated/Action", - "Microsoft.Insights/AlertRules/Resolved/Action", - "Microsoft.Insights/AlertRules/Throttled/Action", - "Microsoft.Insights/AlertRules/Incidents/Read", - "Microsoft.Insights/Logs/Read", - "Microsoft.Insights/Metrics/Read", - "Microsoft.Insights/DiagnosticSettings/*", - "Microsoft.Insights/DiagnosticSettingsCategories/Read", - "Microsoft.AAD/register/action", - "Microsoft.AAD/unregister/action", - 
"Microsoft.AAD/domainServices/*", - "Microsoft.Network/register/action", - "Microsoft.Network/unregister/action", - "Microsoft.Network/virtualNetworks/read", - "Microsoft.Network/virtualNetworks/write", - "Microsoft.Network/virtualNetworks/delete", - "Microsoft.Network/virtualNetworks/peer/action", - "Microsoft.Network/virtualNetworks/join/action", - "Microsoft.Network/virtualNetworks/subnets/read", - "Microsoft.Network/virtualNetworks/subnets/write", - "Microsoft.Network/virtualNetworks/subnets/delete", - "Microsoft.Network/virtualNetworks/subnets/join/action", - "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read", - "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write", - "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete", - "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read", - "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read", - "Microsoft.Network/azureFirewalls/read", - "Microsoft.Network/ddosProtectionPlans/read", - "Microsoft.Network/ddosProtectionPlans/join/action", - "Microsoft.Network/loadBalancers/read", - "Microsoft.Network/loadBalancers/delete", - "Microsoft.Network/loadBalancers/*/read", - "Microsoft.Network/loadBalancers/backendAddressPools/join/action", - "Microsoft.Network/loadBalancers/inboundNatRules/join/action", - "Microsoft.Network/natGateways/join/action", - "Microsoft.Network/networkInterfaces/read", - "Microsoft.Network/networkInterfaces/write", - "Microsoft.Network/networkInterfaces/delete", - "Microsoft.Network/networkInterfaces/join/action", - "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read", - "Microsoft.Network/networkSecurityGroups/read", - "Microsoft.Network/networkSecurityGroups/write", - "Microsoft.Network/networkSecurityGroups/delete", - "Microsoft.Network/networkSecurityGroups/join/action", - "Microsoft.Network/networkSecurityGroups/securityRules/read", - 
"Microsoft.Network/networkSecurityGroups/securityRules/write", - "Microsoft.Network/networkSecurityGroups/securityRules/delete", - "Microsoft.Network/routeTables/read", - "Microsoft.Network/routeTables/write", - "Microsoft.Network/routeTables/delete", - "Microsoft.Network/routeTables/join/action", - "Microsoft.Network/routeTables/routes/read", - "Microsoft.Network/routeTables/routes/write", - "Microsoft.Network/routeTables/routes/delete" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Domain Services Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Domain Services Reader --Can view Azure AD Domain Services and related network configurations --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/read | Gets or lists deployments. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operationstatuses/read | Gets or lists deployment operation statuses. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Read | Read a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/Incidents/Read | Read a classic metric alert incident | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/Logs/Read | Reading data from all your logs | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/Metrics/read | Read metrics | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/DiagnosticSettings/read | Read a resource diagnostic setting | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/DiagnosticSettingsCategories/Read | Read diagnostic settings categories | -> | [Microsoft.AAD](resource-provider-operations.md#microsoftaad)/domainServices/*/read | | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/subnets/read | Gets a virtual network subnet definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/virtualNetworkPeerings/read | Gets a virtual network peering definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostic settings of Virtual Network | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read | Gets available metrics for the PingMesh | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/azureFirewalls/read | Get Azure Firewall | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/ddosProtectionPlans/read | Gets a DDoS Protection Plan | -> | 
[Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/loadBalancers/read | Gets a load balancer definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/loadBalancers/*/read | | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/natGateways/read | Gets a Nat Gateway Definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkInterfaces/read | Gets a network interface definition. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkSecurityGroups/defaultSecurityRules/read | Gets a default security rule definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkSecurityGroups/read | Gets a network security group definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkSecurityGroups/securityRules/read | Gets a security rule definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/routeTables/read | Gets a route table definition | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/routeTables/routes/read | Gets a route definition | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can view Azure AD Domain Services and related network configurations", - "id": "/providers/Microsoft.Authorization/roleDefinitions/361898ef-9ed1-48c2-849c-a832951106bb", - "name": "361898ef-9ed1-48c2-849c-a832951106bb", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Resources/deployments/read", - "Microsoft.Resources/deployments/operations/read", - "Microsoft.Resources/deployments/operationstatuses/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Insights/AlertRules/Read", - "Microsoft.Insights/AlertRules/Incidents/Read", - 
"Microsoft.Insights/Logs/Read", - "Microsoft.Insights/Metrics/read", - "Microsoft.Insights/DiagnosticSettings/read", - "Microsoft.Insights/DiagnosticSettingsCategories/Read", - "Microsoft.AAD/domainServices/*/read", - "Microsoft.Network/virtualNetworks/read", - "Microsoft.Network/virtualNetworks/subnets/read", - "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read", - "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read", - "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read", - "Microsoft.Network/azureFirewalls/read", - "Microsoft.Network/ddosProtectionPlans/read", - "Microsoft.Network/loadBalancers/read", - "Microsoft.Network/loadBalancers/*/read", - "Microsoft.Network/natGateways/read", - "Microsoft.Network/networkInterfaces/read", - "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read", - "Microsoft.Network/networkSecurityGroups/read", - "Microsoft.Network/networkSecurityGroups/securityRules/read", - "Microsoft.Network/routeTables/read", - "Microsoft.Network/routeTables/routes/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Domain Services Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Managed Identity Contributor --Create, Read, Update, and Delete User Assigned Identity --[Learn more](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ManagedIdentity](resource-provider-operations.md#microsoftmanagedidentity)/userAssignedIdentities/read | Gets an existing user assigned identity | -> | [Microsoft.ManagedIdentity](resource-provider-operations.md#microsoftmanagedidentity)/userAssignedIdentities/write | Creates a new user assigned identity or updates the tags associated with an existing user assigned identity | -> | 
[Microsoft.ManagedIdentity](resource-provider-operations.md#microsoftmanagedidentity)/userAssignedIdentities/delete | Deletes an existing user assigned identity | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Create, Read, Update, and Delete User Assigned Identity", - "id": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59", - "name": "e40ec5ca-96e0-45a2-b4ff-59039f2c2b59", - "permissions": [ - { - "actions": [ - "Microsoft.ManagedIdentity/userAssignedIdentities/read", - "Microsoft.ManagedIdentity/userAssignedIdentities/write", - "Microsoft.ManagedIdentity/userAssignedIdentities/delete", - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Managed Identity Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Managed Identity Operator --Read and Assign User Assigned Identity --[Learn 
more](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ManagedIdentity](resource-provider-operations.md#microsoftmanagedidentity)/userAssignedIdentities/*/read | | -> | [Microsoft.ManagedIdentity](resource-provider-operations.md#microsoftmanagedidentity)/userAssignedIdentities/*/assign/action | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Read and Assign User Assigned Identity", - "id": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830", - "name": "f1a07417-d97a-45cb-824c-7a7467783830", - "permissions": [ - { - "actions": [ - "Microsoft.ManagedIdentity/userAssignedIdentities/*/read", - "Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action", - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Managed Identity Operator", - "roleType": "BuiltInRole", - "type": 
"Microsoft.Authorization/roleDefinitions" -} -``` --## Security ---### App Compliance Automation Administrator --Create, read, download, modify and delete reports objects and related other resource objects. --[Learn more](/microsoft-365-app-certification/docs/automate-certification-with-acat) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.AppComplianceAutomation](resource-provider-operations.md#microsoftappcomplianceautomation)/* | | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/write | Returns the result of put blob service properties | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileservices/write | Put file service properties | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/write | Creates a storage account with the specified parameters or update the properties or tags or adds custom domain for the specified storage account. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the blob service | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. 
| -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/read | Returns list of containers | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/containers/write | Returns the result of put blob container | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/blobServices/read | Returns blob service properties or statistics | -> | [Microsoft.PolicyInsights](resource-provider-operations.md#microsoftpolicyinsights)/policyStates/queryResults/action | Query information about policy states. | -> | [Microsoft.PolicyInsights](resource-provider-operations.md#microsoftpolicyinsights)/policyStates/triggerEvaluation/action | Triggers a new compliance evaluation for the selected scope. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/resources/read | Get the list of resources based upon filters. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/resources/read | Gets the resources for the resource group. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resources/read | Gets resources of a subscription. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/delete | Deletes a resource group and all its resources. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/write | Creates or updates a resource group. 
| -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/tags/read | Gets all the tags on a resource. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/validate/action | Validates an deployment. | -> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/automations/read | Gets the automations for the scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/write | Creates or updates an deployment. | -> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/automations/delete | Deletes the automation for the scope | -> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/automations/write | Creates or updates the automation for the scope | -> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/register/action | Registers the subscription for Azure Security Center | -> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/unregister/action | Unregisters the subscription from Azure Security Center | -> | */read | Read resources of all types, except secrets. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Create, read, download, modify and delete reports objects and related other resource objects.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/0f37683f-2463-46b6-9ce7-9b788b988ba2", - "name": "0f37683f-2463-46b6-9ce7-9b788b988ba2", - "permissions": [ - { - "actions": [ - "Microsoft.AppComplianceAutomation/*", - "Microsoft.Storage/storageAccounts/blobServices/write", - "Microsoft.Storage/storageAccounts/fileservices/write", - "Microsoft.Storage/storageAccounts/listKeys/action", - "Microsoft.Storage/storageAccounts/write", - "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action", - "Microsoft.Storage/storageAccounts/read", - "Microsoft.Storage/storageAccounts/blobServices/containers/read", - "Microsoft.Storage/storageAccounts/blobServices/containers/write", - "Microsoft.Storage/storageAccounts/blobServices/read", - "Microsoft.PolicyInsights/policyStates/queryResults/action", - "Microsoft.PolicyInsights/policyStates/triggerEvaluation/action", - "Microsoft.Resources/resources/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/subscriptions/resourceGroups/resources/read", - "Microsoft.Resources/subscriptions/resources/read", - "Microsoft.Resources/subscriptions/resourceGroups/delete", - "Microsoft.Resources/subscriptions/resourceGroups/write", - "Microsoft.Resources/tags/read", - "Microsoft.Resources/deployments/validate/action", - "Microsoft.Security/automations/read", - "Microsoft.Resources/deployments/write", - "Microsoft.Security/automations/delete", - "Microsoft.Security/automations/write", - "Microsoft.Security/register/action", - "Microsoft.Security/unregister/action", - "*/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - 
], - "roleName": "App Compliance Automation Administrator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### App Compliance Automation Reader --Read, download the reports objects and related other resource objects. --[Learn more](/microsoft-365-app-certification/docs/automate-certification-with-acat) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | */read | Read resources of all types, except secrets. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Read, download the reports objects and related other resource objects.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/ffc6bbe0-e443-4c3b-bf54-26581bb2f78e", - "name": "ffc6bbe0-e443-4c3b-bf54-26581bb2f78e", - "permissions": [ - { - "actions": [ - "*/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "App Compliance Automation Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Attestation Contributor --Can read write or delete the attestation provider instance --[Learn more](/azure/attestation/quickstart-powershell) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | Microsoft.Attestation/attestationProviders/attestation/read | Gets the attestation service status. | -> | Microsoft.Attestation/attestationProviders/attestation/write | Adds attestation service. | -> | Microsoft.Attestation/attestationProviders/attestation/delete | Removes attestation service. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can read write or delete the attestation provider instance", - "id": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e", - "name": "bbf86eb8-f7b4-4cce-96e4-18cddf81d86e", - "permissions": [ - { - "actions": [ - "Microsoft.Attestation/attestationProviders/attestation/read", - "Microsoft.Attestation/attestationProviders/attestation/write", - "Microsoft.Attestation/attestationProviders/attestation/delete" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Attestation Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Attestation Reader --Can read the attestation provider properties --[Learn more](/azure/attestation/troubleshoot-guide) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | Microsoft.Attestation/attestationProviders/attestation/read | Gets the attestation service status. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can read the attestation provider properties", - "id": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3", - "name": "fd1bd22b-8476-40bc-a0bc-69b95687b9f3", - "permissions": [ - { - "actions": [ - "Microsoft.Attestation/attestationProviders/attestation/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Attestation Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Key Vault Administrator --Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. 
Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. --[Learn more](/azure/key-vault/general/rbac-guide) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/checkNameAvailability/read | Checks that a key vault name is valid and is not in use | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/deletedVaults/read | View the properties of soft deleted key vaults | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/locations/*/read | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/*/read | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/operations/read | Lists operations available on Microsoft.KeyVault resource provider | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. 
Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483", - "name": "00482a5a-887f-4fb3-b363-3b7fe8e74483", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.KeyVault/checkNameAvailability/read", - "Microsoft.KeyVault/deletedVaults/read", - "Microsoft.KeyVault/locations/*/read", - "Microsoft.KeyVault/vaults/*/read", - "Microsoft.KeyVault/operations/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.KeyVault/vaults/*" - ], - "notDataActions": [] - } - ], - "roleName": "Key Vault Administrator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Key Vault Certificate User --Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model. --[Learn more](/azure/key-vault/general/rbac-guide) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/certificates/read | List certificates in a specified key vault, or get information about a certificate. | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/secrets/getSecret/action | Gets the value of a secret. | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/secrets/readMetadata/action | List or view the properties of a secret, but not its value. 
| -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/read | List keys in the specified vault, or read properties and public material of a key. For asymmetric keys, this operation exposes public key and includes ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed. | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/db79e9a7-68ee-4b58-9aeb-b90e7c24fcba", - "name": "db79e9a7-68ee-4b58-9aeb-b90e7c24fcba", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.KeyVault/vaults/certificates/read", - "Microsoft.KeyVault/vaults/secrets/getSecret/action", - "Microsoft.KeyVault/vaults/secrets/readMetadata/action", - "Microsoft.KeyVault/vaults/keys/read" - ], - "notDataActions": [] - } - ], - "roleName": "Key Vault Certificate User", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Key Vault Certificates Officer --Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. 
--[Learn more](/azure/key-vault/general/rbac-guide) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/checkNameAvailability/read | Checks that a key vault name is valid and is not in use | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/deletedVaults/read | View the properties of soft deleted key vaults | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/locations/*/read | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/*/read | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/operations/read | Lists operations available on Microsoft.KeyVault resource provider | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/certificatecas/* | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/certificates/* | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/certificatecontacts/write | Manage Certificate Contact | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Perform any action on the 
certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985", - "name": "a4417e6f-fecd-4de8-b567-7b0420556985", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.KeyVault/checkNameAvailability/read", - "Microsoft.KeyVault/deletedVaults/read", - "Microsoft.KeyVault/locations/*/read", - "Microsoft.KeyVault/vaults/*/read", - "Microsoft.KeyVault/operations/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.KeyVault/vaults/certificatecas/*", - "Microsoft.KeyVault/vaults/certificates/*", - "Microsoft.KeyVault/vaults/certificatecontacts/write" - ], - "notDataActions": [] - } - ], - "roleName": "Key Vault Certificates Officer", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Key Vault Contributor --Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates. 
--[Learn more](/azure/key-vault/general/security-features) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/* | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/locations/deletedVaults/purge/action | Purge a soft deleted key vault | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/hsmPools/* | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/managedHsms/* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage key vaults, but not access to them.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395", - "name": "f25e0fa2-a7c8-4377-a976-54943a77a395", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.KeyVault/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [ - "Microsoft.KeyVault/locations/deletedVaults/purge/action", - "Microsoft.KeyVault/hsmPools/*", - "Microsoft.KeyVault/managedHsms/*" 
- ], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Key Vault Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Key Vault Crypto Officer --Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. --[Learn more](/azure/key-vault/general/rbac-guide) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/checkNameAvailability/read | Checks that a key vault name is valid and is not in use | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/deletedVaults/read | View the properties of soft deleted key vaults | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/locations/*/read | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/*/read | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/operations/read | Lists operations available on Microsoft.KeyVault resource provider | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/* | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keyrotationpolicies/* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Perform any action on the keys of a key vault, except manage permissions. 
Only works for key vaults that use the 'Azure role-based access control' permission model.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603", - "name": "14b46e9e-c2b7-41b4-b07b-48a6ebf60603", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.KeyVault/checkNameAvailability/read", - "Microsoft.KeyVault/deletedVaults/read", - "Microsoft.KeyVault/locations/*/read", - "Microsoft.KeyVault/vaults/*/read", - "Microsoft.KeyVault/operations/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.KeyVault/vaults/keys/*", - "Microsoft.KeyVault/vaults/keyrotationpolicies/*" - ], - "notDataActions": [] - } - ], - "roleName": "Key Vault Crypto Officer", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Key Vault Crypto Service Encryption User --Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. --[Learn more](/azure/key-vault/general/rbac-guide) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/eventSubscriptions/write | Create or update an eventSubscription | -> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/eventSubscriptions/read | Read an eventSubscription | -> | [Microsoft.EventGrid](resource-provider-operations.md#microsofteventgrid)/eventSubscriptions/delete | Delete an eventSubscription | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/read | List keys in the specified vault, or read properties and public material of a key. 
For asymmetric keys, this operation exposes public key and includes ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed. | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/wrap/action | Wraps a symmetric key with a Key Vault key. Note that if the Key Vault key is asymmetric, this operation can be performed by principals with read access. | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/unwrap/action | Unwraps a symmetric key with a Key Vault key. | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6", - "name": "e147488a-f6f5-4113-8e2d-b22465e65bf6", - "permissions": [ - { - "actions": [ - "Microsoft.EventGrid/eventSubscriptions/write", - "Microsoft.EventGrid/eventSubscriptions/read", - "Microsoft.EventGrid/eventSubscriptions/delete" - ], - "notActions": [], - "dataActions": [ - "Microsoft.KeyVault/vaults/keys/read", - "Microsoft.KeyVault/vaults/keys/wrap/action", - "Microsoft.KeyVault/vaults/keys/unwrap/action" - ], - "notDataActions": [] - } - ], - "roleName": "Key Vault Crypto Service Encryption User", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Key Vault Crypto Service Release User --Release keys. Only works for key vaults that use the 'Azure role-based access control' permission model. 
--[Learn more](/azure/key-vault/general/rbac-guide) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/release/action | Release a key using public part of KEK from attestation token. | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Release keys. Only works for key vaults that use the 'Azure role-based access control' permission model.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/08bbd89e-9f13-488c-ac41-acfcb10c90ab", - "name": "08bbd89e-9f13-488c-ac41-acfcb10c90ab", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.KeyVault/vaults/keys/release/action" - ], - "notDataActions": [] - } - ], - "roleName": "Key Vault Crypto Service Release User", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Key Vault Crypto User --Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. --[Learn more](/azure/key-vault/general/rbac-guide) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/read | List keys in the specified vault, or read properties and public material of a key. For asymmetric keys, this operation exposes public key and includes ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed. | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/update/action | Updates the specified attributes associated with the given key. 
| -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/backup/action | Creates the backup file of a key. The file can used to restore the key in a Key Vault of same subscription. Restrictions may apply. | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/encrypt/action | Encrypts plaintext with a key. Note that if the key is asymmetric, this operation can be performed by principals with read access. | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/decrypt/action | Decrypts ciphertext with a key. | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/wrap/action | Wraps a symmetric key with a Key Vault key. Note that if the Key Vault key is asymmetric, this operation can be performed by principals with read access. | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/unwrap/action | Unwraps a symmetric key with a Key Vault key. | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/sign/action | Signs a message digest (hash) with a key. | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/verify/action | Verifies the signature of a message digest (hash) with a key. Note that if the key is asymmetric, this operation can be performed by principals with read access. | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Perform cryptographic operations using keys. 
Only works for key vaults that use the 'Azure role-based access control' permission model.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424", - "name": "12338af0-0e69-4776-bea7-57ae8d297424", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.KeyVault/vaults/keys/read", - "Microsoft.KeyVault/vaults/keys/update/action", - "Microsoft.KeyVault/vaults/keys/backup/action", - "Microsoft.KeyVault/vaults/keys/encrypt/action", - "Microsoft.KeyVault/vaults/keys/decrypt/action", - "Microsoft.KeyVault/vaults/keys/wrap/action", - "Microsoft.KeyVault/vaults/keys/unwrap/action", - "Microsoft.KeyVault/vaults/keys/sign/action", - "Microsoft.KeyVault/vaults/keys/verify/action" - ], - "notDataActions": [] - } - ], - "roleName": "Key Vault Crypto User", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Key Vault Data Access Administrator --Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments. --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleAssignments/write | Create a role assignment at the specified scope. | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleAssignments/delete | Delete a role assignment at the specified scope. 
| -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | -> | [Microsoft.Management](resource-provider-operations.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated user. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/*/read | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | -> | **Condition** | | -> | ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 
12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) | Add or remove role assignments for the following roles:<br/>Key Vault Administrator<br/>Key Vault Certificates Officer<br/>Key Vault Crypto Officer<br/>Key Vault Crypto Service Encryption User<br/>Key Vault Crypto User<br/>Key Vault Reader<br/>Key Vault Secrets Officer<br/>Key Vault Secrets User | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/8b54135c-b56d-4d72-a534-26097cfdc8d8", - "name": "8b54135c-b56d-4d72-a534-26097cfdc8d8", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/roleAssignments/write", - "Microsoft.Authorization/roleAssignments/delete", - "Microsoft.Authorization/*/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Management/managementGroups/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Support/*", - "Microsoft.KeyVault/vaults/*/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [], - "conditionVersion": "2.0", - "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 
21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6}))" - } - ], - "roleName": "Key Vault Data Access Administrator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Key Vault Reader --Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. --[Learn more](/azure/key-vault/general/rbac-guide) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/checkNameAvailability/read | Checks that a key vault name is valid and is not in use | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/deletedVaults/read | View the properties of soft deleted key vaults | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/locations/*/read | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/*/read | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/operations/read | Lists operations available on Microsoft.KeyVault resource provider | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/*/read | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/secrets/readMetadata/action | List or view the properties of a secret, but not its value. | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. 
Only works for key vaults that use the 'Azure role-based access control' permission model.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2", - "name": "21090545-7ca7-4776-b22c-e363652d74d2", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.KeyVault/checkNameAvailability/read", - "Microsoft.KeyVault/deletedVaults/read", - "Microsoft.KeyVault/locations/*/read", - "Microsoft.KeyVault/vaults/*/read", - "Microsoft.KeyVault/operations/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.KeyVault/vaults/*/read", - "Microsoft.KeyVault/vaults/secrets/readMetadata/action" - ], - "notDataActions": [] - } - ], - "roleName": "Key Vault Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Key Vault Secrets Officer --Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. --[Learn more](/azure/key-vault/general/rbac-guide) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/checkNameAvailability/read | Checks that a key vault name is valid and is not in use | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/deletedVaults/read | View the properties of soft deleted key vaults | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/locations/*/read | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/*/read | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/operations/read | Lists operations available on Microsoft.KeyVault resource provider | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/secrets/* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Perform any action on the secrets of a key vault, except manage permissions. 
Only works for key vaults that use the 'Azure role-based access control' permission model.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7", - "name": "b86a8fe4-44ce-4948-aee5-eccb2c155cd7", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.KeyVault/checkNameAvailability/read", - "Microsoft.KeyVault/deletedVaults/read", - "Microsoft.KeyVault/locations/*/read", - "Microsoft.KeyVault/vaults/*/read", - "Microsoft.KeyVault/operations/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.KeyVault/vaults/secrets/*" - ], - "notDataActions": [] - } - ], - "roleName": "Key Vault Secrets Officer", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Key Vault Secrets User --Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. --[Learn more](/azure/key-vault/general/rbac-guide) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/secrets/getSecret/action | Gets the value of a secret. | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/secrets/readMetadata/action | List or view the properties of a secret, but not its value. | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Read secret contents. 
Only works for key vaults that use the 'Azure role-based access control' permission model.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6", - "name": "4633458b-17de-408a-b874-0445c86b69e6", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.KeyVault/vaults/secrets/getSecret/action", - "Microsoft.KeyVault/vaults/secrets/readMetadata/action" - ], - "notDataActions": [] - } - ], - "roleName": "Key Vault Secrets User", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Managed HSM contributor --Lets you manage managed HSM pools, but not access to them. --[Learn more](/azure/key-vault/managed-hsm/secure-your-managed-hsm) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/managedHSMs/* | | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/deletedManagedHsms/read | View the properties of a deleted managed hsm | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/locations/deletedManagedHsms/read | View the properties of a deleted managed hsm | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/locations/deletedManagedHsms/purge/action | Purge a soft deleted managed hsm | -> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/locations/managedHsmOperationResults/read | Check the result of a long run operation | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage managed HSM pools, but not access to them.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d", - "name": "18500a29-7fe2-46b2-a342-b16a415e101d", - "permissions": [ - { - "actions": [ - 
"Microsoft.KeyVault/managedHSMs/*", - "Microsoft.KeyVault/deletedManagedHsms/read", - "Microsoft.KeyVault/locations/deletedManagedHsms/read", - "Microsoft.KeyVault/locations/deletedManagedHsms/purge/action", - "Microsoft.KeyVault/locations/managedHsmOperationResults/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Managed HSM contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Microsoft Sentinel Automation Contributor --Microsoft Sentinel Automation Contributor --[Learn more](/azure/sentinel/roles) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/workflows/triggers/read | Reads the trigger. | -> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/workflows/triggers/listCallbackUrl/action | Gets the callback URL for trigger. | -> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/workflows/runs/read | Reads the workflow run. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/hostruntime/webhooks/api/workflows/triggers/read | List Web Apps Hostruntime Workflow Triggers. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action | Get Web Apps Hostruntime Workflow Trigger Uri. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/hostruntime/webhooks/api/workflows/runs/read | List Web Apps Hostruntime Workflow Runs. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Microsoft Sentinel Automation Contributor", - "id": "/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a", - "name": "f4c81013-99ee-4d62-a7ee-b3f1f648599a", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Logic/workflows/triggers/read", - "Microsoft.Logic/workflows/triggers/listCallbackUrl/action", - "Microsoft.Logic/workflows/runs/read", - "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read", - "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action", - "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Microsoft Sentinel Automation Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Microsoft Sentinel Contributor --Microsoft Sentinel Contributor --[Learn more](/azure/sentinel/roles) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/* | | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/analytics/query/action | Search using new engine. 
| -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/*/read | View log analytics data | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/savedSearches/* | | -> | [Microsoft.OperationsManagement](resource-provider-operations.md#microsoftoperationsmanagement)/solutions/read | Get existing OMS solution | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/query/read | Run queries over the data in the workspace | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/query/*/read | | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/dataSources/read | Get data source under a workspace. | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/querypacks/*/read | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/workbooks/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/myworkbooks/read | Read a private Workbook | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/ConfidentialWatchlists/* | | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/query/ConfidentialWatchlist/* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Microsoft Sentinel Contributor", - "id": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade", - "name": "ab8e14d6-4a74-4a29-9ba8-549422addade", - "permissions": [ - { - "actions": [ - "Microsoft.SecurityInsights/*", - "Microsoft.OperationalInsights/workspaces/analytics/query/action", - "Microsoft.OperationalInsights/workspaces/*/read", - "Microsoft.OperationalInsights/workspaces/savedSearches/*", - "Microsoft.OperationsManagement/solutions/read", - "Microsoft.OperationalInsights/workspaces/query/read", - "Microsoft.OperationalInsights/workspaces/query/*/read", - "Microsoft.OperationalInsights/workspaces/dataSources/read", - "Microsoft.OperationalInsights/querypacks/*/read", - "Microsoft.Insights/workbooks/*", - "Microsoft.Insights/myworkbooks/read", - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [ - "Microsoft.SecurityInsights/ConfidentialWatchlists/*", - "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*" - ], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Microsoft Sentinel Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Microsoft Sentinel Playbook Operator --Microsoft Sentinel Playbook Operator --[Learn 
more](/azure/sentinel/roles) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/workflows/read | Reads the workflow. | -> | [Microsoft.Logic](resource-provider-operations.md#microsoftlogic)/workflows/triggers/listCallbackUrl/action | Gets the callback URL for trigger. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action | Get Web Apps Hostruntime Workflow Trigger Uri. | -> | [Microsoft.Web](resource-provider-operations.md#microsoftweb)/sites/read | Get the properties of a Web App | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Microsoft Sentinel Playbook Operator", - "id": "/providers/Microsoft.Authorization/roleDefinitions/51d6186e-6489-4900-b93f-92e23144cca5", - "name": "51d6186e-6489-4900-b93f-92e23144cca5", - "permissions": [ - { - "actions": [ - "Microsoft.Logic/workflows/read", - "Microsoft.Logic/workflows/triggers/listCallbackUrl/action", - "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action", - "Microsoft.Web/sites/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Microsoft Sentinel Playbook Operator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Microsoft Sentinel Reader --Microsoft Sentinel Reader --[Learn more](/azure/sentinel/roles) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/*/read | | -> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/dataConnectorsCheckRequirements/action | Check user authorization and license | -> | 
[Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/indicators/query/action | Query Threat Intelligence Indicators | -> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/queryIndicators/action | Query Threat Intelligence Indicators | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/analytics/query/action | Search using new engine. | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/*/read | View log analytics data | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/LinkedServices/read | Get linked services under given workspace. | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/savedSearches/read | Gets a saved search query. | -> | [Microsoft.OperationsManagement](resource-provider-operations.md#microsoftoperationsmanagement)/solutions/read | Get existing OMS solution | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/query/read | Run queries over the data in the workspace | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/query/*/read | | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/querypacks/*/read | | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/dataSources/read | Get data source under a workspace. 
| -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/workbooks/read | Read a workbook | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/myworkbooks/read | Read a private Workbook | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/templateSpecs/*/read | Get or list template specs and template spec versions | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/ConfidentialWatchlists/* | | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/query/ConfidentialWatchlist/* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Microsoft Sentinel Reader", - "id": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb", - "name": "8d289c81-5878-46d4-8554-54e1e3d8b5cb", - "permissions": [ - { - "actions": [ - "Microsoft.SecurityInsights/*/read", - "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action", - "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action", - "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action", - 
"Microsoft.OperationalInsights/workspaces/analytics/query/action", - "Microsoft.OperationalInsights/workspaces/*/read", - "Microsoft.OperationalInsights/workspaces/LinkedServices/read", - "Microsoft.OperationalInsights/workspaces/savedSearches/read", - "Microsoft.OperationsManagement/solutions/read", - "Microsoft.OperationalInsights/workspaces/query/read", - "Microsoft.OperationalInsights/workspaces/query/*/read", - "Microsoft.OperationalInsights/querypacks/*/read", - "Microsoft.OperationalInsights/workspaces/dataSources/read", - "Microsoft.Insights/workbooks/read", - "Microsoft.Insights/myworkbooks/read", - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/templateSpecs/*/read", - "Microsoft.Support/*" - ], - "notActions": [ - "Microsoft.SecurityInsights/ConfidentialWatchlists/*", - "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*" - ], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Microsoft Sentinel Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Microsoft Sentinel Responder --Microsoft Sentinel Responder --[Learn more](/azure/sentinel/roles) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/*/read | | -> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/dataConnectorsCheckRequirements/action | Check user authorization and license | -> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/automationRules/* | | -> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/cases/* | | -> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/incidents/* | | -> | 
[Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/entities/runPlaybook/action | Run playbook on entity | -> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/indicators/appendTags/action | Append tags to Threat Intelligence Indicator | -> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/indicators/query/action | Query Threat Intelligence Indicators | -> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/bulkTag/action | Bulk Tags Threat Intelligence | -> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/indicators/appendTags/action | Append tags to Threat Intelligence Indicator | -> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/indicators/replaceTags/action | Replace Tags of Threat Intelligence Indicator | -> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/queryIndicators/action | Query Threat Intelligence Indicators | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/analytics/query/action | Search using new engine. | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/*/read | View log analytics data | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/dataSources/read | Get data source under a workspace. | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/savedSearches/read | Gets a saved search query. 
| -> | [Microsoft.OperationsManagement](resource-provider-operations.md#microsoftoperationsmanagement)/solutions/read | Get existing OMS solution | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/query/read | Run queries over the data in the workspace | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/query/*/read | | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/dataSources/read | Get data source under a workspace. | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/querypacks/*/read | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/workbooks/read | Read a workbook | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/myworkbooks/read | Read a private Workbook | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/cases/*/Delete | | -> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/incidents/*/Delete | | -> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/ConfidentialWatchlists/* | | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/query/ConfidentialWatchlist/* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Microsoft Sentinel Responder", - "id": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056", - "name": "3e150937-b8fe-4cfb-8069-0eaf05ecd056", - "permissions": [ - { - "actions": [ - "Microsoft.SecurityInsights/*/read", - "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action", - "Microsoft.SecurityInsights/automationRules/*", - "Microsoft.SecurityInsights/cases/*", - "Microsoft.SecurityInsights/incidents/*", - "Microsoft.SecurityInsights/entities/runPlaybook/action", - "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action", - "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action", - "Microsoft.SecurityInsights/threatIntelligence/bulkTag/action", - "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action", - "Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action", - "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action", - "Microsoft.OperationalInsights/workspaces/analytics/query/action", - "Microsoft.OperationalInsights/workspaces/*/read", - "Microsoft.OperationalInsights/workspaces/dataSources/read", - 
"Microsoft.OperationalInsights/workspaces/savedSearches/read", - "Microsoft.OperationsManagement/solutions/read", - "Microsoft.OperationalInsights/workspaces/query/read", - "Microsoft.OperationalInsights/workspaces/query/*/read", - "Microsoft.OperationalInsights/workspaces/dataSources/read", - "Microsoft.OperationalInsights/querypacks/*/read", - "Microsoft.Insights/workbooks/read", - "Microsoft.Insights/myworkbooks/read", - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [ - "Microsoft.SecurityInsights/cases/*/Delete", - "Microsoft.SecurityInsights/incidents/*/Delete", - "Microsoft.SecurityInsights/ConfidentialWatchlists/*", - "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*" - ], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Microsoft Sentinel Responder", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Security Admin --View and update permissions for Microsoft Defender for Cloud. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations.<br><br>For Microsoft Defender for IoT, see [Azure user roles for OT and Enterprise IoT monitoring](../defender-for-iot/organizations/roles-azure.md). 
--[Learn more](/azure/defender-for-cloud/permissions) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/policyAssignments/* | Create and manage policy assignments | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/policyDefinitions/* | Create and manage policy definitions | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/policyExemptions/* | Create and manage policy exemptions | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/policySetDefinitions/* | Create and manage policy sets | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Management](resource-provider-operations.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated user. | -> | [Microsoft.operationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/*/read | View log analytics data | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/* | Create and manage security components and policies | -> | [Microsoft.IoTSecurity](resource-provider-operations.md#microsoftiotsecurity)/* | | -> | Microsoft.IoTFirmwareDefense/* | | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Security Admin Role", - "id": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", - "name": "fb1c8493-542b-48eb-b624-b4c8fea62acd", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Authorization/policyAssignments/*", - "Microsoft.Authorization/policyDefinitions/*", - "Microsoft.Authorization/policyExemptions/*", - "Microsoft.Authorization/policySetDefinitions/*", - "Microsoft.Insights/alertRules/*", - "Microsoft.Management/managementGroups/read", - "Microsoft.operationalInsights/workspaces/*/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Security/*", - "Microsoft.IoTSecurity/*", - "Microsoft.IoTFirmwareDefense/*", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Security Admin", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Security Assessment Contributor --Lets you push assessments to Microsoft Defender for Cloud --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/assessments/write | Create or update security assessments on your subscription | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | 
| -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you push assessments to Security Center", - "id": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5", - "name": "612c2aa1-cb24-443b-ac28-3ab7272de6f5", - "permissions": [ - { - "actions": [ - "Microsoft.Security/assessments/write" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Security Assessment Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Security Manager (Legacy) --This is a legacy role. Please use Security Admin instead. --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.ClassicCompute](resource-provider-operations.md#microsoftclassiccompute)/*/read | Read configuration information classic virtual machines | -> | [Microsoft.ClassicCompute](resource-provider-operations.md#microsoftclassiccompute)/virtualMachines/*/write | Write configuration for classic virtual machines | -> | [Microsoft.ClassicNetwork](resource-provider-operations.md#microsoftclassicnetwork)/*/read | Read configuration information about classic network | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/* | Create and manage security components and policies | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "This is a legacy role. Please use Security Administrator instead", - "id": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10", - "name": "e3d13bf0-dd5a-482e-ba6b-9b8433878d10", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.ClassicCompute/*/read", - "Microsoft.ClassicCompute/virtualMachines/*/write", - "Microsoft.ClassicNetwork/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Security/*", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Security Manager (Legacy)", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Security Reader --View permissions for Microsoft Defender for Cloud. Can view recommendations, alerts, a security policy, and security states, but cannot make changes.<br><br>For Microsoft Defender for IoT, see [Azure user roles for OT and Enterprise IoT monitoring](../defender-for-iot/organizations/roles-azure.md). 
--[Learn more](/azure/defender-for-cloud/permissions) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/read | Read a classic metric alert | -> | [Microsoft.operationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/*/read | View log analytics data | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/*/read | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/*/read | Read security components and policies | -> | [Microsoft.IoTSecurity](resource-provider-operations.md#microsoftiotsecurity)/*/read | | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/*/read | | -> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/iotDefenderSettings/packageDownloads/action | Gets downloadable IoT Defender packages information | -> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/iotDefenderSettings/downloadManagerActivation/action | Download manager activation file with subscription quota data | -> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/iotSensors/downloadResetPassword/action | Downloads reset password file for IoT Sensors | -> | [Microsoft.IoTSecurity](resource-provider-operations.md#microsoftiotsecurity)/defenderSettings/packageDownloads/action | Gets downloadable IoT Defender packages information | -> | [Microsoft.IoTSecurity](resource-provider-operations.md#microsoftiotsecurity)/defenderSettings/downloadManagerActivation/action | Download manager activation file | -> | 
[Microsoft.Management](resource-provider-operations.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated user. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Security Reader Role", - "id": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4", - "name": "39bc4728-0917-49c7-9d2c-d95423bc2eb4", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/read", - "Microsoft.operationalInsights/workspaces/*/read", - "Microsoft.Resources/deployments/*/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Security/*/read", - "Microsoft.IoTSecurity/*/read", - "Microsoft.Support/*/read", - "Microsoft.Security/iotDefenderSettings/packageDownloads/action", - "Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action", - "Microsoft.Security/iotSensors/downloadResetPassword/action", - "Microsoft.IoTSecurity/defenderSettings/packageDownloads/action", - "Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action", - "Microsoft.Management/managementGroups/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Security Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --## DevOps ---### DevTest Labs User --Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. 
--[Learn more](/azure/devtest-labs/devtest-lab-add-devtest-user) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/availabilitySets/read | Get the properties of an availability set | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/*/read | Read the properties of a virtual machine (VM sizes, runtime status, VM extensions, etc.) | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/deallocate/action | Powers off the virtual machine and releases the compute resources | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/read | Get the properties of a virtual machine | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/restart/action | Restarts the virtual machine | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/start/action | Starts the virtual machine | -> | [Microsoft.DevTestLab](resource-provider-operations.md#microsoftdevtestlab)/*/read | Read the properties of a lab | -> | [Microsoft.DevTestLab](resource-provider-operations.md#microsoftdevtestlab)/labs/claimAnyVm/action | Claim a random claimable virtual machine in the lab. | -> | [Microsoft.DevTestLab](resource-provider-operations.md#microsoftdevtestlab)/labs/createEnvironment/action | Create virtual machines in a lab. | -> | [Microsoft.DevTestLab](resource-provider-operations.md#microsoftdevtestlab)/labs/ensureCurrentUserProfile/action | Ensure the current user has a valid profile in the lab. | -> | [Microsoft.DevTestLab](resource-provider-operations.md#microsoftdevtestlab)/labs/formulas/delete | Delete formulas. 
| -> | [Microsoft.DevTestLab](resource-provider-operations.md#microsoftdevtestlab)/labs/formulas/read | Read formulas. | -> | [Microsoft.DevTestLab](resource-provider-operations.md#microsoftdevtestlab)/labs/formulas/write | Add or modify formulas. | -> | [Microsoft.DevTestLab](resource-provider-operations.md#microsoftdevtestlab)/labs/policySets/evaluatePolicies/action | Evaluates lab policy. | -> | [Microsoft.DevTestLab](resource-provider-operations.md#microsoftdevtestlab)/labs/virtualMachines/claim/action | Take ownership of an existing virtual machine | -> | [Microsoft.DevTestLab](resource-provider-operations.md#microsoftdevtestlab)/labs/virtualmachines/listApplicableSchedules/action | Lists the applicable start/stop schedules, if any. | -> | [Microsoft.DevTestLab](resource-provider-operations.md#microsoftdevtestlab)/labs/virtualMachines/getRdpFileContents/action | Gets a string that represents the contents of the RDP file for the virtual machine | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/loadBalancers/backendAddressPools/join/action | Joins a load balancer backend address pool. Not Alertable. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/loadBalancers/inboundNatRules/join/action | Joins a load balancer inbound nat rule. Not Alertable. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkInterfaces/*/read | Read the properties of a network interface (for example, all the load balancers that the network interface is a part of) | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkInterfaces/join/action | Joins a Virtual Machine to a network interface. Not Alertable. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkInterfaces/read | Gets a network interface definition. 
| -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/networkInterfaces/write | Creates a network interface or updates an existing network interface. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/publicIPAddresses/*/read | Read the properties of a public IP address | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/publicIPAddresses/join/action | Joins a public IP address. Not Alertable. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/publicIPAddresses/read | Gets a public IP address definition. | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/read | Gets or lists deployments. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. 
| -> | **NotActions** | | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/virtualMachines/vmSizes/read | Lists available sizes the virtual machine can be updated to | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64", - "name": "76283e04-6283-4c54-8f91-bcf1374a3c64", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Compute/availabilitySets/read", - "Microsoft.Compute/virtualMachines/*/read", - "Microsoft.Compute/virtualMachines/deallocate/action", - "Microsoft.Compute/virtualMachines/read", - "Microsoft.Compute/virtualMachines/restart/action", - "Microsoft.Compute/virtualMachines/start/action", - "Microsoft.DevTestLab/*/read", - "Microsoft.DevTestLab/labs/claimAnyVm/action", - "Microsoft.DevTestLab/labs/createEnvironment/action", - "Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action", - "Microsoft.DevTestLab/labs/formulas/delete", - "Microsoft.DevTestLab/labs/formulas/read", - "Microsoft.DevTestLab/labs/formulas/write", - "Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action", - "Microsoft.DevTestLab/labs/virtualMachines/claim/action", - "Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action", - "Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action", - "Microsoft.Network/loadBalancers/backendAddressPools/join/action", - "Microsoft.Network/loadBalancers/inboundNatRules/join/action", - "Microsoft.Network/networkInterfaces/*/read", - "Microsoft.Network/networkInterfaces/join/action", - "Microsoft.Network/networkInterfaces/read", - "Microsoft.Network/networkInterfaces/write", - "Microsoft.Network/publicIPAddresses/*/read", - 
"Microsoft.Network/publicIPAddresses/join/action", - "Microsoft.Network/publicIPAddresses/read", - "Microsoft.Network/virtualNetworks/subnets/join/action", - "Microsoft.Resources/deployments/operations/read", - "Microsoft.Resources/deployments/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Storage/storageAccounts/listKeys/action" - ], - "notActions": [ - "Microsoft.Compute/virtualMachines/vmSizes/read" - ], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "DevTest Labs User", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Lab Assistant --Enables you to view an existing lab, perform actions on the lab VMs and send invitations to the lab. --[Learn more](/azure/lab-services/administrator-guide) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labPlans/images/read | Get the properties of an image. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labPlans/read | Get the properties of a lab plan. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/read | Get the properties of a lab. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/schedules/read | Get the properties of a schedule. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/users/read | Get the properties of a user. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/users/invite/action | Send email invitation to a user to join the lab. 
| -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/read | Get the properties of a virtual machine. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/start/action | Start a virtual machine. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/stop/action | Stop and deallocate a virtual machine. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/reimage/action | Reimage a virtual machine to the last published image. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/redeploy/action | Redeploy a virtual machine to a different compute node. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/locations/usages/read | Get Usage in a location | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/skus/read | Get the properties of a Lab Services SKU. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "The lab assistant role", - "id": "/providers/Microsoft.Authorization/roleDefinitions/ce40b423-cede-4313-a93f-9b28290b72e1", - "name": "ce40b423-cede-4313-a93f-9b28290b72e1", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.LabServices/labPlans/images/read", - "Microsoft.LabServices/labPlans/read", - "Microsoft.LabServices/labs/read", - "Microsoft.LabServices/labs/schedules/read", - "Microsoft.LabServices/labs/users/read", - "Microsoft.LabServices/labs/users/invite/action", - "Microsoft.LabServices/labs/virtualMachines/read", - "Microsoft.LabServices/labs/virtualMachines/start/action", - "Microsoft.LabServices/labs/virtualMachines/stop/action", - "Microsoft.LabServices/labs/virtualMachines/reimage/action", - "Microsoft.LabServices/labs/virtualMachines/redeploy/action", - "Microsoft.LabServices/locations/usages/read", - "Microsoft.LabServices/skus/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Lab Assistant", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Lab Contributor --Applied at lab level, enables you to manage the lab. Applied at a resource group, enables you to create and manage labs. 
--[Learn more](/azure/lab-services/administrator-guide) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labPlans/images/read | Get the properties of an image. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labPlans/read | Get the properties of a lab plan. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labPlans/saveImage/action | Create an image from a virtual machine in the gallery attached to the lab plan. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/read | Get the properties of a lab. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/write | Create new or update an existing lab. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/delete | Delete the lab and all its users, schedules and virtual machines. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/publish/action | Publish a lab by propagating image of the template virtual machine to all virtual machines in the lab. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/syncGroup/action | Updates the list of users from the Active Directory group assigned to the lab. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/schedules/read | Get the properties of a schedule. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/schedules/write | Create new or update an existing schedule. 
| -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/schedules/delete | Delete the schedule. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/users/read | Get the properties of a user. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/users/write | Create new or update an existing user. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/users/delete | Delete the user. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/users/invite/action | Send email invitation to a user to join the lab. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/read | Get the properties of a virtual machine. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/start/action | Start a virtual machine. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/stop/action | Stop and deallocate a virtual machine. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/reimage/action | Reimage a virtual machine to the last published image. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/redeploy/action | Redeploy a virtual machine to a different compute node. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/resetPassword/action | Reset local user's password on a virtual machine. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/locations/usages/read | Get Usage in a location | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/skus/read | Get the properties of a Lab Services SKU. 
| -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labPlans/createLab/action | Create a new lab from a lab plan. | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "The lab contributor role", - "id": "/providers/Microsoft.Authorization/roleDefinitions/5daaa2af-1fe8-407c-9122-bba179798270", - "name": "5daaa2af-1fe8-407c-9122-bba179798270", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.LabServices/labPlans/images/read", - "Microsoft.LabServices/labPlans/read", - "Microsoft.LabServices/labPlans/saveImage/action", - "Microsoft.LabServices/labs/read", - "Microsoft.LabServices/labs/write", - "Microsoft.LabServices/labs/delete", - "Microsoft.LabServices/labs/publish/action", - "Microsoft.LabServices/labs/syncGroup/action", - "Microsoft.LabServices/labs/schedules/read", - "Microsoft.LabServices/labs/schedules/write", - "Microsoft.LabServices/labs/schedules/delete", - "Microsoft.LabServices/labs/users/read", - "Microsoft.LabServices/labs/users/write", - "Microsoft.LabServices/labs/users/delete", - "Microsoft.LabServices/labs/users/invite/action", - "Microsoft.LabServices/labs/virtualMachines/read", - "Microsoft.LabServices/labs/virtualMachines/start/action", - "Microsoft.LabServices/labs/virtualMachines/stop/action", - "Microsoft.LabServices/labs/virtualMachines/reimage/action", - "Microsoft.LabServices/labs/virtualMachines/redeploy/action", - "Microsoft.LabServices/labs/virtualMachines/resetPassword/action", - "Microsoft.LabServices/locations/usages/read", - 
"Microsoft.LabServices/skus/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.LabServices/labPlans/createLab/action" - ], - "notDataActions": [] - } - ], - "roleName": "Lab Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Lab Creator --Lets you create new labs under your Azure Lab Accounts. --[Learn more](/azure/lab-services/administrator-guide) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labAccounts/*/read | | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labAccounts/createLab/action | Create a lab in a lab account. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labAccounts/getPricingAndAvailability/action | Get the pricing and availability of combinations of sizes, geographies, and operating systems for the lab account. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labAccounts/getRestrictionsAndUsage/action | Get core restrictions and usage for this subscription | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labPlans/images/read | Get the properties of an image. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labPlans/read | Get the properties of a lab plan. 
| -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labPlans/saveImage/action | Create an image from a virtual machine in the gallery attached to the lab plan. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/read | Get the properties of a lab. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/schedules/read | Get the properties of a schedule. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/users/read | Get the properties of a user. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/read | Get the properties of a virtual machine. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/locations/usages/read | Get Usage in a location | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/skus/read | Get the properties of a Lab Services SKU. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labPlans/createLab/action | Create a new lab from a lab plan. 
| -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you create new labs under your Azure Lab Accounts.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead", - "name": "b97fb8bc-a8b2-4522-a38b-dd33c7e65ead", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.LabServices/labAccounts/*/read", - "Microsoft.LabServices/labAccounts/createLab/action", - "Microsoft.LabServices/labAccounts/getPricingAndAvailability/action", - "Microsoft.LabServices/labAccounts/getRestrictionsAndUsage/action", - "Microsoft.Insights/alertRules/*", - "Microsoft.LabServices/labPlans/images/read", - "Microsoft.LabServices/labPlans/read", - "Microsoft.LabServices/labPlans/saveImage/action", - "Microsoft.LabServices/labs/read", - "Microsoft.LabServices/labs/schedules/read", - "Microsoft.LabServices/labs/users/read", - "Microsoft.LabServices/labs/virtualMachines/read", - "Microsoft.LabServices/locations/usages/read", - "Microsoft.LabServices/skus/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [ - "Microsoft.LabServices/labPlans/createLab/action" - ], - "notDataActions": [] - } - ], - "roleName": "Lab Creator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Lab Operator --Gives you limited ability to manage existing labs. 
--[Learn more](/azure/lab-services/administrator-guide) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labPlans/images/read | Get the properties of an image. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labPlans/read | Get the properties of a lab plan. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labPlans/saveImage/action | Create an image from a virtual machine in the gallery attached to the lab plan. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/publish/action | Publish a lab by propagating image of the template virtual machine to all virtual machines in the lab. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/read | Get the properties of a lab. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/schedules/read | Get the properties of a schedule. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/schedules/write | Create new or update an existing schedule. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/schedules/delete | Delete the schedule. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/users/read | Get the properties of a user. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/users/write | Create new or update an existing user. 
| -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/users/delete | Delete the user. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/users/invite/action | Send email invitation to a user to join the lab. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/read | Get the properties of a virtual machine. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/start/action | Start a virtual machine. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/stop/action | Stop and deallocate a virtual machine. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/reimage/action | Reimage a virtual machine to the last published image. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/redeploy/action | Redeploy a virtual machine to a different compute node. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labs/virtualMachines/resetPassword/action | Reset local user's password on a virtual machine. | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/locations/usages/read | Get Usage in a location | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/skus/read | Get the properties of a Lab Services SKU. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "The lab operator role", - "id": "/providers/Microsoft.Authorization/roleDefinitions/a36e6959-b6be-4b12-8e9f-ef4b474d304d", - "name": "a36e6959-b6be-4b12-8e9f-ef4b474d304d", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.LabServices/labPlans/images/read", - "Microsoft.LabServices/labPlans/read", - "Microsoft.LabServices/labPlans/saveImage/action", - "Microsoft.LabServices/labs/publish/action", - "Microsoft.LabServices/labs/read", - "Microsoft.LabServices/labs/schedules/read", - "Microsoft.LabServices/labs/schedules/write", - "Microsoft.LabServices/labs/schedules/delete", - "Microsoft.LabServices/labs/users/read", - "Microsoft.LabServices/labs/users/write", - "Microsoft.LabServices/labs/users/delete", - "Microsoft.LabServices/labs/users/invite/action", - "Microsoft.LabServices/labs/virtualMachines/read", - "Microsoft.LabServices/labs/virtualMachines/start/action", - "Microsoft.LabServices/labs/virtualMachines/stop/action", - "Microsoft.LabServices/labs/virtualMachines/reimage/action", - "Microsoft.LabServices/labs/virtualMachines/redeploy/action", - "Microsoft.LabServices/labs/virtualMachines/resetPassword/action", - "Microsoft.LabServices/locations/usages/read", - "Microsoft.LabServices/skus/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Lab Operator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Lab Services Contributor --Enables you to fully control all Lab Services scenarios in the resource group. 
--[Learn more](/azure/lab-services/administrator-guide) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/* | Create and manage lab services components | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/labPlans/createLab/action | Create a new lab from a lab plan. | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "The lab services contributor role", - "id": "/providers/Microsoft.Authorization/roleDefinitions/f69b8690-cc87-41d6-b77a-a4bc3c0a966f", - "name": "f69b8690-cc87-41d6-b77a-a4bc3c0a966f", - "permissions": [ - { - "actions": [ - "Microsoft.LabServices/*", - "Microsoft.Insights/alertRules/*", - "Microsoft.Authorization/*/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.LabServices/labPlans/createLab/action" - ], - "notDataActions": [] - } - ], - "roleName": "Lab Services Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Lab Services Reader --Enables you to view, but not change, all lab plans and lab resources. 
--[Learn more](/azure/lab-services/administrator-guide) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.LabServices](resource-provider-operations.md#microsoftlabservices)/*/read | Read lab services properties | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "The lab services reader role", - "id": "/providers/Microsoft.Authorization/roleDefinitions/2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc", - "name": "2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc", - "permissions": [ - { - "actions": [ - "Microsoft.LabServices/*/read", - "Microsoft.Authorization/*/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Lab Services Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --## Monitor ---### Application Insights Component Contributor --Can manage Application Insights components --[Learn more](/azure/azure-monitor/app/resources-roles-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage classic alert rules | -> | 
[Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/generateLiveToken/read | Live Metrics get token | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricAlerts/* | Create and manage new alert rules | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/components/* | Create and manage Insights components | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/scheduledqueryrules/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/topology/read | Read Topology | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/transactions/read | Read Transactions | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/webtests/* | Create and manage Insights web tests | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can manage Application Insights components", - "id": "/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e", - "name": "ae349356-3a1b-4a5e-921d-050484c6347e", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Insights/generateLiveToken/read", - "Microsoft.Insights/metricAlerts/*", - "Microsoft.Insights/components/*", - "Microsoft.Insights/scheduledqueryrules/*", - "Microsoft.Insights/topology/read", - "Microsoft.Insights/transactions/read", - "Microsoft.Insights/webtests/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Application Insights Component Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Application Insights Snapshot Debugger --Gives user permission to view and download debug snapshots collected with the Application Insights Snapshot Debugger. Note that these permissions are not included in the [Owner](#owner) or [Contributor](#contributor) roles. When giving users the Application Insights Snapshot Debugger role, you must grant the role directly to the user. The role is not recognized when it is added to a custom role. 
--[Learn more](/azure/azure-monitor/app/snapshot-debugger) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/components/*/read | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Gives user permission to use Application Insights Snapshot Debugger features", - "id": "/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b", - "name": "08954f03-6346-4c2e-81c0-ec3a5cfae23b", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Insights/components/*/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Application Insights Snapshot Debugger", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Monitoring Contributor --Can read all monitoring data and edit monitoring settings. 
See also [Get started with roles, permissions, and security with Azure Monitor](../azure-monitor/roles-permissions-security.md#built-in-monitoring-roles). --[Learn more](/azure/azure-monitor/roles-permissions-security) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | */read | Read resources of all types, except secrets. | -> | [Microsoft.AlertsManagement](resource-provider-operations.md#microsoftalertsmanagement)/alerts/* | | -> | [Microsoft.AlertsManagement](resource-provider-operations.md#microsoftalertsmanagement)/alertsSummary/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/actiongroups/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/activityLogAlerts/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/AlertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/components/* | Create and manage Insights components | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/createNotifications/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/dataCollectionEndpoints/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/dataCollectionRules/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/dataCollectionRuleAssociations/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/DiagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/eventtypes/* | List Activity Log events (management events) in a subscription. This permission is applicable to both programmatic and portal access to the Activity Log. 
| -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/LogDefinitions/* | This permission is necessary for users who need access to Activity Logs via the portal. List log categories in Activity Log. | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/metricalerts/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/MetricDefinitions/* | Read metric definitions (list of available metric types for a resource). | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/Metrics/* | Read metrics for a resource. | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/notificationStatus/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/Register/Action | Register the Microsoft Insights provider | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/scheduledqueryrules/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/webtests/* | Create and manage Insights web tests | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/workbooks/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/workbooktemplates/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/privateLinkScopes/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/privateLinkScopeOperationStatuses/* | | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/write | Creates a new workspace or links to an existing workspace by providing the customer id from the existing workspace. | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/intelligencepacks/* | Read/write/delete log analytics solution packs. 
| -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/savedSearches/* | Read/write/delete log analytics saved searches. | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/search/action | Executes a search query | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/sharedKeys/action | Retrieves the shared keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace. | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/storageinsightconfigs/* | Read/write/delete log analytics storage insight configurations. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.AlertsManagement](resource-provider-operations.md#microsoftalertsmanagement)/smartDetectorAlertRules/* | | -> | [Microsoft.AlertsManagement](resource-provider-operations.md#microsoftalertsmanagement)/actionRules/* | | -> | [Microsoft.AlertsManagement](resource-provider-operations.md#microsoftalertsmanagement)/smartGroups/* | | -> | [Microsoft.AlertsManagement](resource-provider-operations.md#microsoftalertsmanagement)/migrateFromSmartDetection/* | | -> | [Microsoft.AlertsManagement](resource-provider-operations.md#microsoftalertsmanagement)/investigations/* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can read all monitoring data and update monitoring settings.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", - "name": "749f88d5-cbae-40b8-bcfc-e573ddc772fa", - "permissions": [ - { - "actions": [ - "*/read", - "Microsoft.AlertsManagement/alerts/*", - 
"Microsoft.AlertsManagement/alertsSummary/*", - "Microsoft.Insights/actiongroups/*", - "Microsoft.Insights/activityLogAlerts/*", - "Microsoft.Insights/AlertRules/*", - "Microsoft.Insights/components/*", - "Microsoft.Insights/createNotifications/*", - "Microsoft.Insights/dataCollectionEndpoints/*", - "Microsoft.Insights/dataCollectionRules/*", - "Microsoft.Insights/dataCollectionRuleAssociations/*", - "Microsoft.Insights/DiagnosticSettings/*", - "Microsoft.Insights/eventtypes/*", - "Microsoft.Insights/LogDefinitions/*", - "Microsoft.Insights/metricalerts/*", - "Microsoft.Insights/MetricDefinitions/*", - "Microsoft.Insights/Metrics/*", - "Microsoft.Insights/notificationStatus/*", - "Microsoft.Insights/Register/Action", - "Microsoft.Insights/scheduledqueryrules/*", - "Microsoft.Insights/webtests/*", - "Microsoft.Insights/workbooks/*", - "Microsoft.Insights/workbooktemplates/*", - "Microsoft.Insights/privateLinkScopes/*", - "Microsoft.Insights/privateLinkScopeOperationStatuses/*", - "Microsoft.OperationalInsights/workspaces/write", - "Microsoft.OperationalInsights/workspaces/intelligencepacks/*", - "Microsoft.OperationalInsights/workspaces/savedSearches/*", - "Microsoft.OperationalInsights/workspaces/search/action", - "Microsoft.OperationalInsights/workspaces/sharedKeys/action", - "Microsoft.OperationalInsights/workspaces/storageinsightconfigs/*", - "Microsoft.Support/*", - "Microsoft.AlertsManagement/smartDetectorAlertRules/*", - "Microsoft.AlertsManagement/actionRules/*", - "Microsoft.AlertsManagement/smartGroups/*", - "Microsoft.AlertsManagement/migrateFromSmartDetection/*", - "Microsoft.AlertsManagement/investigations/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Monitoring Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Monitoring Metrics Publisher --Enables publishing metrics against Azure resources --[Learn 
more](/azure/azure-monitor/insights/container-insights-update-metrics) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/Register/Action | Register the Microsoft Insights provider | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/Metrics/Write | Write metrics | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/Telemetry/Write | Write telemetry | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Enables publishing metrics against Azure resources", - "id": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", - "name": "3913510d-42f4-4e42-8a64-420c390055eb", - "permissions": [ - { - "actions": [ - "Microsoft.Insights/Register/Action", - "Microsoft.Support/*", - "Microsoft.Resources/subscriptions/resourceGroups/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.Insights/Metrics/Write", - "Microsoft.Insights/Telemetry/Write" - ], - "notDataActions": [] - } - ], - "roleName": "Monitoring Metrics Publisher", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Monitoring Reader --Can read all monitoring data (metrics, logs, etc.). See also [Get started with roles, permissions, and security with Azure Monitor](../azure-monitor/roles-permissions-security.md#built-in-monitoring-roles). 
--[Learn more](/azure/azure-monitor/roles-permissions-security) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | */read | Read resources of all types, except secrets. | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/search/action | Executes a search query | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can read all monitoring data.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", - "name": "43d0d8ad-25c7-4714-9337-8ba259a9fe05", - "permissions": [ - { - "actions": [ - "*/read", - "Microsoft.OperationalInsights/workspaces/search/action", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Monitoring Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Workbook Contributor --Can save shared workbooks. 
--[Learn more](/azure/sentinel/tutorial-monitor-your-data) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/workbooks/write | Create or update a workbook | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/workbooks/delete | Delete a workbook | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/workbooks/read | Read a workbook | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/workbooks/revisions/read | Get the workbook revisions | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/workbooktemplates/write | Create or update a workbook template | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/workbooktemplates/delete | Delete a workbook template | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/workbooktemplates/read | Read a workbook template | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can save shared workbooks.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad", - "name": "e8ddcd69-c73f-4f9f-9844-4100522f16ad", - "permissions": [ - { - "actions": [ - "Microsoft.Insights/workbooks/write", - "Microsoft.Insights/workbooks/delete", - "Microsoft.Insights/workbooks/read", - "Microsoft.Insights/workbooks/revisions/read", - "Microsoft.Insights/workbooktemplates/write", - "Microsoft.Insights/workbooktemplates/delete", - "Microsoft.Insights/workbooktemplates/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Workbook Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Workbook Reader --Can read workbooks. 
--[Learn more](/azure/sentinel/tutorial-monitor-your-data) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [microsoft.insights](resource-provider-operations.md#microsoftinsights)/workbooks/read | Read a workbook | -> | [microsoft.insights](resource-provider-operations.md#microsoftinsights)/workbooks/revisions/read | Get the workbook revisions | -> | [microsoft.insights](resource-provider-operations.md#microsoftinsights)/workbooktemplates/read | Read a workbook template | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can read workbooks.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d", - "name": "b279062a-9be3-42a0-92ae-8b3cf002ec4d", - "permissions": [ - { - "actions": [ - "microsoft.insights/workbooks/read", - "microsoft.insights/workbooks/revisions/read", - "microsoft.insights/workbooktemplates/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Workbook Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --## Management and governance ---### Automation Contributor --Manage Azure Automation resources and other resources using Azure Automation. 
--[Learn more](/azure/automation/automation-role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/* | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/ActionGroups/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/ActivityLogAlerts/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/MetricAlerts/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/ScheduledQueryRules/* | | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server | -> | [Microsoft.OperationalInsights](resource-provider-operations.md#microsoftoperationalinsights)/workspaces/sharedKeys/action | Retrieves the shared keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Manage azure automation resources and other resources using azure automation.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/f353d9bd-d4a6-484e-a77a-8050b599b867", - "name": "f353d9bd-d4a6-484e-a77a-8050b599b867", - "permissions": [ - { - "actions": [ - "Microsoft.Automation/automationAccounts/*", - "Microsoft.Authorization/*/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.Insights/ActionGroups/*", - "Microsoft.Insights/ActivityLogAlerts/*", - "Microsoft.Insights/MetricAlerts/*", - "Microsoft.Insights/ScheduledQueryRules/*", - "Microsoft.Insights/diagnosticSettings/*", - "Microsoft.OperationalInsights/workspaces/sharedKeys/action" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Automation Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Automation Job Operator --Create and Manage Jobs using Automation Runbooks. 
--[Learn more](/azure/automation/automation-role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/hybridRunbookWorkerGroups/read | Reads a Hybrid Runbook Worker Group | -> | [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/jobs/read | Gets an Azure Automation job | -> | [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/jobs/resume/action | Resumes an Azure Automation job | -> | [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/jobs/stop/action | Stops an Azure Automation job | -> | [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/jobs/streams/read | Gets an Azure Automation job stream | -> | [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/jobs/suspend/action | Suspends an Azure Automation job | -> | [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/jobs/write | Creates an Azure Automation job | -> | [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/jobs/output/read | Gets the output of a job | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Create and Manage Jobs using Automation Runbooks.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f", - "name": "4fe576fe-1146-4730-92eb-48519fa6bf9f", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read", - "Microsoft.Automation/automationAccounts/jobs/read", - "Microsoft.Automation/automationAccounts/jobs/resume/action", - "Microsoft.Automation/automationAccounts/jobs/stop/action", - "Microsoft.Automation/automationAccounts/jobs/streams/read", - "Microsoft.Automation/automationAccounts/jobs/suspend/action", - "Microsoft.Automation/automationAccounts/jobs/write", - "Microsoft.Automation/automationAccounts/jobs/output/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Automation Job Operator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Automation Operator --Automation Operators are able to start, stop, suspend, and resume jobs --[Learn more](/azure/automation/automation-role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/hybridRunbookWorkerGroups/read | Reads a Hybrid Runbook Worker Group | -> 
| [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/jobs/read | Gets an Azure Automation job | -> | [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/jobs/resume/action | Resumes an Azure Automation job | -> | [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/jobs/stop/action | Stops an Azure Automation job | -> | [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/jobs/streams/read | Gets an Azure Automation job stream | -> | [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/jobs/suspend/action | Suspends an Azure Automation job | -> | [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/jobs/write | Creates an Azure Automation job | -> | [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/jobSchedules/read | Gets an Azure Automation job schedule | -> | [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/jobSchedules/write | Creates an Azure Automation job schedule | -> | [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/linkedWorkspace/read | Gets the workspace linked to the automation account | -> | [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/read | Gets an Azure Automation account | -> | [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/runbooks/read | Gets an Azure Automation runbook | -> | [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/schedules/read | Gets an Azure Automation schedule asset | -> | [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/schedules/write | Creates or updates 
an Azure Automation schedule asset | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/jobs/output/read | Gets the output of a job | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Automation Operators are able to start, stop, suspend, and resume jobs", - "id": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404", - "name": "d3881f73-407a-4167-8283-e981cbba0404", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read", - "Microsoft.Automation/automationAccounts/jobs/read", - "Microsoft.Automation/automationAccounts/jobs/resume/action", - "Microsoft.Automation/automationAccounts/jobs/stop/action", - "Microsoft.Automation/automationAccounts/jobs/streams/read", - "Microsoft.Automation/automationAccounts/jobs/suspend/action", - "Microsoft.Automation/automationAccounts/jobs/write", - "Microsoft.Automation/automationAccounts/jobSchedules/read", - "Microsoft.Automation/automationAccounts/jobSchedules/write", - 
"Microsoft.Automation/automationAccounts/linkedWorkspace/read", - "Microsoft.Automation/automationAccounts/read", - "Microsoft.Automation/automationAccounts/runbooks/read", - "Microsoft.Automation/automationAccounts/schedules/read", - "Microsoft.Automation/automationAccounts/schedules/write", - "Microsoft.Insights/alertRules/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Automation/automationAccounts/jobs/output/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Automation Operator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Automation Runbook Operator --Read Runbook properties - to be able to create Jobs of the runbook. --[Learn more](/azure/automation/automation-role-based-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Automation](resource-provider-operations.md#microsoftautomation)/automationAccounts/runbooks/read | Gets an Azure Automation runbook | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Read Runbook properties - to be able to create Jobs of the runbook.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5", - "name": "5fb5aef8-1081-4b8e-bb16-9d5d0385bab5", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Automation/automationAccounts/runbooks/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Automation Runbook Operator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Arc Enabled Kubernetes Cluster User Role --List cluster user credentials action. --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/write | Creates or updates an deployment. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/listClusterUserCredentials/action | List clusterUser credential(preview) | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/listClusterUserCredential/action | List clusterUser credential | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "List cluster user credentials action.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd", - "name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd", - "permissions": [ - { - "actions": [ - "Microsoft.Resources/deployments/write", - "Microsoft.Resources/subscriptions/operationresults/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action", - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Support/*", - "Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Azure Arc Enabled Kubernetes Cluster User Role", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Arc Kubernetes Admin --Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. 
--[Learn more](/azure/azure-arc/kubernetes/azure-rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/write | Creates or updates an deployment. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/apps/daemonsets/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/apps/deployments/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/apps/replicasets/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/apps/statefulsets/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write | Writes localsubjectaccessreviews | -> | 
[Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/autoscaling/horizontalpodautoscalers/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/batch/cronjobs/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/batch/jobs/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/configmaps/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/endpoints/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/events.k8s.io/events/read | Reads events | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/events/read | Reads events | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/extensions/daemonsets/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/extensions/deployments/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/extensions/ingresses/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/extensions/networkpolicies/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/extensions/replicasets/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/limitranges/read | Reads limitranges | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/namespaces/read | Reads namespaces | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/networking.k8s.io/ingresses/* | | -> | 
[Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/networking.k8s.io/networkpolicies/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/persistentvolumeclaims/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/pods/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/policy/poddisruptionbudgets/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/rbac.authorization.k8s.io/rolebindings/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/rbac.authorization.k8s.io/roles/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/replicationcontrollers/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/replicationcontrollers/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/resourcequotas/read | Reads resourcequotas | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/secrets/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/serviceaccounts/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/services/* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96", - "name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - 
"Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/write", - "Microsoft.Resources/subscriptions/operationresults/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [ - "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read", - "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*", - "Microsoft.Kubernetes/connectedClusters/apps/deployments/*", - "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*", - "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*", - "Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write", - "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*", - "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*", - "Microsoft.Kubernetes/connectedClusters/batch/jobs/*", - "Microsoft.Kubernetes/connectedClusters/configmaps/*", - "Microsoft.Kubernetes/connectedClusters/endpoints/*", - "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read", - "Microsoft.Kubernetes/connectedClusters/events/read", - "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*", - "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*", - "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*", - "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*", - "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*", - "Microsoft.Kubernetes/connectedClusters/limitranges/read", - "Microsoft.Kubernetes/connectedClusters/namespaces/read", - "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*", - "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*", - "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*", - "Microsoft.Kubernetes/connectedClusters/pods/*", - "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*", - 
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*", - "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*", - "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*", - "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*", - "Microsoft.Kubernetes/connectedClusters/resourcequotas/read", - "Microsoft.Kubernetes/connectedClusters/secrets/*", - "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*", - "Microsoft.Kubernetes/connectedClusters/services/*" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Arc Kubernetes Admin", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Arc Kubernetes Cluster Admin --Lets you manage all resources in the cluster. --[Learn more](/azure/azure-arc/kubernetes/azure-rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/write | Creates or updates an deployment. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage all resources in the cluster.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2", - "name": "8393591c-06b9-48a2-a542-1bd6b377f6a2", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/write", - "Microsoft.Resources/subscriptions/operationresults/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [ - "Microsoft.Kubernetes/connectedClusters/*" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Arc Kubernetes Cluster Admin", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Arc Kubernetes Viewer --Lets you view all resources in cluster/namespace, except secrets. --[Learn more](/azure/azure-arc/kubernetes/azure-rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/write | Creates or updates an deployment. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. 
| -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/apps/daemonsets/read | Reads daemonsets | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/apps/deployments/read | Reads deployments | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/apps/replicasets/read | Reads replicasets | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/apps/statefulsets/read | Reads statefulsets | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/batch/cronjobs/read | Reads cronjobs | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/batch/jobs/read | Reads jobs | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/configmaps/read | Reads configmaps | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/endpoints/read | Reads endpoints | -> | 
[Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/events.k8s.io/events/read | Reads events | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/events/read | Reads events | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/extensions/daemonsets/read | Reads daemonsets | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/extensions/deployments/read | Reads deployments | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/extensions/ingresses/read | Reads ingresses | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/extensions/networkpolicies/read | Reads networkpolicies | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/extensions/replicasets/read | Reads replicasets | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/limitranges/read | Reads limitranges | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/namespaces/read | Reads namespaces | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/networking.k8s.io/ingresses/read | Reads ingresses | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/networking.k8s.io/networkpolicies/read | Reads networkpolicies | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/persistentvolumeclaims/read | Reads persistentvolumeclaims | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/pods/read | Reads pods | -> | 
[Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/replicationcontrollers/read | Reads replicationcontrollers | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/replicationcontrollers/read | Reads replicationcontrollers | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/resourcequotas/read | Reads resourcequotas | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/serviceaccounts/read | Reads serviceaccounts | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/services/read | Reads services | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you view all resources in cluster/namespace, except secrets.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4", - "name": "63f0a09d-1495-4db4-a681-037d84835eb4", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/write", - "Microsoft.Resources/subscriptions/operationresults/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [ - "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read", - "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read", - "Microsoft.Kubernetes/connectedClusters/apps/deployments/read", - "Microsoft.Kubernetes/connectedClusters/apps/replicasets/read", - "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read", - 
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read", - "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read", - "Microsoft.Kubernetes/connectedClusters/batch/jobs/read", - "Microsoft.Kubernetes/connectedClusters/configmaps/read", - "Microsoft.Kubernetes/connectedClusters/endpoints/read", - "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read", - "Microsoft.Kubernetes/connectedClusters/events/read", - "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read", - "Microsoft.Kubernetes/connectedClusters/extensions/deployments/read", - "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read", - "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read", - "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read", - "Microsoft.Kubernetes/connectedClusters/limitranges/read", - "Microsoft.Kubernetes/connectedClusters/namespaces/read", - "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read", - "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read", - "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read", - "Microsoft.Kubernetes/connectedClusters/pods/read", - "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read", - "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read", - "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read", - "Microsoft.Kubernetes/connectedClusters/resourcequotas/read", - "Microsoft.Kubernetes/connectedClusters/serviceaccounts/read", - "Microsoft.Kubernetes/connectedClusters/services/read" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Arc Kubernetes Viewer", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Arc Kubernetes Writer --Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings. 
--[Learn more](/azure/azure-arc/kubernetes/azure-rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/write | Creates or updates an deployment. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/apps/daemonsets/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/apps/deployments/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/apps/replicasets/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/apps/statefulsets/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/autoscaling/horizontalpodautoscalers/* | | -> | 
[Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/batch/cronjobs/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/batch/jobs/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/configmaps/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/endpoints/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/events.k8s.io/events/read | Reads events | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/events/read | Reads events | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/extensions/daemonsets/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/extensions/deployments/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/extensions/ingresses/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/extensions/networkpolicies/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/extensions/replicasets/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/limitranges/read | Reads limitranges | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/namespaces/read | Reads namespaces | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/networking.k8s.io/ingresses/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/networking.k8s.io/networkpolicies/* | | -> | 
[Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/persistentvolumeclaims/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/pods/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/policy/poddisruptionbudgets/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/replicationcontrollers/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/replicationcontrollers/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/resourcequotas/read | Reads resourcequotas | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/secrets/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/serviceaccounts/* | | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/services/* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1", - "name": "5b999177-9696-4545-85c7-50de3797e5a1", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/write", - "Microsoft.Resources/subscriptions/operationresults/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [ - "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read", - "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*", - 
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*", - "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*", - "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*", - "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*", - "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*", - "Microsoft.Kubernetes/connectedClusters/batch/jobs/*", - "Microsoft.Kubernetes/connectedClusters/configmaps/*", - "Microsoft.Kubernetes/connectedClusters/endpoints/*", - "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read", - "Microsoft.Kubernetes/connectedClusters/events/read", - "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*", - "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*", - "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*", - "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*", - "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*", - "Microsoft.Kubernetes/connectedClusters/limitranges/read", - "Microsoft.Kubernetes/connectedClusters/namespaces/read", - "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*", - "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*", - "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*", - "Microsoft.Kubernetes/connectedClusters/pods/*", - "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*", - "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*", - "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*", - "Microsoft.Kubernetes/connectedClusters/resourcequotas/read", - "Microsoft.Kubernetes/connectedClusters/secrets/*", - "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*", - "Microsoft.Kubernetes/connectedClusters/services/*" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Arc Kubernetes Writer", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure 
Connected Machine Onboarding --Can onboard Azure Connected Machines. --[Learn more](/azure/azure-arc/servers/onboard-service-principal) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/read | Read any Azure Arc machines | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/write | Writes an Azure Arc machines | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/privateLinkScopes/read | Read any Azure Arc privateLinkScopes | -> | [Microsoft.GuestConfiguration](resource-provider-operations.md#microsoftguestconfiguration)/guestConfigurationAssignments/read | Get guest configuration assignment. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can onboard Azure Connected Machines.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7", - "name": "b64e21ea-ac4e-4cdf-9dc9-5b892992bee7", - "permissions": [ - { - "actions": [ - "Microsoft.HybridCompute/machines/read", - "Microsoft.HybridCompute/machines/write", - "Microsoft.HybridCompute/privateLinkScopes/read", - "Microsoft.GuestConfiguration/guestConfigurationAssignments/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Azure Connected Machine Onboarding", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Connected Machine Resource Administrator --Can read, write, delete and re-onboard Azure Connected Machines. 
--[Learn more](/azure/azure-arc/servers/security-overview) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/read | Read any Azure Arc machines | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/write | Writes an Azure Arc machines | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/delete | Deletes an Azure Arc machines | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/UpgradeExtensions/action | Upgrades Extensions on Azure Arc machines | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/extensions/read | Reads any Azure Arc extensions | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/extensions/write | Installs or Updates an Azure Arc extensions | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/extensions/delete | Deletes an Azure Arc extensions | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/privateLinkScopes/* | | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/*/read | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/licenses/write | Installs or Updates an Azure Arc licenses | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/licenses/delete | Deletes an Azure Arc licenses | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/licenseProfiles/read | Reads any Azure Arc licenseProfiles | -> | 
[Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/licenseProfiles/write | Installs or Updates an Azure Arc licenseProfiles | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/licenseProfiles/delete | Deletes an Azure Arc licenseProfiles | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can read, write, delete and re-onboard Azure Connected Machines.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302", - "name": "cd570a14-e51a-42ad-bac8-bafd67325302", - "permissions": [ - { - "actions": [ - "Microsoft.HybridCompute/machines/read", - "Microsoft.HybridCompute/machines/write", - "Microsoft.HybridCompute/machines/delete", - "Microsoft.HybridCompute/machines/UpgradeExtensions/action", - "Microsoft.HybridCompute/machines/extensions/read", - "Microsoft.HybridCompute/machines/extensions/write", - "Microsoft.HybridCompute/machines/extensions/delete", - "Microsoft.HybridCompute/privateLinkScopes/*", - "Microsoft.HybridCompute/*/read", - "Microsoft.Resources/deployments/*", - "Microsoft.HybridCompute/licenses/write", - "Microsoft.HybridCompute/licenses/delete", - "Microsoft.HybridCompute/machines/licenseProfiles/read", - "Microsoft.HybridCompute/machines/licenseProfiles/write", - "Microsoft.HybridCompute/machines/licenseProfiles/delete" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Azure Connected Machine Resource Administrator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Connected Machine Resource Manager --Custom Role for AzureStackHCI RP to manage hybrid compute machines and hybrid connectivity endpoints in a resource group --[Learn 
more](/azure-stack/hci/deploy/deployment-azure-resource-manager-template) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.HybridConnectivity](resource-provider-operations.md#microsofthybridconnectivity)/endpoints/read | Gets the endpoint to the resource. | -> | [Microsoft.HybridConnectivity](resource-provider-operations.md#microsofthybridconnectivity)/endpoints/write | Update the endpoint to the target resource. | -> | [Microsoft.HybridConnectivity](resource-provider-operations.md#microsofthybridconnectivity)/endpoints/serviceConfigurations/read | Gets the details about the service to the resource. | -> | [Microsoft.HybridConnectivity](resource-provider-operations.md#microsofthybridconnectivity)/endpoints/serviceConfigurations/write | Update the service details in the service configurations of the target resource. | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/read | Read any Azure Arc machines | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/write | Writes an Azure Arc machines | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/delete | Deletes an Azure Arc machines | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/extensions/read | Reads any Azure Arc extensions | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/extensions/write | Installs or Updates an Azure Arc extensions | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/extensions/delete | Deletes an Azure Arc extensions | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/*/read | | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/UpgradeExtensions/action | Upgrades Extensions on Azure Arc machines | -> | 
[Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/licenseProfiles/read | Reads any Azure Arc licenseProfiles | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/licenseProfiles/write | Installs or Updates an Azure Arc licenseProfiles | -> | [Microsoft.HybridCompute](resource-provider-operations.md#microsofthybridcompute)/machines/licenseProfiles/delete | Deletes an Azure Arc licenseProfiles | -> | [Microsoft.GuestConfiguration](resource-provider-operations.md#microsoftguestconfiguration)/guestConfigurationAssignments/read | Get guest configuration assignment. | -> | [Microsoft.GuestConfiguration](resource-provider-operations.md#microsoftguestconfiguration)/guestConfigurationAssignments/*/read | | -> | [Microsoft.GuestConfiguration](resource-provider-operations.md#microsoftguestconfiguration)/guestConfigurationAssignments/write | Create new guest configuration assignment. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Custom Role for AzureStackHCI RP to manage hybrid compute machines and hybrid connectivity endpoints in a resource group", - "id": "/providers/Microsoft.Authorization/roleDefinitions/f5819b54-e033-4d82-ac66-4fec3cbf3f4c", - "name": "f5819b54-e033-4d82-ac66-4fec3cbf3f4c", - "permissions": [ - { - "actions": [ - "Microsoft.HybridConnectivity/endpoints/read", - "Microsoft.HybridConnectivity/endpoints/write", - "Microsoft.HybridConnectivity/endpoints/serviceConfigurations/read", - "Microsoft.HybridConnectivity/endpoints/serviceConfigurations/write", - "Microsoft.HybridCompute/machines/read", - "Microsoft.HybridCompute/machines/write", - "Microsoft.HybridCompute/machines/delete", - "Microsoft.HybridCompute/machines/extensions/read", - "Microsoft.HybridCompute/machines/extensions/write", - 
"Microsoft.HybridCompute/machines/extensions/delete", - "Microsoft.HybridCompute/*/read", - "Microsoft.HybridCompute/machines/UpgradeExtensions/action", - "Microsoft.HybridCompute/machines/licenseProfiles/read", - "Microsoft.HybridCompute/machines/licenseProfiles/write", - "Microsoft.HybridCompute/machines/licenseProfiles/delete", - "Microsoft.GuestConfiguration/guestConfigurationAssignments/read", - "Microsoft.GuestConfiguration/guestConfigurationAssignments/*/read", - "Microsoft.GuestConfiguration/guestConfigurationAssignments/write" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Azure Connected Machine Resource Manager", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Resource Bridge Deployment Role --Azure Resource Bridge Deployment Role --[Learn more](/azure/azure-arc/resource-bridge/overview) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/Register/Action | Registers the subscription for the Azure Stack HCI resource provider and enables the creation of Azure Stack HCI resources. | -> | Microsoft.ResourceConnector/register/action | Registers the subscription for Appliances resource provider and enables the creation of Appliance. 
| -> | Microsoft.ResourceConnector/appliances/read | Gets an Appliance resource | -> | Microsoft.ResourceConnector/appliances/write | Creates or Updates Appliance resource | -> | Microsoft.ResourceConnector/appliances/delete | Deletes Appliance resource | -> | Microsoft.ResourceConnector/locations/operationresults/read | Get result of Appliance operation | -> | Microsoft.ResourceConnector/locations/operationsstatus/read | Get result of Appliance operation | -> | Microsoft.ResourceConnector/appliances/listClusterUserCredential/action | Get an appliance cluster user credential | -> | Microsoft.ResourceConnector/appliances/listKeys/action | Get an appliance cluster customer user keys | -> | Microsoft.ResourceConnector/appliances/upgradeGraphs/read | Gets the upgrade graph of Appliance cluster | -> | Microsoft.ResourceConnector/telemetryconfig/read | Get Appliances telemetry config utilized by Appliances CLI | -> | Microsoft.ResourceConnector/operations/read | Gets list of Available Operations for Appliances | -> | Microsoft.ExtendedLocation/register/action | Registers the subscription for Custom Location resource provider and enables the creation of Custom Location. 
| -> | Microsoft.ExtendedLocation/customLocations/deploy/action | Deploy permissions to a Custom Location resource | -> | Microsoft.ExtendedLocation/customLocations/read | Gets an Custom Location resource | -> | Microsoft.ExtendedLocation/customLocations/write | Creates or Updates Custom Location resource | -> | Microsoft.ExtendedLocation/customLocations/delete | Deletes Custom Location resource | -> | [Microsoft.HybridConnectivity](resource-provider-operations.md#microsofthybridconnectivity)/register/action | Register the subscription for Microsoft.HybridConnectivity | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/register/action | Registers Subscription with Microsoft.Kubernetes resource provider | -> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/register/action | Registers subscription to Microsoft.KubernetesConfiguration resource provider. | -> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/extensions/write | Creates or updates extension resource. | -> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/extensions/read | Gets extension instance resource. | -> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/extensions/delete | Deletes extension instance resource. | -> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/extensions/operations/read | Gets Async Operation status. | -> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/namespaces/read | Get Namespace Resource | -> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/operations/read | Gets available operations of the Microsoft.KubernetesConfiguration resource provider. 
| -> | [Microsoft.GuestConfiguration](resource-provider-operations.md#microsoftguestconfiguration)/guestConfigurationAssignments/read | Get guest configuration assignment. | -> | Microsoft.HybridContainerService/register/action | Register the subscription for Microsoft.HybridContainerService | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/StorageContainers/Write | Creates/Updates storage containers resource | -> | [Microsoft.AzureStackHCI](resource-provider-operations.md#microsoftazurestackhci)/StorageContainers/Read | Gets/Lists storage containers resource | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Azure Resource Bridge Deployment Role", - "id": "/providers/Microsoft.Authorization/roleDefinitions/7b1f81f9-4196-4058-8aae-762e593270df", - "name": "7b1f81f9-4196-4058-8aae-762e593270df", - "permissions": [ - { - "actions": [ - "Microsoft.AzureStackHCI/Register/Action", - "Microsoft.ResourceConnector/register/action", - "Microsoft.ResourceConnector/appliances/read", - "Microsoft.ResourceConnector/appliances/write", - "Microsoft.ResourceConnector/appliances/delete", - "Microsoft.ResourceConnector/locations/operationresults/read", - "Microsoft.ResourceConnector/locations/operationsstatus/read", - "Microsoft.ResourceConnector/appliances/listClusterUserCredential/action", - "Microsoft.ResourceConnector/appliances/listKeys/action", - "Microsoft.ResourceConnector/appliances/upgradeGraphs/read", - "Microsoft.ResourceConnector/telemetryconfig/read", - "Microsoft.ResourceConnector/operations/read", - "Microsoft.ExtendedLocation/register/action", - "Microsoft.ExtendedLocation/customLocations/deploy/action", - 
"Microsoft.ExtendedLocation/customLocations/read", - "Microsoft.ExtendedLocation/customLocations/write", - "Microsoft.ExtendedLocation/customLocations/delete", - "Microsoft.HybridConnectivity/register/action", - "Microsoft.Kubernetes/register/action", - "Microsoft.KubernetesConfiguration/register/action", - "Microsoft.KubernetesConfiguration/extensions/write", - "Microsoft.KubernetesConfiguration/extensions/read", - "Microsoft.KubernetesConfiguration/extensions/delete", - "Microsoft.KubernetesConfiguration/extensions/operations/read", - "Microsoft.KubernetesConfiguration/namespaces/read", - "Microsoft.KubernetesConfiguration/operations/read", - "Microsoft.GuestConfiguration/guestConfigurationAssignments/read", - "Microsoft.HybridContainerService/register/action", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.AzureStackHCI/StorageContainers/Write", - "Microsoft.AzureStackHCI/StorageContainers/Read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Azure Resource Bridge Deployment Role", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Billing Reader --Allows read access to billing data --[Learn more](/azure/cost-management-billing/manage/manage-billing-access) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Billing](resource-provider-operations.md#microsoftbilling)/*/read | Read Billing information | -> | [Microsoft.Commerce](resource-provider-operations.md#microsoftcommerce)/*/read | | -> | [Microsoft.Consumption](resource-provider-operations.md#microsoftconsumption)/*/read | | -> | [Microsoft.Management](resource-provider-operations.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated user. 
| -> | [Microsoft.CostManagement](resource-provider-operations.md#microsoftcostmanagement)/*/read | | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows read access to billing data", - "id": "/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", - "name": "fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Billing/*/read", - "Microsoft.Commerce/*/read", - "Microsoft.Consumption/*/read", - "Microsoft.Management/managementGroups/read", - "Microsoft.CostManagement/*/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Billing Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Blueprint Contributor --Can manage blueprint definitions, but not assign them. --[Learn more](/azure/governance/blueprints/overview) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Blueprint](resource-provider-operations.md#microsoftblueprint)/blueprints/* | Create and manage blueprint definitions or blueprint artifacts. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can manage blueprint definitions, but not assign them.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4", - "name": "41077137-e803-4205-871c-5a86e6a753b4", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Blueprint/blueprints/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Blueprint Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Blueprint Operator --Can assign existing published blueprints, but cannot create new blueprints. Note that this only works if the assignment is done with a user-assigned managed identity. --[Learn more](/azure/governance/blueprints/overview) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Blueprint](resource-provider-operations.md#microsoftblueprint)/blueprintAssignments/* | Create and manage blueprint assignments. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can assign existing published blueprints, but cannot create new blueprints. NOTE: this only works if the assignment is done with a user-assigned managed identity.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090", - "name": "437d2ced-4a38-4302-8479-ed2bcb43d090", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Blueprint/blueprintAssignments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Blueprint Operator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Cost Management Contributor --Can view costs and manage cost configuration (e.g. budgets, exports) --[Learn more](/azure/cost-management-billing/costs/understand-work-scopes) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Consumption](resource-provider-operations.md#microsoftconsumption)/* | | -> | [Microsoft.CostManagement](resource-provider-operations.md#microsoftcostmanagement)/* | | -> | [Microsoft.Billing](resource-provider-operations.md#microsoftbilling)/billingPeriods/read | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. 
| -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Advisor](resource-provider-operations.md#microsoftadvisor)/configurations/read | Get configurations | -> | [Microsoft.Advisor](resource-provider-operations.md#microsoftadvisor)/recommendations/read | Reads recommendations | -> | [Microsoft.Management](resource-provider-operations.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated user. | -> | [Microsoft.Billing](resource-provider-operations.md#microsoftbilling)/billingProperty/read | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can view costs and manage cost configuration (e.g. budgets, exports)", - "id": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430", - "name": "434105ed-43f6-45c7-a02f-909b2ba83430", - "permissions": [ - { - "actions": [ - "Microsoft.Consumption/*", - "Microsoft.CostManagement/*", - "Microsoft.Billing/billingPeriods/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.Advisor/configurations/read", - "Microsoft.Advisor/recommendations/read", - "Microsoft.Management/managementGroups/read", - "Microsoft.Billing/billingProperty/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Cost Management Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Cost Management Reader --Can view cost data and configuration (e.g. 
budgets, exports) --[Learn more](/azure/cost-management-billing/costs/understand-work-scopes) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Consumption](resource-provider-operations.md#microsoftconsumption)/*/read | | -> | [Microsoft.CostManagement](resource-provider-operations.md#microsoftcostmanagement)/*/read | | -> | [Microsoft.Billing](resource-provider-operations.md#microsoftbilling)/billingPeriods/read | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Advisor](resource-provider-operations.md#microsoftadvisor)/configurations/read | Get configurations | -> | [Microsoft.Advisor](resource-provider-operations.md#microsoftadvisor)/recommendations/read | Reads recommendations | -> | [Microsoft.Management](resource-provider-operations.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated user. | -> | [Microsoft.Billing](resource-provider-operations.md#microsoftbilling)/billingProperty/read | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can view cost data and configuration (e.g. 
budgets, exports)", - "id": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3", - "name": "72fafb9e-0641-4937-9268-a91bfd8191a3", - "permissions": [ - { - "actions": [ - "Microsoft.Consumption/*/read", - "Microsoft.CostManagement/*/read", - "Microsoft.Billing/billingPeriods/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.Advisor/configurations/read", - "Microsoft.Advisor/recommendations/read", - "Microsoft.Management/managementGroups/read", - "Microsoft.Billing/billingProperty/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Cost Management Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Hierarchy Settings Administrator --Allows users to edit and delete Hierarchy Settings --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Management](resource-provider-operations.md#microsoftmanagement)/managementGroups/settings/write | Creates or updates management group hierarchy settings. | -> | [Microsoft.Management](resource-provider-operations.md#microsoftmanagement)/managementGroups/settings/delete | Deletes management group hierarchy settings. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows users to edit and delete Hierarchy Settings", - "id": "/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d", - "name": "350f8d15-c687-4448-8ae1-157740a3936d", - "permissions": [ - { - "actions": [ - "Microsoft.Management/managementGroups/settings/write", - "Microsoft.Management/managementGroups/settings/delete" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Hierarchy Settings Administrator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Kubernetes Agentless Operator --Grants Microsoft Defender for Cloud access to Azure Kubernetes Services --[Learn more](/azure/defender-for-cloud/defender-for-containers-architecture) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/trustedAccessRoleBindings/write | Create or update trusted access role bindings for managed cluster | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/trustedAccessRoleBindings/read | Get trusted access role bindings for managed cluster | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/trustedAccessRoleBindings/delete | Delete trusted access role bindings for managed cluster | -> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/read | Get a managed cluster | -> | [Microsoft.Features](resource-provider-operations.md#microsoftfeatures)/features/read | Gets the features of a subscription. 
| -> | [Microsoft.Features](resource-provider-operations.md#microsoftfeatures)/providers/features/read | Gets the feature of a subscription in a given resource provider. | -> | [Microsoft.Features](resource-provider-operations.md#microsoftfeatures)/providers/features/register/action | Registers the feature for a subscription in a given resource provider. | -> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/pricings/securityoperators/read | Gets the security operators for the scope | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services", - "id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6", - "name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6", - "permissions": [ - { - "actions": [ - "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write", - "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read", - "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete", - "Microsoft.ContainerService/managedClusters/read", - "Microsoft.Features/features/read", - "Microsoft.Features/providers/features/read", - "Microsoft.Features/providers/features/register/action", - "Microsoft.Security/pricings/securityoperators/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Kubernetes Agentless Operator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Kubernetes Cluster - Azure Arc Onboarding --Role definition to authorize any user/service to create connectedClusters resource --[Learn more](/azure/azure-arc/kubernetes/connect-cluster) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | 
[Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/write | Creates or updates an deployment. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/Write | Writes connectedClusters | -> | [Microsoft.Kubernetes](resource-provider-operations.md#microsoftkubernetes)/connectedClusters/read | Read connectedClusters | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Role definition to authorize any user/service to create connectedClusters resource", - "id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41", - "name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/write", - "Microsoft.Resources/subscriptions/operationresults/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - 
"Microsoft.Kubernetes/connectedClusters/Write", - "Microsoft.Kubernetes/connectedClusters/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Kubernetes Cluster - Azure Arc Onboarding", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Kubernetes Extension Contributor --Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/extensions/write | Creates or updates extension resource. | -> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/extensions/read | Gets extension instance resource. | -> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/extensions/delete | Deletes extension instance resource. | -> | [Microsoft.KubernetesConfiguration](resource-provider-operations.md#microsoftkubernetesconfiguration)/extensions/operations/read | Gets Async Operation status. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations", - "id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717", - "name": "85cb6faf-e071-4c9b-8136-154b5a04f717", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.KubernetesConfiguration/extensions/write", - "Microsoft.KubernetesConfiguration/extensions/read", - "Microsoft.KubernetesConfiguration/extensions/delete", - "Microsoft.KubernetesConfiguration/extensions/operations/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Kubernetes Extension Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Managed Application Contributor Role --Allows for creating managed application resources. --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | */read | Read resources of all types, except secrets. 
| -> | [Microsoft.Solutions](resource-provider-operations.md#microsoftsolutions)/applications/* | | -> | [Microsoft.Solutions](resource-provider-operations.md#microsoftsolutions)/register/action | Register the subscription for Microsoft.Solutions | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/* | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows for creating managed application resources.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", - "name": "641177b8-a67a-45b9-a033-47bc880bb21e", - "permissions": [ - { - "actions": [ - "*/read", - "Microsoft.Solutions/applications/*", - "Microsoft.Solutions/register/action", - "Microsoft.Resources/subscriptions/resourceGroups/*", - "Microsoft.Resources/deployments/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Managed Application Contributor Role", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Managed Application Operator Role --Lets you read and perform actions on Managed Application resources --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | */read | Read resources of all types, except secrets. | -> | [Microsoft.Solutions](resource-provider-operations.md#microsoftsolutions)/applications/read | Lists all the applications within a subscription. 
| -> | [Microsoft.Solutions](resource-provider-operations.md#microsoftsolutions)/*/action | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you read and perform actions on Managed Application resources", - "id": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", - "name": "c7393b34-138c-406f-901b-d8cf2b17e6ae", - "permissions": [ - { - "actions": [ - "*/read", - "Microsoft.Solutions/applications/read", - "Microsoft.Solutions/*/action" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Managed Application Operator Role", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Managed Applications Reader --Lets you read resources in a managed app and request JIT access. --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | */read | Read resources of all types, except secrets. 
| -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Solutions](resource-provider-operations.md#microsoftsolutions)/jitRequests/* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you read resources in a managed app and request JIT access.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", - "name": "b9331d33-8a36-4f8c-b097-4f54124fdb44", - "permissions": [ - { - "actions": [ - "*/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Solutions/jitRequests/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Managed Applications Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Managed Services Registration assignment Delete Role --Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant. --[Learn more](/azure/lighthouse/how-to/remove-delegation) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.ManagedServices](resource-provider-operations.md#microsoftmanagedservices)/registrationAssignments/read | Retrieves a list of Managed Services registration assignments. | -> | [Microsoft.ManagedServices](resource-provider-operations.md#microsoftmanagedservices)/registrationAssignments/delete | Removes Managed Services registration assignment. | -> | [Microsoft.ManagedServices](resource-provider-operations.md#microsoftmanagedservices)/operationStatuses/read | Reads the operation status for the resource. 
| -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46", - "name": "91c1777a-f3dc-4fae-b103-61d183457e46", - "permissions": [ - { - "actions": [ - "Microsoft.ManagedServices/registrationAssignments/read", - "Microsoft.ManagedServices/registrationAssignments/delete", - "Microsoft.ManagedServices/operationStatuses/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Managed Services Registration assignment Delete Role", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Management Group Contributor --Management Group Contributor Role --[Learn more](/azure/governance/management-groups/overview) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Management](resource-provider-operations.md#microsoftmanagement)/managementGroups/delete | Delete management group. | -> | [Microsoft.Management](resource-provider-operations.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated user. | -> | [Microsoft.Management](resource-provider-operations.md#microsoftmanagement)/managementGroups/subscriptions/delete | De-associates subscription from the management group. | -> | [Microsoft.Management](resource-provider-operations.md#microsoftmanagement)/managementGroups/subscriptions/write | Associates existing subscription with the management group. | -> | [Microsoft.Management](resource-provider-operations.md#microsoftmanagement)/managementGroups/write | Create or update a management group. 
| -> | [Microsoft.Management](resource-provider-operations.md#microsoftmanagement)/managementGroups/subscriptions/read | Lists subscription under the given management group. | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Management Group Contributor Role", - "id": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c", - "name": "5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c", - "permissions": [ - { - "actions": [ - "Microsoft.Management/managementGroups/delete", - "Microsoft.Management/managementGroups/read", - "Microsoft.Management/managementGroups/subscriptions/delete", - "Microsoft.Management/managementGroups/subscriptions/write", - "Microsoft.Management/managementGroups/write", - "Microsoft.Management/managementGroups/subscriptions/read", - "Microsoft.Authorization/*/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Management Group Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Management Group Reader --Management Group Reader Role --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Management](resource-provider-operations.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated user. | -> | [Microsoft.Management](resource-provider-operations.md#microsoftmanagement)/managementGroups/subscriptions/read | Lists subscription under the given management group. 
| -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Management Group Reader Role", - "id": "/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d", - "name": "ac63b705-f282-497d-ac71-919bf39d939d", - "permissions": [ - { - "actions": [ - "Microsoft.Management/managementGroups/read", - "Microsoft.Management/managementGroups/subscriptions/read", - "Microsoft.Authorization/*/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Management Group Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### New Relic APM Account Contributor --Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | NewRelic.APM/accounts/* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage New Relic Application Performance Management accounts and applications, but not access to them.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237", - "name": "5d28c62d-5b37-4476-8438-e587778df237", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "NewRelic.APM/accounts/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "New Relic APM Account Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Policy Insights Data Writer (Preview) --Allows read access to resource policies and write access to resource component policy events. --[Learn more](/azure/governance/policy/concepts/policy-for-kubernetes) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/policyassignments/read | Get information about a policy assignment. | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/policydefinitions/read | Get information about a policy definition. | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/policyexemptions/read | Get information about a policy exemption. 
| -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/policysetdefinitions/read | Get information about a policy set definition. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.PolicyInsights](resource-provider-operations.md#microsoftpolicyinsights)/checkDataPolicyCompliance/action | Check the compliance status of a given component against data policies. | -> | [Microsoft.PolicyInsights](resource-provider-operations.md#microsoftpolicyinsights)/policyEvents/logDataEvents/action | Log the resource component policy events. | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows read access to resource policies and write access to resource component policy events.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84", - "name": "66bb4e9e-b016-4a94-8249-4c0511c2be84", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/policyassignments/read", - "Microsoft.Authorization/policydefinitions/read", - "Microsoft.Authorization/policyexemptions/read", - "Microsoft.Authorization/policysetdefinitions/read" - ], - "notActions": [], - "dataActions": [ - "Microsoft.PolicyInsights/checkDataPolicyCompliance/action", - "Microsoft.PolicyInsights/policyEvents/logDataEvents/action" - ], - "notDataActions": [] - } - ], - "roleName": "Policy Insights Data Writer (Preview)", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Quota Request Operator --Read and create quota requests, get quota request status, and create support tickets. 
--[Learn more](/rest/api/reserved-vm-instances/quotaapi) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Capacity](resource-provider-operations.md#microsoftcapacity)/resourceProviders/locations/serviceLimits/read | Get the current service limit or quota of the specified resource and location | -> | [Microsoft.Capacity](resource-provider-operations.md#microsoftcapacity)/resourceProviders/locations/serviceLimits/write | Create service limit or quota for the specified resource and location | -> | [Microsoft.Capacity](resource-provider-operations.md#microsoftcapacity)/resourceProviders/locations/serviceLimitsRequests/read | Get any service limit request for the specified resource and location | -> | [Microsoft.Capacity](resource-provider-operations.md#microsoftcapacity)/register/action | Registers the Capacity resource provider and enables the creation of Capacity resources. | -> | [Microsoft.Quota](resource-provider-operations.md#microsoftquota)/usages/read | Get the usages for resource providers | -> | [Microsoft.Quota](resource-provider-operations.md#microsoftquota)/quotas/read | Get the current Service limit or quota of the specified resource | -> | [Microsoft.Quota](resource-provider-operations.md#microsoftquota)/quotas/write | Creates the service limit or quota request for the specified resource | -> | [Microsoft.Quota](resource-provider-operations.md#microsoftquota)/quotaRequests/read | Get any service limit request for the specified resource | -> | [Microsoft.Quota](resource-provider-operations.md#microsoftquota)/register/action | Register the subscription with Microsoft.Quota Resource Provider | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | 
[Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Read and create quota requests, get quota request status, and create support tickets.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/0e5f05e5-9ab9-446b-b98d-1e2157c94125", - "name": "0e5f05e5-9ab9-446b-b98d-1e2157c94125", - "permissions": [ - { - "actions": [ - "Microsoft.Capacity/resourceProviders/locations/serviceLimits/read", - "Microsoft.Capacity/resourceProviders/locations/serviceLimits/write", - "Microsoft.Capacity/resourceProviders/locations/serviceLimitsRequests/read", - "Microsoft.Capacity/register/action", - "Microsoft.Quota/usages/read", - "Microsoft.Quota/quotas/read", - "Microsoft.Quota/quotas/write", - "Microsoft.Quota/quotaRequests/read", - "Microsoft.Quota/register/action", - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Quota Request Operator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Reservation Purchaser --Lets you purchase reservations --[Learn more](/azure/cost-management-billing/reservations/prepare-buy-reservation) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | 
[Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. | -> | [Microsoft.Capacity](resource-provider-operations.md#microsoftcapacity)/catalogs/read | Read catalog of Reservation | -> | [Microsoft.Capacity](resource-provider-operations.md#microsoftcapacity)/register/action | Registers the Capacity resource provider and enables the creation of Capacity resources. | -> | [Microsoft.Compute](resource-provider-operations.md#microsoftcompute)/register/action | Registers Subscription with Microsoft.Compute resource provider | -> | [Microsoft.Consumption](resource-provider-operations.md#microsoftconsumption)/register/action | Register to Consumption RP | -> | [Microsoft.Consumption](resource-provider-operations.md#microsoftconsumption)/reservationRecommendationDetails/read | List Reservation Recommendation Details | -> | [Microsoft.Consumption](resource-provider-operations.md#microsoftconsumption)/reservationRecommendations/read | List single or shared recommendations for Reserved instances for a subscription. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.SQL](resource-provider-operations.md#microsoftsql)/register/action | Registers the subscription for the Microsoft SQL Database resource provider and enables the creation of Microsoft SQL Databases. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/supporttickets/write | Allows creating and updating a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you purchase reservations", - "id": "/providers/Microsoft.Authorization/roleDefinitions/f7b75c60-3036-4b75-91c3-6b41c27c1689", - "name": "f7b75c60-3036-4b75-91c3-6b41c27c1689", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/roleAssignments/read", - "Microsoft.Capacity/catalogs/read", - "Microsoft.Capacity/register/action", - "Microsoft.Compute/register/action", - "Microsoft.Consumption/register/action", - "Microsoft.Consumption/reservationRecommendationDetails/read", - "Microsoft.Consumption/reservationRecommendations/read", - "Microsoft.Resources/subscriptions/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.SQL/register/action", - "Microsoft.Support/supporttickets/write" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Reservation Purchaser", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Resource Policy Contributor --Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy. --[Learn more](/azure/governance/policy/overview) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | */read | Read resources of all types, except secrets. 
| -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/policyassignments/* | Create and manage policy assignments | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/policydefinitions/* | Create and manage policy definitions | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/policyexemptions/* | Create and manage policy exemptions | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/policysetdefinitions/* | Create and manage policy sets | -> | [Microsoft.PolicyInsights](resource-provider-operations.md#microsoftpolicyinsights)/* | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", - "name": "36243c78-bf99-498c-9df9-86d9f8d28608", - "permissions": [ - { - "actions": [ - "*/read", - "Microsoft.Authorization/policyassignments/*", - "Microsoft.Authorization/policydefinitions/*", - "Microsoft.Authorization/policyexemptions/*", - "Microsoft.Authorization/policysetdefinitions/*", - "Microsoft.PolicyInsights/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Resource Policy Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Site Recovery Contributor --Lets you manage Site Recovery service 
except vault creation and role assignment --[Learn more](/azure/site-recovery/site-recovery-role-based-linked-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/allocatedStamp/read | GetAllocatedStamp is internal operation used by service | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/allocateStamp/action | AllocateStamp is internal operation used by service | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/certificates/write | The Update Resource Certificate operation updates the resource/vault credential certificate. 
| -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/extendedInformation/* | Create and manage extended info related to vault | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/refreshContainers/read | | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/registeredIdentities/* | Create and manage registered identities | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationAlertSettings/* | Create or Update replication alert settings | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationEvents/read | Read any Events | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/* | Create and manage replication fabrics | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationJobs/* | Create and manage replication jobs | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationPolicies/* | Create and manage replication policies | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationRecoveryPlans/* | Create and manage recovery plans | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationVaultSettings/* | | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/storageConfig/* | Create and manage storage configuration of Recovery Services vault | -> | 
[Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/tokenInfo/read | | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/usages/read | Returns usage details for a Recovery Services Vault. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/vaultTokens/read | The Vault Token operation can be used to get Vault Token for vault level backend operations. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/monitoringAlerts/* | Read alerts for the Recovery services vault | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/monitoringConfigurations/notificationConfiguration/read | | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. 
| -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationOperationStatus/read | Read any Vault Replication Operation Status | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage Site Recovery service except vault creation and role assignment", - "id": "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567", - "name": "6670b86e-a3f7-4917-ac9b-5d6ab1be4567", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Network/virtualNetworks/read", - "Microsoft.RecoveryServices/locations/allocatedStamp/read", - "Microsoft.RecoveryServices/locations/allocateStamp/action", - "Microsoft.RecoveryServices/Vaults/certificates/write", - "Microsoft.RecoveryServices/Vaults/extendedInformation/*", - "Microsoft.RecoveryServices/Vaults/read", - "Microsoft.RecoveryServices/Vaults/refreshContainers/read", - "Microsoft.RecoveryServices/Vaults/registeredIdentities/*", - "Microsoft.RecoveryServices/vaults/replicationAlertSettings/*", - "Microsoft.RecoveryServices/vaults/replicationEvents/read", - "Microsoft.RecoveryServices/vaults/replicationFabrics/*", - "Microsoft.RecoveryServices/vaults/replicationJobs/*", - "Microsoft.RecoveryServices/vaults/replicationPolicies/*", - "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/*", - "Microsoft.RecoveryServices/vaults/replicationVaultSettings/*", - "Microsoft.RecoveryServices/Vaults/storageConfig/*", - "Microsoft.RecoveryServices/Vaults/tokenInfo/read", - "Microsoft.RecoveryServices/Vaults/usages/read", - "Microsoft.RecoveryServices/Vaults/vaultTokens/read", - "Microsoft.RecoveryServices/Vaults/monitoringAlerts/*", 
- "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Storage/storageAccounts/read", - "Microsoft.RecoveryServices/vaults/replicationOperationStatus/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Site Recovery Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Site Recovery Operator --Lets you failover and failback but not perform other Site Recovery management operations --[Learn more](/azure/site-recovery/site-recovery-role-based-linked-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Network](resource-provider-operations.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/allocatedStamp/read | GetAllocatedStamp is internal operation used by service | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/allocateStamp/action | AllocateStamp is internal operation used by service | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? 
| -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/refreshContainers/read | | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/registeredIdentities/operationResults/read | The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/registeredIdentities/read | The Get Containers operation can be used get the containers registered for a resource. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationAlertSettings/read | Read any Alerts Settings | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationEvents/read | Read any Events | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/checkConsistency/action | Checks Consistency of the Fabric | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/read | Read any Fabrics | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/reassociateGateway/action | Reassociate Gateway | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/renewcertificate/action | Renew Certificate for Fabric | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationNetworks/read | Read any Networks | -> | 
[Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read | Read any Network Mappings | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/read | Read any Protection Containers | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read | Read any Protectable Items | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/applyRecoveryPoint/action | Apply Recovery Point | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCommit/action | Failover Commit | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action | Planned Failover | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read | Read any Protected Items | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read | Read any Replication Recovery Points | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/repairReplication/action | Repair replication | -> | 
[Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/reProtect/action | ReProtect Protected Item | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/switchprotection/action | Switch Protection Container | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action | Test Failover | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailoverCleanup/action | Test Failover Cleanup | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action | Failover | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateMobilityService/action | Update Mobility Service | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read | Read any Protection Container Mappings | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationRecoveryServicesProviders/read | Read any Recovery Services Providers | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationRecoveryServicesProviders/refreshProvider/action | Refresh Provider | -> | 
[Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationStorageClassifications/read | Read any Storage Classifications | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read | Read any Storage Classification Mappings | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationvCenters/read | Read any vCenters | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationJobs/* | Create and manage replication jobs | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationPolicies/read | Read any Policies | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationRecoveryPlans/failoverCommit/action | Failover Commit Recovery Plan | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationRecoveryPlans/plannedFailover/action | Planned Failover Recovery Plan | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationRecoveryPlans/read | Read any Recovery Plans | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationRecoveryPlans/reProtect/action | ReProtect Recovery Plan | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationRecoveryPlans/testFailover/action | Test Failover Recovery Plan | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationRecoveryPlans/testFailoverCleanup/action | Test Failover Cleanup Recovery Plan | -> | 
[Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationRecoveryPlans/unplannedFailover/action | Failover Recovery Plan | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationVaultSettings/read | Read any | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/monitoringAlerts/* | Read alerts for the Recovery services vault | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/monitoringConfigurations/notificationConfiguration/read | | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/storageConfig/read | | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/tokenInfo/read | | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/usages/read | Returns usage details for a Recovery Services Vault. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/vaultTokens/read | The Vault Token operation can be used to get Vault Token for vault level backend operations. | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. 
| -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you failover and failback but not perform other Site Recovery management operations", - "id": "/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca", - "name": "494ae006-db33-4328-bf46-533a6560a3ca", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Network/virtualNetworks/read", - "Microsoft.RecoveryServices/locations/allocatedStamp/read", - "Microsoft.RecoveryServices/locations/allocateStamp/action", - "Microsoft.RecoveryServices/Vaults/extendedInformation/read", - "Microsoft.RecoveryServices/Vaults/read", - "Microsoft.RecoveryServices/Vaults/refreshContainers/read", - "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read", - "Microsoft.RecoveryServices/Vaults/registeredIdentities/read", - "Microsoft.RecoveryServices/vaults/replicationAlertSettings/read", - "Microsoft.RecoveryServices/vaults/replicationEvents/read", - "Microsoft.RecoveryServices/vaults/replicationFabrics/checkConsistency/action", - "Microsoft.RecoveryServices/vaults/replicationFabrics/read", - "Microsoft.RecoveryServices/vaults/replicationFabrics/reassociateGateway/action", - "Microsoft.RecoveryServices/vaults/replicationFabrics/renewcertificate/action", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read", 
- "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/applyRecoveryPoint/action", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCommit/action", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/repairReplication/action", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/reProtect/action", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/switchprotection/action", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailoverCleanup/action", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateMobilityService/action", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/refreshProvider/action", - 
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read", - "Microsoft.RecoveryServices/vaults/replicationJobs/*", - "Microsoft.RecoveryServices/vaults/replicationPolicies/read", - "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/failoverCommit/action", - "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/plannedFailover/action", - "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read", - "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/reProtect/action", - "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailover/action", - "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailoverCleanup/action", - "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/unplannedFailover/action", - "Microsoft.RecoveryServices/vaults/replicationVaultSettings/read", - "Microsoft.RecoveryServices/Vaults/monitoringAlerts/*", - "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read", - "Microsoft.RecoveryServices/Vaults/storageConfig/read", - "Microsoft.RecoveryServices/Vaults/tokenInfo/read", - "Microsoft.RecoveryServices/Vaults/usages/read", - "Microsoft.RecoveryServices/Vaults/vaultTokens/read", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Storage/storageAccounts/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Site Recovery Operator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Site Recovery Reader --Lets you view Site Recovery status but not perform other management 
operations --[Learn more](/azure/site-recovery/site-recovery-role-based-linked-access-control) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/locations/allocatedStamp/read | GetAllocatedStamp is internal operation used by service | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery services vault. | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/monitoringConfigurations/notificationConfiguration/read | | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/refreshContainers/read | | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/registeredIdentities/operationResults/read | The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/registeredIdentities/read | The Get Containers operation can be used get the containers registered for a resource. 
| -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationAlertSettings/read | Read any Alerts Settings | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationEvents/read | Read any Events | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/read | Read any Fabrics | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationNetworks/read | Read any Networks | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read | Read any Network Mappings | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/read | Read any Protection Containers | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read | Read any Protectable Items | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read | Read any Protected Items | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read | Read any Replication Recovery Points | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read | Read any Protection Container Mappings | -> | 
[Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationRecoveryServicesProviders/read | Read any Recovery Services Providers | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationStorageClassifications/read | Read any Storage Classifications | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read | Read any Storage Classification Mappings | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationvCenters/read | Read any vCenters | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationJobs/read | Read any Jobs | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationPolicies/read | Read any Policies | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationRecoveryPlans/read | Read any Recovery Plans | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/vaults/replicationVaultSettings/read | Read any | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/storageConfig/read | | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/tokenInfo/read | | -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/usages/read | Returns usage details for a Recovery Services Vault. 
| -> | [Microsoft.RecoveryServices](resource-provider-operations.md#microsoftrecoveryservices)/Vaults/vaultTokens/read | The Vault Token operation can be used to get Vault Token for vault level backend operations. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you view Site Recovery status but not perform other management operations", - "id": "/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149", - "name": "dbaa88c4-0c30-4179-9fb3-46319faa6149", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.RecoveryServices/locations/allocatedStamp/read", - "Microsoft.RecoveryServices/Vaults/extendedInformation/read", - "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read", - "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read", - "Microsoft.RecoveryServices/Vaults/read", - "Microsoft.RecoveryServices/Vaults/refreshContainers/read", - "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read", - "Microsoft.RecoveryServices/Vaults/registeredIdentities/read", - "Microsoft.RecoveryServices/vaults/replicationAlertSettings/read", - "Microsoft.RecoveryServices/vaults/replicationEvents/read", - "Microsoft.RecoveryServices/vaults/replicationFabrics/read", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read", - 
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read", - "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read", - "Microsoft.RecoveryServices/vaults/replicationJobs/read", - "Microsoft.RecoveryServices/vaults/replicationPolicies/read", - "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read", - "Microsoft.RecoveryServices/vaults/replicationVaultSettings/read", - "Microsoft.RecoveryServices/Vaults/storageConfig/read", - "Microsoft.RecoveryServices/Vaults/tokenInfo/read", - "Microsoft.RecoveryServices/Vaults/usages/read", - "Microsoft.RecoveryServices/Vaults/vaultTokens/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Site Recovery Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Support Request Contributor --Lets you create and manage Support requests --[Learn more](/azure/azure-portal/supportability/how-to-create-azure-support-request) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | 
Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you create and manage Support requests", - "id": "/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e", - "name": "cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Support Request Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Tag Contributor --Lets you manage tags on entities, without providing access to the entities themselves. --[Learn more](/azure/azure-resource-manager/management/tag-resources) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/resources/read | Gets the resources for the resource group. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resources/read | Gets resources of a subscription. 
| -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/tags/* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage tags on entities, without providing access to the entities themselves.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f", - "name": "4a9ae827-6dc8-4573-8ac7-8239d42aa03f", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/subscriptions/resourceGroups/resources/read", - "Microsoft.Resources/subscriptions/resources/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Insights/alertRules/*", - "Microsoft.Support/*", - "Microsoft.Resources/tags/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Tag Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Template Spec Contributor --Allows full access to Template Spec operations at the assigned scope. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/templateSpecs/* | Create and manage template specs and template spec versions | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows full access to Template Spec operations at the assigned scope.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/1c9b6475-caf0-4164-b5a1-2142a7116f4b", - "name": "1c9b6475-caf0-4164-b5a1-2142a7116f4b", - "permissions": [ - { - "actions": [ - "Microsoft.Resources/templateSpecs/*", - "Microsoft.Authorization/*/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Template Spec Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Template Spec Reader --Allows read access to Template Specs at the assigned scope. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/templateSpecs/*/read | Get or list template specs and template spec versions | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows read access to Template Specs at the assigned scope.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/392ae280-861d-42bd-9ea5-08ee6d83b80e", - "name": "392ae280-861d-42bd-9ea5-08ee6d83b80e", - "permissions": [ - { - "actions": [ - "Microsoft.Resources/templateSpecs/*/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Template Spec Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --## Virtual desktop infrastructure ---### Desktop Virtualization Application Group Contributor --Contributor of the Desktop Virtualization Application Group. --[Learn more](/azure/virtual-desktop/rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/applicationgroups/* | | -> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/hostpools/read | Read hostpools | -> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/read | Read hostpools/sessionhosts | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Contributor of the Desktop Virtualization Application Group.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/86240b0e-9422-4c43-887b-b61143f32ba8", - "name": "86240b0e-9422-4c43-887b-b61143f32ba8", - "permissions": [ - { - "actions": [ - "Microsoft.DesktopVirtualization/applicationgroups/*", - "Microsoft.DesktopVirtualization/hostpools/read", - "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Desktop Virtualization Application Group Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Desktop Virtualization Application Group Reader --Reader of the Desktop Virtualization Application Group. 
--[Learn more](/azure/virtual-desktop/rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/applicationgroups/*/read | | -> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/applicationgroups/read | Read applicationgroups | -> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/hostpools/read | Read hostpools | -> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/read | Read hostpools/sessionhosts | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/read | Gets or lists deployments. | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/read | Read a classic metric alert | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Reader of the Desktop Virtualization Application Group.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/aebf23d0-b568-4e86-b8f9-fe83a2c6ab55", - "name": "aebf23d0-b568-4e86-b8f9-fe83a2c6ab55", - "permissions": [ - { - "actions": [ - "Microsoft.DesktopVirtualization/applicationgroups/*/read", - "Microsoft.DesktopVirtualization/applicationgroups/read", - "Microsoft.DesktopVirtualization/hostpools/read", - 
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/deployments/read", - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Desktop Virtualization Application Group Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Desktop Virtualization Contributor --Contributor of Desktop Virtualization. --[Learn more](/azure/virtual-desktop/rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/* | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Contributor of Desktop Virtualization.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/082f0a83-3be5-4ba1-904c-961cca79b387", - "name": "082f0a83-3be5-4ba1-904c-961cca79b387", - "permissions": [ - { - "actions": [ - "Microsoft.DesktopVirtualization/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - 
"Microsoft.Resources/deployments/*", - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Desktop Virtualization Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Desktop Virtualization Host Pool Contributor --Contributor of the Desktop Virtualization Host Pool. --[Learn more](/azure/virtual-desktop/rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/hostpools/* | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Contributor of the Desktop Virtualization Host Pool.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/e307426c-f9b6-4e81-87de-d99efb3c32bc", - "name": "e307426c-f9b6-4e81-87de-d99efb3c32bc", - "permissions": [ - { - "actions": [ - "Microsoft.DesktopVirtualization/hostpools/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Authorization/*/read", - 
"Microsoft.Insights/alertRules/*", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Desktop Virtualization Host Pool Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Desktop Virtualization Host Pool Reader --Reader of the Desktop Virtualization Host Pool. --[Learn more](/azure/virtual-desktop/rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/hostpools/*/read | | -> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/hostpools/read | Read hostpools | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/read | Gets or lists deployments. 
| -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/read | Read a classic metric alert | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Reader of the Desktop Virtualization Host Pool.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/ceadfde2-b300-400a-ab7b-6143895aa822", - "name": "ceadfde2-b300-400a-ab7b-6143895aa822", - "permissions": [ - { - "actions": [ - "Microsoft.DesktopVirtualization/hostpools/*/read", - "Microsoft.DesktopVirtualization/hostpools/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/deployments/read", - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Desktop Virtualization Host Pool Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Desktop Virtualization Reader --Reader of Desktop Virtualization. --[Learn more](/azure/virtual-desktop/rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/*/read | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/read | Gets or lists deployments. 
| -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/read | Read a classic metric alert | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Reader of Desktop Virtualization.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/49a72310-ab8d-41df-bbb0-79b649203868", - "name": "49a72310-ab8d-41df-bbb0-79b649203868", - "permissions": [ - { - "actions": [ - "Microsoft.DesktopVirtualization/*/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/deployments/read", - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Desktop Virtualization Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Desktop Virtualization Session Host Operator --Operator of the Desktop Virtualization Session Host. --[Learn more](/azure/virtual-desktop/rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/hostpools/read | Read hostpools | -> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/* | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Operator of the Desktop Virtualization Session Host.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/2ad6aaab-ead9-4eaa-8ac5-da422f562408", - "name": "2ad6aaab-ead9-4eaa-8ac5-da422f562408", - "permissions": [ - { - "actions": [ - "Microsoft.DesktopVirtualization/hostpools/read", - "Microsoft.DesktopVirtualization/hostpools/sessionhosts/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Desktop Virtualization Session Host Operator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Desktop Virtualization User --Allows user to use the applications in an application group. 
--[Learn more](/azure/virtual-desktop/delegated-access-virtual-desktop) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/applicationGroups/useApplications/action | Use ApplicationGroup | -> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/appAttachPackages/useApplications/action | Allow user permissioning on app attach packages in an application group | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Allows user to use the applications in an application group.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", - "name": "1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.DesktopVirtualization/applicationGroups/useApplications/action", - "Microsoft.DesktopVirtualization/appAttachPackages/useApplications/action" - ], - "notDataActions": [] - } - ], - "roleName": "Desktop Virtualization User", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Desktop Virtualization User Session Operator --Operator of the Desktop Virtualization User Session. 
--[Learn more](/azure/virtual-desktop/rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/hostpools/read | Read hostpools | -> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/read | Read hostpools/sessionhosts | -> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/usersessions/* | | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Operator of the Desktop Virtualization Uesr Session.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6", - "name": "ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6", - "permissions": [ - { - "actions": [ - "Microsoft.DesktopVirtualization/hostpools/read", - "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read", - "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Authorization/*/read", - 
"Microsoft.Insights/alertRules/*", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Desktop Virtualization User Session Operator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Desktop Virtualization Workspace Contributor --Contributor of the Desktop Virtualization Workspace. --[Learn more](/azure/virtual-desktop/rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/workspaces/* | | -> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/applicationgroups/read | Read applicationgroups | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Contributor of the Desktop Virtualization Workspace.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/21efdde3-836f-432b-bf3d-3e8e734d4b2b", - "name": "21efdde3-836f-432b-bf3d-3e8e734d4b2b", - "permissions": [ - { - "actions": [ - "Microsoft.DesktopVirtualization/workspaces/*", - "Microsoft.DesktopVirtualization/applicationgroups/read", - 
"Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Desktop Virtualization Workspace Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Desktop Virtualization Workspace Reader --Reader of the Desktop Virtualization Workspace. --[Learn more](/azure/virtual-desktop/rbac) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/workspaces/read | Read workspaces | -> | [Microsoft.DesktopVirtualization](resource-provider-operations.md#microsoftdesktopvirtualization)/applicationgroups/read | Read applicationgroups | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/read | Gets or lists deployments. 
| -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/read | Read a classic metric alert | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Reader of the Desktop Virtualization Workspace.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/0fa44ee9-7a7d-466b-9bb2-2bf446b1204d", - "name": "0fa44ee9-7a7d-466b-9bb2-2bf446b1204d", - "permissions": [ - { - "actions": [ - "Microsoft.DesktopVirtualization/workspaces/read", - "Microsoft.DesktopVirtualization/applicationgroups/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/deployments/read", - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Desktop Virtualization Workspace Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --## Other ---### Azure Digital Twins Data Owner --Full access role for Digital Twins data-plane --[Learn more](/azure/digital-twins/concepts-security) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/digitaltwins/* | Read, create, update, or delete any Digital Twin | -> | [Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/digitaltwins/commands/* | Invoke any Command on a Digital Twin | -> | 
[Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/digitaltwins/relationships/* | Read, create, update, or delete any Digital Twin Relationship | -> | [Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/eventroutes/* | Read, delete, create, or update any Event Route | -> | [Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/jobs/* | | -> | [Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/models/* | Read, create, update, or delete any Model | -> | [Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/query/* | Query any Digital Twins Graph | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Full access role for Digital Twins data-plane", - "id": "/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe", - "name": "bcd981a7-7f74-457b-83e1-cceb9e632ffe", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.DigitalTwins/digitaltwins/*", - "Microsoft.DigitalTwins/digitaltwins/commands/*", - "Microsoft.DigitalTwins/digitaltwins/relationships/*", - "Microsoft.DigitalTwins/eventroutes/*", - "Microsoft.DigitalTwins/jobs/*", - "Microsoft.DigitalTwins/models/*", - "Microsoft.DigitalTwins/query/*" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Digital Twins Data Owner", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Azure Digital Twins Data Reader --Read-only role for Digital Twins data-plane properties --[Learn more](/azure/digital-twins/concepts-security) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/digitaltwins/read | Read any Digital Twin | -> | 
[Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/digitaltwins/relationships/read | Read any Digital Twin Relationship | -> | [Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/eventroutes/read | Read any Event Route | -> | [Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/jobs/import/read | Read any Bulk Import Job | -> | [Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/jobs/imports/read | Read any Bulk Import Job | -> | [Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/jobs/deletions/read | Read any Bulk Delete Job | -> | [Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/models/read | Read any Model | -> | [Microsoft.DigitalTwins](resource-provider-operations.md#microsoftdigitaltwins)/query/action | Query any Digital Twins Graph | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Read-only role for Digital Twins data-plane properties", - "id": "/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3", - "name": "d57506d4-4c8d-48b1-8587-93c323f6a5a3", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.DigitalTwins/digitaltwins/read", - "Microsoft.DigitalTwins/digitaltwins/relationships/read", - "Microsoft.DigitalTwins/eventroutes/read", - "Microsoft.DigitalTwins/jobs/import/read", - "Microsoft.DigitalTwins/jobs/imports/read", - "Microsoft.DigitalTwins/jobs/deletions/read", - "Microsoft.DigitalTwins/models/read", - "Microsoft.DigitalTwins/query/action" - ], - "notDataActions": [] - } - ], - "roleName": "Azure Digital Twins Data Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### BizTalk Contributor --Lets you manage BizTalk services, but not access to them. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | Microsoft.BizTalkServices/BizTalk/* | Create and manage BizTalk services | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage BizTalk services, but not access to them.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342", - "name": "5e3c6656-6cfa-4708-81fe-0de47ac73342", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.BizTalkServices/BizTalk/*", - "Microsoft.Insights/alertRules/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "BizTalk Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Grafana Admin --Perform all Grafana operations, including 
the ability to manage data sources, create dashboards, and manage role assignments within Grafana. --[Learn more](/azure/managed-grafana/how-to-share-grafana-workspace) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Dashboard](resource-provider-operations.md#microsoftdashboard)/grafana/ActAsGrafanaAdmin/action | Act as Grafana Admin role | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Built-in Grafana admin role", - "id": "/providers/Microsoft.Authorization/roleDefinitions/22926164-76b3-42b3-bc55-97df8dab3e41", - "name": "22926164-76b3-42b3-bc55-97df8dab3e41", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.Dashboard/grafana/ActAsGrafanaAdmin/action" - ], - "notDataActions": [] - } - ], - "roleName": "Grafana Admin", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Grafana Editor --View and edit a Grafana instance, including its dashboards and alerts. 
--[Learn more](/azure/managed-grafana/how-to-share-grafana-workspace) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Dashboard](resource-provider-operations.md#microsoftdashboard)/grafana/ActAsGrafanaEditor/action | Act as Grafana Editor role | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Built-in Grafana Editor role", - "id": "/providers/Microsoft.Authorization/roleDefinitions/a79a5197-3a5c-4973-a920-486035ffd60f", - "name": "a79a5197-3a5c-4973-a920-486035ffd60f", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.Dashboard/grafana/ActAsGrafanaEditor/action" - ], - "notDataActions": [] - } - ], - "roleName": "Grafana Editor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Grafana Viewer --View a Grafana instance, including its dashboards and alerts. 
--[Learn more](/azure/managed-grafana/how-to-share-grafana-workspace) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | *none* | | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.Dashboard](resource-provider-operations.md#microsoftdashboard)/grafana/ActAsGrafanaViewer/action | Act as Grafana Viewer role | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Built-in Grafana Viewer role", - "id": "/providers/Microsoft.Authorization/roleDefinitions/60921a7e-fef1-4a43-9b16-a26c52ad4769", - "name": "60921a7e-fef1-4a43-9b16-a26c52ad4769", - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.Dashboard/grafana/ActAsGrafanaViewer/action" - ], - "notDataActions": [] - } - ], - "roleName": "Grafana Viewer", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Load Test Contributor --View, create, update, delete and execute load tests. View and list load test resources but can not make any changes. --[Learn more](/azure/load-testing/how-to-assign-roles) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.LoadTestService](resource-provider-operations.md#microsoftloadtestservice)/*/read | Read load testing resources | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.LoadTestService](resource-provider-operations.md#microsoftloadtestservice)/loadtests/* | Create and manage load tests | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "View, create, update, delete and execute load tests. View and list load test resources but can not make any changes.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/749a398d-560b-491b-bb21-08924219302e", - "name": "749a398d-560b-491b-bb21-08924219302e", - "permissions": [ - { - "actions": [ - "Microsoft.LoadTestService/*/read", - "Microsoft.Authorization/*/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Insights/alertRules/*" - ], - "notActions": [], - "dataActions": [ - "Microsoft.LoadTestService/loadtests/*" - ], - "notDataActions": [] - } - ], - "roleName": "Load Test Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Load Test Owner --Execute all operations on load test resources and load tests --[Learn more](/azure/load-testing/how-to-assign-roles) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.LoadTestService](resource-provider-operations.md#microsoftloadtestservice)/* | Create and manage load testing resources | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.LoadTestService](resource-provider-operations.md#microsoftloadtestservice)/* | Create and manage load testing resources | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Execute all operations on load test resources and load tests", - "id": "/providers/Microsoft.Authorization/roleDefinitions/45bb0b16-2f0c-4e78-afaa-a07599b003f6", - "name": "45bb0b16-2f0c-4e78-afaa-a07599b003f6", - "permissions": [ - { - "actions": [ - "Microsoft.LoadTestService/*", - "Microsoft.Authorization/*/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Insights/alertRules/*" - ], - "notActions": [], - "dataActions": [ - "Microsoft.LoadTestService/*" - ], - "notDataActions": [] - } - ], - "roleName": "Load Test Owner", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Load Test Reader --View and list all load tests and load test resources but can not make any changes --[Learn more](/azure/load-testing/how-to-assign-roles) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.LoadTestService](resource-provider-operations.md#microsoftloadtestservice)/*/read | Read load testing resources | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | [Microsoft.LoadTestService](resource-provider-operations.md#microsoftloadtestservice)/loadtests/readTest/action | Read Load Tests | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "View and list all load tests and load test resources but can not make any changes", - "id": "/providers/Microsoft.Authorization/roleDefinitions/3ae3fb29-0000-4ccd-bf80-542e7b26e081", - "name": "3ae3fb29-0000-4ccd-bf80-542e7b26e081", - "permissions": [ - { - "actions": [ - "Microsoft.LoadTestService/*/read", - "Microsoft.Authorization/*/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Insights/alertRules/*" - ], - "notActions": [], - "dataActions": [ - "Microsoft.LoadTestService/loadtests/readTest/action" - ], - "notDataActions": [] - } - ], - "roleName": "Load Test Reader", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Scheduler Job Collections Contributor --Lets you manage Scheduler job collections, but not access to them. 
--> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Insights](resource-provider-operations.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | -> | [Microsoft.ResourceHealth](resource-provider-operations.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | Microsoft.Scheduler/jobcollections/* | Create and manage job collections | -> | [Microsoft.Support](resource-provider-operations.md#microsoftsupport)/* | Create and update a support ticket | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Lets you manage Scheduler job collections, but not access to them.", - "id": "/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94", - "name": "188a0f2f-5c9e-469b-ae67-2aa5ce574b94", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Scheduler/jobcollections/*", - "Microsoft.Support/*" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Scheduler Job Collections Contributor", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` --### Services Hub Operator --Services 
Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors. --[Learn more](/services-hub/health/sh-connector-roles) --> [!div class="mx-tableFixed"] -> | Actions | Description | -> | | | -> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | -> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/deployments/* | Create and manage a deployment | -> | [Microsoft.ServicesHub](resource-provider-operations.md#microsoftserviceshub)/connectors/write | Create or update a Services Hub Connector | -> | [Microsoft.ServicesHub](resource-provider-operations.md#microsoftserviceshub)/connectors/read | View or List Services Hub Connectors | -> | [Microsoft.ServicesHub](resource-provider-operations.md#microsoftserviceshub)/connectors/delete | Delete Services Hub Connectors | -> | [Microsoft.ServicesHub](resource-provider-operations.md#microsoftserviceshub)/connectors/checkAssessmentEntitlement/action | Lists the Assessment Entitlements for a given Services Hub Workspace | -> | [Microsoft.ServicesHub](resource-provider-operations.md#microsoftserviceshub)/supportOfferingEntitlement/read | View the Support Offering Entitlements for a given Services Hub Workspace | -> | [Microsoft.ServicesHub](resource-provider-operations.md#microsoftserviceshub)/workspaces/read | List the Services Hub Workspaces for a given User | -> | **NotActions** | | -> | *none* | | -> | **DataActions** | | -> | *none* | | -> | **NotDataActions** | | -> | *none* | | --```json -{ - "assignableScopes": [ - "/" - ], - "description": "Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors.", - "id": 
"/providers/Microsoft.Authorization/roleDefinitions/82200a5b-e217-47a5-b665-6d8765ee745b", - "name": "82200a5b-e217-47a5-b665-6d8765ee745b", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/deployments/*", - "Microsoft.ServicesHub/connectors/write", - "Microsoft.ServicesHub/connectors/read", - "Microsoft.ServicesHub/connectors/delete", - "Microsoft.ServicesHub/connectors/checkAssessmentEntitlement/action", - "Microsoft.ServicesHub/supportOfferingEntitlement/read", - "Microsoft.ServicesHub/workspaces/read" - ], - "notActions": [], - "dataActions": [], - "notDataActions": [] - } - ], - "roleName": "Services Hub Operator", - "roleType": "BuiltInRole", - "type": "Microsoft.Authorization/roleDefinitions" -} -``` +> | Built-in role | Description | ID | +> | | | | +> | <a name='azure-stack-hci-administrator'></a>[Azure Stack HCI Administrator](./built-in-roles/hybrid-multicloud.md#azure-stack-hci-administrator) | Grants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader | bda0d508-adf1-4af0-9c28-88919fc3ae06 | +> | <a name='azure-stack-hci-device-management-role'></a>[Azure Stack HCI Device Management Role](./built-in-roles/hybrid-multicloud.md#azure-stack-hci-device-management-role) | Microsoft.AzureStackHCI Device Management Role | 865ae368-6a45-4bd1-8fbf-0d5151f56fc1 | +> | <a name='azure-stack-hci-vm-contributor'></a>[Azure Stack HCI VM Contributor](./built-in-roles/hybrid-multicloud.md#azure-stack-hci-vm-contributor) | Grants permissions to perform all VM actions | 874d1c73-6003-4e60-a13a-cb31ea190a85 | +> | <a name='azure-stack-hci-vm-reader'></a>[Azure Stack HCI VM Reader](./built-in-roles/hybrid-multicloud.md#azure-stack-hci-vm-reader) | Grants permissions to view VMs | 4b3fe76c-f777-4d24-a2d7-b027b0f7b273 | +> | <a 
name='azure-stack-registration-owner'></a>[Azure Stack Registration Owner](./built-in-roles/hybrid-multicloud.md#azure-stack-registration-owner) | Lets you manage Azure Stack registrations. | 6f12a6df-dd06-4f3e-bcb1-ce8be600526a | ## Next steps -- [Assign Azure roles using the Azure portal](role-assignments-portal.md)-- [Azure custom roles](custom-roles.md)-- [Permissions in Microsoft Defender for Cloud](../defender-for-cloud/permissions.md)+- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal) +- [Azure custom roles](/azure/role-based-access-control/custom-roles) +- [Permissions in Microsoft Defender for Cloud](/azure/defender-for-cloud/permissions) |
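Review bot: the removed role sections in this hunk (BizTalk Contributor, Grafana Admin, Grafana Editor, Grafana Viewer, Load Test Contributor, Load Test Owner, Load Test Reader, Scheduler Job Collections Contributor, Services Hub Operator) have no visible replacement in the added lines, which only introduce summary-table rows for the Azure Stack HCI roles and Azure Stack Registration Owner; confirm that each removed role is reproduced in a category page under `./built-in-roles/` and gets a summary-table row linking to it in the same form as `[Azure Stack HCI Administrator](./built-in-roles/hybrid-multicloud.md#azure-stack-hci-administrator)`, otherwise their definitions and IDs (for example `5e3c6656-6cfa-4708-81fe-0de47ac73342` for BizTalk Contributor) drop out of the documentation. Two smaller points: the "Azure Stack HCI Device Management Role" row's description ("Microsoft.AzureStackHCI Device Management Role") only restates the role name, so if it is hand-written rather than copied from the role definition it should say what the role grants; and the "Next steps" links changing from relative (`role-assignments-portal.md`) to site-absolute (`/azure/role-based-access-control/role-assignments-portal`) is consistent with the `[Learn more](/azure/...)` links already used on the page.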
role-based-access-control | Ai Machine Learning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/ai-machine-learning.md | + + Title: Azure built-in roles for AI + machine learning - Azure RBAC +description: This article lists the Azure built-in roles for Azure role-based access control (Azure RBAC) in the AI + machine learning category. It lists Actions, NotActions, DataActions, and NotDataActions. ++++++ Last updated : 02/07/2024++++# Azure built-in roles for AI + machine learning ++This article lists the Azure built-in roles in the AI + machine learning category. +++## AzureML Compute Operator ++Can access and perform CRUD operations on Machine Learning Services managed compute resources (including Notebook VMs). ++[Learn more](/azure/machine-learning/how-to-assign-roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.MachineLearningServices](../permissions/ai-machine-learning.md#microsoftmachinelearningservices)/workspaces/computes/* | | +> | [Microsoft.MachineLearningServices](../permissions/ai-machine-learning.md#microsoftmachinelearningservices)/workspaces/notebooks/vm/* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can access and perform CRUD operations on Machine Learning Services managed compute resources (including Notebook VMs).", + "id": "/providers/Microsoft.Authorization/roleDefinitions/e503ece1-11d0-4e8e-8e2c-7a6c3bf38815", + "name": "e503ece1-11d0-4e8e-8e2c-7a6c3bf38815", + "permissions": [ + { + "actions": [ + "Microsoft.MachineLearningServices/workspaces/computes/*", + "Microsoft.MachineLearningServices/workspaces/notebooks/vm/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "AzureML Compute Operator", + "roleType": "BuiltInRole", + "type": 
"Microsoft.Authorization/roleDefinitions" +} +``` ++## AzureML Data Scientist ++Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself. ++[Learn more](/azure/machine-learning/how-to-assign-roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.MachineLearningServices](../permissions/ai-machine-learning.md#microsoftmachinelearningservices)/workspaces/*/read | | +> | [Microsoft.MachineLearningServices](../permissions/ai-machine-learning.md#microsoftmachinelearningservices)/workspaces/*/action | | +> | [Microsoft.MachineLearningServices](../permissions/ai-machine-learning.md#microsoftmachinelearningservices)/workspaces/*/delete | | +> | [Microsoft.MachineLearningServices](../permissions/ai-machine-learning.md#microsoftmachinelearningservices)/workspaces/*/write | | +> | **NotActions** | | +> | [Microsoft.MachineLearningServices](../permissions/ai-machine-learning.md#microsoftmachinelearningservices)/workspaces/delete | Deletes the Machine Learning Services Workspace(s) | +> | [Microsoft.MachineLearningServices](../permissions/ai-machine-learning.md#microsoftmachinelearningservices)/workspaces/write | Creates or updates a Machine Learning Services Workspace(s) | +> | [Microsoft.MachineLearningServices](../permissions/ai-machine-learning.md#microsoftmachinelearningservices)/workspaces/computes/*/write | | +> | [Microsoft.MachineLearningServices](../permissions/ai-machine-learning.md#microsoftmachinelearningservices)/workspaces/computes/*/delete | | +> | [Microsoft.MachineLearningServices](../permissions/ai-machine-learning.md#microsoftmachinelearningservices)/workspaces/computes/listKeys/action | List secrets for compute resources in Machine Learning Services Workspace | +> | [Microsoft.MachineLearningServices](../permissions/ai-machine-learning.md#microsoftmachinelearningservices)/workspaces/listKeys/action | List secrets for a 
Machine Learning Services Workspace | +> | [Microsoft.MachineLearningServices](../permissions/ai-machine-learning.md#microsoftmachinelearningservices)/workspaces/hubs/write | Creates or updates a Machine Learning Services Hub Workspace(s) | +> | [Microsoft.MachineLearningServices](../permissions/ai-machine-learning.md#microsoftmachinelearningservices)/workspaces/hubs/delete | Deletes the Machine Learning Services Hub Workspace(s) | +> | [Microsoft.MachineLearningServices](../permissions/ai-machine-learning.md#microsoftmachinelearningservices)/workspaces/featurestores/write | Creates or Updates the Machine Learning Services FeatureStore(s) | +> | [Microsoft.MachineLearningServices](../permissions/ai-machine-learning.md#microsoftmachinelearningservices)/workspaces/featurestores/delete | Deletes the Machine Learning Services FeatureStore(s) | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f6c7c914-8db3-469d-8ca1-694a8f32e121", + "name": "f6c7c914-8db3-469d-8ca1-694a8f32e121", + "permissions": [ + { + "actions": [ + "Microsoft.MachineLearningServices/workspaces/*/read", + "Microsoft.MachineLearningServices/workspaces/*/action", + "Microsoft.MachineLearningServices/workspaces/*/delete", + "Microsoft.MachineLearningServices/workspaces/*/write" + ], + "notActions": [ + "Microsoft.MachineLearningServices/workspaces/delete", + "Microsoft.MachineLearningServices/workspaces/write", + "Microsoft.MachineLearningServices/workspaces/computes/*/write", + "Microsoft.MachineLearningServices/workspaces/computes/*/delete", + "Microsoft.MachineLearningServices/workspaces/computes/listKeys/action", + "Microsoft.MachineLearningServices/workspaces/listKeys/action", + 
"Microsoft.MachineLearningServices/workspaces/hubs/write", + "Microsoft.MachineLearningServices/workspaces/hubs/delete", + "Microsoft.MachineLearningServices/workspaces/featurestores/write", + "Microsoft.MachineLearningServices/workspaces/featurestores/delete" + ], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "AzureML Data Scientist", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cognitive Services Contributor ++Lets you create, read, update, delete and manage keys of Cognitive Services. ++[Learn more](/azure/ai-services/openai/how-to/role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/* | | +> | [Microsoft.Features](../permissions/management-and-governance.md#microsoftfeatures)/features/read | Gets the features of a subscription. | +> | [Microsoft.Features](../permissions/management-and-governance.md#microsoftfeatures)/providers/features/read | Gets the feature of a subscription in a given resource provider. | +> | [Microsoft.Features](../permissions/management-and-governance.md#microsoftfeatures)/providers/features/register/action | Registers the feature for a subscription in a given resource provider. 
| +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/logDefinitions/read | Read log definitions | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metricdefinitions/read | Read metric definitions | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metrics/read | Read metrics | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/* | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you create, read, update, delete and manage keys of Cognitive Services.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68", + "name": "25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.CognitiveServices/*", + "Microsoft.Features/features/read", + "Microsoft.Features/providers/features/read", + "Microsoft.Features/providers/features/register/action", + "Microsoft.Insights/alertRules/*", + "Microsoft.Insights/diagnosticSettings/*", + "Microsoft.Insights/logDefinitions/read", + "Microsoft.Insights/metricdefinitions/read", + "Microsoft.Insights/metrics/read", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/deployments/operations/read", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Cognitive Services Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cognitive Services Custom Vision Contributor ++Full access to the project, including the ability to view, create, edit, or delete projects. 
++[Learn more](/azure/ai-services/custom-vision-service/role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/*/read | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVision/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Full access to the project, including the ability to view, create, edit, or delete projects.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3", + "name": "c1ff6cc2-c111-46fe-8896-e0ef812ad9f3", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices/*/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/CustomVision/*" + ], + "notDataActions": [] + } + ], + "roleName": "Cognitive Services Custom Vision Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cognitive Services Custom Vision Deployment ++Publish, unpublish or export models. Deployment can view the project but can't update. 
++[Learn more](/azure/ai-services/custom-vision-service/role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/*/read | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVision/*/read | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVision/projects/predictions/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVision/projects/iterations/publish/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVision/projects/iterations/export/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVision/projects/quicktest/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVision/classify/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVision/detect/* | | +> | **NotDataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVision/projects/export/read | Exports a project. | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Publish, unpublish or export models. 
Deployment can view the project but can't update.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f", + "name": "5c4089e1-6d96-4d2f-b296-c1bc7137275f", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices/*/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/CustomVision/*/read", + "Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/*", + "Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/*", + "Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/*", + "Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/*", + "Microsoft.CognitiveServices/accounts/CustomVision/classify/*", + "Microsoft.CognitiveServices/accounts/CustomVision/detect/*" + ], + "notDataActions": [ + "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read" + ] + } + ], + "roleName": "Cognitive Services Custom Vision Deployment", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cognitive Services Custom Vision Labeler ++View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags. ++[Learn more](/azure/ai-services/custom-vision-service/role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/*/read | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVision/*/read | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVision/projects/predictions/query/action | Get images that were sent to your prediction endpoint. 
| +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVision/projects/images/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVision/projects/tags/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVision/projects/images/suggested/* | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVision/projects/tagsandregions/suggestions/action | This API will get suggested tags and regions for an array/batch of untagged images along with confidences for the tags. It returns an empty array if no tags are found. | +> | **NotDataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVision/projects/export/read | Exports a project. | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "View, edit training images and create, add, remove, or delete the image tags. 
Labelers can view the project but can't update anything other than training images and tags.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c", + "name": "88424f51-ebe7-446f-bc41-7fa16989e96c", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices/*/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/CustomVision/*/read", + "Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action", + "Microsoft.CognitiveServices/accounts/CustomVision/projects/images/*", + "Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/*", + "Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/*", + "Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action" + ], + "notDataActions": [ + "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read" + ] + } + ], + "roleName": "Cognitive Services Custom Vision Labeler", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cognitive Services Custom Vision Reader ++Read-only actions in the project. Readers can't create or update the project. ++[Learn more](/azure/ai-services/custom-vision-service/role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/*/read | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVision/*/read | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVision/projects/predictions/query/action | Get images that were sent to your prediction endpoint. 
| +> | **NotDataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVision/projects/export/read | Exports a project. | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Read-only actions in the project. Readers can't create or update the project.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73", + "name": "93586559-c37d-4a6b-ba08-b9f0940c2d73", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices/*/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/CustomVision/*/read", + "Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action" + ], + "notDataActions": [ + "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read" + ] + } + ], + "roleName": "Cognitive Services Custom Vision Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cognitive Services Custom Vision Trainer ++View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project. ++[Learn more](/azure/ai-services/custom-vision-service/role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/*/read | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVision/* | | +> | **NotDataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVision/projects/action | Create a project. 
| +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVision/projects/delete | Delete a specific project. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVision/projects/import/action | Imports a project. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/CustomVision/projects/export/read | Exports a project. | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b", + "name": "0a5ae4ab-0d65-4eeb-be61-29fc9b54394b", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices/*/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/CustomVision/*" + ], + "notDataActions": [ + "Microsoft.CognitiveServices/accounts/CustomVision/projects/action", + "Microsoft.CognitiveServices/accounts/CustomVision/projects/delete", + "Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action", + "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read" + ] + } + ], + "roleName": "Cognitive Services Custom Vision Trainer", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cognitive Services Data Reader (Preview) ++Lets you read Cognitive Services data. 
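Review bot: in the Cognitive Services Custom Vision Trainer definition above, the description says trainers can "export the models" while `notDataActions` denies `Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read`, which the table glosses as "Exports a project." Those are two different operations, and someone assigning this role to a training pipeline would reasonably read "export" as covering both. Suggest qualifying the sentence, e.g. "including the ability to publish, unpublish and export trained models; trainers can't create, delete, import or export the project", so that the denied project import and export are stated rather than left to be inferred from the JSON.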
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/*/read | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you read Cognitive Services data.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c", + "name": "b59867f0-fa02-499b-be73-45a86b5b3e1c", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/*/read" + ], + "notDataActions": [] + } + ], + "roleName": "Cognitive Services Data Reader (Preview)", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cognitive Services Face Recognizer ++Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Face/detect/action | Detect human faces in an image, return face rectangles, and optionally with faceIds, landmarks, and attributes. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Face/verify/action | Verify whether two faces belong to a same person or whether one face belongs to a person. 
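Review bot: the Cognitive Services Data Reader (Preview) definition above grants the single data action `Microsoft.CognitiveServices/*/read` with an empty `notDataActions`, and that wildcard is broader than "read Cognitive Services data" suggests: `*` matches across path segments, so it covers every data-plane operation on this page whose name ends in `/read`, including `accounts/QnAMaker/endpointkeys/read` ("Gets endpoint keys for an endpoint") and `accounts/QnAMaker/knowledgebases/download/read` listed further down. A role named "reader" that can read endpoint keys deserves a sentence saying so. This is also the only section in this run without a "Learn more" link; the neighbouring roles all have one.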
| +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Face/identify/action | 1-to-many identification to find the closest matches of the specific query person face from a person group or large person group. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Face/group/action | Divide candidate faces into groups based on face similarity. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Face/findsimilars/action | Given query face's faceId, to search the similar-looking faces from a faceId array, a face list or a large face list. faceId | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Face/detectliveness/multimodal/action | <p>Performs liveness detection on a target face in a sequence of infrared, color and/or depth images, and returns the liveness classification of the target face as either ‘real face’, ‘spoof face’, or ‘uncertain’ if a classification cannot be made with the given inputs.</p> | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Face/detectliveness/singlemodal/action | <p>Performs liveness detection on a target face in a sequence of images of the same modality (e.g. color or infrared), and returns the liveness classification of the target face as either ‘real face’, ‘spoof face’, or ‘uncertain’ if a classification cannot be made with the given inputs.</p> | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Face/detectlivenesswithverify/singlemodal/action | Detects liveness of a target face in a sequence of images of the same stream type (e.g. color) and then compares with VerifyImage to return confidence score for identity scenarios. 
| +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Face/*/sessions/action | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Face/*/sessions/delete | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Face/*/sessions/read | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/Face/*/sessions/audit/read | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/9894cab4-e18a-44aa-828b-cb588cd6f2d7", + "name": "9894cab4-e18a-44aa-828b-cb588cd6f2d7", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/Face/detect/action", + "Microsoft.CognitiveServices/accounts/Face/verify/action", + "Microsoft.CognitiveServices/accounts/Face/identify/action", + "Microsoft.CognitiveServices/accounts/Face/group/action", + "Microsoft.CognitiveServices/accounts/Face/findsimilars/action", + "Microsoft.CognitiveServices/accounts/Face/detectliveness/multimodal/action", + "Microsoft.CognitiveServices/accounts/Face/detectliveness/singlemodal/action", + "Microsoft.CognitiveServices/accounts/Face/detectlivenesswithverify/singlemodal/action", + "Microsoft.CognitiveServices/accounts/Face/*/sessions/action", + "Microsoft.CognitiveServices/accounts/Face/*/sessions/delete", + "Microsoft.CognitiveServices/accounts/Face/*/sessions/read", + "Microsoft.CognitiveServices/accounts/Face/*/sessions/audit/read" + ], + 
"notDataActions": [] + } + ], + "roleName": "Cognitive Services Face Recognizer", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cognitive Services Metrics Advisor Administrator ++Full access to the project, including the system level configuration. ++[Learn more](/azure/ai-services/metrics-advisor/how-tos/alerts) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/*/read | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/MetricsAdvisor/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Full access to the project, including the system level configuration.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-4ec5-977c-e80c4affc34a", + "name": "cb43c632-a144-4ec5-977c-e80c4affc34a", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices/*/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/MetricsAdvisor/*" + ], + "notDataActions": [] + } + ], + "roleName": "Cognitive Services Metrics Advisor Administrator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cognitive Services OpenAI Contributor ++Full access including the ability to fine-tune, deploy and generate text ++[Learn more](/azure/ai-services/openai/how-to/role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/*/read | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/deployments/write | Writes deployments. 
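Review bot: the Cognitive Services Face Recognizer description above ("This role does not allow create or delete operations") is contradicted by its own `dataActions`, which include `Microsoft.CognitiveServices/accounts/Face/*/sessions/action` and `Microsoft.CognitiveServices/accounts/Face/*/sessions/delete`, both left without a description in the table. Either narrow the description to the operations it is true for (the detect, verify, identify, group and findsimilars rows) or give the session rows a description that says the role can create and delete sessions, so a reader choosing it for a least-privilege inference endpoint is not misled. Two smaller points in the same table: the `findsimilars/action` cell ends with a dangling "faceId" token, and the two `detectliveness` cells carry raw `<p>` tags that no other row on the page uses.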
| +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/deployments/delete | Deletes deployments. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/raiPolicies/read | Gets all applicable policies under the account including default policies. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/raiPolicies/write | Create or update a custom Responsible AI policy. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/raiPolicies/delete | Deletes a custom Responsible AI policy that's not referenced by an existing deployment. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/commitmentplans/read | Reads commitment plans. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/commitmentplans/write | Writes commitment plans. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/commitmentplans/delete | Deletes commitment plans. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Full access including the ability to fine-tune, deploy and generate text", + "id": "/providers/Microsoft.Authorization/roleDefinitions/a001fd3d-188f-4b5d-821b-7da978bf7442", + "name": "a001fd3d-188f-4b5d-821b-7da978bf7442", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices/*/read", + "Microsoft.CognitiveServices/accounts/deployments/write", + "Microsoft.CognitiveServices/accounts/deployments/delete", + "Microsoft.CognitiveServices/accounts/raiPolicies/read", + "Microsoft.CognitiveServices/accounts/raiPolicies/write", + "Microsoft.CognitiveServices/accounts/raiPolicies/delete", + "Microsoft.CognitiveServices/accounts/commitmentplans/read", + "Microsoft.CognitiveServices/accounts/commitmentplans/write", + "Microsoft.CognitiveServices/accounts/commitmentplans/delete", + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.Authorization/roleDefinitions/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/OpenAI/*" + ], + "notDataActions": [] + } + ], + "roleName": "Cognitive Services OpenAI Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cognitive Services OpenAI User ++Read access to view files, models, deployments. The ability to create completion and embedding calls. 
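Review bot: the Cognitive Services OpenAI Contributor description above ("Full access including the ability to fine-tune, deploy and generate text") leaves out the control-plane actions the definition actually grants: `Microsoft.CognitiveServices/accounts/raiPolicies/write` and `/delete` ("Create or update a custom Responsible AI policy") and `accounts/commitmentplans/write` and `/delete`. Changing a Responsible AI policy or a commitment plan is an account-level configuration change, not text generation, so the description should name it; anyone deciding between this role and OpenAI User for a service principal needs to know that the Contributor can alter the account's policies as well as call the model.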
++[Learn more](/azure/ai-services/openai/how-to/role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/*/read | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/*/read | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/engines/completions/action | Create a completion from a chosen model | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/engines/search/action | Search for the most relevant documents using the current engine. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/engines/generate/action | (Intended for browsers only.) Stream generated text from the model via GET request. This method is provided because the browser-native EventSource method can only send GET requests. It supports a more limited set of configuration options than the POST variant. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/search/action | Search for the most relevant documents using the current engine. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/completions/action | Create a completion from a chosen model. 
| +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/chat/completions/action | Creates a completion for the chat message | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/extensions/chat/completions/action | Creates a completion for the chat message with extensions | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/deployments/embeddings/action | Return the embeddings for a given prompt. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/OpenAI/images/generations/action | Create image generations. | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Ability to view files, models, deployments. Readers are able to call inference operations such as chat completions and image generation.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/5e0bd9bd-7b93-4f28-af87-19fc36ad61bd", + "name": "5e0bd9bd-7b93-4f28-af87-19fc36ad61bd", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices/*/read", + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.Authorization/roleDefinitions/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/OpenAI/*/read", + "Microsoft.CognitiveServices/accounts/OpenAI/engines/completions/action", + "Microsoft.CognitiveServices/accounts/OpenAI/engines/search/action", + "Microsoft.CognitiveServices/accounts/OpenAI/engines/generate/action", + "Microsoft.CognitiveServices/accounts/OpenAI/deployments/search/action", + "Microsoft.CognitiveServices/accounts/OpenAI/deployments/completions/action", + "Microsoft.CognitiveServices/accounts/OpenAI/deployments/chat/completions/action", + 
"Microsoft.CognitiveServices/accounts/OpenAI/deployments/extensions/chat/completions/action", + "Microsoft.CognitiveServices/accounts/OpenAI/deployments/embeddings/action", + "Microsoft.CognitiveServices/accounts/OpenAI/images/generations/action" + ], + "notDataActions": [] + } + ], + "roleName": "Cognitive Services OpenAI User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cognitive Services QnA Maker Editor ++Let's you create, edit, import and export a KB. You cannot publish or delete a KB. ++[Learn more](/azure/ai-services/qnamaker/) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/*/read | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/download/read | Download the knowledgebase. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/create/write | Asynchronous operation to create a new knowledgebase. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/write | Asynchronous operation to modify a knowledgebase or Replace knowledgebase contents. 
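Review bot: the Cognitive Services OpenAI User section is inconsistent with itself. The prose above the table reads "Read access to view files, models, deployments. The ability to create completion and embedding calls.", while the JSON `description` reads "Ability to view files, models, deployments. Readers are able to call inference operations such as chat completions and image generation." Every other section in this run repeats the JSON description verbatim as the prose. The JSON wording is also the accurate one, since the data actions include `accounts/OpenAI/images/generations/action` and `deployments/extensions/chat/completions/action`, which "completion and embedding calls" does not cover; suggest replacing the prose with the JSON description.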
| +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/train/action | Train call to add suggestions to the knowledgebase. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker/alterations/read | Download alterations from runtime. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker/alterations/write | Replace alterations data. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker/endpointkeys/read | Gets endpoint keys for an endpoint | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker/endpointkeys/refreshkeys/action | Re-generates an endpoint key. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker/endpointsettings/read | Gets endpoint settings for an endpoint | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker/endpointsettings/write | Update endpoint seettings for an endpoint. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker/operations/read | Gets details of a specific long running operation. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. 
| +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/download/read | Download the knowledgebase. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/create/write | Asynchronous operation to create a new knowledgebase. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/write | Asynchronous operation to modify a knowledgebase or Replace knowledgebase contents. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/train/action | Train call to add suggestions to the knowledgebase. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/alterations/read | Download alterations from runtime. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/alterations/write | Replace alterations data. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/endpointkeys/read | Gets endpoint keys for an endpoint | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action | Re-generates an endpoint key. 
| +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/endpointsettings/read | Gets endpoint settings for an endpoint | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/endpointsettings/write | Update endpoint seettings for an endpoint. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/operations/read | Gets details of a specific long running operation. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read | Download the knowledgebase. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write | Asynchronous operation to create a new knowledgebase. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/knowledgebases/write | Asynchronous operation to modify a knowledgebase or Replace knowledgebase contents. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action | Train call to add suggestions to the knowledgebase. 
| +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/alterations/read | Download alterations from runtime. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/alterations/write | Replace alterations data. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/endpointkeys/read | Gets endpoint keys for an endpoint | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action | Re-generates an endpoint key. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/endpointsettings/read | Gets endpoint settings for an endpoint | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/endpointsettings/write | Update endpoint seettings for an endpoint. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/operations/read | Gets details of a specific long running operation. | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Let's you create, edit, import and export a KB. 
You cannot publish or delete a KB.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025", + "name": "f4cc2bf9-21be-47a1-bdf1-5c5804381025", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices/*/read", + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.Authorization/roleDefinitions/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read", + "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read", + "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write", + "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write", + "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action", + "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action", + "Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read", + "Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write", + "Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read", + "Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action", + "Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read", + "Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write", + "Microsoft.CognitiveServices/accounts/QnAMaker/operations/read", + "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read", + "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read", + "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write", + "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write", + "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action", + "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action", + "Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read", + 
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write", + "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read", + "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action", + "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read", + "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write", + "Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read", + "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read", + "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read", + "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write", + "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/write", + "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action", + "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action", + "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read", + "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/write", + "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read", + "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action", + "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read", + "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/write", + "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read" + ], + "notDataActions": [] + } + ], + "roleName": "Cognitive Services QnA Maker Editor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cognitive Services QnA Maker Reader ++Let's you read and test a KB only. 
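Review bot: the Cognitive Services QnA Maker Editor description ("Let's you create, edit, import and export a KB. You cannot publish or delete a KB.") omits that the role grants `accounts/QnAMaker/endpointkeys/refreshkeys/action` ("Re-generates an endpoint key") and `endpointkeys/read` on all three API surfaces (QnAMaker, QnAMaker.v2, TextAnalytics/QnAMaker); reading and rotating endpoint keys is a credential operation that an editor of KB content would not be expected to hold, and it should be named in the description. Three typos in the same section, all in prose or table cells rather than in action names: "Let's you" should be "Lets you" (it recurs in the Reader description that follows; the JSON `description` mirrors the service definition, so the prose copy is the one to fix unless the definition itself is corrected), "knowledgebaser" should be "knowledgebase" in the `knowledgebases/read` rows, and "seettings" should be "settings" in the `endpointsettings/write` rows.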
++[Learn more](/azure/ai-services/qnamaker/) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/*/read | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/download/read | Download the knowledgebase. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker/alterations/read | Download alterations from runtime. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker/endpointkeys/read | Gets endpoint keys for an endpoint | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker/endpointsettings/read | Gets endpoint settings for an endpoint | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. 
| +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/download/read | Download the knowledgebase. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/alterations/read | Download alterations from runtime. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/endpointkeys/read | Gets endpoint keys for an endpoint | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/QnAMaker.v2/endpointsettings/read | Gets endpoint settings for an endpoint | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read | Download the knowledgebase. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/alterations/read | Download alterations from runtime. 
| +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/endpointkeys/read | Gets endpoint keys for an endpoint | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/TextAnalytics/QnAMaker/endpointsettings/read | Gets endpoint settings for an endpoint | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Let's you read and test a KB only.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126", + "name": "466ccd10-b268-4a11-b098-b4849f024126", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices/*/read", + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.Authorization/roleDefinitions/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read", + "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read", + "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action", + "Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read", + "Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read", + "Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read", + "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read", + "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read", + "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action", + "Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read", + "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read", + "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read", + "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read", + 
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read", + "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action", + "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read", + "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read", + "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read" + ], + "notDataActions": [] + } + ], + "roleName": "Cognitive Services QnA Maker Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cognitive Services Usages Reader ++Minimal permission to view Cognitive Services usages. ++[Learn more](/azure/ai-services/openai/how-to/role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/locations/usages/read | Read all usages data | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Minimal permission to view Cognitive Services usages.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/bba48692-92b0-4667-a9ad-c31c7b334ac2", + "name": "bba48692-92b0-4667-a9ad-c31c7b334ac2", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices/locations/usages/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Cognitive Services Usages Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cognitive Services User ++Lets you read and list keys of Cognitive Services. 
++[Learn more](/azure/ai-services/authentication) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/*/read | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/listkeys/action | List keys | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/read | Read a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/diagnosticSettings/read | Read a resource diagnostic setting | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/logDefinitions/read | Read log definitions | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metricdefinitions/read | Read metric definitions | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metrics/read | Read metrics | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you read and list keys of Cognitive Services.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908", + "name": "a97b65f3-24c7-4388-baec-2e87135dc908", + "permissions": [ + { + "actions": [ + "Microsoft.CognitiveServices/*/read", + "Microsoft.CognitiveServices/accounts/listkeys/action", + "Microsoft.Insights/alertRules/read", + "Microsoft.Insights/diagnosticSettings/read", + "Microsoft.Insights/logDefinitions/read", + "Microsoft.Insights/metricdefinitions/read", + "Microsoft.Insights/metrics/read", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/operations/read", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [ + "Microsoft.CognitiveServices/*" + ], + "notDataActions": [] + } + ], + "roleName": "Cognitive Services User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Next steps ++- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal) |
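Review bot: In the Cognitive Services User section the intro "Lets you read and list keys of Cognitive Services." understates the grant: the DataActions entry `Microsoft.CognitiveServices/*` is a full data-plane wildcard, not read-only, and `Microsoft.CognitiveServices/accounts/listkeys/action` exposes the account keys, so the role is effectively full data-plane access to every account in scope. The JSON `description` mirrors the role definition and can't be changed here, but a sentence before the table pointing this out (alongside the existing `[Learn more](/azure/ai-services/authentication)` link) would help readers choosing this role for least privilege. Two smaller points in the same file: the Cognitive Services QnA Maker Reader intro "Let's you read and test a KB only." should read "Lets you", and the Description column text "details of a specific knowledgebaser" carries a typo ("knowledgebase"); both strings come from the role and provider operation definitions, so they need fixing at the source rather than only in this article.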
role-based-access-control | Analytics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/analytics.md | + + Title: Azure built-in roles for Analytics - Azure RBAC +description: This article lists the Azure built-in roles for Azure role-based access control (Azure RBAC) in the Analytics category. It lists Actions, NotActions, DataActions, and NotDataActions. ++++++ Last updated : 02/07/2024++++# Azure built-in roles for Analytics ++This article lists the Azure built-in roles in the Analytics category. +++## Azure Event Hubs Data Owner ++Allows for full access to Azure Event Hubs resources. ++[Learn more](/azure/event-hubs/authenticate-application) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.EventHub](../permissions/analytics.md#microsofteventhub)/* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.EventHub](../permissions/analytics.md#microsofteventhub)/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for full access to Azure Event Hubs resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "name": "f526a384-b230-433a-b45c-95f59c4a2dec", + "permissions": [ + { + "actions": [ + "Microsoft.EventHub/*" + ], + "notActions": [], + "dataActions": [ + "Microsoft.EventHub/*" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Event Hubs Data Owner", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Event Hubs Data Receiver ++Allows receive access to Azure Event Hubs resources. 
++[Learn more](/azure/event-hubs/authenticate-application) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.EventHub](../permissions/analytics.md#microsofteventhub)/*/eventhubs/consumergroups/read | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.EventHub](../permissions/analytics.md#microsofteventhub)/*/receive/action | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows receive access to Azure Event Hubs resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde", + "name": "a638d3c7-ab3a-418d-83e6-5f17a39d4fde", + "permissions": [ + { + "actions": [ + "Microsoft.EventHub/*/eventhubs/consumergroups/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.EventHub/*/receive/action" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Event Hubs Data Receiver", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Event Hubs Data Sender ++Allows send access to Azure Event Hubs resources. 
++[Learn more](/azure/event-hubs/authenticate-application) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.EventHub](../permissions/analytics.md#microsofteventhub)/*/eventhubs/read | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.EventHub](../permissions/analytics.md#microsofteventhub)/*/send/action | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows send access to Azure Event Hubs resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975", + "name": "2b629674-e913-4c01-ae53-ef4638d8f975", + "permissions": [ + { + "actions": [ + "Microsoft.EventHub/*/eventhubs/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.EventHub/*/send/action" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Event Hubs Data Sender", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Data Factory Contributor ++Create and manage data factories, as well as child resources within them. ++[Learn more](/azure/data-factory/concepts-roles-permissions) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.DataFactory](../permissions/databases.md#microsoftdatafactory)/dataFactories/* | Create and manage data factories, and child resources within them. | +> | [Microsoft.DataFactory](../permissions/databases.md#microsoftdatafactory)/factories/* | Create and manage data factories, and child resources within them. 
| +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/eventSubscriptions/write | Create or update an eventSubscription | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Create and manage data factories, as well as child resources within them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5", + "name": "673868aa-7521-48a0-acc6-0f60742d39f5", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.DataFactory/dataFactories/*", + "Microsoft.DataFactory/factories/*", + "Microsoft.Insights/alertRules/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.EventGrid/eventSubscriptions/write" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Data Factory Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Data Purger ++Delete private data from a Log Analytics workspace. 
++[Learn more](/azure/azure-monitor/logs/personal-data-mgmt) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/components/*/read | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/components/purge/action | Purging data from Application Insights | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/*/read | View log analytics data | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/purge/action | Delete specified data by query from workspace. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can purge analytics data", + "id": "/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90", + "name": "150f5e0c-0603-4f03-8c7f-cf70034c4e90", + "permissions": [ + { + "actions": [ + "Microsoft.Insights/components/*/read", + "Microsoft.Insights/components/purge/action", + "Microsoft.OperationalInsights/workspaces/*/read", + "Microsoft.OperationalInsights/workspaces/purge/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Data Purger", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## HDInsight Cluster Operator ++Lets you read and modify HDInsight cluster configurations. 
++[Learn more](/azure/hdinsight/hdinsight-migrate-granular-access-cluster-configurations) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/*/read | | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusters/getGatewaySettings/action | Get gateway settings for HDInsight Cluster | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusters/updateGatewaySettings/action | Update gateway settings for HDInsight Cluster | +> | [Microsoft.HDInsight](../permissions/analytics.md#microsofthdinsight)/clusters/configurations/* | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you read and modify HDInsight cluster configurations.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a", + "name": "61ed4efc-fab3-44fd-b111-e24485cc132a", + "permissions": [ + { + "actions": [ + "Microsoft.HDInsight/*/read", + "Microsoft.HDInsight/clusters/getGatewaySettings/action", + "Microsoft.HDInsight/clusters/updateGatewaySettings/action", + 
"Microsoft.HDInsight/clusters/configurations/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/deployments/operations/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Authorization/*/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "HDInsight Cluster Operator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## HDInsight Domain Services Contributor ++Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package ++[Learn more](/azure/hdinsight/domain-joined/apache-domain-joined-configure-using-azure-adds) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.AAD](../permissions/identity.md#microsoftaad)/*/read | | +> | [Microsoft.AAD](../permissions/identity.md#microsoftaad)/domainServices/*/read | | +> | [Microsoft.AAD](../permissions/identity.md#microsoftaad)/domainServices/oucontainer/* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package", + "id": "/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c", + "name": "8d8d5a11-05d3-4bda-a417-a08778121c7c", + "permissions": [ + { + "actions": [ + "Microsoft.AAD/*/read", + "Microsoft.AAD/domainServices/*/read", + "Microsoft.AAD/domainServices/oucontainer/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "HDInsight Domain Services Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Log Analytics Contributor ++Log Analytics Contributor can read all monitoring data and edit monitoring 
settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources. ++[Learn more](/azure/azure-monitor/logs/manage-access) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | */read | Read resources of all types, except secrets. | +> | [Microsoft.ClassicCompute](../permissions/compute.md#microsoftclassiccompute)/virtualMachines/extensions/* | | +> | [Microsoft.ClassicStorage](../permissions/storage.md#microsoftclassicstorage)/storageAccounts/listKeys/action | Lists the access keys for the storage accounts. | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/extensions/* | | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/extensions/write | Installs or Updates an Azure Arc extensions | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/* | | +> | [Microsoft.OperationsManagement](../permissions/monitor.md#microsoftoperationsmanagement)/* | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/* | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "name": "92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "permissions": [ + { + "actions": [ + "*/read", + "Microsoft.ClassicCompute/virtualMachines/extensions/*", + "Microsoft.ClassicStorage/storageAccounts/listKeys/action", + "Microsoft.Compute/virtualMachines/extensions/*", + "Microsoft.HybridCompute/machines/extensions/write", + "Microsoft.Insights/alertRules/*", + "Microsoft.Insights/diagnosticSettings/*", + "Microsoft.OperationalInsights/*", + "Microsoft.OperationsManagement/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/*", + "Microsoft.Storage/storageAccounts/listKeys/action", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Log Analytics Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Log Analytics Reader ++Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. 
++[Learn more](/azure/azure-monitor/logs/manage-access) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | */read | Read resources of all types, except secrets. | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/analytics/query/action | Search using new engine. | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/search/action | Executes a search query | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/sharedKeys/read | Retrieves the shared keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace. | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", + "name": "73c42c96-874c-492b-b04d-ab87d138a893", + "permissions": [ + { + "actions": [ + "*/read", + "Microsoft.OperationalInsights/workspaces/analytics/query/action", + "Microsoft.OperationalInsights/workspaces/search/action", + "Microsoft.Support/*" + ], + "notActions": [ + "Microsoft.OperationalInsights/workspaces/sharedKeys/read" + ], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Log Analytics Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Schema Registry Contributor (Preview) ++Read, write, and delete Schema Registry groups and schemas. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.EventHub](../permissions/analytics.md#microsofteventhub)/namespaces/schemagroups/* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.EventHub](../permissions/analytics.md#microsofteventhub)/namespaces/schemas/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Read, write, and delete Schema Registry groups and schemas.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/5dffeca3-4936-4216-b2bc-10343a5abb25", + "name": "5dffeca3-4936-4216-b2bc-10343a5abb25", + "permissions": [ + { + "actions": [ + "Microsoft.EventHub/namespaces/schemagroups/*" + ], + "notActions": [], + "dataActions": [ + "Microsoft.EventHub/namespaces/schemas/*" + ], + "notDataActions": [] + } + ], + "roleName": "Schema Registry Contributor (Preview)", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Schema Registry Reader (Preview) ++Read and list Schema Registry groups and schemas. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.EventHub](../permissions/analytics.md#microsofteventhub)/namespaces/schemagroups/read | Get list of SchemaGroup Resource Descriptions | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.EventHub](../permissions/analytics.md#microsofteventhub)/namespaces/schemas/read | Retrieve schemas | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Read and list Schema Registry groups and schemas.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/2c56ea50-c6b3-40a6-83c0-9d98858bc7d2", + "name": "2c56ea50-c6b3-40a6-83c0-9d98858bc7d2", + "permissions": [ + { + "actions": [ + "Microsoft.EventHub/namespaces/schemagroups/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.EventHub/namespaces/schemas/read" + ], + "notDataActions": [] + } + ], + "roleName": "Schema Registry Reader (Preview)", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Stream Analytics Query Tester ++Lets you perform query testing without creating a stream analytics job first ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.StreamAnalytics](../permissions/analytics.md#microsoftstreamanalytics)/locations/TestQuery/action | Test Query for Stream Analytics Resource Provider | +> | [Microsoft.StreamAnalytics](../permissions/analytics.md#microsoftstreamanalytics)/locations/OperationResults/read | Read Stream Analytics Operation Result | +> | [Microsoft.StreamAnalytics](../permissions/analytics.md#microsoftstreamanalytics)/locations/SampleInput/action | Sample Input for Stream Analytics Resource Provider | +> | [Microsoft.StreamAnalytics](../permissions/analytics.md#microsoftstreamanalytics)/locations/CompileQuery/action | Compile Query for Stream Analytics Resource Provider | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | 
+> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you perform query testing without creating a stream analytics job first", + "id": "/providers/Microsoft.Authorization/roleDefinitions/1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf", + "name": "1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf", + "permissions": [ + { + "actions": [ + "Microsoft.StreamAnalytics/locations/TestQuery/action", + "Microsoft.StreamAnalytics/locations/OperationResults/read", + "Microsoft.StreamAnalytics/locations/SampleInput/action", + "Microsoft.StreamAnalytics/locations/CompileQuery/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Stream Analytics Query Tester", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Next steps ++- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal) |
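Review bot: In the Data Purger section the intro "Delete private data from a Log Analytics workspace." does not match the JSON `description` "Can purge analytics data", whereas every other role on the page uses the role definition's description verbatim; the intro is also narrower than the permissions, which include `Microsoft.Insights/components/purge/action` for Application Insights, so it should either quote the definition or name both targets. In the Log Analytics Reader section the description "as well as and view monitoring settings" has a stray "and" (present in both the prose and the JSON, so again a role-definition string). Documentation gaps: the Schema Registry Contributor (Preview), Schema Registry Reader (Preview) and Stream Analytics Query Tester sections lack the `[Learn more]` link that the other sections carry, and the Stream Analytics Query Tester description lacks a trailing period. Style: in Data Factory Contributor, `Microsoft.EventGrid/eventSubscriptions/write` is appended after `Microsoft.Support/*`, breaking the alphabetical ordering used in the other tables.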
role-based-access-control | Compute | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/compute.md | + + Title: Azure built-in roles for Compute - Azure RBAC +description: This article lists the Azure built-in roles for Azure role-based access control (Azure RBAC) in the Compute category. It lists Actions, NotActions, DataActions, and NotDataActions. ++++++ Last updated : 02/07/2024++++# Azure built-in roles for Compute ++This article lists the Azure built-in roles in the Compute category. +++## Classic Virtual Machine Contributor ++Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.ClassicCompute](../permissions/compute.md#microsoftclassiccompute)/domainNames/* | Create and manage classic compute domain names | +> | [Microsoft.ClassicCompute](../permissions/compute.md#microsoftclassiccompute)/virtualMachines/* | Create and manage virtual machines | +> | [Microsoft.ClassicNetwork](../permissions/networking.md#microsoftclassicnetwork)/networkSecurityGroups/join/action | | +> | [Microsoft.ClassicNetwork](../permissions/networking.md#microsoftclassicnetwork)/reservedIps/link/action | Link a reserved Ip | +> | [Microsoft.ClassicNetwork](../permissions/networking.md#microsoftclassicnetwork)/reservedIps/read | Gets the reserved Ips | +> | [Microsoft.ClassicNetwork](../permissions/networking.md#microsoftclassicnetwork)/virtualNetworks/join/action | Joins the virtual network. | +> | [Microsoft.ClassicNetwork](../permissions/networking.md#microsoftclassicnetwork)/virtualNetworks/read | Get the virtual network. 
| +> | [Microsoft.ClassicStorage](../permissions/storage.md#microsoftclassicstorage)/storageAccounts/disks/read | Returns the storage account disk. | +> | [Microsoft.ClassicStorage](../permissions/storage.md#microsoftclassicstorage)/storageAccounts/images/read | Returns the storage account image. (Deprecated. Use 'Microsoft.ClassicStorage/storageAccounts/vmImages') | +> | [Microsoft.ClassicStorage](../permissions/storage.md#microsoftclassicstorage)/storageAccounts/listKeys/action | Lists the access keys for the storage accounts. | +> | [Microsoft.ClassicStorage](../permissions/storage.md#microsoftclassicstorage)/storageAccounts/read | Return the storage account with the given account. | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb", + "name": "d73bb868-a0df-4d4d-bd69-98a00b01fccb", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.ClassicCompute/domainNames/*", + "Microsoft.ClassicCompute/virtualMachines/*", + "Microsoft.ClassicNetwork/networkSecurityGroups/join/action", + "Microsoft.ClassicNetwork/reservedIps/link/action", + "Microsoft.ClassicNetwork/reservedIps/read", + "Microsoft.ClassicNetwork/virtualNetworks/join/action", + "Microsoft.ClassicNetwork/virtualNetworks/read", + "Microsoft.ClassicStorage/storageAccounts/disks/read", + "Microsoft.ClassicStorage/storageAccounts/images/read", + "Microsoft.ClassicStorage/storageAccounts/listKeys/action", + "Microsoft.ClassicStorage/storageAccounts/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Classic Virtual Machine Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Data Operator for Managed Disks ++Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication. 
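Review bot: the Classic Virtual Machine Contributor description ("not the virtual network or storage account they're connected to") is contradicted by the Actions table and the JSON `actions` array directly below it, which include `Microsoft.ClassicStorage/storageAccounts/listKeys/action`, described in the same table as "Lists the access keys for the storage accounts." Listing an account's access keys is an access path into that storage account, so the description understates what the role grants. Suggest either qualifying the description line (for example "but not the virtual network they're connected to; the role can list the access keys of classic storage accounts") or adding a short note under the table, so that someone assigning this role from the description alone is not surprised by the key-listing permission.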
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/download/action | Perform read data operations on Disk SAS Uri | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/upload/action | Perform write data operations on Disk SAS Uri | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/snapshots/download/action | Perform read data operations on Snapshot SAS Uri | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/snapshots/upload/action | Perform write data operations on Snapshot SAS Uri | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/959f8984-c045-4866-89c7-12bf9737be2e", + "name": "959f8984-c045-4866-89c7-12bf9737be2e", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.Compute/disks/download/action", + "Microsoft.Compute/disks/upload/action", + "Microsoft.Compute/snapshots/download/action", + "Microsoft.Compute/snapshots/upload/action" + ], + "notDataActions": [] + } + ], + "roleName": "Data Operator for Managed Disks", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Desktop Virtualization Application Group Contributor ++Contributor of the Desktop Virtualization Application Group. 
++[Learn more](/azure/virtual-desktop/rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/applicationgroups/* | | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/read | Read hostpools | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/read | Read hostpools/sessionhosts | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Contributor of the Desktop Virtualization Application Group.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/86240b0e-9422-4c43-887b-b61143f32ba8", + "name": "86240b0e-9422-4c43-887b-b61143f32ba8", + "permissions": [ + { + "actions": [ + "Microsoft.DesktopVirtualization/applicationgroups/*", + "Microsoft.DesktopVirtualization/hostpools/read", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + 
"Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Desktop Virtualization Application Group Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Desktop Virtualization Application Group Reader ++Reader of the Desktop Virtualization Application Group. ++[Learn more](/azure/virtual-desktop/rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/applicationgroups/*/read | | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/applicationgroups/read | Read applicationgroups | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/read | Read hostpools | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/read | Read hostpools/sessionhosts | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/read | Gets or lists deployments. 
| +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/read | Read a classic metric alert | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Reader of the Desktop Virtualization Application Group.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/aebf23d0-b568-4e86-b8f9-fe83a2c6ab55", + "name": "aebf23d0-b568-4e86-b8f9-fe83a2c6ab55", + "permissions": [ + { + "actions": [ + "Microsoft.DesktopVirtualization/applicationgroups/*/read", + "Microsoft.DesktopVirtualization/applicationgroups/read", + "Microsoft.DesktopVirtualization/hostpools/read", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/deployments/read", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Desktop Virtualization Application Group Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Desktop Virtualization Contributor ++Contributor of Desktop Virtualization. ++[Learn more](/azure/virtual-desktop/rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/* | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Contributor of Desktop Virtualization.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/082f0a83-3be5-4ba1-904c-961cca79b387", + "name": "082f0a83-3be5-4ba1-904c-961cca79b387", + "permissions": [ + { + "actions": [ + "Microsoft.DesktopVirtualization/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Desktop Virtualization Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Desktop Virtualization Host Pool Contributor ++Contributor of the Desktop Virtualization Host Pool. ++[Learn more](/azure/virtual-desktop/rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/* | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Contributor of the Desktop Virtualization Host Pool.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/e307426c-f9b6-4e81-87de-d99efb3c32bc", + "name": "e307426c-f9b6-4e81-87de-d99efb3c32bc", + "permissions": [ + { + "actions": [ + "Microsoft.DesktopVirtualization/hostpools/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Desktop Virtualization Host Pool Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Desktop Virtualization Host Pool Reader ++Reader of the Desktop Virtualization Host Pool. 
++[Learn more](/azure/virtual-desktop/rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/*/read | | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/read | Read hostpools | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/read | Gets or lists deployments. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/read | Read a classic metric alert | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Reader of the Desktop Virtualization Host Pool.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/ceadfde2-b300-400a-ab7b-6143895aa822", + "name": "ceadfde2-b300-400a-ab7b-6143895aa822", + "permissions": [ + { + "actions": [ + "Microsoft.DesktopVirtualization/hostpools/*/read", + "Microsoft.DesktopVirtualization/hostpools/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/deployments/read", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Desktop Virtualization Host Pool Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## 
Desktop Virtualization Reader ++Reader of Desktop Virtualization. ++[Learn more](/azure/virtual-desktop/rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/*/read | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/read | Gets or lists deployments. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/read | Read a classic metric alert | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Reader of Desktop Virtualization.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/49a72310-ab8d-41df-bbb0-79b649203868", + "name": "49a72310-ab8d-41df-bbb0-79b649203868", + "permissions": [ + { + "actions": [ + "Microsoft.DesktopVirtualization/*/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/deployments/read", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Desktop Virtualization Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Desktop Virtualization Session Host Operator ++Operator of the Desktop Virtualization Session Host. 
++[Learn more](/azure/virtual-desktop/rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/read | Read hostpools | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/* | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Operator of the Desktop Virtualization Session Host.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/2ad6aaab-ead9-4eaa-8ac5-da422f562408", + "name": "2ad6aaab-ead9-4eaa-8ac5-da422f562408", + "permissions": [ + { + "actions": [ + "Microsoft.DesktopVirtualization/hostpools/read", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Desktop Virtualization Session Host Operator", + "roleType": "BuiltInRole", + "type": 
"Microsoft.Authorization/roleDefinitions" +} +``` ++## Desktop Virtualization User ++Allows user to use the applications in an application group. ++[Learn more](/azure/virtual-desktop/delegated-access-virtual-desktop) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/applicationGroups/useApplications/action | Use ApplicationGroup | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/appAttachPackages/useApplications/action | Allow user permissioning on app attach packages in an application group | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows user to use the applications in an application group.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", + "name": "1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.DesktopVirtualization/applicationGroups/useApplications/action", + "Microsoft.DesktopVirtualization/appAttachPackages/useApplications/action" + ], + "notDataActions": [] + } + ], + "roleName": "Desktop Virtualization User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Desktop Virtualization User Session Operator ++Operator of the Desktop Virtualization User Session. 
++[Learn more](/azure/virtual-desktop/rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/read | Read hostpools | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/read | Read hostpools/sessionhosts | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/hostpools/sessionhosts/usersessions/* | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Operator of the Desktop Virtualization Uesr Session.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6", + "name": "ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6", + "permissions": [ + { + "actions": [ + "Microsoft.DesktopVirtualization/hostpools/read", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Authorization/*/read", + 
"Microsoft.Insights/alertRules/*", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Desktop Virtualization User Session Operator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Desktop Virtualization Workspace Contributor ++Contributor of the Desktop Virtualization Workspace. ++[Learn more](/azure/virtual-desktop/rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/workspaces/* | | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/applicationgroups/read | Read applicationgroups | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Contributor of the Desktop Virtualization Workspace.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/21efdde3-836f-432b-bf3d-3e8e734d4b2b", + "name": "21efdde3-836f-432b-bf3d-3e8e734d4b2b", + "permissions": [ + { + "actions": [ + "Microsoft.DesktopVirtualization/workspaces/*", + "Microsoft.DesktopVirtualization/applicationgroups/read", + 
"Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Desktop Virtualization Workspace Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Desktop Virtualization Workspace Reader ++Reader of the Desktop Virtualization Workspace. ++[Learn more](/azure/virtual-desktop/rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/workspaces/read | Read workspaces | +> | [Microsoft.DesktopVirtualization](../permissions/compute.md#microsoftdesktopvirtualization)/applicationgroups/read | Read applicationgroups | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/read | Gets or lists deployments. 
| +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/read | Read a classic metric alert | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Reader of the Desktop Virtualization Workspace.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/0fa44ee9-7a7d-466b-9bb2-2bf446b1204d", + "name": "0fa44ee9-7a7d-466b-9bb2-2bf446b1204d", + "permissions": [ + { + "actions": [ + "Microsoft.DesktopVirtualization/workspaces/read", + "Microsoft.DesktopVirtualization/applicationgroups/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/deployments/read", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Desktop Virtualization Workspace Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Disk Backup Reader ++Provides permission to backup vault to perform disk backup. 
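Review bot: in the Desktop Virtualization User Session Operator block above, the JSON `description` reads "Operator of the Desktop Virtualization Uesr Session." while the heading and the prose line both read "User Session". If the JSON is a verbatim export of the platform's role definition the typo belongs to the source data and should stay as-is, but then the page should say so, because every other role in this file uses the JSON description word for word as its prose line and a reader comparing the two will otherwise read the mismatch as a documentation error. Either add a one-line note that the JSON reflects the service's own definition, or align the prose with it.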
++[Learn more](/azure/backup/disk-backup-faq) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/read | Get the properties of a Disk | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/beginGetAccess/action | Get the SAS URI of the Disk for blob access | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provides permission to backup vault to perform disk backup.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/3e5e47e6-65f7-47ef-90b5-e5dd4d455f24", + "name": "3e5e47e6-65f7-47ef-90b5-e5dd4d455f24", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Compute/disks/read", + "Microsoft.Compute/disks/beginGetAccess/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Disk Backup Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Disk Pool Operator ++Provide permission to StoragePool Resource Provider to manage disks added to a disk pool. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/write | Creates a new Disk or updates an existing one | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/read | Get the properties of a Disk | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Used by the StoragePool Resource Provider to manage Disks added to a Disk Pool.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/60fc6e62-5479-42d4-8bf4-67625fcc2840", + "name": "60fc6e62-5479-42d4-8bf4-67625fcc2840", + "permissions": [ + { + "actions": [ + "Microsoft.Compute/disks/write", + "Microsoft.Compute/disks/read", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Disk Pool Operator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Disk Restore Operator ++Provides permission to backup vault to perform disk restore. 
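Review bot: the Disk Pool Operator prose line ("Provide permission to StoragePool Resource Provider to manage disks added to a disk pool.") does not match the JSON `description` in the same block ("Used by the StoragePool Resource Provider to manage Disks added to a Disk Pool."), and it also drops the verb agreement and the article ("Provides permission to the StoragePool Resource Provider ..."). The other roles in this file use the JSON description verbatim as their prose line, so this one should be aligned the same way; the JSON wording is also the more useful of the two, since "Used by the StoragePool Resource Provider" tells the reader this role is meant for the resource provider's identity rather than for a person.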
++[Learn more](/azure/backup/restore-managed-disks) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/write | Creates a new Disk or updates an existing one | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/read | Get the properties of a Disk | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provides permission to backup vault to perform disk restore.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/b50d9833-a0cb-478e-945f-707fcc997c13", + "name": "b50d9833-a0cb-478e-945f-707fcc997c13", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Compute/disks/write", + "Microsoft.Compute/disks/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Disk Restore Operator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Disk Snapshot Contributor ++Provides permission to backup vault to manage disk snapshots. ++[Learn more](/azure/backup/backup-managed-disks) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/snapshots/delete | Delete a Snapshot | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/snapshots/write | Create a new Snapshot or update an existing one | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/snapshots/read | Get the properties of a Snapshot | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/snapshots/beginGetAccess/action | Get the SAS URI of the Snapshot for blob access | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/snapshots/endGetAccess/action | Revoke the SAS URI of the Snapshot | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/beginGetAccess/action | Get the SAS URI of the Disk for blob access | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/listkeys/action | Returns the access keys for the specified storage account. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/write | Creates a storage account with the specified parameters or update the properties or tags or adds custom domain for the specified storage account. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/delete | Deletes an existing storage account. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provides permission to backup vault to manage disk snapshots.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/7efff54f-a5b4-42b5-a1c5-5411624893ce", + "name": "7efff54f-a5b4-42b5-a1c5-5411624893ce", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Compute/snapshots/delete", + "Microsoft.Compute/snapshots/write", + "Microsoft.Compute/snapshots/read", + "Microsoft.Compute/snapshots/beginGetAccess/action", + "Microsoft.Compute/snapshots/endGetAccess/action", + "Microsoft.Compute/disks/beginGetAccess/action", + "Microsoft.Storage/storageAccounts/listkeys/action", + "Microsoft.Storage/storageAccounts/write", + "Microsoft.Storage/storageAccounts/read", + "Microsoft.Storage/storageAccounts/delete" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Disk Snapshot Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Virtual Machine Administrator Login ++View Virtual Machines in the portal and login as administrator ++[Learn more](/entra/identity/devices/howto-vm-sign-in-azure-ad-windows) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/publicIPAddresses/read | Gets a public IP address definition. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/read | Gets a load balancer definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/read | Gets a network interface definition. 
| +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/*/read | | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/*/read | | +> | [Microsoft.HybridConnectivity](../permissions/hybrid-multicloud.md#microsofthybridconnectivity)/endpoints/listCredentials/action | Gets the endpoint access credentials to the resource. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/login/action | Log in to a virtual machine as a regular user | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/loginAsAdmin/action | Log in to a virtual machine with Windows administrator or Linux root user privileges | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/login/action | Log in to an Azure Arc machine as a regular user | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/loginAsAdmin/action | Log in to an Azure Arc machine with Windows administrator or Linux root user privilege | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "View Virtual Machines in the portal and login as administrator", + "id": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4", + "name": "1c0163c0-47e6-4577-8991-ea5c82e286e4", + "permissions": [ + { + "actions": [ + "Microsoft.Network/publicIPAddresses/read", + "Microsoft.Network/virtualNetworks/read", + "Microsoft.Network/loadBalancers/read", + "Microsoft.Network/networkInterfaces/read", + "Microsoft.Compute/virtualMachines/*/read", + "Microsoft.HybridCompute/machines/*/read", + "Microsoft.HybridConnectivity/endpoints/listCredentials/action" + ], + "notActions": [], + "dataActions": [ + "Microsoft.Compute/virtualMachines/login/action", + 
"Microsoft.Compute/virtualMachines/loginAsAdmin/action", + "Microsoft.HybridCompute/machines/login/action", + "Microsoft.HybridCompute/machines/loginAsAdmin/action" + ], + "notDataActions": [] + } + ], + "roleName": "Virtual Machine Administrator Login", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Virtual Machine Contributor ++Create and manage virtual machines, manage disks, install and run software, reset password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC. ++[Learn more](/azure/architecture/reference-architectures/n-tier/linux-vm) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/availabilitySets/* | Create and manage compute availability sets | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/locations/* | Create and manage compute locations | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/* | Perform all virtual machine actions including create, update, delete, start, restart, and power off virtual machines. Execute scripts on virtual machines. 
| +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachineScaleSets/* | Create and manage virtual machine scale sets | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/cloudServices/* | | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/write | Creates a new Disk or updates an existing one | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/read | Get the properties of a Disk | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/delete | Deletes the Disk | +> | [Microsoft.DevTestLab](../permissions/devops.md#microsoftdevtestlab)/schedules/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/applicationGateways/backendAddressPools/join/action | Joins an application gateway backend address pool. Not Alertable. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/backendAddressPools/join/action | Joins a load balancer backend address pool. Not Alertable. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/inboundNatPools/join/action | Joins a load balancer inbound NAT pool. Not alertable. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/inboundNatRules/join/action | Joins a load balancer inbound nat rule. Not Alertable. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/probes/join/action | Allows using probes of a load balancer. For example, with this permission healthProbe property of VM scale set can reference the probe. Not alertable. 
| +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/read | Gets a load balancer definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/locations/* | Create and manage network locations | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/* | Create and manage network interfaces | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/read | Gets a network security group definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/publicIPAddresses/join/action | Joins a public IP address. Not Alertable. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/publicIPAddresses/read | Gets a public IP address definition. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. 
| +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/* | | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/backupProtectionIntent/write | Create a backup Protection Intent | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/*/read | | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the Protected Item | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/write | Create a backup Protected Item | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupPolicies/read | Returns all Protection Policies | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupPolicies/write | Creates Protection Policy | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/usages/read | Returns usage details for a Recovery Services Vault. 
| +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/write | Create Vault operation creates an Azure resource of type 'vault' | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | Microsoft.SerialConsole/serialPorts/connect/action | Connect to a serial port | +> | [Microsoft.SqlVirtualMachine](../permissions/databases.md#microsoftsqlvirtualmachine)/* | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "name": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Compute/availabilitySets/*", + "Microsoft.Compute/locations/*", + "Microsoft.Compute/virtualMachines/*", + "Microsoft.Compute/virtualMachineScaleSets/*", + "Microsoft.Compute/cloudServices/*", + "Microsoft.Compute/disks/write", + "Microsoft.Compute/disks/read", + "Microsoft.Compute/disks/delete", + "Microsoft.DevTestLab/schedules/*", + "Microsoft.Insights/alertRules/*", + "Microsoft.Network/applicationGateways/backendAddressPools/join/action", + "Microsoft.Network/loadBalancers/backendAddressPools/join/action", + "Microsoft.Network/loadBalancers/inboundNatPools/join/action", + "Microsoft.Network/loadBalancers/inboundNatRules/join/action", + "Microsoft.Network/loadBalancers/probes/join/action", + "Microsoft.Network/loadBalancers/read", + "Microsoft.Network/locations/*", + "Microsoft.Network/networkInterfaces/*", + "Microsoft.Network/networkSecurityGroups/join/action", + "Microsoft.Network/networkSecurityGroups/read", + "Microsoft.Network/publicIPAddresses/join/action", + "Microsoft.Network/publicIPAddresses/read", + "Microsoft.Network/virtualNetworks/read", + "Microsoft.Network/virtualNetworks/subnets/join/action", + "Microsoft.RecoveryServices/locations/*", + "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write", + 
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write", + "Microsoft.RecoveryServices/Vaults/backupPolicies/read", + "Microsoft.RecoveryServices/Vaults/backupPolicies/write", + "Microsoft.RecoveryServices/Vaults/read", + "Microsoft.RecoveryServices/Vaults/usages/read", + "Microsoft.RecoveryServices/Vaults/write", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.SerialConsole/serialPorts/connect/action", + "Microsoft.SqlVirtualMachine/*", + "Microsoft.Storage/storageAccounts/listKeys/action", + "Microsoft.Storage/storageAccounts/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Virtual Machine Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Virtual Machine Data Access Administrator (preview) ++Manage access to Virtual Machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an ABAC condition to constrain role assignments. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/write | Create a role assignment at the specified scope. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/delete | Delete a role assignment at the specified scope. 
| +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Management](../permissions/management-and-governance.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated user. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/publicIPAddresses/read | Gets a public IP address definition. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/read | Gets a load balancer definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/read | Gets a network interface definition. 
| +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/*/read | | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/*/read | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | +> | **Condition** | | +> | ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52})) | Add or remove role assignments for the following roles:<br/>Virtual Machine Administrator Login<br/>Virtual Machine User Login | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Manage access to Virtual Machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. 
Includes an ABAC condition to constrain role assignments.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/66f75aeb-eabe-4b70-9f1e-c350c4c9ad04", + "name": "66f75aeb-eabe-4b70-9f1e-c350c4c9ad04", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/roleAssignments/write", + "Microsoft.Authorization/roleAssignments/delete", + "Microsoft.Authorization/*/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Management/managementGroups/read", + "Microsoft.Network/publicIPAddresses/read", + "Microsoft.Network/virtualNetworks/read", + "Microsoft.Network/loadBalancers/read", + "Microsoft.Network/networkInterfaces/read", + "Microsoft.Compute/virtualMachines/*/read", + "Microsoft.HybridCompute/machines/*/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [], + "conditionVersion": "2.0", + "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52}))" + } + ], + "roleName": "Virtual Machine Data Access Administrator (preview)", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Virtual Machine Local User Login ++View Virtual Machines in the portal and login as a local user configured on the arc server ++[Learn more](/azure/azure-arc/servers/ssh-arc-troubleshoot) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | 
[Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/*/read | | +> | [Microsoft.HybridConnectivity](../permissions/hybrid-multicloud.md#microsofthybridconnectivity)/endpoints/listCredentials/action | Gets the endpoint access credentials to the resource. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "View Virtual Machines in the portal and login as a local user configured on the arc server", + "id": "/providers/Microsoft.Authorization/roleDefinitions/602da2ba-a5c2-41da-b01d-5360126ab525", + "name": "602da2ba-a5c2-41da-b01d-5360126ab525", + "permissions": [ + { + "actions": [ + "Microsoft.HybridCompute/machines/*/read", + "Microsoft.HybridConnectivity/endpoints/listCredentials/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Virtual Machine Local User Login", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Virtual Machine User Login ++View Virtual Machines in the portal and login as a regular user. ++[Learn more](/entra/identity/devices/howto-vm-sign-in-azure-ad-windows) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/publicIPAddresses/read | Gets a public IP address definition. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/read | Gets a load balancer definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/read | Gets a network interface definition. 
| +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/*/read | | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/*/read | | +> | [Microsoft.HybridConnectivity](../permissions/hybrid-multicloud.md#microsofthybridconnectivity)/endpoints/listCredentials/action | Gets the endpoint access credentials to the resource. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/login/action | Log in to a virtual machine as a regular user | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/login/action | Log in to an Azure Arc machine as a regular user | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "View Virtual Machines in the portal and login as a regular user.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52", + "name": "fb879df8-f326-4884-b1cf-06f3ad86be52", + "permissions": [ + { + "actions": [ + "Microsoft.Network/publicIPAddresses/read", + "Microsoft.Network/virtualNetworks/read", + "Microsoft.Network/loadBalancers/read", + "Microsoft.Network/networkInterfaces/read", + "Microsoft.Compute/virtualMachines/*/read", + "Microsoft.HybridCompute/machines/*/read", + "Microsoft.HybridConnectivity/endpoints/listCredentials/action" + ], + "notActions": [], + "dataActions": [ + "Microsoft.Compute/virtualMachines/login/action", + "Microsoft.HybridCompute/machines/login/action" + ], + "notDataActions": [] + } + ], + "roleName": "Virtual Machine User Login", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Windows Admin Center Administrator Login ++Let's you manage the OS of your resource via Windows Admin Center as an administrator. 
++[Learn more](/windows-server/manage/windows-admin-center/azure/manage-vm) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/*/read | | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/extensions/* | | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/upgradeExtensions/action | Upgrades Extensions on Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/operations/read | Read all Operations for Azure Arc for Servers | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/read | Gets a network interface definition. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/read | Gets a load balancer definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/publicIPAddresses/read | Gets a public IP address definition. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/read | Gets a network security group definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/defaultSecurityRules/read | Gets a default security rule definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkWatchers/securityGroupView/action | View the configured and effective network security group rules applied on a VM. 
| +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/securityRules/read | Gets a security rule definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/securityRules/write | Creates a security rule or updates an existing security rule | +> | [Microsoft.HybridConnectivity](../permissions/hybrid-multicloud.md#microsofthybridconnectivity)/endpoints/write | Update the endpoint to the target resource. | +> | [Microsoft.HybridConnectivity](../permissions/hybrid-multicloud.md#microsofthybridconnectivity)/endpoints/read | Gets the endpoint to the resource. | +> | [Microsoft.HybridConnectivity](../permissions/hybrid-multicloud.md#microsofthybridconnectivity)/endpoints/serviceConfigurations/write | Update the service details in the service configurations of the target resource. | +> | [Microsoft.HybridConnectivity](../permissions/hybrid-multicloud.md#microsofthybridconnectivity)/endpoints/serviceConfigurations/read | Gets the details about the service to the resource. 
| +> | [Microsoft.HybridConnectivity](../permissions/hybrid-multicloud.md#microsofthybridconnectivity)/endpoints/listManagedProxyDetails/action | Fetches the managed proxy details | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/read | Get the properties of a virtual machine | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/patchAssessmentResults/latest/read | Retrieves the summary of the latest patch assessment operation | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/patchAssessmentResults/latest/softwarePatches/read | Retrieves list of patches assessed during the last patch assessment operation | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/patchInstallationResults/read | Retrieves the summary of the latest patch installation operation | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/patchInstallationResults/softwarePatches/read | Retrieves list of patches attempted to be installed during the last patch installation operation | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/extensions/read | Get the properties of a virtual machine extension | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/instanceView/read | Gets the detailed runtime status of the virtual machine and its resources | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/runCommands/read | Get the properties of a virtual machine run command | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/vmSizes/read | Lists available sizes the virtual machine can be updated to | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/locations/publishers/artifacttypes/types/read | Get the properties of a VMExtension Type | +> | 
[Microsoft.Compute](../permissions/compute.md#microsoftcompute)/locations/publishers/artifacttypes/types/versions/read | Get the properties of a VMExtension Version | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/diskAccesses/read | Get the properties of DiskAccess resource | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/galleries/images/read | Gets the properties of Gallery Image | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/images/read | Get the properties of the Image | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/Clusters/Read | Gets clusters | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/Clusters/ArcSettings/Read | Gets arc resource of HCI cluster | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/Clusters/ArcSettings/Extensions/Read | Gets extension resource of HCI cluster | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/Clusters/ArcSettings/Extensions/Write | Create or update extension resource of HCI cluster | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/Clusters/ArcSettings/Extensions/Delete | Delete extension resources of HCI cluster | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/Operations/Read | Gets operations | +> | Microsoft.ConnectedVMwarevSphere/VirtualMachines/Read | Read virtualmachines | +> | Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Write | Write extension resource | +> | Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Read | Gets extension resource | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/WACLoginAsAdmin/action | Lets you manage the OS of your resource via 
Windows Admin Center as an administrator. | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/WACloginAsAdmin/action | Lets you manage the OS of your resource via Windows Admin Center as an administrator | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/Clusters/WACloginAsAdmin/Action | Manage OS of HCI resource via Windows Admin Center as an administrator | +> | Microsoft.ConnectedVMwarevSphere/virtualmachines/WACloginAsAdmin/action | Lets you manage the OS of your resource via Windows Admin Center as an administrator. | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Let's you manage the OS of your resource via Windows Admin Center as an administrator.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/a6333a3e-0164-44c3-b281-7a577aff287f", + "name": "a6333a3e-0164-44c3-b281-7a577aff287f", + "permissions": [ + { + "actions": [ + "Microsoft.HybridCompute/machines/*/read", + "Microsoft.HybridCompute/machines/extensions/*", + "Microsoft.HybridCompute/machines/upgradeExtensions/action", + "Microsoft.HybridCompute/operations/read", + "Microsoft.Network/networkInterfaces/read", + "Microsoft.Network/loadBalancers/read", + "Microsoft.Network/publicIPAddresses/read", + "Microsoft.Network/virtualNetworks/read", + "Microsoft.Network/networkSecurityGroups/read", + "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read", + "Microsoft.Network/networkWatchers/securityGroupView/action", + "Microsoft.Network/networkSecurityGroups/securityRules/read", + "Microsoft.Network/networkSecurityGroups/securityRules/write", + "Microsoft.HybridConnectivity/endpoints/write", + "Microsoft.HybridConnectivity/endpoints/read", + "Microsoft.HybridConnectivity/endpoints/serviceConfigurations/write", + "Microsoft.HybridConnectivity/endpoints/serviceConfigurations/read", + 
"Microsoft.HybridConnectivity/endpoints/listManagedProxyDetails/action", + "Microsoft.Compute/virtualMachines/read", + "Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/read", + "Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/softwarePatches/read", + "Microsoft.Compute/virtualMachines/patchInstallationResults/read", + "Microsoft.Compute/virtualMachines/patchInstallationResults/softwarePatches/read", + "Microsoft.Compute/virtualMachines/extensions/read", + "Microsoft.Compute/virtualMachines/instanceView/read", + "Microsoft.Compute/virtualMachines/runCommands/read", + "Microsoft.Compute/virtualMachines/vmSizes/read", + "Microsoft.Compute/locations/publishers/artifacttypes/types/read", + "Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read", + "Microsoft.Compute/diskAccesses/read", + "Microsoft.Compute/galleries/images/read", + "Microsoft.Compute/images/read", + "Microsoft.AzureStackHCI/Clusters/Read", + "Microsoft.AzureStackHCI/Clusters/ArcSettings/Read", + "Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Read", + "Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Write", + "Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Delete", + "Microsoft.AzureStackHCI/Operations/Read", + "Microsoft.ConnectedVMwarevSphere/VirtualMachines/Read", + "Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Write", + "Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.HybridCompute/machines/WACLoginAsAdmin/action", + "Microsoft.Compute/virtualMachines/WACloginAsAdmin/action", + "Microsoft.AzureStackHCI/Clusters/WACloginAsAdmin/Action", + "Microsoft.ConnectedVMwarevSphere/virtualmachines/WACloginAsAdmin/action" + ], + "notDataActions": [] + } + ], + "roleName": "Windows Admin Center Administrator Login", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Next steps ++- [Assign Azure roles using 
the Azure portal](/azure/role-based-access-control/role-assignments-portal) |
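Review bot: the role's JSON `description` reads "Let's you manage the OS of your resource via Windows Admin Center as an administrator." where "Let's" should be "Lets", and the four data actions are cased inconsistently (`machines/WACLoginAsAdmin/action`, `virtualMachines/WACloginAsAdmin/action`, `Clusters/WACloginAsAdmin/Action`); if these strings are copied from the live role definition they should be corrected at the source, but the article should not carry the typo into any prose of its own. The more important point for a reader judging least privilege is that the one-line description only mentions managing the OS, while the `actions` list also grants `Microsoft.Network/networkSecurityGroups/securityRules/write`, `Microsoft.HybridConnectivity/endpoints/write` and `Microsoft.HybridConnectivity/endpoints/serviceConfigurations/write`, so a holder can create or change NSG rules and Arc connectivity endpoints, not just sign in through Windows Admin Center; a sentence under the role heading stating that would help.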
role-based-access-control | Containers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/containers.md | + + Title: Azure built-in roles for Containers - Azure RBAC +description: This article lists the Azure built-in roles for Azure role-based access control (Azure RBAC) in the Containers category. It lists Actions, NotActions, DataActions, and NotDataActions. ++++++ Last updated : 02/07/2024++++# Azure built-in roles for Containers ++This article lists the Azure built-in roles in the Containers category. +++## AcrDelete ++Delete repositories, tags, or manifests from a container registry. ++[Learn more](/azure/container-registry/container-registry-roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ContainerRegistry](../permissions/containers.md#microsoftcontainerregistry)/registries/artifacts/delete | Delete artifact in a container registry. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "acr delete", + "id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "permissions": [ + { + "actions": [ + "Microsoft.ContainerRegistry/registries/artifacts/delete" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "AcrDelete", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## AcrImageSigner ++Push trusted images to or pull trusted images from a container registry enabled for content trust. 
++[Learn more](/azure/container-registry/container-registry-roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ContainerRegistry](../permissions/containers.md#microsoftcontainerregistry)/registries/sign/write | Push/Pull content trust metadata for a container registry. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.ContainerRegistry](../permissions/containers.md#microsoftcontainerregistry)/registries/trustedCollections/write | Allows push or publish of trusted collections of container registry content. This is similar to Microsoft.ContainerRegistry/registries/sign/write action except that this is a data action | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "acr image signer", + "id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f", + "name": "6cef56e8-d556-48e5-a04f-b8e64114680f", + "permissions": [ + { + "actions": [ + "Microsoft.ContainerRegistry/registries/sign/write" + ], + "notActions": [], + "dataActions": [ + "Microsoft.ContainerRegistry/registries/trustedCollections/write" + ], + "notDataActions": [] + } + ], + "roleName": "AcrImageSigner", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## AcrPull ++Pull artifacts from a container registry. ++[Learn more](/azure/container-registry/container-registry-roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ContainerRegistry](../permissions/containers.md#microsoftcontainerregistry)/registries/pull/read | Pull or Get images from a container registry. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "acr pull", + "id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d", + "name": "7f951dda-4ed3-4680-a7ca-43fe172d538d", + "permissions": [ + { + "actions": [ + "Microsoft.ContainerRegistry/registries/pull/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "AcrPull", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## AcrPush ++Push artifacts to or pull artifacts from a container registry. ++[Learn more](/azure/container-registry/container-registry-roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ContainerRegistry](../permissions/containers.md#microsoftcontainerregistry)/registries/pull/read | Pull or Get images from a container registry. | +> | [Microsoft.ContainerRegistry](../permissions/containers.md#microsoftcontainerregistry)/registries/push/write | Push or Write images to a container registry. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "acr push", + "id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec", + "name": "8311e382-0749-4cb8-b61a-304f252e45ec", + "permissions": [ + { + "actions": [ + "Microsoft.ContainerRegistry/registries/pull/read", + "Microsoft.ContainerRegistry/registries/push/write" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "AcrPush", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## AcrQuarantineReader ++Pull quarantined images from a container registry. 
++[Learn more](/azure/container-registry/container-registry-roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ContainerRegistry](../permissions/containers.md#microsoftcontainerregistry)/registries/quarantine/read | Pull or Get quarantined images from container registry | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.ContainerRegistry](../permissions/containers.md#microsoftcontainerregistry)/registries/quarantinedArtifacts/read | Allows pull or get of the quarantined artifacts from container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read except that it is a data action | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "acr quarantine data reader", + "id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04", + "name": "cdda3590-29a3-44f6-95f2-9f980659eb04", + "permissions": [ + { + "actions": [ + "Microsoft.ContainerRegistry/registries/quarantine/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read" + ], + "notDataActions": [] + } + ], + "roleName": "AcrQuarantineReader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## AcrQuarantineWriter ++Push quarantined images to or pull quarantined images from a container registry. 
++[Learn more](/azure/container-registry/container-registry-roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ContainerRegistry](../permissions/containers.md#microsoftcontainerregistry)/registries/quarantine/read | Pull or Get quarantined images from container registry | +> | [Microsoft.ContainerRegistry](../permissions/containers.md#microsoftcontainerregistry)/registries/quarantine/write | Write/Modify quarantine state of quarantined images | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.ContainerRegistry](../permissions/containers.md#microsoftcontainerregistry)/registries/quarantinedArtifacts/read | Allows pull or get of the quarantined artifacts from container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read except that it is a data action | +> | [Microsoft.ContainerRegistry](../permissions/containers.md#microsoftcontainerregistry)/registries/quarantinedArtifacts/write | Allows write or update of the quarantine state of quarantined artifacts. 
This is similar to Microsoft.ContainerRegistry/registries/quarantine/write action except that it is a data action | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "acr quarantine data writer", + "id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608", + "name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608", + "permissions": [ + { + "actions": [ + "Microsoft.ContainerRegistry/registries/quarantine/read", + "Microsoft.ContainerRegistry/registries/quarantine/write" + ], + "notActions": [], + "dataActions": [ + "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read", + "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write" + ], + "notDataActions": [] + } + ], + "roleName": "AcrQuarantineWriter", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Arc Enabled Kubernetes Cluster User Role ++List cluster user credentials action. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/write | Creates or updates an deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/listClusterUserCredentials/action | List clusterUser credential(preview) | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/listClusterUserCredential/action | List clusterUser credential | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "List cluster user credentials action.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd", + "name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd", + "permissions": [ + { + "actions": [ + "Microsoft.Resources/deployments/write", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Support/*", + "Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Arc Enabled Kubernetes Cluster User Role", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Arc Kubernetes Admin ++Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. 
++[Learn more](/azure/azure-arc/kubernetes/azure-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/write | Creates or updates an deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/apps/daemonsets/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/apps/deployments/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/apps/replicasets/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/apps/statefulsets/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write | Writes localsubjectaccessreviews | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/autoscaling/horizontalpodautoscalers/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/batch/cronjobs/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/batch/jobs/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/configmaps/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/endpoints/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/events.k8s.io/events/read | Reads events | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/events/read | Reads events | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/extensions/daemonsets/* | | +> | 
[Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/extensions/deployments/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/extensions/ingresses/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/extensions/networkpolicies/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/extensions/replicasets/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/limitranges/read | Reads limitranges | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/namespaces/read | Reads namespaces | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/networking.k8s.io/ingresses/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/networking.k8s.io/networkpolicies/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/persistentvolumeclaims/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/pods/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/policy/poddisruptionbudgets/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/rbac.authorization.k8s.io/rolebindings/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/rbac.authorization.k8s.io/roles/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/replicationcontrollers/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/replicationcontrollers/* | | +> | 
[Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/resourcequotas/read | Reads resourcequotas | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/secrets/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/serviceaccounts/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/services/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96", + "name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/write", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [ + "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read", + "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*", + "Microsoft.Kubernetes/connectedClusters/apps/deployments/*", + "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*", + "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*", + "Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write", + "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*", + "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*", + "Microsoft.Kubernetes/connectedClusters/batch/jobs/*", + "Microsoft.Kubernetes/connectedClusters/configmaps/*", + "Microsoft.Kubernetes/connectedClusters/endpoints/*", + 
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read", + "Microsoft.Kubernetes/connectedClusters/events/read", + "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*", + "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*", + "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*", + "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*", + "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*", + "Microsoft.Kubernetes/connectedClusters/limitranges/read", + "Microsoft.Kubernetes/connectedClusters/namespaces/read", + "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*", + "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*", + "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*", + "Microsoft.Kubernetes/connectedClusters/pods/*", + "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*", + "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*", + "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*", + "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*", + "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*", + "Microsoft.Kubernetes/connectedClusters/resourcequotas/read", + "Microsoft.Kubernetes/connectedClusters/secrets/*", + "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*", + "Microsoft.Kubernetes/connectedClusters/services/*" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Arc Kubernetes Admin", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Arc Kubernetes Cluster Admin ++Lets you manage all resources in the cluster. 
++[Learn more](/azure/azure-arc/kubernetes/azure-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/write | Creates or updates an deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage all resources in the cluster.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2", + "name": "8393591c-06b9-48a2-a542-1bd6b377f6a2", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/write", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [ + "Microsoft.Kubernetes/connectedClusters/*" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Arc Kubernetes Cluster Admin", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Arc Kubernetes Viewer ++Lets you view all resources in cluster/namespace, except secrets. ++[Learn more](/azure/azure-arc/kubernetes/azure-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/write | Creates or updates an deployment. 
| +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/apps/daemonsets/read | Reads daemonsets | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/apps/deployments/read | Reads deployments | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/apps/replicasets/read | Reads replicasets | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/apps/statefulsets/read | Reads statefulsets | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/batch/cronjobs/read | Reads cronjobs | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/batch/jobs/read | Reads jobs | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/configmaps/read | Reads configmaps | +> | 
[Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/endpoints/read | Reads endpoints | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/events.k8s.io/events/read | Reads events | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/events/read | Reads events | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/extensions/daemonsets/read | Reads daemonsets | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/extensions/deployments/read | Reads deployments | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/extensions/ingresses/read | Reads ingresses | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/extensions/networkpolicies/read | Reads networkpolicies | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/extensions/replicasets/read | Reads replicasets | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/limitranges/read | Reads limitranges | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/namespaces/read | Reads namespaces | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/networking.k8s.io/ingresses/read | Reads ingresses | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/networking.k8s.io/networkpolicies/read | Reads networkpolicies | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/persistentvolumeclaims/read | Reads persistentvolumeclaims | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/pods/read | Reads pods | +> | 
[Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/replicationcontrollers/read | Reads replicationcontrollers | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/replicationcontrollers/read | Reads replicationcontrollers | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/resourcequotas/read | Reads resourcequotas | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/serviceaccounts/read | Reads serviceaccounts | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/services/read | Reads services | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you view all resources in cluster/namespace, except secrets.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4", + "name": "63f0a09d-1495-4db4-a681-037d84835eb4", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/write", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [ + "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read", + "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read", + "Microsoft.Kubernetes/connectedClusters/apps/deployments/read", + "Microsoft.Kubernetes/connectedClusters/apps/replicasets/read", + "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read", + 
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read", + "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read", + "Microsoft.Kubernetes/connectedClusters/batch/jobs/read", + "Microsoft.Kubernetes/connectedClusters/configmaps/read", + "Microsoft.Kubernetes/connectedClusters/endpoints/read", + "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read", + "Microsoft.Kubernetes/connectedClusters/events/read", + "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read", + "Microsoft.Kubernetes/connectedClusters/extensions/deployments/read", + "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read", + "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read", + "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read", + "Microsoft.Kubernetes/connectedClusters/limitranges/read", + "Microsoft.Kubernetes/connectedClusters/namespaces/read", + "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read", + "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read", + "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read", + "Microsoft.Kubernetes/connectedClusters/pods/read", + "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read", + "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read", + "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read", + "Microsoft.Kubernetes/connectedClusters/resourcequotas/read", + "Microsoft.Kubernetes/connectedClusters/serviceaccounts/read", + "Microsoft.Kubernetes/connectedClusters/services/read" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Arc Kubernetes Viewer", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Arc Kubernetes Writer ++Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings. 
++[Learn more](/azure/azure-arc/kubernetes/azure-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/write | Creates or updates an deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/apps/daemonsets/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/apps/deployments/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/apps/replicasets/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/apps/statefulsets/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/autoscaling/horizontalpodautoscalers/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/batch/cronjobs/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/batch/jobs/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/configmaps/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/endpoints/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/events.k8s.io/events/read | Reads events | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/events/read | Reads events | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/extensions/daemonsets/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/extensions/deployments/* | | +> | 
[Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/extensions/ingresses/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/extensions/networkpolicies/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/extensions/replicasets/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/limitranges/read | Reads limitranges | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/namespaces/read | Reads namespaces | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/networking.k8s.io/ingresses/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/networking.k8s.io/networkpolicies/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/persistentvolumeclaims/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/pods/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/policy/poddisruptionbudgets/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/replicationcontrollers/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/replicationcontrollers/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/resourcequotas/read | Reads resourcequotas | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/secrets/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/serviceaccounts/* | | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/services/* | | 
+> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1", + "name": "5b999177-9696-4545-85c7-50de3797e5a1", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/write", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [ + "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read", + "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*", + "Microsoft.Kubernetes/connectedClusters/apps/deployments/*", + "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*", + "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*", + "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*", + "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*", + "Microsoft.Kubernetes/connectedClusters/batch/jobs/*", + "Microsoft.Kubernetes/connectedClusters/configmaps/*", + "Microsoft.Kubernetes/connectedClusters/endpoints/*", + "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read", + "Microsoft.Kubernetes/connectedClusters/events/read", + "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*", + "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*", + "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*", + "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*", + "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*", + "Microsoft.Kubernetes/connectedClusters/limitranges/read", + "Microsoft.Kubernetes/connectedClusters/namespaces/read", + 
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*", + "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*", + "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*", + "Microsoft.Kubernetes/connectedClusters/pods/*", + "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*", + "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*", + "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*", + "Microsoft.Kubernetes/connectedClusters/resourcequotas/read", + "Microsoft.Kubernetes/connectedClusters/secrets/*", + "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*", + "Microsoft.Kubernetes/connectedClusters/services/*" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Arc Kubernetes Writer", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Kubernetes Fleet Manager RBAC Admin ++This role grants admin access - provides write permissions on most objects within a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/read | Get fleet | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/listCredentials/action | List fleet credentials | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/apps/controllerrevisions/read | Reads controllerrevisions | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/apps/daemonsets/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/apps/deployments/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/apps/statefulsets/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/authorization.k8s.io/localsubjectaccessreviews/write | Writes localsubjectaccessreviews | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/autoscaling/horizontalpodautoscalers/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/batch/cronjobs/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/batch/jobs/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/configmaps/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/endpoints/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/events.k8s.io/events/read | Reads events | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/events/read | Reads events | +> | 
[Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/extensions/daemonsets/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/extensions/deployments/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/extensions/ingresses/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/extensions/networkpolicies/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/limitranges/read | Reads limitranges | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/namespaces/read | Reads namespaces | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/networking.k8s.io/ingresses/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/networking.k8s.io/networkpolicies/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/persistentvolumeclaims/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/policy/poddisruptionbudgets/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/rbac.authorization.k8s.io/rolebindings/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/rbac.authorization.k8s.io/roles/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/replicationcontrollers/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/replicationcontrollers/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/resourcequotas/read | Reads resourcequotas | +> | 
[Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/secrets/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/serviceaccounts/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/services/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "This role grants admin access - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba", + "name": "434fb43a-c01c-447e-9f67-c3ad923cfaba", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.ContainerService/fleets/read", + "Microsoft.ContainerService/fleets/listCredentials/action" + ], + "notActions": [], + "dataActions": [ + "Microsoft.ContainerService/fleets/apps/controllerrevisions/read", + "Microsoft.ContainerService/fleets/apps/daemonsets/*", + "Microsoft.ContainerService/fleets/apps/deployments/*", + "Microsoft.ContainerService/fleets/apps/statefulsets/*", + "Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write", + "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*", + "Microsoft.ContainerService/fleets/batch/cronjobs/*", + "Microsoft.ContainerService/fleets/batch/jobs/*", + "Microsoft.ContainerService/fleets/configmaps/*", + "Microsoft.ContainerService/fleets/endpoints/*", + "Microsoft.ContainerService/fleets/events.k8s.io/events/read", + "Microsoft.ContainerService/fleets/events/read", + 
"Microsoft.ContainerService/fleets/extensions/daemonsets/*", + "Microsoft.ContainerService/fleets/extensions/deployments/*", + "Microsoft.ContainerService/fleets/extensions/ingresses/*", + "Microsoft.ContainerService/fleets/extensions/networkpolicies/*", + "Microsoft.ContainerService/fleets/limitranges/read", + "Microsoft.ContainerService/fleets/namespaces/read", + "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*", + "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*", + "Microsoft.ContainerService/fleets/persistentvolumeclaims/*", + "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*", + "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*", + "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*", + "Microsoft.ContainerService/fleets/replicationcontrollers/*", + "Microsoft.ContainerService/fleets/replicationcontrollers/*", + "Microsoft.ContainerService/fleets/resourcequotas/read", + "Microsoft.ContainerService/fleets/secrets/*", + "Microsoft.ContainerService/fleets/serviceaccounts/*", + "Microsoft.ContainerService/fleets/services/*" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Kubernetes Fleet Manager RBAC Admin", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Kubernetes Fleet Manager RBAC Cluster Admin ++Lets you manage all resources in the fleet manager cluster. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. 
| +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/read | Get fleet | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/listCredentials/action | List fleet credentials | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage all resources in the fleet manager cluster.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69", + "name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.ContainerService/fleets/read", + "Microsoft.ContainerService/fleets/listCredentials/action" + ], + "notActions": [], + "dataActions": [ + "Microsoft.ContainerService/fleets/*" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Kubernetes Fleet Manager RBAC Reader ++Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). 
Applying this role at cluster scope will give access across all namespaces. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/read | Get fleet | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/listCredentials/action | List fleet credentials | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/apps/controllerrevisions/read | Reads controllerrevisions | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/apps/daemonsets/read | Reads daemonsets | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/apps/deployments/read | Reads deployments | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/apps/statefulsets/read | Reads statefulsets | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/batch/cronjobs/read | Reads cronjobs | +> | 
[Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/batch/jobs/read | Reads jobs | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/configmaps/read | Reads configmaps | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/endpoints/read | Reads endpoints | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/events.k8s.io/events/read | Reads events | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/events/read | Reads events | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/extensions/daemonsets/read | Reads daemonsets | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/extensions/deployments/read | Reads deployments | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/extensions/ingresses/read | Reads ingresses | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/extensions/networkpolicies/read | Reads networkpolicies | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/limitranges/read | Reads limitranges | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/namespaces/read | Reads namespaces | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/networking.k8s.io/ingresses/read | Reads ingresses | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/networking.k8s.io/networkpolicies/read | Reads networkpolicies | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/persistentvolumeclaims/read | Reads persistentvolumeclaims | +> | 
[Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/replicationcontrollers/read | Reads replicationcontrollers | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/replicationcontrollers/read | Reads replicationcontrollers | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/resourcequotas/read | Reads resourcequotas | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/serviceaccounts/read | Reads serviceaccounts | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/services/read | Reads services | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). 
Applying this role at cluster scope will give access across all namespaces.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80", + "name": "30b27cfc-9c84-438e-b0ce-70e35255df80", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.ContainerService/fleets/read", + "Microsoft.ContainerService/fleets/listCredentials/action" + ], + "notActions": [], + "dataActions": [ + "Microsoft.ContainerService/fleets/apps/controllerrevisions/read", + "Microsoft.ContainerService/fleets/apps/daemonsets/read", + "Microsoft.ContainerService/fleets/apps/deployments/read", + "Microsoft.ContainerService/fleets/apps/statefulsets/read", + "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read", + "Microsoft.ContainerService/fleets/batch/cronjobs/read", + "Microsoft.ContainerService/fleets/batch/jobs/read", + "Microsoft.ContainerService/fleets/configmaps/read", + "Microsoft.ContainerService/fleets/endpoints/read", + "Microsoft.ContainerService/fleets/events.k8s.io/events/read", + "Microsoft.ContainerService/fleets/events/read", + "Microsoft.ContainerService/fleets/extensions/daemonsets/read", + "Microsoft.ContainerService/fleets/extensions/deployments/read", + "Microsoft.ContainerService/fleets/extensions/ingresses/read", + "Microsoft.ContainerService/fleets/extensions/networkpolicies/read", + "Microsoft.ContainerService/fleets/limitranges/read", + "Microsoft.ContainerService/fleets/namespaces/read", + "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read", + "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read", + "Microsoft.ContainerService/fleets/persistentvolumeclaims/read", + "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read", + 
"Microsoft.ContainerService/fleets/replicationcontrollers/read", + "Microsoft.ContainerService/fleets/replicationcontrollers/read", + "Microsoft.ContainerService/fleets/resourcequotas/read", + "Microsoft.ContainerService/fleets/serviceaccounts/read", + "Microsoft.ContainerService/fleets/services/read" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Kubernetes Fleet Manager RBAC Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Kubernetes Fleet Manager RBAC Writer ++Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/read | Get fleet | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/listCredentials/action | List fleet credentials | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/apps/controllerrevisions/read | Reads controllerrevisions | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/apps/daemonsets/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/apps/deployments/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/apps/statefulsets/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/autoscaling/horizontalpodautoscalers/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/batch/cronjobs/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/batch/jobs/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/configmaps/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/endpoints/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/events.k8s.io/events/read | Reads events | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/events/read | Reads events | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/extensions/daemonsets/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/extensions/deployments/* | | +> | 
[Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/extensions/ingresses/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/extensions/networkpolicies/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/limitranges/read | Reads limitranges | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/namespaces/read | Reads namespaces | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/networking.k8s.io/ingresses/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/networking.k8s.io/networkpolicies/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/persistentvolumeclaims/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/policy/poddisruptionbudgets/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/replicationcontrollers/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/replicationcontrollers/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/resourcequotas/read | Reads resourcequotas | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/secrets/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/serviceaccounts/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/services/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles 
or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683", + "name": "5af6afb3-c06c-4fa4-8848-71a8aee05683", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.ContainerService/fleets/read", + "Microsoft.ContainerService/fleets/listCredentials/action" + ], + "notActions": [], + "dataActions": [ + "Microsoft.ContainerService/fleets/apps/controllerrevisions/read", + "Microsoft.ContainerService/fleets/apps/daemonsets/*", + "Microsoft.ContainerService/fleets/apps/deployments/*", + "Microsoft.ContainerService/fleets/apps/statefulsets/*", + "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*", + "Microsoft.ContainerService/fleets/batch/cronjobs/*", + "Microsoft.ContainerService/fleets/batch/jobs/*", + "Microsoft.ContainerService/fleets/configmaps/*", + "Microsoft.ContainerService/fleets/endpoints/*", + "Microsoft.ContainerService/fleets/events.k8s.io/events/read", + "Microsoft.ContainerService/fleets/events/read", + "Microsoft.ContainerService/fleets/extensions/daemonsets/*", + "Microsoft.ContainerService/fleets/extensions/deployments/*", + "Microsoft.ContainerService/fleets/extensions/ingresses/*", + "Microsoft.ContainerService/fleets/extensions/networkpolicies/*", + "Microsoft.ContainerService/fleets/limitranges/read", + "Microsoft.ContainerService/fleets/namespaces/read", + "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*", + "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*", + 
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*", + "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*", + "Microsoft.ContainerService/fleets/replicationcontrollers/*", + "Microsoft.ContainerService/fleets/replicationcontrollers/*", + "Microsoft.ContainerService/fleets/resourcequotas/read", + "Microsoft.ContainerService/fleets/secrets/*", + "Microsoft.ContainerService/fleets/serviceaccounts/*", + "Microsoft.ContainerService/fleets/services/*" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Kubernetes Fleet Manager RBAC Writer", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Kubernetes Service Cluster Admin Role ++List cluster admin credential action. ++[Learn more](/azure/aks/control-kubeconfig-access) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/listClusterAdminCredential/action | List the clusterAdmin credential of a managed cluster | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/accessProfiles/listCredential/action | Get a managed cluster access profile by role name using list credential | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/read | Get a managed cluster | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/runcommand/action | Run user issued command against managed kubernetes server. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "List cluster admin credential action.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8", + "name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8", + "permissions": [ + { + "actions": [ + "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action", + "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action", + "Microsoft.ContainerService/managedClusters/read", + "Microsoft.ContainerService/managedClusters/runcommand/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Kubernetes Service Cluster Admin Role", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Kubernetes Service Cluster Monitoring User ++List cluster monitoring user credential action. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/listClusterMonitoringUserCredential/action | List the clusterMonitoringUser credential of a managed cluster | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/read | Get a managed cluster | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "List cluster monitoring user credential action.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6", + "name": "1afdec4b-e479-420e-99e7-f82237c7c5e6", + "permissions": [ + { + "actions": [ + "Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action", + "Microsoft.ContainerService/managedClusters/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Kubernetes Service Cluster Monitoring User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Kubernetes Service Cluster User Role ++List cluster user credential action. 
++[Learn more](/azure/aks/control-kubeconfig-access) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/read | Get a managed cluster | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "List cluster user credential action.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f", + "name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f", + "permissions": [ + { + "actions": [ + "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action", + "Microsoft.ContainerService/managedClusters/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Kubernetes Service Cluster User Role", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Kubernetes Service Contributor Role ++Grants access to read and write Azure Kubernetes Service clusters ++[Learn more](/azure/aks/concepts-identity) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/read | Get a managed cluster | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/write | Creates a new managed cluster or updates an existing one | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> 
| **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Grants access to read and write Azure Kubernetes Service clusters", + "id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", + "name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", + "permissions": [ + { + "actions": [ + "Microsoft.ContainerService/managedClusters/read", + "Microsoft.ContainerService/managedClusters/write", + "Microsoft.Resources/deployments/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Kubernetes Service Contributor Role", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Kubernetes Service RBAC Admin ++Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. ++[Learn more](/azure/aks/manage-azure-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/* | | +> | **NotDataActions** | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/resourcequotas/write | Writes resourcequotas | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/resourcequotas/delete | Deletes resourcequotas | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/namespaces/write | Writes namespaces | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/namespaces/delete | Deletes namespaces | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7", + "name": "3498e952-d568-435e-9b2c-8d77e338d7f7", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action" + ], + "notActions": [], + "dataActions": [ + "Microsoft.ContainerService/managedClusters/*" + ], + "notDataActions": [ + "Microsoft.ContainerService/managedClusters/resourcequotas/write", + "Microsoft.ContainerService/managedClusters/resourcequotas/delete", + "Microsoft.ContainerService/managedClusters/namespaces/write", + 
"Microsoft.ContainerService/managedClusters/namespaces/delete" + ] + } + ], + "roleName": "Azure Kubernetes Service RBAC Admin", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Kubernetes Service RBAC Cluster Admin ++Lets you manage all resources in the cluster. ++[Learn more](/azure/aks/manage-azure-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage all resources in the cluster.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b", + "name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action" + ], + "notActions": [], + "dataActions": [ + "Microsoft.ContainerService/managedClusters/*" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Kubernetes Service RBAC Cluster Admin", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Kubernetes Service RBAC Reader ++Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. 
++[Learn more](/azure/aks/manage-azure-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/apps/daemonsets/read | Reads daemonsets | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/apps/deployments/read | Reads deployments | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/apps/replicasets/read | Reads replicasets | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/apps/statefulsets/read | Reads statefulsets | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/batch/cronjobs/read | Reads cronjobs | +> | 
[Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/batch/jobs/read | Reads jobs | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/configmaps/read | Reads configmaps | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/discovery.k8s.io/endpointslices/read | Reads endpointslices | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/endpoints/read | Reads endpoints | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/events.k8s.io/events/read | Reads events | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/events/read | Reads events | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/extensions/daemonsets/read | Reads daemonsets | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/extensions/deployments/read | Reads deployments | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/extensions/ingresses/read | Reads ingresses | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/extensions/networkpolicies/read | Reads networkpolicies | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/extensions/replicasets/read | Reads replicasets | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/limitranges/read | Reads limitranges | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/metrics.k8s.io/pods/read | Reads pods | +> | 
[Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/metrics.k8s.io/nodes/read | Reads nodes | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/namespaces/read | Reads namespaces | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/networking.k8s.io/ingresses/read | Reads ingresses | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/networking.k8s.io/networkpolicies/read | Reads networkpolicies | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/persistentvolumeclaims/read | Reads persistentvolumeclaims | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/pods/read | Reads pods | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/replicationcontrollers/read | Reads replicationcontrollers | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/resourcequotas/read | Reads resourcequotas | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/serviceaccounts/read | Reads serviceaccounts | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/services/read | Reads services | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. 
This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db", + "name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read", + "Microsoft.ContainerService/managedClusters/apps/daemonsets/read", + "Microsoft.ContainerService/managedClusters/apps/deployments/read", + "Microsoft.ContainerService/managedClusters/apps/replicasets/read", + "Microsoft.ContainerService/managedClusters/apps/statefulsets/read", + "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read", + "Microsoft.ContainerService/managedClusters/batch/cronjobs/read", + "Microsoft.ContainerService/managedClusters/batch/jobs/read", + "Microsoft.ContainerService/managedClusters/configmaps/read", + "Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read", + "Microsoft.ContainerService/managedClusters/endpoints/read", + "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read", + "Microsoft.ContainerService/managedClusters/events/read", + "Microsoft.ContainerService/managedClusters/extensions/daemonsets/read", + "Microsoft.ContainerService/managedClusters/extensions/deployments/read", + "Microsoft.ContainerService/managedClusters/extensions/ingresses/read", + "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read", + 
"Microsoft.ContainerService/managedClusters/extensions/replicasets/read", + "Microsoft.ContainerService/managedClusters/limitranges/read", + "Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read", + "Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read", + "Microsoft.ContainerService/managedClusters/namespaces/read", + "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read", + "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read", + "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read", + "Microsoft.ContainerService/managedClusters/pods/read", + "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read", + "Microsoft.ContainerService/managedClusters/replicationcontrollers/read", + "Microsoft.ContainerService/managedClusters/resourcequotas/read", + "Microsoft.ContainerService/managedClusters/serviceaccounts/read", + "Microsoft.ContainerService/managedClusters/services/read" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Kubernetes Service RBAC Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Kubernetes Service RBAC Writer ++Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. 
++[Learn more](/azure/aks/manage-azure-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/apps/daemonsets/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/apps/deployments/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/apps/replicasets/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/apps/statefulsets/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/autoscaling/horizontalpodautoscalers/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/batch/cronjobs/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/coordination.k8s.io/leases/read | Reads leases | +> | 
[Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/coordination.k8s.io/leases/write | Writes leases | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/coordination.k8s.io/leases/delete | Deletes leases | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/discovery.k8s.io/endpointslices/read | Reads endpointslices | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/batch/jobs/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/configmaps/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/endpoints/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/events.k8s.io/events/read | Reads events | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/events/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/extensions/daemonsets/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/extensions/deployments/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/extensions/ingresses/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/extensions/networkpolicies/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/extensions/replicasets/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/limitranges/read | Reads limitranges | +> | 
[Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/metrics.k8s.io/pods/read | Reads pods | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/metrics.k8s.io/nodes/read | Reads nodes | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/namespaces/read | Reads namespaces | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/networking.k8s.io/ingresses/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/networking.k8s.io/networkpolicies/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/persistentvolumeclaims/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/pods/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/policy/poddisruptionbudgets/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/replicationcontrollers/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/resourcequotas/read | Reads resourcequotas | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/secrets/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/serviceaccounts/* | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/services/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role 
bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb", + "name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read", + "Microsoft.ContainerService/managedClusters/apps/daemonsets/*", + "Microsoft.ContainerService/managedClusters/apps/deployments/*", + "Microsoft.ContainerService/managedClusters/apps/replicasets/*", + "Microsoft.ContainerService/managedClusters/apps/statefulsets/*", + "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*", + "Microsoft.ContainerService/managedClusters/batch/cronjobs/*", + "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read", + "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write", + "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete", + "Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read", + "Microsoft.ContainerService/managedClusters/batch/jobs/*", + "Microsoft.ContainerService/managedClusters/configmaps/*", + "Microsoft.ContainerService/managedClusters/endpoints/*", + "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read", + "Microsoft.ContainerService/managedClusters/events/*", + "Microsoft.ContainerService/managedClusters/extensions/daemonsets/*", + "Microsoft.ContainerService/managedClusters/extensions/deployments/*", + 
"Microsoft.ContainerService/managedClusters/extensions/ingresses/*", + "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*", + "Microsoft.ContainerService/managedClusters/extensions/replicasets/*", + "Microsoft.ContainerService/managedClusters/limitranges/read", + "Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read", + "Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read", + "Microsoft.ContainerService/managedClusters/namespaces/read", + "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*", + "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*", + "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*", + "Microsoft.ContainerService/managedClusters/pods/*", + "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*", + "Microsoft.ContainerService/managedClusters/replicationcontrollers/*", + "Microsoft.ContainerService/managedClusters/resourcequotas/read", + "Microsoft.ContainerService/managedClusters/secrets/*", + "Microsoft.ContainerService/managedClusters/serviceaccounts/*", + "Microsoft.ContainerService/managedClusters/services/*" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Kubernetes Service RBAC Writer", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Kubernetes Agentless Operator ++Grants Microsoft Defender for Cloud access to Azure Kubernetes Services ++[Learn more](/azure/defender-for-cloud/defender-for-containers-architecture) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/trustedAccessRoleBindings/write | Create or update trusted access role bindings for managed cluster | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/trustedAccessRoleBindings/read | Get trusted access role 
bindings for managed cluster | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/trustedAccessRoleBindings/delete | Delete trusted access role bindings for managed cluster | +> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/managedClusters/read | Get a managed cluster | +> | [Microsoft.Features](../permissions/management-and-governance.md#microsoftfeatures)/features/read | Gets the features of a subscription. | +> | [Microsoft.Features](../permissions/management-and-governance.md#microsoftfeatures)/providers/features/read | Gets the feature of a subscription in a given resource provider. | +> | [Microsoft.Features](../permissions/management-and-governance.md#microsoftfeatures)/providers/features/register/action | Registers the feature for a subscription in a given resource provider. | +> | [Microsoft.Security](../permissions/security.md#microsoftsecurity)/pricings/securityoperators/read | Gets the security operators for the scope | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services", + "id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6", + "name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6", + "permissions": [ + { + "actions": [ + "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write", + "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read", + "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete", + "Microsoft.ContainerService/managedClusters/read", + "Microsoft.Features/features/read", + "Microsoft.Features/providers/features/read", + "Microsoft.Features/providers/features/register/action", + "Microsoft.Security/pricings/securityoperators/read" + ], + 
"notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Kubernetes Agentless Operator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Kubernetes Cluster - Azure Arc Onboarding ++Role definition to authorize any user/service to create connectedClusters resource ++[Learn more](/azure/azure-arc/kubernetes/connect-cluster) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/write | Creates or updates an deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/Write | Writes connectedClusters | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/connectedClusters/read | Read connectedClusters | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Role definition to authorize any user/service to create connectedClusters resource", + "id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41", + "name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/write", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Kubernetes/connectedClusters/Write", + "Microsoft.Kubernetes/connectedClusters/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Kubernetes Cluster - Azure Arc Onboarding", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Kubernetes Extension Contributor ++Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | 
[Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.KubernetesConfiguration](../permissions/containers.md#microsoftkubernetesconfiguration)/extensions/write | Creates or updates extension resource. | +> | [Microsoft.KubernetesConfiguration](../permissions/containers.md#microsoftkubernetesconfiguration)/extensions/read | Gets extension instance resource. | +> | [Microsoft.KubernetesConfiguration](../permissions/containers.md#microsoftkubernetesconfiguration)/extensions/delete | Deletes extension instance resource. | +> | [Microsoft.KubernetesConfiguration](../permissions/containers.md#microsoftkubernetesconfiguration)/extensions/operations/read | Gets Async Operation status. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations", + "id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717", + "name": "85cb6faf-e071-4c9b-8136-154b5a04f717", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.KubernetesConfiguration/extensions/write", + "Microsoft.KubernetesConfiguration/extensions/read", + "Microsoft.KubernetesConfiguration/extensions/delete", + "Microsoft.KubernetesConfiguration/extensions/operations/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Kubernetes Extension Contributor", + "roleType": "BuiltInRole", + "type": 
"Microsoft.Authorization/roleDefinitions" +} +``` ++## Next steps ++- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal) |
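Review bot: In the Kubernetes Agentless Operator section, the description "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services" understates the role's footprint: the action list also carries `Microsoft.Features/providers/features/register/action` ("Registers the feature for a subscription in a given resource provider.") and `Microsoft.Security/pricings/securityoperators/read`, both of which act at subscription scope rather than on the cluster. Suggest a sentence after the description noting that assigning this role also permits subscription-level feature registration, so readers can scope assignments accordingly. Separately, in the Kubernetes Cluster - Azure Arc Onboarding table, "Creates or updates an deployment." should read "Creates or updates a deployment."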
role-based-access-control | Databases | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/databases.md | + + Title: Azure built-in roles for Databases - Azure RBAC +description: This article lists the Azure built-in roles for Azure role-based access control (Azure RBAC) in the Databases category. It lists Actions, NotActions, DataActions, and NotDataActions. ++++++ Last updated : 02/07/2024++++# Azure built-in roles for Databases ++This article lists the Azure built-in roles in the Databases category. +++## Azure Connected SQL Server Onboarding ++Allows for read and write access to Azure resources for SQL Server on Arc-enabled servers. ++[Learn more](/sql/sql-server/azure-arc/connect) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | Microsoft.AzureArcData/sqlServerInstances/read | Retrieves a SQL Server Instance resource | +> | Microsoft.AzureArcData/sqlServerInstances/write | Updates a SQL Server Instance resource | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Microsoft.AzureArcData service role to access the resources of Microsoft.AzureArcData stored with RPSAAS.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/e8113dce-c529-4d33-91fa-e9b972617508", + "name": "e8113dce-c529-4d33-91fa-e9b972617508", + "permissions": [ + { + "actions": [ + "Microsoft.AzureArcData/sqlServerInstances/read", + "Microsoft.AzureArcData/sqlServerInstances/write" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Connected SQL Server Onboarding", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cosmos DB Account Reader Role ++Can read Azure Cosmos DB account data. 
See [DocumentDB Account Contributor](#documentdb-account-contributor) for managing Azure Cosmos DB accounts. ++[Learn more](/azure/cosmos-db/role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/*/read | Read any collection | +> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/readonlykeys/action | Reads the database account readonly keys. | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/MetricDefinitions/read | Read metric definitions | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/Metrics/read | Read metrics | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can read Azure Cosmos DB Accounts data", + "id": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8", + "name": "fbdf93bf-df7d-467e-a4d2-9458aa1360c8", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.DocumentDB/*/read", + "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action", + "Microsoft.Insights/MetricDefinitions/read", + "Microsoft.Insights/Metrics/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Cosmos DB Account Reader Role", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cosmos DB Operator ++Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. 
++[Learn more](/azure/cosmos-db/role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.DocumentDb](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. 
| +> | **NotActions** | | +> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/dataTransferJobs/* | | +> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/readonlyKeys/* | | +> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/regenerateKey/* | | +> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/listKeys/* | | +> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/listConnectionStrings/* | | +> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/sqlRoleDefinitions/write | Create or update a SQL Role Definition | +> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/sqlRoleDefinitions/delete | Delete a SQL Role Definition | +> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/sqlRoleAssignments/write | Create or update a SQL Role Assignment | +> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/sqlRoleAssignments/delete | Delete a SQL Role Assignment | +> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/mongodbRoleDefinitions/write | Create or update a Mongo Role Definition | +> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/mongodbRoleDefinitions/delete | Delete a MongoDB Role Definition | +> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/mongodbUserDefinitions/write | Create or update a MongoDB User Definition | +> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/mongodbUserDefinitions/delete | Delete a MongoDB User Definition | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + 
"assignableScopes": [ + "/" + ], + "description": "Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa", + "name": "230815da-be43-4aae-9cb4-875f7bd000aa", + "permissions": [ + { + "actions": [ + "Microsoft.DocumentDb/databaseAccounts/*", + "Microsoft.Insights/alertRules/*", + "Microsoft.Authorization/*/read", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action" + ], + "notActions": [ + "Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/*", + "Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*", + "Microsoft.DocumentDB/databaseAccounts/regenerateKey/*", + "Microsoft.DocumentDB/databaseAccounts/listKeys/*", + "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*", + "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write", + "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete", + "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write", + "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete", + "Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write", + "Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete", + "Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write", + "Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete" + ], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Cosmos DB Operator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## CosmosBackupOperator ++Can submit restore request for a Cosmos DB database or a container for an account ++[Learn more](/azure/cosmos-db/role-based-access-control) ++> [!div 
class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/backup/action | Submit a request to configure backup | +> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/restore/action | Submit a restore request | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can submit restore request for a Cosmos DB database or a container for an account", + "id": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb", + "name": "db7b14f2-5adf-42da-9f96-f2ee17bab5cb", + "permissions": [ + { + "actions": [ + "Microsoft.DocumentDB/databaseAccounts/backup/action", + "Microsoft.DocumentDB/databaseAccounts/restore/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "CosmosBackupOperator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## CosmosRestoreOperator ++Can perform restore action for Cosmos DB database account with continuous backup mode ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/locations/restorableDatabaseAccounts/restore/action | Submit a restore request | +> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/locations/restorableDatabaseAccounts/*/read | | +> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/locations/restorableDatabaseAccounts/read | Read a restorable database account or List all the restorable database accounts | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can 
perform restore action for Cosmos DB database account with continuous backup mode", + "id": "/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-444a-b7ba-57c5b0b5b34f", + "name": "5432c526-bc82-444a-b7ba-57c5b0b5b34f", + "permissions": [ + { + "actions": [ + "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action", + "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read", + "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "CosmosRestoreOperator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## DocumentDB Account Contributor ++Can manage Azure Cosmos DB accounts. Azure Cosmos DB is formerly known as DocumentDB. ++[Learn more](/azure/cosmos-db/role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.DocumentDb](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/* | Create and manage Azure Cosmos DB accounts | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage DocumentDB accounts, but not access to them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450", + "name": "5bd9cd88-fe45-4216-938b-f97437e15450", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.DocumentDb/databaseAccounts/*", + "Microsoft.Insights/alertRules/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "DocumentDB Account Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Redis Cache Contributor ++Lets you manage Redis caches, but not access to them. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Cache](../permissions/databases.md#microsoftcache)/register/action | Registers the 'Microsoft.Cache' resource provider with a subscription | +> | [Microsoft.Cache](../permissions/databases.md#microsoftcache)/redis/* | Create and manage Redis caches | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage Redis caches, but not access to them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17", + "name": "e0f68234-74aa-48ed-b826-c38b57376e17", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Cache/register/action", + "Microsoft.Cache/redis/*", + "Microsoft.Insights/alertRules/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Redis Cache Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## SQL DB Contributor ++Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. 
++[Learn more](/azure/data-share/concepts-roles-permissions) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/locations/*/read | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/* | Create and manage SQL databases | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/read | Return the list of servers or gets the properties for the specified server. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metrics/read | Read metrics | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metricDefinitions/read | Read metric definitions | +> | **NotActions** | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/ledgerDigestUploads/write | Enable uploading ledger digests | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/ledgerDigestUploads/disable/action | Disable uploading ledger digests | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/databases/currentSensitivityLabels/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/databases/recommendedSensitivityLabels/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/databases/securityAlertPolicies/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/databases/sensitivityLabels/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/databases/vulnerabilityAssessments/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/securityAlertPolicies/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/vulnerabilityAssessments/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/auditingSettings/* | Edit audit settings | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/auditRecords/read | Retrieve the database blob audit records | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/currentSensitivityLabels/* | | +> | 
[Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/dataMaskingPolicies/* | Edit data masking policies | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/extendedAuditingSettings/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/recommendedSensitivityLabels/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/schemas/tables/columns/sensitivityLabels/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/securityAlertPolicies/* | Edit security alert policies | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/securityMetrics/* | Edit security metrics | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/sensitivityLabels/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/vulnerabilityAssessments/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/vulnerabilityAssessmentScans/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/vulnerabilityAssessmentSettings/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/vulnerabilityAssessments/* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage SQL databases, but not access to them. 
Also, you can't manage their security-related policies or their parent SQL servers.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", + "name": "9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Sql/locations/*/read", + "Microsoft.Sql/servers/databases/*", + "Microsoft.Sql/servers/read", + "Microsoft.Support/*", + "Microsoft.Insights/metrics/read", + "Microsoft.Insights/metricDefinitions/read" + ], + "notActions": [ + "Microsoft.Sql/servers/databases/ledgerDigestUploads/write", + "Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action", + "Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*", + "Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*", + "Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*", + "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*", + "Microsoft.Sql/managedInstances/databases/sensitivityLabels/*", + "Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*", + "Microsoft.Sql/managedInstances/securityAlertPolicies/*", + "Microsoft.Sql/managedInstances/vulnerabilityAssessments/*", + "Microsoft.Sql/servers/databases/auditingSettings/*", + "Microsoft.Sql/servers/databases/auditRecords/read", + "Microsoft.Sql/servers/databases/currentSensitivityLabels/*", + "Microsoft.Sql/servers/databases/dataMaskingPolicies/*", + "Microsoft.Sql/servers/databases/extendedAuditingSettings/*", + "Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*", + "Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*", + "Microsoft.Sql/servers/databases/securityAlertPolicies/*", + 
"Microsoft.Sql/servers/databases/securityMetrics/*", + "Microsoft.Sql/servers/databases/sensitivityLabels/*", + "Microsoft.Sql/servers/databases/vulnerabilityAssessments/*", + "Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*", + "Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*", + "Microsoft.Sql/servers/vulnerabilityAssessments/*" + ], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "SQL DB Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## SQL Managed Instance Contributor ++Lets you manage SQL Managed Instances and required network configuration, but can't give access to others. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/* | | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/routeTables/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/locations/*/read | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/locations/instanceFailoverGroups/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/* | | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/* | | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/* | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metrics/read | Read metrics | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metricDefinitions/read | Read metric definitions | +> | **NotActions** | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/azureADOnlyAuthentications/delete | Deletes a specific managed server Azure Active Directory only authentication object | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/azureADOnlyAuthentications/write | Adds or updates a specific managed server Azure Active Directory only authentication object | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage SQL Managed Instances and required network configuration, but can't give access to others.", + "id": 
"/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d", + "name": "4939a1f6-9ae0-4e48-a1e0-f2cbe897382d", + "permissions": [ + { + "actions": [ + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Network/networkSecurityGroups/*", + "Microsoft.Network/routeTables/*", + "Microsoft.Sql/locations/*/read", + "Microsoft.Sql/locations/instanceFailoverGroups/*", + "Microsoft.Sql/managedInstances/*", + "Microsoft.Support/*", + "Microsoft.Network/virtualNetworks/subnets/*", + "Microsoft.Network/virtualNetworks/*", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Insights/metrics/read", + "Microsoft.Insights/metricDefinitions/read" + ], + "notActions": [ + "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete", + "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write" + ], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "SQL Managed Instance Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## SQL Security Manager ++Lets you manage the security-related policies of SQL servers and databases, but not access to them. ++[Learn more](/azure/azure-sql/database/azure-defender-for-sql) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. 
| +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/locations/administratorAzureAsyncOperation/read | Gets the Managed instance azure async administrator operations result. | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/advancedThreatProtectionSettings/read | Retrieve a list of managed instance Advanced Threat Protection settings configured for a given instance | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/advancedThreatProtectionSettings/write | Change the managed instance Advanced Threat Protection settings for a given managed instance | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/databases/advancedThreatProtectionSettings/read | Retrieve a list of the managed database Advanced Threat Protection settings configured for a given managed database | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/databases/advancedThreatProtectionSettings/write | Change the database Advanced Threat Protection settings for a given managed database | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/advancedThreatProtectionSettings/read | Retrieve a list of managed instance Advanced Threat Protection settings configured for a given instance | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/advancedThreatProtectionSettings/write | Change the managed instance Advanced Threat Protection settings for a 
given managed instance | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/databases/advancedThreatProtectionSettings/read | Retrieve a list of the managed database Advanced Threat Protection settings configured for a given managed database | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/databases/advancedThreatProtectionSettings/write | Change the database Advanced Threat Protection settings for a given managed database | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/databases/currentSensitivityLabels/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/databases/recommendedSensitivityLabels/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/databases/securityAlertPolicies/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/databases/sensitivityLabels/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/databases/vulnerabilityAssessments/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/advancedThreatProtectionSettings/read | Retrieve a list of server Advanced Threat Protection settings configured for a given server | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/advancedThreatProtectionSettings/write | Change the server Advanced Threat Protection settings for a given server | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/securityAlertPolicies/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/databases/transparentDataEncryption/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/vulnerabilityAssessments/* | | +> | 
[Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/serverConfigurationOptions/read | Gets properties for the specified Azure SQL Managed Instance Server Configuration Option. | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/serverConfigurationOptions/write | Updates Azure SQL Managed Instance's Server Configuration Option properties for the specified instance. | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/locations/serverConfigurationOptionAzureAsyncOperation/read | Gets the status of Azure SQL Managed Instance Server Configuration Option Azure async operation. | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/advancedThreatProtectionSettings/read | Retrieve a list of server Advanced Threat Protection settings configured for a given server | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/advancedThreatProtectionSettings/write | Change the server Advanced Threat Protection settings for a given server | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/auditingSettings/* | Create and manage SQL server auditing setting | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/extendedAuditingSettings/read | Retrieve details of the extended server blob auditing policy configured on a given server | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/advancedThreatProtectionSettings/read | Retrieve a list of database Advanced Threat Protection settings configured for a given database | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/advancedThreatProtectionSettings/write | Change the database Advanced Threat Protection settings for a given database | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/advancedThreatProtectionSettings/read | Retrieve a list of database Advanced Threat Protection settings configured for a 
given database | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/advancedThreatProtectionSettings/write | Change the database Advanced Threat Protection settings for a given database | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/auditingSettings/* | Create and manage SQL server database auditing settings | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/auditRecords/read | Retrieve the database blob audit records | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/currentSensitivityLabels/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/dataMaskingPolicies/* | Create and manage SQL server database data masking policies | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/extendedAuditingSettings/read | Retrieve details of the extended blob auditing policy configured on a given database | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/read | Return the list of databases or gets the properties for the specified database. | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/recommendedSensitivityLabels/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/schemas/read | Get a database schema. | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/schemas/tables/columns/read | Get a database column. | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/schemas/tables/columns/sensitivityLabels/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/schemas/tables/read | Get a database table. 
| +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/securityAlertPolicies/* | Create and manage SQL server database security alert policies | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/securityMetrics/* | Create and manage SQL server database security metrics | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/sensitivityLabels/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/transparentDataEncryption/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/sqlvulnerabilityAssessments/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/vulnerabilityAssessments/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/vulnerabilityAssessmentScans/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/vulnerabilityAssessmentSettings/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/devOpsAuditingSettings/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/firewallRules/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/read | Return the list of servers or gets the properties for the specified server. 
| +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/securityAlertPolicies/* | Create and manage SQL server security alert policies | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/sqlvulnerabilityAssessments/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/vulnerabilityAssessments/* | | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/azureADOnlyAuthentications/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/read | Return the list of managed instances or gets the properties for the specified managed instance. | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/azureADOnlyAuthentications/* | | +> | [Microsoft.Security](../permissions/security.md#microsoftsecurity)/sqlVulnerabilityAssessments/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/administrators/read | Gets a list of managed instance administrators. 
| +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/administrators/read | Gets a specific Azure Active Directory administrator object | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/ledgerDigestUploads/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/locations/ledgerDigestUploadsAzureAsyncOperation/read | Gets in-progress operations of ledger digest upload settings | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/locations/ledgerDigestUploadsOperationResults/read | Gets in-progress operations of ledger digest upload settings | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/externalPolicyBasedAuthorizations/* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage the security-related policies of SQL servers and databases, but not access to them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "name": "056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Sql/locations/administratorAzureAsyncOperation/read", + "Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read", + "Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write", + "Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read", + "Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write", + "Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read", + 
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write", + "Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read", + "Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write", + "Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*", + "Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*", + "Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*", + "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*", + "Microsoft.Sql/managedInstances/databases/sensitivityLabels/*", + "Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*", + "Microsoft.Sql/servers/advancedThreatProtectionSettings/read", + "Microsoft.Sql/servers/advancedThreatProtectionSettings/write", + "Microsoft.Sql/managedInstances/securityAlertPolicies/*", + "Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*", + "Microsoft.Sql/managedInstances/vulnerabilityAssessments/*", + "Microsoft.Sql/managedInstances/serverConfigurationOptions/read", + "Microsoft.Sql/managedInstances/serverConfigurationOptions/write", + "Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/read", + "Microsoft.Sql/servers/advancedThreatProtectionSettings/read", + "Microsoft.Sql/servers/advancedThreatProtectionSettings/write", + "Microsoft.Sql/servers/auditingSettings/*", + "Microsoft.Sql/servers/extendedAuditingSettings/read", + "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read", + "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write", + "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read", + "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write", + "Microsoft.Sql/servers/databases/auditingSettings/*", + "Microsoft.Sql/servers/databases/auditRecords/read", + "Microsoft.Sql/servers/databases/currentSensitivityLabels/*", + 
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*", + "Microsoft.Sql/servers/databases/extendedAuditingSettings/read", + "Microsoft.Sql/servers/databases/read", + "Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*", + "Microsoft.Sql/servers/databases/schemas/read", + "Microsoft.Sql/servers/databases/schemas/tables/columns/read", + "Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*", + "Microsoft.Sql/servers/databases/schemas/tables/read", + "Microsoft.Sql/servers/databases/securityAlertPolicies/*", + "Microsoft.Sql/servers/databases/securityMetrics/*", + "Microsoft.Sql/servers/databases/sensitivityLabels/*", + "Microsoft.Sql/servers/databases/transparentDataEncryption/*", + "Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/*", + "Microsoft.Sql/servers/databases/vulnerabilityAssessments/*", + "Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*", + "Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*", + "Microsoft.Sql/servers/devOpsAuditingSettings/*", + "Microsoft.Sql/servers/firewallRules/*", + "Microsoft.Sql/servers/read", + "Microsoft.Sql/servers/securityAlertPolicies/*", + "Microsoft.Sql/servers/sqlvulnerabilityAssessments/*", + "Microsoft.Sql/servers/vulnerabilityAssessments/*", + "Microsoft.Support/*", + "Microsoft.Sql/servers/azureADOnlyAuthentications/*", + "Microsoft.Sql/managedInstances/read", + "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*", + "Microsoft.Security/sqlVulnerabilityAssessments/*", + "Microsoft.Sql/managedInstances/administrators/read", + "Microsoft.Sql/servers/administrators/read", + "Microsoft.Sql/servers/databases/ledgerDigestUploads/*", + "Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read", + "Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read", + "Microsoft.Sql/servers/externalPolicyBasedAuthorizations/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "SQL Security 
Manager", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## SQL Server Contributor ++Lets you manage SQL servers and databases, but not access to them, and not their security-related policies. ++[Learn more](/azure/azure-sql/database/authentication-aad-configure) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/locations/*/read | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/* | Create and manage SQL servers | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metrics/read | Read metrics | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metricDefinitions/read | Read metric definitions | +> | **NotActions** | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/databases/currentSensitivityLabels/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/databases/recommendedSensitivityLabels/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/databases/securityAlertPolicies/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/databases/sensitivityLabels/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/databases/vulnerabilityAssessments/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/securityAlertPolicies/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/managedInstances/vulnerabilityAssessments/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/auditingSettings/* | Edit SQL server auditing settings | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/auditingSettings/* | Edit SQL server database auditing settings | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/auditRecords/read | Retrieve the database blob audit records | +> | 
[Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/currentSensitivityLabels/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/dataMaskingPolicies/* | Edit SQL server database data masking policies | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/extendedAuditingSettings/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/recommendedSensitivityLabels/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/schemas/tables/columns/sensitivityLabels/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/securityAlertPolicies/* | Edit SQL server database security alert policies | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/securityMetrics/* | Edit SQL server database security metrics | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/sensitivityLabels/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/vulnerabilityAssessments/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/vulnerabilityAssessmentScans/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/vulnerabilityAssessmentSettings/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/devOpsAuditingSettings/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/extendedAuditingSettings/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/securityAlertPolicies/* | Edit SQL server security alert policies | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/vulnerabilityAssessments/* | | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/azureADOnlyAuthentications/delete | Deletes a specific server Azure Active Directory only authentication object | 
+> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/azureADOnlyAuthentications/write | Adds or updates a specific server Azure Active Directory only authentication object | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/externalPolicyBasedAuthorizations/delete | Deletes a specific server external policy based authorization property | +> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/externalPolicyBasedAuthorizations/write | Adds or updates a specific server external policy based authorization property | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage SQL servers and databases, but not access to them, and not their security -related policies.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437", + "name": "6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Sql/locations/*/read", + "Microsoft.Sql/servers/*", + "Microsoft.Support/*", + "Microsoft.Insights/metrics/read", + "Microsoft.Insights/metricDefinitions/read" + ], + "notActions": [ + "Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*", + "Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*", + "Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*", + "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*", + "Microsoft.Sql/managedInstances/databases/sensitivityLabels/*", + "Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*", + "Microsoft.Sql/managedInstances/securityAlertPolicies/*", + 
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*", + "Microsoft.Sql/servers/auditingSettings/*", + "Microsoft.Sql/servers/databases/auditingSettings/*", + "Microsoft.Sql/servers/databases/auditRecords/read", + "Microsoft.Sql/servers/databases/currentSensitivityLabels/*", + "Microsoft.Sql/servers/databases/dataMaskingPolicies/*", + "Microsoft.Sql/servers/databases/extendedAuditingSettings/*", + "Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*", + "Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*", + "Microsoft.Sql/servers/databases/securityAlertPolicies/*", + "Microsoft.Sql/servers/databases/securityMetrics/*", + "Microsoft.Sql/servers/databases/sensitivityLabels/*", + "Microsoft.Sql/servers/databases/vulnerabilityAssessments/*", + "Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*", + "Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*", + "Microsoft.Sql/servers/devOpsAuditingSettings/*", + "Microsoft.Sql/servers/extendedAuditingSettings/*", + "Microsoft.Sql/servers/securityAlertPolicies/*", + "Microsoft.Sql/servers/vulnerabilityAssessments/*", + "Microsoft.Sql/servers/azureADOnlyAuthentications/delete", + "Microsoft.Sql/servers/azureADOnlyAuthentications/write", + "Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete", + "Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write" + ], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "SQL Server Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Next steps ++- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal) |
role-based-access-control | Devops | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/devops.md | + + Title: Azure built-in roles for DevOps - Azure RBAC +description: This article lists the Azure built-in roles for Azure role-based access control (Azure RBAC) in the DevOps category. It lists Actions, NotActions, DataActions, and NotDataActions. ++++++ Last updated : 02/07/2024++++# Azure built-in roles for DevOps ++This article lists the Azure built-in roles in the DevOps category. +++## DevTest Labs User ++Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. ++[Learn more](/azure/devtest-labs/devtest-lab-add-devtest-user) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/availabilitySets/read | Get the properties of an availability set | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/*/read | Read the properties of a virtual machine (VM sizes, runtime status, VM extensions, etc.) 
| +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/deallocate/action | Powers off the virtual machine and releases the compute resources | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/read | Get the properties of a virtual machine | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/restart/action | Restarts the virtual machine | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/start/action | Starts the virtual machine | +> | [Microsoft.DevTestLab](../permissions/devops.md#microsoftdevtestlab)/*/read | Read the properties of a lab | +> | [Microsoft.DevTestLab](../permissions/devops.md#microsoftdevtestlab)/labs/claimAnyVm/action | Claim a random claimable virtual machine in the lab. | +> | [Microsoft.DevTestLab](../permissions/devops.md#microsoftdevtestlab)/labs/createEnvironment/action | Create virtual machines in a lab. | +> | [Microsoft.DevTestLab](../permissions/devops.md#microsoftdevtestlab)/labs/ensureCurrentUserProfile/action | Ensure the current user has a valid profile in the lab. | +> | [Microsoft.DevTestLab](../permissions/devops.md#microsoftdevtestlab)/labs/formulas/delete | Delete formulas. | +> | [Microsoft.DevTestLab](../permissions/devops.md#microsoftdevtestlab)/labs/formulas/read | Read formulas. | +> | [Microsoft.DevTestLab](../permissions/devops.md#microsoftdevtestlab)/labs/formulas/write | Add or modify formulas. | +> | [Microsoft.DevTestLab](../permissions/devops.md#microsoftdevtestlab)/labs/policySets/evaluatePolicies/action | Evaluates lab policy. | +> | [Microsoft.DevTestLab](../permissions/devops.md#microsoftdevtestlab)/labs/virtualMachines/claim/action | Take ownership of an existing virtual machine | +> | [Microsoft.DevTestLab](../permissions/devops.md#microsoftdevtestlab)/labs/virtualmachines/listApplicableSchedules/action | Lists the applicable start/stop schedules, if any. 
| +> | [Microsoft.DevTestLab](../permissions/devops.md#microsoftdevtestlab)/labs/virtualMachines/getRdpFileContents/action | Gets a string that represents the contents of the RDP file for the virtual machine | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/backendAddressPools/join/action | Joins a load balancer backend address pool. Not Alertable. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/inboundNatRules/join/action | Joins a load balancer inbound nat rule. Not Alertable. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/*/read | Read the properties of a network interface (for example, all the load balancers that the network interface is a part of) | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/join/action | Joins a Virtual Machine to a network interface. Not Alertable. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/read | Gets a network interface definition. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/write | Creates a network interface or updates an existing network interface. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/publicIPAddresses/*/read | Read the properties of a public IP address | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/publicIPAddresses/join/action | Joins a public IP address. Not Alertable. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/publicIPAddresses/read | Gets a public IP address definition. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. 
| +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/read | Gets or lists deployments. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. | +> | **NotActions** | | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/vmSizes/read | Lists available sizes the virtual machine can be updated to | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64", + "name": "76283e04-6283-4c54-8f91-bcf1374a3c64", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Compute/availabilitySets/read", + "Microsoft.Compute/virtualMachines/*/read", + "Microsoft.Compute/virtualMachines/deallocate/action", + "Microsoft.Compute/virtualMachines/read", + "Microsoft.Compute/virtualMachines/restart/action", + "Microsoft.Compute/virtualMachines/start/action", + "Microsoft.DevTestLab/*/read", + "Microsoft.DevTestLab/labs/claimAnyVm/action", + "Microsoft.DevTestLab/labs/createEnvironment/action", + "Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action", + "Microsoft.DevTestLab/labs/formulas/delete", + "Microsoft.DevTestLab/labs/formulas/read", + "Microsoft.DevTestLab/labs/formulas/write", + "Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action", + "Microsoft.DevTestLab/labs/virtualMachines/claim/action", + "Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action", + 
"Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action", + "Microsoft.Network/loadBalancers/backendAddressPools/join/action", + "Microsoft.Network/loadBalancers/inboundNatRules/join/action", + "Microsoft.Network/networkInterfaces/*/read", + "Microsoft.Network/networkInterfaces/join/action", + "Microsoft.Network/networkInterfaces/read", + "Microsoft.Network/networkInterfaces/write", + "Microsoft.Network/publicIPAddresses/*/read", + "Microsoft.Network/publicIPAddresses/join/action", + "Microsoft.Network/publicIPAddresses/read", + "Microsoft.Network/virtualNetworks/subnets/join/action", + "Microsoft.Resources/deployments/operations/read", + "Microsoft.Resources/deployments/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Storage/storageAccounts/listKeys/action" + ], + "notActions": [ + "Microsoft.Compute/virtualMachines/vmSizes/read" + ], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "DevTest Labs User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Lab Assistant ++Enables you to view an existing lab, perform actions on the lab VMs and send invitations to the lab. ++[Learn more](/azure/lab-services/administrator-guide) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labPlans/images/read | Get the properties of an image. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labPlans/read | Get the properties of a lab plan. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/read | Get the properties of a lab. 
| +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/schedules/read | Get the properties of a schedule. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/users/read | Get the properties of a user. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/users/invite/action | Send email invitation to a user to join the lab. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/virtualMachines/read | Get the properties of a virtual machine. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/virtualMachines/start/action | Start a virtual machine. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/virtualMachines/stop/action | Stop and deallocate a virtual machine. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/virtualMachines/reimage/action | Reimage a virtual machine to the last published image. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/virtualMachines/redeploy/action | Redeploy a virtual machine to a different compute node. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/locations/usages/read | Get Usage in a location | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/skus/read | Get the properties of a Lab Services SKU. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "The lab assistant role", + "id": "/providers/Microsoft.Authorization/roleDefinitions/ce40b423-cede-4313-a93f-9b28290b72e1", + "name": "ce40b423-cede-4313-a93f-9b28290b72e1", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.LabServices/labPlans/images/read", + "Microsoft.LabServices/labPlans/read", + "Microsoft.LabServices/labs/read", + "Microsoft.LabServices/labs/schedules/read", + "Microsoft.LabServices/labs/users/read", + "Microsoft.LabServices/labs/users/invite/action", + "Microsoft.LabServices/labs/virtualMachines/read", + "Microsoft.LabServices/labs/virtualMachines/start/action", + "Microsoft.LabServices/labs/virtualMachines/stop/action", + "Microsoft.LabServices/labs/virtualMachines/reimage/action", + "Microsoft.LabServices/labs/virtualMachines/redeploy/action", + "Microsoft.LabServices/locations/usages/read", + "Microsoft.LabServices/skus/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Lab Assistant", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Lab Contributor ++Applied at lab level, enables you to manage the lab. Applied at a resource group, enables you to create and manage labs. 
++[Learn more](/azure/lab-services/administrator-guide) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labPlans/images/read | Get the properties of an image. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labPlans/read | Get the properties of a lab plan. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labPlans/saveImage/action | Create an image from a virtual machine in the gallery attached to the lab plan. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/read | Get the properties of a lab. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/write | Create new or update an existing lab. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/delete | Delete the lab and all its users, schedules and virtual machines. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/publish/action | Publish a lab by propagating image of the template virtual machine to all virtual machines in the lab. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/syncGroup/action | Updates the list of users from the Active Directory group assigned to the lab. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/schedules/read | Get the properties of a schedule. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/schedules/write | Create new or update an existing schedule. 
| +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/schedules/delete | Delete the schedule. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/users/read | Get the properties of a user. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/users/write | Create new or update an existing user. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/users/delete | Delete the user. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/users/invite/action | Send email invitation to a user to join the lab. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/virtualMachines/read | Get the properties of a virtual machine. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/virtualMachines/start/action | Start a virtual machine. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/virtualMachines/stop/action | Stop and deallocate a virtual machine. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/virtualMachines/reimage/action | Reimage a virtual machine to the last published image. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/virtualMachines/redeploy/action | Redeploy a virtual machine to a different compute node. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/virtualMachines/resetPassword/action | Reset local user's password on a virtual machine. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/locations/usages/read | Get Usage in a location | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/skus/read | Get the properties of a Lab Services SKU. 
| +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labPlans/createLab/action | Create a new lab from a lab plan. | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "The lab contributor role", + "id": "/providers/Microsoft.Authorization/roleDefinitions/5daaa2af-1fe8-407c-9122-bba179798270", + "name": "5daaa2af-1fe8-407c-9122-bba179798270", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.LabServices/labPlans/images/read", + "Microsoft.LabServices/labPlans/read", + "Microsoft.LabServices/labPlans/saveImage/action", + "Microsoft.LabServices/labs/read", + "Microsoft.LabServices/labs/write", + "Microsoft.LabServices/labs/delete", + "Microsoft.LabServices/labs/publish/action", + "Microsoft.LabServices/labs/syncGroup/action", + "Microsoft.LabServices/labs/schedules/read", + "Microsoft.LabServices/labs/schedules/write", + "Microsoft.LabServices/labs/schedules/delete", + "Microsoft.LabServices/labs/users/read", + "Microsoft.LabServices/labs/users/write", + "Microsoft.LabServices/labs/users/delete", + "Microsoft.LabServices/labs/users/invite/action", + "Microsoft.LabServices/labs/virtualMachines/read", + "Microsoft.LabServices/labs/virtualMachines/start/action", + "Microsoft.LabServices/labs/virtualMachines/stop/action", + "Microsoft.LabServices/labs/virtualMachines/reimage/action", + "Microsoft.LabServices/labs/virtualMachines/redeploy/action", + "Microsoft.LabServices/labs/virtualMachines/resetPassword/action", + 
"Microsoft.LabServices/locations/usages/read", + "Microsoft.LabServices/skus/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.LabServices/labPlans/createLab/action" + ], + "notDataActions": [] + } + ], + "roleName": "Lab Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Lab Creator ++Lets you create new labs under your Azure Lab Accounts. ++[Learn more](/azure/lab-services/administrator-guide) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labAccounts/*/read | | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labAccounts/createLab/action | Create a lab in a lab account. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labAccounts/getPricingAndAvailability/action | Get the pricing and availability of combinations of sizes, geographies, and operating systems for the lab account. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labAccounts/getRestrictionsAndUsage/action | Get core restrictions and usage for this subscription | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labPlans/images/read | Get the properties of an image. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labPlans/read | Get the properties of a lab plan. 
| +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labPlans/saveImage/action | Create an image from a virtual machine in the gallery attached to the lab plan. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/read | Get the properties of a lab. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/schedules/read | Get the properties of a schedule. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/users/read | Get the properties of a user. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/virtualMachines/read | Get the properties of a virtual machine. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/locations/usages/read | Get Usage in a location | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/skus/read | Get the properties of a Lab Services SKU. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labPlans/createLab/action | Create a new lab from a lab plan. 
| +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you create new labs under your Azure Lab Accounts.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead", + "name": "b97fb8bc-a8b2-4522-a38b-dd33c7e65ead", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.LabServices/labAccounts/*/read", + "Microsoft.LabServices/labAccounts/createLab/action", + "Microsoft.LabServices/labAccounts/getPricingAndAvailability/action", + "Microsoft.LabServices/labAccounts/getRestrictionsAndUsage/action", + "Microsoft.Insights/alertRules/*", + "Microsoft.LabServices/labPlans/images/read", + "Microsoft.LabServices/labPlans/read", + "Microsoft.LabServices/labPlans/saveImage/action", + "Microsoft.LabServices/labs/read", + "Microsoft.LabServices/labs/schedules/read", + "Microsoft.LabServices/labs/users/read", + "Microsoft.LabServices/labs/virtualMachines/read", + "Microsoft.LabServices/locations/usages/read", + "Microsoft.LabServices/skus/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [ + "Microsoft.LabServices/labPlans/createLab/action" + ], + "notDataActions": [] + } + ], + "roleName": "Lab Creator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Lab Operator ++Gives you limited ability to manage existing labs. 
++[Learn more](/azure/lab-services/administrator-guide) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labPlans/images/read | Get the properties of an image. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labPlans/read | Get the properties of a lab plan. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labPlans/saveImage/action | Create an image from a virtual machine in the gallery attached to the lab plan. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/publish/action | Publish a lab by propagating image of the template virtual machine to all virtual machines in the lab. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/read | Get the properties of a lab. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/schedules/read | Get the properties of a schedule. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/schedules/write | Create new or update an existing schedule. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/schedules/delete | Delete the schedule. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/users/read | Get the properties of a user. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/users/write | Create new or update an existing user. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/users/delete | Delete the user. 
| +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/users/invite/action | Send email invitation to a user to join the lab. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/virtualMachines/read | Get the properties of a virtual machine. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/virtualMachines/start/action | Start a virtual machine. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/virtualMachines/stop/action | Stop and deallocate a virtual machine. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/virtualMachines/reimage/action | Reimage a virtual machine to the last published image. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/virtualMachines/redeploy/action | Redeploy a virtual machine to a different compute node. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labs/virtualMachines/resetPassword/action | Reset local user's password on a virtual machine. | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/locations/usages/read | Get Usage in a location | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/skus/read | Get the properties of a Lab Services SKU. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "The lab operator role", + "id": "/providers/Microsoft.Authorization/roleDefinitions/a36e6959-b6be-4b12-8e9f-ef4b474d304d", + "name": "a36e6959-b6be-4b12-8e9f-ef4b474d304d", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.LabServices/labPlans/images/read", + "Microsoft.LabServices/labPlans/read", + "Microsoft.LabServices/labPlans/saveImage/action", + "Microsoft.LabServices/labs/publish/action", + "Microsoft.LabServices/labs/read", + "Microsoft.LabServices/labs/schedules/read", + "Microsoft.LabServices/labs/schedules/write", + "Microsoft.LabServices/labs/schedules/delete", + "Microsoft.LabServices/labs/users/read", + "Microsoft.LabServices/labs/users/write", + "Microsoft.LabServices/labs/users/delete", + "Microsoft.LabServices/labs/users/invite/action", + "Microsoft.LabServices/labs/virtualMachines/read", + "Microsoft.LabServices/labs/virtualMachines/start/action", + "Microsoft.LabServices/labs/virtualMachines/stop/action", + "Microsoft.LabServices/labs/virtualMachines/reimage/action", + "Microsoft.LabServices/labs/virtualMachines/redeploy/action", + "Microsoft.LabServices/labs/virtualMachines/resetPassword/action", + "Microsoft.LabServices/locations/usages/read", + "Microsoft.LabServices/skus/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Lab Operator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Lab Services Contributor ++Enables you to fully control all Lab Services scenarios in the resource group. 
++[Learn more](/azure/lab-services/administrator-guide) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/* | Create and manage lab services components | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/labPlans/createLab/action | Create a new lab from a lab plan. | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "The lab services contributor role", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f69b8690-cc87-41d6-b77a-a4bc3c0a966f", + "name": "f69b8690-cc87-41d6-b77a-a4bc3c0a966f", + "permissions": [ + { + "actions": [ + "Microsoft.LabServices/*", + "Microsoft.Insights/alertRules/*", + "Microsoft.Authorization/*/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.LabServices/labPlans/createLab/action" + ], + "notDataActions": [] + } + ], + "roleName": "Lab Services Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Lab Services Reader ++Enables you to view, but not change, all lab plans and lab resources. 
++[Learn more](/azure/lab-services/administrator-guide) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.LabServices](../permissions/devops.md#microsoftlabservices)/*/read | Read lab services properties | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "The lab services reader role", + "id": "/providers/Microsoft.Authorization/roleDefinitions/2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc", + "name": "2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc", + "permissions": [ + { + "actions": [ + "Microsoft.LabServices/*/read", + "Microsoft.Authorization/*/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Lab Services Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Load Test Contributor ++View, create, update, delete and execute load tests. View and list load test resources but can not make any changes. 
++[Learn more](/azure/load-testing/how-to-assign-roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.LoadTestService](../permissions/devops.md#microsoftloadtestservice)/*/read | Read load testing resources | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.LoadTestService](../permissions/devops.md#microsoftloadtestservice)/loadtests/* | Create and manage load tests | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "View, create, update, delete and execute load tests. 
View and list load test resources but can not make any changes.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/749a398d-560b-491b-bb21-08924219302e", + "name": "749a398d-560b-491b-bb21-08924219302e", + "permissions": [ + { + "actions": [ + "Microsoft.LoadTestService/*/read", + "Microsoft.Authorization/*/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Insights/alertRules/*" + ], + "notActions": [], + "dataActions": [ + "Microsoft.LoadTestService/loadtests/*" + ], + "notDataActions": [] + } + ], + "roleName": "Load Test Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Load Test Owner ++Execute all operations on load test resources and load tests ++[Learn more](/azure/load-testing/how-to-assign-roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.LoadTestService](../permissions/devops.md#microsoftloadtestservice)/* | Create and manage load testing resources | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.LoadTestService](../permissions/devops.md#microsoftloadtestservice)/* | Create and manage load testing resources | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Execute all operations on load test resources and load tests", + "id": "/providers/Microsoft.Authorization/roleDefinitions/45bb0b16-2f0c-4e78-afaa-a07599b003f6", + "name": "45bb0b16-2f0c-4e78-afaa-a07599b003f6", + "permissions": [ + { + "actions": [ + "Microsoft.LoadTestService/*", + "Microsoft.Authorization/*/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Insights/alertRules/*" + ], + "notActions": [], + "dataActions": [ + "Microsoft.LoadTestService/*" + ], + "notDataActions": [] + } + ], + "roleName": "Load Test Owner", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Load Test Reader ++View and list all load tests and load test resources but can not make any changes ++[Learn more](/azure/load-testing/how-to-assign-roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.LoadTestService](../permissions/devops.md#microsoftloadtestservice)/*/read | Read load testing resources | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.LoadTestService](../permissions/devops.md#microsoftloadtestservice)/loadtests/readTest/action | Read Load Tests | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "View and list all load tests and load test resources but can not make any changes", + "id": "/providers/Microsoft.Authorization/roleDefinitions/3ae3fb29-0000-4ccd-bf80-542e7b26e081", + "name": "3ae3fb29-0000-4ccd-bf80-542e7b26e081", + "permissions": [ + { + "actions": [ + "Microsoft.LoadTestService/*/read", + "Microsoft.Authorization/*/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Insights/alertRules/*" + ], + "notActions": [], + "dataActions": [ + "Microsoft.LoadTestService/loadtests/readTest/action" + ], + "notDataActions": [] + } + ], + "roleName": "Load Test Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Next steps ++- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal) |
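Review bot: The DevTest Labs User role's description ("Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs") understates what its Actions list grants: `Microsoft.Storage/storageAccounts/listKeys/action` is documented in the same table as "Returns the access keys for the specified storage account", and `Microsoft.Network/networkInterfaces/write` as "Creates a network interface or updates an existing network interface". Consider adding a sentence under the role heading stating that this role can read storage account keys and modify network interfaces within its scope, so readers assigning it at resource-group scope can judge the blast radius rather than infer it from the action list. Also, in the Lab Creator table the description cell for `Microsoft.LabServices/labAccounts/*/read` is empty while every other row in the article is filled; a short description such as "Read the properties of lab accounts" would keep the table consistent with the JSON block below it, which lists the action normally.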
role-based-access-control | General | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/general.md | + + Title: Azure built-in roles for General - Azure RBAC +description: This article lists the Azure built-in roles for Azure role-based access control (Azure RBAC) in the General category. It lists Actions, NotActions, DataActions, and NotDataActions. ++++++ Last updated : 02/07/2024++++# Azure built-in roles for General ++This article lists the Azure built-in roles in the General category. +++## Contributor ++Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. ++[Learn more](/azure/role-based-access-control/rbac-and-directory-admin-roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | * | Create and manage resources of all types | +> | **NotActions** | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/Delete | Delete roles, policy assignments, policy definitions and policy set definitions | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/Write | Create roles, role assignments, policy assignments, policy definitions and policy set definitions | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/elevateAccess/Action | Grants the caller User Access Administrator access at the tenant scope | +> | [Microsoft.Blueprint](../permissions/management-and-governance.md#microsoftblueprint)/blueprintAssignments/write | Create or update any blueprint assignments | +> | [Microsoft.Blueprint](../permissions/management-and-governance.md#microsoftblueprint)/blueprintAssignments/delete | Delete any blueprint assignments | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/galleries/share/action | Shares a Gallery to 
different scopes | +> | [Microsoft.Purview](../permissions/management-and-governance.md#microsoftpurview)/consents/write | Create or Update a Consent Resource. | +> | [Microsoft.Purview](../permissions/management-and-governance.md#microsoftpurview)/consents/delete | Delete the Consent Resource. | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "name": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "permissions": [ + { + "actions": [ + "*" + ], + "notActions": [ + "Microsoft.Authorization/*/Delete", + "Microsoft.Authorization/*/Write", + "Microsoft.Authorization/elevateAccess/Action", + "Microsoft.Blueprint/blueprintAssignments/write", + "Microsoft.Blueprint/blueprintAssignments/delete", + "Microsoft.Compute/galleries/share/action", + "Microsoft.Purview/consents/write", + "Microsoft.Purview/consents/delete" + ], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Owner ++Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. 
++[Learn more](/azure/role-based-access-control/rbac-and-directory-admin-roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | * | Create and manage resources of all types | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "name": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "permissions": [ + { + "actions": [ + "*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Owner", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Reader ++View all resources, but does not allow you to make any changes. ++[Learn more](/azure/role-based-access-control/rbac-and-directory-admin-roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | */read | Read resources of all types, except secrets. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "View all resources, but does not allow you to make any changes.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", + "name": "acdd72a7-3385-48ef-bd42-f606fba81ae7", + "permissions": [ + { + "actions": [ + "*/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Role Based Access Control Administrator ++Manage access to Azure resources by assigning roles using Azure RBAC. 
This role does not allow you to manage access using other ways, such as Azure Policy. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/write | Create a role assignment at the specified scope. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/delete | Delete a role assignment at the specified scope. | +> | */read | Read resources of all types, except secrets. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f58310d9-a9f6-439a-9e8d-f62e7b41a168", + "name": "f58310d9-a9f6-439a-9e8d-f62e7b41a168", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/roleAssignments/write", + "Microsoft.Authorization/roleAssignments/delete", + "*/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Role Based Access Control Administrator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## User Access Administrator ++Lets you manage user access to Azure resources. ++[Learn more](/azure/role-based-access-control/rbac-and-directory-admin-roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | */read | Read resources of all types, except secrets. 
| +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/* | Manage authorization | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage user access to Azure resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", + "name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", + "permissions": [ + { + "actions": [ + "*/read", + "Microsoft.Authorization/*", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "User Access Administrator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Next steps ++- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal) |
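Review bot: the Contributor description lists three exclusions (assign roles in Azure RBAC, manage assignments in Azure Blueprints, share image galleries) but the NotActions table and JSON also exclude `Microsoft.Purview/consents/write` and `Microsoft.Purview/consents/delete`; add the Purview consent exclusion to the description so the prose matches the `notActions` array. Two smaller points in the same file: the "Role Based Access Control Administrator" section is the only role here without a "[Learn more]" link, and, as documented, its table shows no **Condition** row restricting which role definitions `Microsoft.Authorization/roleAssignments/write` may assign at an assignable scope of "/", so a sentence telling readers that this role can grant any role at its scope (and should be assigned as narrowly as Owner or User Access Administrator) would help them apply least privilege.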
role-based-access-control | Hybrid Multicloud | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/hybrid-multicloud.md | + + Title: Azure built-in roles for Hybrid + multicloud - Azure RBAC +description: This article lists the Azure built-in roles for Azure role-based access control (Azure RBAC) in the Hybrid + multicloud category. It lists Actions, NotActions, DataActions, and NotDataActions. ++++++ Last updated : 02/07/2024++++# Azure built-in roles for Hybrid + multicloud ++This article lists the Azure built-in roles in the Hybrid + multicloud category. +++## Azure Stack HCI Administrator ++Grants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader ++[Learn more](/azure-stack/hci/manage/assign-vm-rbac-roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/register/action | Registers the subscription for the Azure Stack HCI resource provider and enables the creation of Azure Stack HCI resources. | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/Unregister/Action | Unregisters the subscription for the Azure Stack HCI resource provider. | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/clusters/* | | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/register/action | Registers the subscription for the Microsoft.HybridCompute Resource Provider | +> | [Microsoft.GuestConfiguration](../permissions/management-and-governance.md#microsoftguestconfiguration)/register/action | Registers the subscription for the Microsoft.GuestConfiguration resource provider. 
| +> | [Microsoft.GuestConfiguration](../permissions/management-and-governance.md#microsoftguestconfiguration)/guestConfigurationAssignments/read | Get guest configuration assignment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/write | Creates or updates a resource group. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/delete | Deletes a resource group and all its resources. | +> | [Microsoft.HybridConnectivity](../permissions/hybrid-multicloud.md#microsofthybridconnectivity)/register/action | Register the subscription for Microsoft.HybridConnectivity | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/write | Create a role assignment at the specified scope. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/delete | Delete a role assignment at the specified scope. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Management](../permissions/management-and-governance.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated user. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Write | Create or update a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Delete | Delete a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Read | Read a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Activated/Action | Classic metric alert activated | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Resolved/Action | Classic metric alert resolved | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Throttled/Action | Classic metric alert rule throttled | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Incidents/Read | Read a classic metric alert incident | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/read | Gets or lists deployments. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/write | Creates or updates an deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/operations/read | Gets or lists deployment operations. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/operationstatuses/read | Gets or lists deployment operation statuses. 
| +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/read | Read any Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/write | Writes an Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/delete | Deletes an Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/UpgradeExtensions/action | Upgrades Extensions on Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/assessPatches/action | Assesses any Azure Arc machines to get missing software patches | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/installPatches/action | Installs patches on any Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/extensions/read | Reads any Azure Arc extensions | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/extensions/write | Installs or Updates an Azure Arc extensions | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/extensions/delete | Deletes an Azure Arc extensions | +> | 
[Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/operations/read | Read all Operations for Azure Arc for Servers | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/locations/operationresults/read | Reads the status of an operation on Microsoft.HybridCompute Resource Provider | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/locations/operationstatus/read | Reads the status of an operation on Microsoft.HybridCompute Resource Provider | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/patchAssessmentResults/read | Reads any Azure Arc patchAssessmentResults | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/patchAssessmentResults/softwarePatches/read | Reads any Azure Arc patchAssessmentResults/softwarePatches | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/patchInstallationResults/read | Reads any Azure Arc patchInstallationResults | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/patchInstallationResults/softwarePatches/read | Reads any Azure Arc patchInstallationResults/softwarePatches | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/locations/updateCenterOperationResults/read | Reads the status of an update center operation on machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/hybridIdentityMetadata/read | Read any Azure Arc machines's Hybrid Identity Metadata | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/osType/agentVersions/read | Read all Azure Connected Machine Agent versions available | +> | 
[Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/osType/agentVersions/latest/read | Read the latest Azure Connected Machine Agent version | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/runcommands/read | Reads any Azure Arc runcommands | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/runcommands/write | Installs or Updates an Azure Arc runcommands | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/runcommands/delete | Deletes an Azure Arc runcommands | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/licenseProfiles/read | Reads any Azure Arc licenseProfiles | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/licenseProfiles/write | Installs or Updates an Azure Arc licenseProfiles | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/licenseProfiles/delete | Deletes an Azure Arc licenseProfiles | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/licenses/read | Reads any Azure Arc licenses | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/licenses/write | Installs or Updates an Azure Arc licenses | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/licenses/delete | Deletes an Azure Arc licenses | +> | Microsoft.ResourceConnector/register/action | Registers the subscription for Appliances resource provider and enables the creation of Appliance. 
| +> | Microsoft.ResourceConnector/appliances/read | Gets an Appliance resource | +> | Microsoft.ResourceConnector/appliances/write | Creates or Updates Appliance resource | +> | Microsoft.ResourceConnector/appliances/delete | Deletes Appliance resource | +> | Microsoft.ResourceConnector/locations/operationresults/read | Get result of Appliance operation | +> | Microsoft.ResourceConnector/locations/operationsstatus/read | Get result of Appliance operation | +> | Microsoft.ResourceConnector/appliances/listClusterUserCredential/action | Get an appliance cluster user credential | +> | Microsoft.ResourceConnector/appliances/listKeys/action | Get an appliance cluster customer user keys | +> | Microsoft.ResourceConnector/operations/read | Gets list of Available Operations for Appliances | +> | Microsoft.ExtendedLocation/register/action | Registers the subscription for Custom Location resource provider and enables the creation of Custom Location. | +> | Microsoft.ExtendedLocation/customLocations/read | Gets an Custom Location resource | +> | Microsoft.ExtendedLocation/customLocations/deploy/action | Deploy permissions to a Custom Location resource | +> | Microsoft.ExtendedLocation/customLocations/write | Creates or Updates Custom Location resource | +> | Microsoft.ExtendedLocation/customLocations/delete | Deletes Custom Location resource | +> | Microsoft.EdgeMarketplace/offers/read | Get a Offer | +> | Microsoft.EdgeMarketplace/publishers/read | Get a Publisher | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/register/action | Registers Subscription with Microsoft.Kubernetes resource provider | +> | [Microsoft.KubernetesConfiguration](../permissions/containers.md#microsoftkubernetesconfiguration)/register/action | Registers subscription to Microsoft.KubernetesConfiguration resource provider. 
| +> | [Microsoft.KubernetesConfiguration](../permissions/containers.md#microsoftkubernetesconfiguration)/extensions/write | Creates or updates extension resource. | +> | [Microsoft.KubernetesConfiguration](../permissions/containers.md#microsoftkubernetesconfiguration)/extensions/read | Gets extension instance resource. | +> | [Microsoft.KubernetesConfiguration](../permissions/containers.md#microsoftkubernetesconfiguration)/extensions/delete | Deletes extension instance resource. | +> | [Microsoft.KubernetesConfiguration](../permissions/containers.md#microsoftkubernetesconfiguration)/extensions/operations/read | Gets Async Operation status. | +> | [Microsoft.KubernetesConfiguration](../permissions/containers.md#microsoftkubernetesconfiguration)/namespaces/read | Get Namespace Resource | +> | [Microsoft.KubernetesConfiguration](../permissions/containers.md#microsoftkubernetesconfiguration)/operations/read | Gets available operations of the Microsoft.KubernetesConfiguration resource provider. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/StorageContainers/Write | Creates/Updates storage containers resource | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/StorageContainers/Read | Gets/Lists storage containers resource | +> | Microsoft.HybridContainerService/register/action | Register the subscription for Microsoft.HybridContainerService | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | +> | **Condition** | | +> | ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6})) | Add or remove role assignments for the following roles:<br/>Azure Connected Machine Resource Manager<br/>Azure Connected Machine Resource Administrator<br/>Azure Connected Machine Onboarding<br/>Azure Stack HCI VM Reader<br/>Azure Stack HCI VM Contributor<br/>Azure Stack HCI Device Management Role<br/>Azure Resource Bridge Deployment Role<br/>Key Vault Secrets User | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Grants full 
access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader", + "id": "/providers/Microsoft.Authorization/roleDefinitions/bda0d508-adf1-4af0-9c28-88919fc3ae06", + "name": "bda0d508-adf1-4af0-9c28-88919fc3ae06", + "permissions": [ + { + "actions": [ + "Microsoft.AzureStackHCI/register/action", + "Microsoft.AzureStackHCI/Unregister/Action", + "Microsoft.AzureStackHCI/clusters/*", + "Microsoft.HybridCompute/register/action", + "Microsoft.GuestConfiguration/register/action", + "Microsoft.GuestConfiguration/guestConfigurationAssignments/read", + "Microsoft.Resources/subscriptions/resourceGroups/write", + "Microsoft.Resources/subscriptions/resourceGroups/delete", + "Microsoft.HybridConnectivity/register/action", + "Microsoft.Authorization/roleAssignments/write", + "Microsoft.Authorization/roleAssignments/delete", + "Microsoft.Authorization/*/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Management/managementGroups/read", + "Microsoft.Support/*", + "Microsoft.AzureStackHCI/*", + "Microsoft.Insights/AlertRules/Write", + "Microsoft.Insights/AlertRules/Delete", + "Microsoft.Insights/AlertRules/Read", + "Microsoft.Insights/AlertRules/Activated/Action", + "Microsoft.Insights/AlertRules/Resolved/Action", + "Microsoft.Insights/AlertRules/Throttled/Action", + "Microsoft.Insights/AlertRules/Incidents/Read", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/read", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/write", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/subscriptions/read", + 
"Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.HybridCompute/machines/read", + "Microsoft.HybridCompute/machines/write", + "Microsoft.HybridCompute/machines/delete", + "Microsoft.HybridCompute/machines/UpgradeExtensions/action", + "Microsoft.HybridCompute/machines/assessPatches/action", + "Microsoft.HybridCompute/machines/installPatches/action", + "Microsoft.HybridCompute/machines/extensions/read", + "Microsoft.HybridCompute/machines/extensions/write", + "Microsoft.HybridCompute/machines/extensions/delete", + "Microsoft.HybridCompute/operations/read", + "Microsoft.HybridCompute/locations/operationresults/read", + "Microsoft.HybridCompute/locations/operationstatus/read", + "Microsoft.HybridCompute/machines/patchAssessmentResults/read", + "Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read", + "Microsoft.HybridCompute/machines/patchInstallationResults/read", + "Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read", + "Microsoft.HybridCompute/locations/updateCenterOperationResults/read", + "Microsoft.HybridCompute/machines/hybridIdentityMetadata/read", + "Microsoft.HybridCompute/osType/agentVersions/read", + "Microsoft.HybridCompute/osType/agentVersions/latest/read", + "Microsoft.HybridCompute/machines/runcommands/read", + "Microsoft.HybridCompute/machines/runcommands/write", + "Microsoft.HybridCompute/machines/runcommands/delete", + "Microsoft.HybridCompute/machines/licenseProfiles/read", + "Microsoft.HybridCompute/machines/licenseProfiles/write", + "Microsoft.HybridCompute/machines/licenseProfiles/delete", + "Microsoft.HybridCompute/licenses/read", + "Microsoft.HybridCompute/licenses/write", + "Microsoft.HybridCompute/licenses/delete", + "Microsoft.ResourceConnector/register/action", + "Microsoft.ResourceConnector/appliances/read", + "Microsoft.ResourceConnector/appliances/write", + "Microsoft.ResourceConnector/appliances/delete", + 
"Microsoft.ResourceConnector/locations/operationresults/read", + "Microsoft.ResourceConnector/locations/operationsstatus/read", + "Microsoft.ResourceConnector/appliances/listClusterUserCredential/action", + "Microsoft.ResourceConnector/appliances/listKeys/action", + "Microsoft.ResourceConnector/operations/read", + "Microsoft.ExtendedLocation/register/action", + "Microsoft.ExtendedLocation/customLocations/read", + "Microsoft.ExtendedLocation/customLocations/deploy/action", + "Microsoft.ExtendedLocation/customLocations/write", + "Microsoft.ExtendedLocation/customLocations/delete", + "Microsoft.EdgeMarketplace/offers/read", + "Microsoft.EdgeMarketplace/publishers/read", + "Microsoft.Kubernetes/register/action", + "Microsoft.KubernetesConfiguration/register/action", + "Microsoft.KubernetesConfiguration/extensions/write", + "Microsoft.KubernetesConfiguration/extensions/read", + "Microsoft.KubernetesConfiguration/extensions/delete", + "Microsoft.KubernetesConfiguration/extensions/operations/read", + "Microsoft.KubernetesConfiguration/namespaces/read", + "Microsoft.KubernetesConfiguration/operations/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.AzureStackHCI/StorageContainers/Write", + "Microsoft.AzureStackHCI/StorageContainers/Read", + "Microsoft.HybridContainerService/register/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [], + "conditionVersion": "2.0", + "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR 
(@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6}))" + } + ], + "roleName": "Azure Stack HCI Administrator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Stack HCI Device Management Role ++Microsoft.AzureStackHCI Device Management Role ++[Learn more](/azure-stack/hci/deploy/deployment-azure-resource-manager-template) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/Clusters/* | | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/EdgeDevices/* | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Microsoft.AzureStackHCI Device Management Role", + "id": "/providers/Microsoft.Authorization/roleDefinitions/865ae368-6a45-4bd1-8fbf-0d5151f56fc1", + "name": "865ae368-6a45-4bd1-8fbf-0d5151f56fc1", + "permissions": [ + { + "actions": [ + "Microsoft.AzureStackHCI/Clusters/*", + "Microsoft.AzureStackHCI/EdgeDevices/*", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Stack HCI Device Management Role", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Stack HCI VM Contributor ++Grants permissions to perform all VM actions ++[Learn more](/azure-stack/hci/manage/assign-vm-rbac-roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/VirtualMachines/* | | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/virtualMachineInstances/* | | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/NetworkInterfaces/* | | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/VirtualHardDisks/* | | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/VirtualNetworks/Read | Gets/Lists virtual networks resource | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/VirtualNetworks/join/action | Joins virtual networks resource | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/LogicalNetworks/Read | Gets/Lists logical networks resource | +> | 
[Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/LogicalNetworks/join/action | Joins logical networks resource | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/GalleryImages/Read | Gets/Lists gallery images resource | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/GalleryImages/deploy/action | Deploys gallery images resource | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/StorageContainers/Read | Gets/Lists storage containers resource | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/StorageContainers/deploy/action | Deploys storage containers resource | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/MarketplaceGalleryImages/Read | Gets/Lists market place gallery images resource | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/MarketPlaceGalleryImages/deploy/action | Deploys market place gallery images resource | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/Clusters/Read | Gets clusters | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/Clusters/ArcSettings/Read | Gets arc resource of HCI cluster | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Write | Create or update a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Delete | Delete a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Read | Read a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Activated/Action | Classic metric alert activated | +> | 
[Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Resolved/Action | Classic metric alert resolved | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Throttled/Action | Classic metric alert rule throttled | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Incidents/Read | Read a classic metric alert incident | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/read | Gets or lists deployments. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/write | Creates or updates an deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/delete | Deletes a deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/cancel/action | Cancels a deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/validate/action | Validates an deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/whatIf/action | Predicts template deployment changes. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/exportTemplate/action | Export template for a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operationstatuses/read | Gets or lists deployment operation statuses. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/read | Gets or lists deployments. 
| +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/write | Creates or updates an deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/operations/read | Gets or lists deployment operations. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/operationstatuses/read | Gets or lists deployment operation statuses. | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. 
| +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/read | Read any Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/write | Writes an Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/delete | Deletes an Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/UpgradeExtensions/action | Upgrades Extensions on Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/assessPatches/action | Assesses any Azure Arc machines to get missing software patches | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/installPatches/action | Installs patches on any Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/extensions/read | Reads any Azure Arc extensions | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/extensions/write | Installs or Updates an Azure Arc extensions | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/extensions/delete | Deletes an Azure Arc extensions | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/operations/read | Read all Operations for Azure Arc for Servers | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/locations/operationresults/read | Reads the status of an operation on Microsoft.HybridCompute Resource Provider | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/locations/operationstatus/read | Reads the status of an operation on Microsoft.HybridCompute Resource Provider | +> | 
[Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/patchAssessmentResults/read | Reads any Azure Arc patchAssessmentResults | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/patchAssessmentResults/softwarePatches/read | Reads any Azure Arc patchAssessmentResults/softwarePatches | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/patchInstallationResults/read | Reads any Azure Arc patchInstallationResults | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/patchInstallationResults/softwarePatches/read | Reads any Azure Arc patchInstallationResults/softwarePatches | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/locations/updateCenterOperationResults/read | Reads the status of an update center operation on machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/hybridIdentityMetadata/read | Read any Azure Arc machines's Hybrid Identity Metadata | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/osType/agentVersions/read | Read all Azure Connected Machine Agent versions available | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/osType/agentVersions/latest/read | Read the latest Azure Connected Machine Agent version | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/runcommands/read | Reads any Azure Arc runcommands | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/runcommands/write | Installs or Updates an Azure Arc runcommands | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/runcommands/delete | Deletes an Azure Arc runcommands | +> | 
[Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/licenseProfiles/read | Reads any Azure Arc licenseProfiles | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/licenseProfiles/write | Installs or Updates an Azure Arc licenseProfiles | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/licenseProfiles/delete | Deletes an Azure Arc licenseProfiles | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/licenses/read | Reads any Azure Arc licenses | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/licenses/write | Installs or Updates an Azure Arc licenses | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/licenses/delete | Deletes an Azure Arc licenses | +> | Microsoft.ExtendedLocation/customLocations/Read | Gets an Custom Location resource | +> | Microsoft.ExtendedLocation/customLocations/deploy/action | Deploy permissions to a Custom Location resource | +> | [Microsoft.KubernetesConfiguration](../permissions/containers.md#microsoftkubernetesconfiguration)/extensions/read | Gets extension instance resource. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Grants permissions to perform all VM actions", + "id": "/providers/Microsoft.Authorization/roleDefinitions/874d1c73-6003-4e60-a13a-cb31ea190a85", + "name": "874d1c73-6003-4e60-a13a-cb31ea190a85", + "permissions": [ + { + "actions": [ + "Microsoft.AzureStackHCI/VirtualMachines/*", + "Microsoft.AzureStackHCI/virtualMachineInstances/*", + "Microsoft.AzureStackHCI/NetworkInterfaces/*", + "Microsoft.AzureStackHCI/VirtualHardDisks/*", + "Microsoft.AzureStackHCI/VirtualNetworks/Read", + "Microsoft.AzureStackHCI/VirtualNetworks/join/action", + "Microsoft.AzureStackHCI/LogicalNetworks/Read", + "Microsoft.AzureStackHCI/LogicalNetworks/join/action", + "Microsoft.AzureStackHCI/GalleryImages/Read", + "Microsoft.AzureStackHCI/GalleryImages/deploy/action", + "Microsoft.AzureStackHCI/StorageContainers/Read", + "Microsoft.AzureStackHCI/StorageContainers/deploy/action", + "Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read", + "Microsoft.AzureStackHCI/MarketPlaceGalleryImages/deploy/action", + "Microsoft.AzureStackHCI/Clusters/Read", + "Microsoft.AzureStackHCI/Clusters/ArcSettings/Read", + "Microsoft.Insights/AlertRules/Write", + "Microsoft.Insights/AlertRules/Delete", + "Microsoft.Insights/AlertRules/Read", + "Microsoft.Insights/AlertRules/Activated/Action", + "Microsoft.Insights/AlertRules/Resolved/Action", + "Microsoft.Insights/AlertRules/Throttled/Action", + "Microsoft.Insights/AlertRules/Incidents/Read", + "Microsoft.Resources/deployments/read", + "Microsoft.Resources/deployments/write", + "Microsoft.Resources/deployments/delete", + "Microsoft.Resources/deployments/cancel/action", + "Microsoft.Resources/deployments/validate/action", + "Microsoft.Resources/deployments/whatIf/action", + "Microsoft.Resources/deployments/exportTemplate/action", + 
"Microsoft.Resources/deployments/operations/read", + "Microsoft.Resources/deployments/operationstatuses/read", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/read", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/write", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Authorization/*/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.HybridCompute/machines/read", + "Microsoft.HybridCompute/machines/write", + "Microsoft.HybridCompute/machines/delete", + "Microsoft.HybridCompute/machines/UpgradeExtensions/action", + "Microsoft.HybridCompute/machines/assessPatches/action", + "Microsoft.HybridCompute/machines/installPatches/action", + "Microsoft.HybridCompute/machines/extensions/read", + "Microsoft.HybridCompute/machines/extensions/write", + "Microsoft.HybridCompute/machines/extensions/delete", + "Microsoft.HybridCompute/operations/read", + "Microsoft.HybridCompute/locations/operationresults/read", + "Microsoft.HybridCompute/locations/operationstatus/read", + "Microsoft.HybridCompute/machines/patchAssessmentResults/read", + "Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read", + "Microsoft.HybridCompute/machines/patchInstallationResults/read", + "Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read", + "Microsoft.HybridCompute/locations/updateCenterOperationResults/read", + "Microsoft.HybridCompute/machines/hybridIdentityMetadata/read", + "Microsoft.HybridCompute/osType/agentVersions/read", + "Microsoft.HybridCompute/osType/agentVersions/latest/read", + "Microsoft.HybridCompute/machines/runcommands/read", + "Microsoft.HybridCompute/machines/runcommands/write", + 
"Microsoft.HybridCompute/machines/runcommands/delete", + "Microsoft.HybridCompute/machines/licenseProfiles/read", + "Microsoft.HybridCompute/machines/licenseProfiles/write", + "Microsoft.HybridCompute/machines/licenseProfiles/delete", + "Microsoft.HybridCompute/licenses/read", + "Microsoft.HybridCompute/licenses/write", + "Microsoft.HybridCompute/licenses/delete", + "Microsoft.ExtendedLocation/customLocations/Read", + "Microsoft.ExtendedLocation/customLocations/deploy/action", + "Microsoft.KubernetesConfiguration/extensions/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Stack HCI VM Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Stack HCI VM Reader ++Grants permissions to view VMs ++[Learn more](/azure-stack/hci/manage/assign-vm-rbac-roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/VirtualMachines/Read | Gets/Lists virtual machine resource | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/virtualMachineInstances/Read | Gets/Lists virtual machine instance resource | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/VirtualMachines/Extensions/Read | Gets/Lists virtual machine extensions resource | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/VirtualNetworks/Read | Gets/Lists virtual networks resource | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/LogicalNetworks/Read | Gets/Lists logical networks resource | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/NetworkInterfaces/Read | Gets/Lists network interfaces resource | +> | 
[Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/VirtualHardDisks/Read | Gets/Lists virtual hard disk resource | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/StorageContainers/Read | Gets/Lists storage containers resource | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/GalleryImages/Read | Gets/Lists gallery images resource | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/MarketplaceGalleryImages/Read | Gets/Lists market place gallery images resource | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Write | Create or update a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Delete | Delete a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Read | Read a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Activated/Action | Classic metric alert activated | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Resolved/Action | Classic metric alert resolved | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Throttled/Action | Classic metric alert rule throttled | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Incidents/Read | Read a classic metric alert incident | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/read | Gets or lists deployments. 
| +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/exportTemplate/action | Export template for a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operationstatuses/read | Gets or lists deployment operation statuses. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/read | Gets or lists deployments. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/operations/read | Gets or lists deployment operations. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourcegroups/deployments/operationstatuses/read | Gets or lists deployment operation statuses. | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Grants permissions to view VMs", + "id": "/providers/Microsoft.Authorization/roleDefinitions/4b3fe76c-f777-4d24-a2d7-b027b0f7b273", + "name": "4b3fe76c-f777-4d24-a2d7-b027b0f7b273", + "permissions": [ + { + "actions": [ + "Microsoft.AzureStackHCI/VirtualMachines/Read", + "Microsoft.AzureStackHCI/virtualMachineInstances/Read", + "Microsoft.AzureStackHCI/VirtualMachines/Extensions/Read", + "Microsoft.AzureStackHCI/VirtualNetworks/Read", + "Microsoft.AzureStackHCI/LogicalNetworks/Read", + "Microsoft.AzureStackHCI/NetworkInterfaces/Read", + "Microsoft.AzureStackHCI/VirtualHardDisks/Read", + "Microsoft.AzureStackHCI/StorageContainers/Read", + "Microsoft.AzureStackHCI/GalleryImages/Read", + "Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read", + "Microsoft.Insights/AlertRules/Write", + "Microsoft.Insights/AlertRules/Delete", + "Microsoft.Insights/AlertRules/Read", + "Microsoft.Insights/AlertRules/Activated/Action", + "Microsoft.Insights/AlertRules/Resolved/Action", + "Microsoft.Insights/AlertRules/Throttled/Action", + "Microsoft.Insights/AlertRules/Incidents/Read", + "Microsoft.Resources/deployments/read", + "Microsoft.Resources/deployments/exportTemplate/action", + "Microsoft.Resources/deployments/operations/read", + "Microsoft.Resources/deployments/operationstatuses/read", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/read", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read", + "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Authorization/*/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/subscriptions/operationresults/read" + ], + 
"notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Stack HCI VM Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Stack Registration Owner ++Lets you manage Azure Stack registrations. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.AzureStack](../permissions/hybrid-multicloud.md#microsoftazurestack)/edgeSubscriptions/read | | +> | [Microsoft.AzureStack](../permissions/hybrid-multicloud.md#microsoftazurestack)/registrations/products/*/action | | +> | [Microsoft.AzureStack](../permissions/hybrid-multicloud.md#microsoftazurestack)/registrations/products/read | Gets the properties of an Azure Stack Marketplace product | +> | [Microsoft.AzureStack](../permissions/hybrid-multicloud.md#microsoftazurestack)/registrations/read | Gets the properties of an Azure Stack registration | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage Azure Stack registrations.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a", + "name": "6f12a6df-dd06-4f3e-bcb1-ce8be600526a", + "permissions": [ + { + "actions": [ + "Microsoft.AzureStack/edgeSubscriptions/read", + "Microsoft.AzureStack/registrations/products/*/action", + "Microsoft.AzureStack/registrations/products/read", + "Microsoft.AzureStack/registrations/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Stack Registration Owner", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Next steps ++- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal) |
role-based-access-control | Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/identity.md | + + Title: Azure built-in roles for Identity - Azure RBAC +description: This article lists the Azure built-in roles for Azure role-based access control (Azure RBAC) in the Identity category. It lists Actions, NotActions, DataActions, and NotDataActions. ++++++ Last updated : 02/07/2024++++# Azure built-in roles for Identity ++This article lists the Azure built-in roles in the Identity category. +++## Domain Services Contributor ++Can manage Azure AD Domain Services and related network configurations ++[Learn more](/entra/identity/domain-services/tutorial-create-instance) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/read | Gets or lists deployments. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/write | Creates or updates an deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/delete | Deletes a deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/cancel/action | Cancels a deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/validate/action | Validates an deployment. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/whatIf/action | Predicts template deployment changes. 
| +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/exportTemplate/action | Export template for a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operationstatuses/read | Gets or lists deployment operation statuses. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Write | Create or update a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Delete | Delete a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Read | Read a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Activated/Action | Classic metric alert activated | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Resolved/Action | Classic metric alert resolved | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Throttled/Action | Classic metric alert rule throttled | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Incidents/Read | Read a classic metric alert incident | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/Logs/Read | Reading data from all your logs | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/Metrics/Read | Read metrics | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/DiagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server | +> | 
[Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/DiagnosticSettingsCategories/Read | Read diagnostic settings categories | +> | [Microsoft.AAD](../permissions/identity.md#microsoftaad)/register/action | Register Domain Service | +> | [Microsoft.AAD](../permissions/identity.md#microsoftaad)/unregister/action | Unregister Domain Service | +> | [Microsoft.AAD](../permissions/identity.md#microsoftaad)/domainServices/* | | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/register/action | Registers the subscription | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/unregister/action | Unregisters the subscription | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/write | Creates a virtual network or updates an existing virtual network | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/delete | Deletes a virtual network | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/peer/action | Peers a virtual network with another virtual network | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/join/action | Joins a virtual network. Not Alertable. 
| +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/read | Gets a virtual network subnet definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/delete | Deletes a virtual network subnet | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/virtualNetworkPeerings/read | Gets a virtual network peering definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/virtualNetworkPeerings/write | Creates a virtual network peering or updates an existing virtual network peering | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/virtualNetworkPeerings/delete | Deletes a virtual network peering | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostic settings of Virtual Network | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read | Gets available metrics for the PingMesh | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/azureFirewalls/read | Get Azure Firewall | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/ddosProtectionPlans/read | Gets a DDoS Protection Plan | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/ddosProtectionPlans/join/action | Joins a DDoS Protection Plan. Not alertable. 
| +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/read | Gets a load balancer definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/delete | Deletes a load balancer | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/*/read | | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/backendAddressPools/join/action | Joins a load balancer backend address pool. Not Alertable. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/inboundNatRules/join/action | Joins a load balancer inbound nat rule. Not Alertable. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/natGateways/join/action | Joins a NAT Gateway | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/read | Gets a network interface definition. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/write | Creates a network interface or updates an existing network interface. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/delete | Deletes a network interface | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/join/action | Joins a Virtual Machine to a network interface. Not Alertable. 
| +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/defaultSecurityRules/read | Gets a default security rule definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/read | Gets a network security group definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/write | Creates a network security group or updates an existing network security group | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/delete | Deletes a network security group | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/securityRules/read | Gets a security rule definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/securityRules/write | Creates a security rule or updates an existing security rule | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/securityRules/delete | Deletes a security rule | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/routeTables/read | Gets a route table definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/routeTables/write | Creates a route table or Updates an existing route table | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/routeTables/delete | Deletes a route table definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/routeTables/join/action | Joins a route table. Not Alertable. 
| +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/routeTables/routes/read | Gets a route definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/routeTables/routes/write | Creates a route or Updates an existing route | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/routeTables/routes/delete | Deletes a route definition | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can manage Azure AD Domain Services and related network configurations", + "id": "/providers/Microsoft.Authorization/roleDefinitions/eeaeda52-9324-47f6-8069-5d5bade478b2", + "name": "eeaeda52-9324-47f6-8069-5d5bade478b2", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Resources/deployments/read", + "Microsoft.Resources/deployments/write", + "Microsoft.Resources/deployments/delete", + "Microsoft.Resources/deployments/cancel/action", + "Microsoft.Resources/deployments/validate/action", + "Microsoft.Resources/deployments/whatIf/action", + "Microsoft.Resources/deployments/exportTemplate/action", + "Microsoft.Resources/deployments/operations/read", + "Microsoft.Resources/deployments/operationstatuses/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Insights/AlertRules/Write", + "Microsoft.Insights/AlertRules/Delete", + "Microsoft.Insights/AlertRules/Read", + "Microsoft.Insights/AlertRules/Activated/Action", + "Microsoft.Insights/AlertRules/Resolved/Action", + "Microsoft.Insights/AlertRules/Throttled/Action", + "Microsoft.Insights/AlertRules/Incidents/Read", + "Microsoft.Insights/Logs/Read", + "Microsoft.Insights/Metrics/Read", + "Microsoft.Insights/DiagnosticSettings/*", + "Microsoft.Insights/DiagnosticSettingsCategories/Read", + "Microsoft.AAD/register/action", + "Microsoft.AAD/unregister/action", + 
"Microsoft.AAD/domainServices/*", + "Microsoft.Network/register/action", + "Microsoft.Network/unregister/action", + "Microsoft.Network/virtualNetworks/read", + "Microsoft.Network/virtualNetworks/write", + "Microsoft.Network/virtualNetworks/delete", + "Microsoft.Network/virtualNetworks/peer/action", + "Microsoft.Network/virtualNetworks/join/action", + "Microsoft.Network/virtualNetworks/subnets/read", + "Microsoft.Network/virtualNetworks/subnets/write", + "Microsoft.Network/virtualNetworks/subnets/delete", + "Microsoft.Network/virtualNetworks/subnets/join/action", + "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read", + "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write", + "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete", + "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read", + "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read", + "Microsoft.Network/azureFirewalls/read", + "Microsoft.Network/ddosProtectionPlans/read", + "Microsoft.Network/ddosProtectionPlans/join/action", + "Microsoft.Network/loadBalancers/read", + "Microsoft.Network/loadBalancers/delete", + "Microsoft.Network/loadBalancers/*/read", + "Microsoft.Network/loadBalancers/backendAddressPools/join/action", + "Microsoft.Network/loadBalancers/inboundNatRules/join/action", + "Microsoft.Network/natGateways/join/action", + "Microsoft.Network/networkInterfaces/read", + "Microsoft.Network/networkInterfaces/write", + "Microsoft.Network/networkInterfaces/delete", + "Microsoft.Network/networkInterfaces/join/action", + "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read", + "Microsoft.Network/networkSecurityGroups/read", + "Microsoft.Network/networkSecurityGroups/write", + "Microsoft.Network/networkSecurityGroups/delete", + "Microsoft.Network/networkSecurityGroups/join/action", + "Microsoft.Network/networkSecurityGroups/securityRules/read", + 
"Microsoft.Network/networkSecurityGroups/securityRules/write", + "Microsoft.Network/networkSecurityGroups/securityRules/delete", + "Microsoft.Network/routeTables/read", + "Microsoft.Network/routeTables/write", + "Microsoft.Network/routeTables/delete", + "Microsoft.Network/routeTables/join/action", + "Microsoft.Network/routeTables/routes/read", + "Microsoft.Network/routeTables/routes/write", + "Microsoft.Network/routeTables/routes/delete" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Domain Services Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Domain Services Reader ++Can view Azure AD Domain Services and related network configurations ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/read | Gets or lists deployments. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operationstatuses/read | Gets or lists deployment operation statuses. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Read | Read a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/Incidents/Read | Read a classic metric alert incident | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/Logs/Read | Reading data from all your logs | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/Metrics/read | Read metrics | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/DiagnosticSettings/read | Read a resource diagnostic setting | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/DiagnosticSettingsCategories/Read | Read diagnostic settings categories | +> | [Microsoft.AAD](../permissions/identity.md#microsoftaad)/domainServices/*/read | | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/read | Gets a virtual network subnet definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/virtualNetworkPeerings/read | Gets a virtual network peering definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostic settings of Virtual Network | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read | Gets available metrics for the PingMesh | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/azureFirewalls/read | Get Azure Firewall | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/ddosProtectionPlans/read | Gets a DDoS Protection Plan | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/read | 
Gets a load balancer definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/*/read | | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/natGateways/read | Gets a Nat Gateway Definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/read | Gets a network interface definition. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/defaultSecurityRules/read | Gets a default security rule definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/read | Gets a network security group definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/securityRules/read | Gets a security rule definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/routeTables/read | Gets a route table definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/routeTables/routes/read | Gets a route definition | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can view Azure AD Domain Services and related network configurations", + "id": "/providers/Microsoft.Authorization/roleDefinitions/361898ef-9ed1-48c2-849c-a832951106bb", + "name": "361898ef-9ed1-48c2-849c-a832951106bb", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Resources/deployments/read", + "Microsoft.Resources/deployments/operations/read", + "Microsoft.Resources/deployments/operationstatuses/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Insights/AlertRules/Read", + "Microsoft.Insights/AlertRules/Incidents/Read", + "Microsoft.Insights/Logs/Read", + "Microsoft.Insights/Metrics/read", + 
"Microsoft.Insights/DiagnosticSettings/read", + "Microsoft.Insights/DiagnosticSettingsCategories/Read", + "Microsoft.AAD/domainServices/*/read", + "Microsoft.Network/virtualNetworks/read", + "Microsoft.Network/virtualNetworks/subnets/read", + "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read", + "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read", + "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read", + "Microsoft.Network/azureFirewalls/read", + "Microsoft.Network/ddosProtectionPlans/read", + "Microsoft.Network/loadBalancers/read", + "Microsoft.Network/loadBalancers/*/read", + "Microsoft.Network/natGateways/read", + "Microsoft.Network/networkInterfaces/read", + "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read", + "Microsoft.Network/networkSecurityGroups/read", + "Microsoft.Network/networkSecurityGroups/securityRules/read", + "Microsoft.Network/routeTables/read", + "Microsoft.Network/routeTables/routes/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Domain Services Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Managed Identity Contributor ++Create, Read, Update, and Delete User Assigned Identity ++[Learn more](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ManagedIdentity](../permissions/identity.md#microsoftmanagedidentity)/userAssignedIdentities/read | Gets an existing user assigned identity | +> | [Microsoft.ManagedIdentity](../permissions/identity.md#microsoftmanagedidentity)/userAssignedIdentities/write | Creates a new user assigned identity or updates the tags associated with an existing user assigned identity | +> | 
[Microsoft.ManagedIdentity](../permissions/identity.md#microsoftmanagedidentity)/userAssignedIdentities/delete | Deletes an existing user assigned identity | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Create, Read, Update, and Delete User Assigned Identity", + "id": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59", + "name": "e40ec5ca-96e0-45a2-b4ff-59039f2c2b59", + "permissions": [ + { + "actions": [ + "Microsoft.ManagedIdentity/userAssignedIdentities/read", + "Microsoft.ManagedIdentity/userAssignedIdentities/write", + "Microsoft.ManagedIdentity/userAssignedIdentities/delete", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Managed Identity Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Managed Identity Operator ++Read and Assign User Assigned Identity ++[Learn 
more](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ManagedIdentity](../permissions/identity.md#microsoftmanagedidentity)/userAssignedIdentities/*/read | | +> | [Microsoft.ManagedIdentity](../permissions/identity.md#microsoftmanagedidentity)/userAssignedIdentities/*/assign/action | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Read and Assign User Assigned Identity", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830", + "name": "f1a07417-d97a-45cb-824c-7a7467783830", + "permissions": [ + { + "actions": [ + "Microsoft.ManagedIdentity/userAssignedIdentities/*/read", + "Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Managed Identity Operator", + "roleType": "BuiltInRole", + 
"type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Next steps ++- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal) |
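Review bot: in the Managed Identity Operator table the Description cells for `Microsoft.ManagedIdentity/userAssignedIdentities/*/read` and `Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action` are empty, so the one-line role description "Read and Assign User Assigned Identity" is the only statement of what the assign action permits; the Managed Identity Contributor table directly above describes each of its read/write/delete rows, so suggest adding matching descriptions here (the same gap appears for `Microsoft.AAD/domainServices/*/read` and `Microsoft.Network/loadBalancers/*/read` in the Domain Services Reader table and for `Microsoft.Network/loadBalancers/*/read` in Domain Services Contributor). Readers comparing Operator with Contributor to pick the least-privileged assignment need that cell filled in rather than having to infer it from the action name.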
role-based-access-control | Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/integration.md | + + Title: Azure built-in roles for Integration - Azure RBAC +description: This article lists the Azure built-in roles for Azure role-based access control (Azure RBAC) in the Integration category. It lists Actions, NotActions, DataActions, and NotDataActions. ++++++ Last updated : 02/07/2024++++# Azure built-in roles for Integration ++This article lists the Azure built-in roles in the Integration category. +++## API Management Service Contributor ++Can manage service and the APIs ++[Learn more](/azure/api-management/api-management-role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/* | Create and manage API Management service | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can manage service and the APIs", + "id": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c", + "name": "312a565d-c81f-4fd8-895a-4e21e48d571c", + "permissions": [ + { + "actions": [ + "Microsoft.ApiManagement/service/*", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "API Management Service Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## API Management Service Operator Role ++Can manage service but not the APIs ++[Learn more](/azure/api-management/api-management-role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/*/read | Read API Management Service instances | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/backup/action | Backup API Management Service to the specified container in a user provided storage account | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/delete | Delete API Management Service instance | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/managedeployments/action | Change SKU/units, add/remove regional deployments of API Management Service | +> | 
[Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/read | Read metadata for an API Management Service instance | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/restore/action | Restore API Management Service from the specified container in a user provided storage account | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/updatecertificate/action | Upload TLS/SSL certificate for an API Management Service | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/updatehostname/action | Setup, update or remove custom domain names for an API Management Service | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/write | Create or Update API Management Service instance | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/users/keys/read | Get keys associated with user | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can manage service but not the APIs", + "id": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61", + "name": "e022efe7-f5ba-4159-bbe4-b44f577e9b61", + "permissions": [ + { + "actions": [ + "Microsoft.ApiManagement/service/*/read", + "Microsoft.ApiManagement/service/backup/action", + "Microsoft.ApiManagement/service/delete", + "Microsoft.ApiManagement/service/managedeployments/action", + "Microsoft.ApiManagement/service/read", + "Microsoft.ApiManagement/service/restore/action", + "Microsoft.ApiManagement/service/updatecertificate/action", + "Microsoft.ApiManagement/service/updatehostname/action", + "Microsoft.ApiManagement/service/write", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [ + "Microsoft.ApiManagement/service/users/keys/read" + ], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "API Management Service Operator Role", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## API Management Service Reader Role ++Read-only access to service and APIs ++[Learn more](/azure/api-management/api-management-role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/*/read | Read API Management Service 
instances | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/read | Read metadata for an API Management Service instance | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/users/keys/read | Get keys associated with user | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Read-only access to service and APIs", + "id": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d", + "name": "71522526-b88f-4d52-b57f-d31fc3546d0d", + "permissions": [ + { + "actions": [ + "Microsoft.ApiManagement/service/*/read", + "Microsoft.ApiManagement/service/read", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [ + "Microsoft.ApiManagement/service/users/keys/read" + ], + 
"dataActions": [], + "notDataActions": [] + } + ], + "roleName": "API Management Service Reader Role", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## API Management Service Workspace API Developer ++Has read access to tags and products and write access to allow: assigning APIs to products, assigning tags to products and APIs. This role should be assigned on the service scope. ++[Learn more](/azure/api-management/api-management-role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/tags/read | Lists a collection of tags defined within a service instance. or Gets the details of the tag specified by its identifier. | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/tags/apiLinks/* | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/tags/operationLinks/* | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/tags/productLinks/* | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/products/read | Lists a collection of products in the specified service instance. or Gets the details of the product specified by its identifier. 
| +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/products/apiLinks/* | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/read | Read metadata for an API Management Service instance | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Has read access to tags and products and write access to allow: assigning APIs to products, assigning tags to products and APIs. This role should be assigned on the service scope.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/9565a273-41b9-4368-97d2-aeb0c976a9b3", + "name": "9565a273-41b9-4368-97d2-aeb0c976a9b3", + "permissions": [ + { + "actions": [ + "Microsoft.ApiManagement/service/tags/read", + "Microsoft.ApiManagement/service/tags/apiLinks/*", + "Microsoft.ApiManagement/service/tags/operationLinks/*", + "Microsoft.ApiManagement/service/tags/productLinks/*", + "Microsoft.ApiManagement/service/products/read", + "Microsoft.ApiManagement/service/products/apiLinks/*", + "Microsoft.ApiManagement/service/read", + "Microsoft.Authorization/*/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "API Management Service Workspace API Developer", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## API Management Service Workspace API Product Manager ++Has the same access as API Management Service Workspace API Developer as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope. 
++[Learn more](/azure/api-management/api-management-role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/users/read | Lists a collection of registered users in the specified service instance. or Gets the details of the user specified by its identifier. | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/tags/read | Lists a collection of tags defined within a service instance. or Gets the details of the tag specified by its identifier. | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/tags/apiLinks/* | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/tags/operationLinks/* | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/tags/productLinks/* | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/products/read | Lists a collection of products in the specified service instance. or Gets the details of the product specified by its identifier. | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/products/apiLinks/* | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/groups/read | Lists a collection of groups defined within a service instance. or Gets the details of the group specified by its identifier. 
| +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/groups/users/* | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/read | Read metadata for an API Management Service instance | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Has the same access as API Management Service Workspace API Developer as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da", + "name": "d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da", + "permissions": [ + { + "actions": [ + "Microsoft.ApiManagement/service/users/read", + "Microsoft.ApiManagement/service/tags/read", + "Microsoft.ApiManagement/service/tags/apiLinks/*", + "Microsoft.ApiManagement/service/tags/operationLinks/*", + "Microsoft.ApiManagement/service/tags/productLinks/*", + "Microsoft.ApiManagement/service/products/read", + "Microsoft.ApiManagement/service/products/apiLinks/*", + "Microsoft.ApiManagement/service/groups/read", + "Microsoft.ApiManagement/service/groups/users/*", + "Microsoft.ApiManagement/service/read", + "Microsoft.Authorization/*/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "API Management Service Workspace API Product Manager", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## API Management Workspace API Developer ++Has read access to entities in the workspace and read and write access to entities for editing APIs. This role should be assigned on the workspace scope. 
++[Learn more](/azure/api-management/api-management-role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/workspaces/*/read | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/workspaces/apis/* | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/workspaces/apiVersionSets/* | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/workspaces/policies/* | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/workspaces/schemas/* | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/workspaces/products/* | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/workspaces/policyFragments/* | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/workspaces/namedValues/* | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/workspaces/tags/* | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Has read access to entities in the workspace and read and write access to entities for editing APIs. 
This role should be assigned on the workspace scope.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/56328988-075d-4c6a-8766-d93edd6725b6", + "name": "56328988-075d-4c6a-8766-d93edd6725b6", + "permissions": [ + { + "actions": [ + "Microsoft.ApiManagement/service/workspaces/*/read", + "Microsoft.ApiManagement/service/workspaces/apis/*", + "Microsoft.ApiManagement/service/workspaces/apiVersionSets/*", + "Microsoft.ApiManagement/service/workspaces/policies/*", + "Microsoft.ApiManagement/service/workspaces/schemas/*", + "Microsoft.ApiManagement/service/workspaces/products/*", + "Microsoft.ApiManagement/service/workspaces/policyFragments/*", + "Microsoft.ApiManagement/service/workspaces/namedValues/*", + "Microsoft.ApiManagement/service/workspaces/tags/*", + "Microsoft.Authorization/*/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "API Management Workspace API Developer", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## API Management Workspace API Product Manager ++Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope. 
++[Learn more](/azure/api-management/api-management-role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/workspaces/*/read | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/workspaces/products/* | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/workspaces/subscriptions/* | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/workspaces/groups/* | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/workspaces/tags/* | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/workspaces/notifications/* | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Has read access to entities in the workspace and read and write access to entities for publishing APIs. 
This role should be assigned on the workspace scope.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/73c2c328-d004-4c5e-938c-35c6f5679a1f", + "name": "73c2c328-d004-4c5e-938c-35c6f5679a1f", + "permissions": [ + { + "actions": [ + "Microsoft.ApiManagement/service/workspaces/*/read", + "Microsoft.ApiManagement/service/workspaces/products/*", + "Microsoft.ApiManagement/service/workspaces/subscriptions/*", + "Microsoft.ApiManagement/service/workspaces/groups/*", + "Microsoft.ApiManagement/service/workspaces/tags/*", + "Microsoft.ApiManagement/service/workspaces/notifications/*", + "Microsoft.Authorization/*/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "API Management Workspace API Product Manager", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## API Management Workspace Contributor ++Can manage the workspace and view, but not modify its members. This role should be assigned on the workspace scope. ++[Learn more](/azure/api-management/api-management-role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/workspaces/* | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can manage the workspace and view, but not modify its members. 
This role should be assigned on the workspace scope.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/0c34c906-8d99-4cb7-8bb7-33f5b0a1a799", + "name": "0c34c906-8d99-4cb7-8bb7-33f5b0a1a799", + "permissions": [ + { + "actions": [ + "Microsoft.ApiManagement/service/workspaces/*", + "Microsoft.Authorization/*/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "API Management Workspace Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## API Management Workspace Reader ++Has read-only access to entities in the workspace. This role should be assigned on the workspace scope. ++[Learn more](/azure/api-management/api-management-role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ApiManagement](../permissions/integration.md#microsoftapimanagement)/service/workspaces/*/read | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Has read-only access to entities in the workspace. This role should be assigned on the workspace scope.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2", + "name": "ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2", + "permissions": [ + { + "actions": [ + "Microsoft.ApiManagement/service/workspaces/*/read", + "Microsoft.Authorization/*/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "API Management Workspace Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## App Configuration Data Owner ++Allows full access to App Configuration data. 
++[Learn more](/azure/azure-app-configuration/concept-enable-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.AppConfiguration](../permissions/integration.md#microsoftappconfiguration)/configurationStores/*/read | | +> | [Microsoft.AppConfiguration](../permissions/integration.md#microsoftappconfiguration)/configurationStores/*/write | | +> | [Microsoft.AppConfiguration](../permissions/integration.md#microsoftappconfiguration)/configurationStores/*/delete | | +> | [Microsoft.AppConfiguration](../permissions/integration.md#microsoftappconfiguration)/configurationStores/*/action | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows full access to App Configuration data.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b", + "name": "5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.AppConfiguration/configurationStores/*/read", + "Microsoft.AppConfiguration/configurationStores/*/write", + "Microsoft.AppConfiguration/configurationStores/*/delete", + "Microsoft.AppConfiguration/configurationStores/*/action" + ], + "notDataActions": [] + } + ], + "roleName": "App Configuration Data Owner", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## App Configuration Data Reader ++Allows read access to App Configuration data. 
++[Learn more](/azure/azure-app-configuration/concept-enable-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.AppConfiguration](../permissions/integration.md#microsoftappconfiguration)/configurationStores/*/read | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows read access to App Configuration data.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071", + "name": "516239f1-63e1-4d78-a4de-a74fb236a071", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.AppConfiguration/configurationStores/*/read" + ], + "notDataActions": [] + } + ], + "roleName": "App Configuration Data Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Relay Listener ++Allows for listen access to Azure Relay resources. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Relay](../permissions/integration.md#microsoftrelay)/*/wcfRelays/read | | +> | [Microsoft.Relay](../permissions/integration.md#microsoftrelay)/*/hybridConnections/read | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Relay](../permissions/integration.md#microsoftrelay)/*/listen/action | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for listen access to Azure Relay resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/26e0b698-aa6d-4085-9386-aadae190014d", + "name": "26e0b698-aa6d-4085-9386-aadae190014d", + "permissions": [ + { + "actions": [ + "Microsoft.Relay/*/wcfRelays/read", + "Microsoft.Relay/*/hybridConnections/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.Relay/*/listen/action" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Relay Listener", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Relay Owner ++Allows for full access to Azure Relay resources. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Relay](../permissions/integration.md#microsoftrelay)/* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Relay](../permissions/integration.md#microsoftrelay)/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for full access to Azure Relay resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/2787bf04-f1f5-4bfe-8383-c8a24483ee38", + "name": "2787bf04-f1f5-4bfe-8383-c8a24483ee38", + "permissions": [ + { + "actions": [ + "Microsoft.Relay/*" + ], + "notActions": [], + "dataActions": [ + "Microsoft.Relay/*" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Relay Owner", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Relay Sender ++Allows for send access to Azure Relay resources. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Relay](../permissions/integration.md#microsoftrelay)/*/wcfRelays/read | | +> | [Microsoft.Relay](../permissions/integration.md#microsoftrelay)/*/hybridConnections/read | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Relay](../permissions/integration.md#microsoftrelay)/*/send/action | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for send access to Azure Relay resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/26baccc8-eea7-41f1-98f4-1762cc7f685d", + "name": "26baccc8-eea7-41f1-98f4-1762cc7f685d", + "permissions": [ + { + "actions": [ + "Microsoft.Relay/*/wcfRelays/read", + "Microsoft.Relay/*/hybridConnections/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.Relay/*/send/action" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Relay Sender", + "roleType": "BuiltInRole", + "type": 
"Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Service Bus Data Owner ++Allows for full access to Azure Service Bus resources. ++[Learn more](/azure/service-bus-messaging/authenticate-application) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ServiceBus](../permissions/integration.md#microsoftservicebus)/* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.ServiceBus](../permissions/integration.md#microsoftservicebus)/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for full access to Azure Service Bus resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419", + "name": "090c5cfd-751d-490a-894a-3ce6f1109419", + "permissions": [ + { + "actions": [ + "Microsoft.ServiceBus/*" + ], + "notActions": [], + "dataActions": [ + "Microsoft.ServiceBus/*" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Service Bus Data Owner", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Service Bus Data Receiver ++Allows for receive access to Azure Service Bus resources. 
++[Learn more](/azure/service-bus-messaging/authenticate-application) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ServiceBus](../permissions/integration.md#microsoftservicebus)/*/queues/read | | +> | [Microsoft.ServiceBus](../permissions/integration.md#microsoftservicebus)/*/topics/read | | +> | [Microsoft.ServiceBus](../permissions/integration.md#microsoftservicebus)/*/topics/subscriptions/read | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.ServiceBus](../permissions/integration.md#microsoftservicebus)/*/receive/action | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for receive access to Azure Service Bus resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0", + "name": "4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0", + "permissions": [ + { + "actions": [ + "Microsoft.ServiceBus/*/queues/read", + "Microsoft.ServiceBus/*/topics/read", + "Microsoft.ServiceBus/*/topics/subscriptions/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.ServiceBus/*/receive/action" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Service Bus Data Receiver", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Service Bus Data Sender ++Allows for send access to Azure Service Bus resources. 
++[Learn more](/azure/service-bus-messaging/authenticate-application) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ServiceBus](../permissions/integration.md#microsoftservicebus)/*/queues/read | | +> | [Microsoft.ServiceBus](../permissions/integration.md#microsoftservicebus)/*/topics/read | | +> | [Microsoft.ServiceBus](../permissions/integration.md#microsoftservicebus)/*/topics/subscriptions/read | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.ServiceBus](../permissions/integration.md#microsoftservicebus)/*/send/action | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for send access to Azure Service Bus resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39", + "name": "69a216fc-b8fb-44d8-bc22-1f3c2cd27a39", + "permissions": [ + { + "actions": [ + "Microsoft.ServiceBus/*/queues/read", + "Microsoft.ServiceBus/*/topics/read", + "Microsoft.ServiceBus/*/topics/subscriptions/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.ServiceBus/*/send/action" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Service Bus Data Sender", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## BizTalk Contributor ++Lets you manage BizTalk services, but not access to them. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | Microsoft.BizTalkServices/BizTalk/* | Create and manage BizTalk services | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage BizTalk services, but not access to them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342", + "name": "5e3c6656-6cfa-4708-81fe-0de47ac73342", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.BizTalkServices/BizTalk/*", + "Microsoft.Insights/alertRules/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "BizTalk Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## EventGrid Contributor ++Lets you manage 
EventGrid operations. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/* | Create and manage Event Grid resources | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage EventGrid operations.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de", + "name": "1e241071-0855-49ea-94dc-649edcd759de", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.EventGrid/*", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "EventGrid Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## EventGrid Data Sender ++Allows send access to event grid events. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/topics/read | Read a topic | +> | [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/domains/read | Read a domain | +> | [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/partnerNamespaces/read | Read a partner namespace | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/namespaces/read | Read a namespace | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/events/send/action | Send events to topics | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows send access to event grid events.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/d5a91429-5739-47e2-a06b-3470a27159e7", + "name": "d5a91429-5739-47e2-a06b-3470a27159e7", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.EventGrid/topics/read", + "Microsoft.EventGrid/domains/read", + "Microsoft.EventGrid/partnerNamespaces/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.EventGrid/namespaces/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.EventGrid/events/send/action" + ], + "notDataActions": [] + } + ], + "roleName": "EventGrid Data Sender", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## EventGrid EventSubscription Contributor ++Lets you manage EventGrid event subscription operations. 
++[Learn more](/azure/event-grid/security-authorization) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/eventSubscriptions/* | Create and manage regional event subscriptions | +> | [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/topicTypes/eventSubscriptions/read | List global event subscriptions by topic type | +> | [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/locations/eventSubscriptions/read | List regional event subscriptions | +> | [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/locations/topicTypes/eventSubscriptions/read | List regional event subscriptions by topictype | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage EventGrid event subscription operations.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443", + "name": "428e0ff0-5e57-4d9c-a221-2c70d0e0a443", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.EventGrid/eventSubscriptions/*", + "Microsoft.EventGrid/topicTypes/eventSubscriptions/read", + "Microsoft.EventGrid/locations/eventSubscriptions/read", + "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "EventGrid EventSubscription Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## EventGrid EventSubscription Reader ++Lets you read EventGrid event subscriptions. 
++[Learn more](/azure/event-grid/security-authorization) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/eventSubscriptions/read | Read an eventSubscription | +> | [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/topicTypes/eventSubscriptions/read | List global event subscriptions by topic type | +> | [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/locations/eventSubscriptions/read | List regional event subscriptions | +> | [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/locations/topicTypes/eventSubscriptions/read | List regional event subscriptions by topictype | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you read EventGrid event subscriptions.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405", + "name": "2414bbcf-6497-4faf-8c65-045460748405", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.EventGrid/eventSubscriptions/read", + "Microsoft.EventGrid/topicTypes/eventSubscriptions/read", + "Microsoft.EventGrid/locations/eventSubscriptions/read", + "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "EventGrid EventSubscription Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## FHIR Data Contributor ++Role allows user or principal full access to FHIR Data ++[Learn more](/azure/healthcare-apis/azure-api-for-fhir/configure-azure-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/services/fhir/resources/* | | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/fhirservices/resources/* | | +> | **NotDataActions** | | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/services/fhir/resources/smart/action | Allows user to access FHIR Service according to SMART on FHIR specification. | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/fhirservices/resources/smart/action | Allows user to access FHIR Service according to SMART on FHIR specification. 
| ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Role allows user or principal full access to FHIR Data", + "id": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd", + "name": "5a1fc7df-4bf1-4951-a576-89034ee01acd", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.HealthcareApis/services/fhir/resources/*", + "Microsoft.HealthcareApis/workspaces/fhirservices/resources/*" + ], + "notDataActions": [ + "Microsoft.HealthcareApis/services/fhir/resources/smart/action", + "Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action" + ] + } + ], + "roleName": "FHIR Data Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## FHIR Data Exporter ++Role allows user or principal to read and export FHIR Data ++[Learn more](/azure/healthcare-apis/azure-api-for-fhir/configure-azure-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/services/fhir/resources/read | Read FHIR resources (includes searching and versioned history). | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/services/fhir/resources/export/action | Export operation ($export). | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/fhirservices/resources/read | Read FHIR resources (includes searching and versioned history). | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/fhirservices/resources/export/action | Export operation ($export). 
| +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Role allows user or principal to read and export FHIR Data", + "id": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843", + "name": "3db33094-8700-4567-8da5-1501d4e7e843", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.HealthcareApis/services/fhir/resources/read", + "Microsoft.HealthcareApis/services/fhir/resources/export/action", + "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read", + "Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action" + ], + "notDataActions": [] + } + ], + "roleName": "FHIR Data Exporter", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## FHIR Data Importer ++Role allows user or principal to read and import FHIR Data ++[Learn more](/azure/healthcare-apis/azure-api-for-fhir/configure-azure-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/fhirservices/resources/read | Read FHIR resources (includes searching and versioned history). | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/fhirservices/resources/import/action | Import FHIR resources in batch. 
| +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Role allows user or principal to read and import FHIR Data", + "id": "/providers/Microsoft.Authorization/roleDefinitions/4465e953-8ced-4406-a58e-0f6e3f3b530b", + "name": "4465e953-8ced-4406-a58e-0f6e3f3b530b", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read", + "Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action" + ], + "notDataActions": [] + } + ], + "roleName": "FHIR Data Importer", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## FHIR Data Reader ++Role allows user or principal to read FHIR Data ++[Learn more](/azure/healthcare-apis/azure-api-for-fhir/configure-azure-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/services/fhir/resources/read | Read FHIR resources (includes searching and versioned history). | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/fhirservices/resources/read | Read FHIR resources (includes searching and versioned history). 
| +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Role allows user or principal to read FHIR Data", + "id": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508", + "name": "4c8d0bbc-75d3-4935-991f-5f3c56d81508", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.HealthcareApis/services/fhir/resources/read", + "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read" + ], + "notDataActions": [] + } + ], + "roleName": "FHIR Data Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## FHIR Data Writer ++Role allows user or principal to read and write FHIR Data ++[Learn more](/azure/healthcare-apis/azure-api-for-fhir/configure-azure-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/services/fhir/resources/read | Read FHIR resources (includes searching and versioned history). | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/services/fhir/resources/write | Write FHIR resources (includes create and update). | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/services/fhir/resources/delete | Delete FHIR resources (soft delete). | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/services/fhir/resources/export/action | Export operation ($export). | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/services/fhir/resources/resourceValidate/action | Validate operation ($validate). 
| +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/services/fhir/resources/reindex/action | Allows user to run Reindex job to index any search parameters that haven't yet been indexed. | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/services/fhir/resources/convertData/action | Data convert operation ($convert-data) | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/services/fhir/resources/editProfileDefinitions/action | Allows user to perform Create Update Delete operations on profile resources. | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/services/fhir/resources/import/action | Import FHIR resources in batch. | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/fhirservices/resources/read | Read FHIR resources (includes searching and versioned history). | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/fhirservices/resources/write | Write FHIR resources (includes create and update). | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/fhirservices/resources/delete | Delete FHIR resources (soft delete). | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/fhirservices/resources/export/action | Export operation ($export). | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/fhirservices/resources/resourceValidate/action | Validate operation ($validate). | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/fhirservices/resources/reindex/action | Allows user to run Reindex job to index any search parameters that haven't yet been indexed. 
| +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/fhirservices/resources/convertData/action | Data convert operation ($convert-data) | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/fhirservices/resources/editProfileDefinitions/action | Allows user to perform Create Update Delete operations on profile resources. | +> | [Microsoft.HealthcareApis](../permissions/integration.md#microsofthealthcareapis)/workspaces/fhirservices/resources/import/action | Import FHIR resources in batch. | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Role allows user or principal to read and write FHIR Data", + "id": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913", + "name": "3f88fce4-5892-4214-ae73-ba5294559913", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.HealthcareApis/services/fhir/resources/read", + "Microsoft.HealthcareApis/services/fhir/resources/write", + "Microsoft.HealthcareApis/services/fhir/resources/delete", + "Microsoft.HealthcareApis/services/fhir/resources/export/action", + "Microsoft.HealthcareApis/services/fhir/resources/resourceValidate/action", + "Microsoft.HealthcareApis/services/fhir/resources/reindex/action", + "Microsoft.HealthcareApis/services/fhir/resources/convertData/action", + "Microsoft.HealthcareApis/services/fhir/resources/editProfileDefinitions/action", + "Microsoft.HealthcareApis/services/fhir/resources/import/action", + "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read", + "Microsoft.HealthcareApis/workspaces/fhirservices/resources/write", + "Microsoft.HealthcareApis/workspaces/fhirservices/resources/delete", + "Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action", + "Microsoft.HealthcareApis/workspaces/fhirservices/resources/resourceValidate/action", + 
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/reindex/action", + "Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action", + "Microsoft.HealthcareApis/workspaces/fhirservices/resources/editProfileDefinitions/action", + "Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action" + ], + "notDataActions": [] + } + ], + "roleName": "FHIR Data Writer", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Integration Service Environment Contributor ++Lets you manage integration service environments, but not access to them. ++[Learn more](/azure/logic-apps/add-artifacts-integration-service-environment-ise) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Logic](../permissions/integration.md#microsoftlogic)/integrationServiceEnvironments/* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage integration service environments, but not access to them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8", + "name": "a41e2c5b-bd99-4a07-88f4-9bf657a760b8", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Support/*", + "Microsoft.Logic/integrationServiceEnvironments/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Integration Service Environment Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Integration Service Environment Developer ++Allows developers to 
create and update workflows, integration accounts and API connections in integration service environments. ++[Learn more](/azure/logic-apps/add-artifacts-integration-service-environment-ise) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Logic](../permissions/integration.md#microsoftlogic)/integrationServiceEnvironments/read | Reads the integration service environment. | +> | [Microsoft.Logic](../permissions/integration.md#microsoftlogic)/integrationServiceEnvironments/*/join/action | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows developers to create and update workflows, integration accounts and API connections in integration service environments.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec", + "name": "c7aa55d3-1abb-444a-a5ca-5e51e485d6ec", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Support/*", + "Microsoft.Logic/integrationServiceEnvironments/read", + "Microsoft.Logic/integrationServiceEnvironments/*/join/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Integration Service Environment Developer", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Intelligent Systems Account Contributor ++Lets you manage Intelligent Systems accounts, but not access to them. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | Microsoft.IntelligentSystems/accounts/* | Create and manage intelligent systems accounts | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage Intelligent Systems accounts, but not access to them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e", + "name": "03a6d094-3444-4b3d-88af-7477090a9e5e", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.IntelligentSystems/accounts/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Intelligent Systems Account Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} 
+``` ++## Logic App Contributor ++Lets you manage logic apps, but not change access to them. ++[Learn more](/azure/logic-apps/logic-apps-securing-a-logic-app) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.ClassicStorage](../permissions/storage.md#microsoftclassicstorage)/storageAccounts/listKeys/action | Lists the access keys for the storage accounts. | +> | [Microsoft.ClassicStorage](../permissions/storage.md#microsoftclassicstorage)/storageAccounts/read | Return the storage account with the given account. | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metricAlerts/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/logdefinitions/* | This permission is necessary for users who need access to Activity Logs via the portal. List log categories in Activity Log. | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metricDefinitions/* | Read metric definitions (list of available metric types for a resource). | +> | [Microsoft.Logic](../permissions/integration.md#microsoftlogic)/* | Manages Logic Apps resources. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. 
| +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/listkeys/action | Returns the access keys for the specified storage account. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/connectionGateways/* | Create and manages a Connection Gateway. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/connections/* | Create and manages a Connection. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/customApis/* | Creates and manages a Custom API. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/serverFarms/join/action | Joins an App Service Plan | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/serverFarms/read | Get the properties on an App Service Plan | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/functions/listSecrets/action | List Function secrets. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage logic app, but not access to them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e", + "name": "87a39d53-fc1b-424a-814c-f7e04687dc9e", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.ClassicStorage/storageAccounts/listKeys/action", + "Microsoft.ClassicStorage/storageAccounts/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Insights/metricAlerts/*", + "Microsoft.Insights/diagnosticSettings/*", + "Microsoft.Insights/logdefinitions/*", + "Microsoft.Insights/metricDefinitions/*", + "Microsoft.Logic/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Storage/storageAccounts/listkeys/action", + "Microsoft.Storage/storageAccounts/read", + "Microsoft.Support/*", + "Microsoft.Web/connectionGateways/*", + "Microsoft.Web/connections/*", + "Microsoft.Web/customApis/*", + "Microsoft.Web/serverFarms/join/action", + "Microsoft.Web/serverFarms/read", + "Microsoft.Web/sites/functions/listSecrets/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Logic App Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Logic App Operator ++Lets you read, enable, and disable logic apps, but not edit or update them. 
++[Learn more](/azure/logic-apps/logic-apps-securing-a-logic-app#access-to-logic-app-operations) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/*/read | Read Insights alert rules | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metricAlerts/*/read | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/diagnosticSettings/*/read | Gets diagnostic settings for Logic Apps | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metricDefinitions/*/read | Gets the available metrics for Logic Apps. | +> | [Microsoft.Logic](../permissions/integration.md#microsoftlogic)/*/read | Reads Logic Apps resources. | +> | [Microsoft.Logic](../permissions/integration.md#microsoftlogic)/workflows/disable/action | Disables the workflow. | +> | [Microsoft.Logic](../permissions/integration.md#microsoftlogic)/workflows/enable/action | Enables the workflow. | +> | [Microsoft.Logic](../permissions/integration.md#microsoftlogic)/workflows/validate/action | Validates the workflow. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/connectionGateways/*/read | Read Connection Gateways. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/connections/*/read | Read Connections. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/customApis/*/read | Read Custom API. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/serverFarms/read | Get the properties on an App Service Plan | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you read, enable and disable logic app.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", + "name": "515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*/read", + "Microsoft.Insights/metricAlerts/*/read", + "Microsoft.Insights/diagnosticSettings/*/read", + "Microsoft.Insights/metricDefinitions/*/read", + "Microsoft.Logic/*/read", + "Microsoft.Logic/workflows/disable/action", + "Microsoft.Logic/workflows/enable/action", + "Microsoft.Logic/workflows/validate/action", + "Microsoft.Resources/deployments/operations/read", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.Web/connectionGateways/*/read", + "Microsoft.Web/connections/*/read", + "Microsoft.Web/customApis/*/read", + "Microsoft.Web/serverFarms/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Logic App Operator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Logic Apps Standard Contributor (Preview) 
++You can manage all aspects of a Standard logic app and workflows. You can't change access or ownership. ++[Learn more](/azure/logic-apps/logic-apps-securing-a-logic-app#access-to-logic-app-operations) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/certificates/* | Create and manage a certificate. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/connectionGateways/* | Create and manages a Connection Gateway. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/connections/* | Create and manages a Connection. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/customApis/* | Creates and manages a Custom API. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/listSitesAssignedToHostName/read | Get names of sites assigned to hostname. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/serverFarms/* | Create and manage an App Service Plan. 
| +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/* | Create and manage a web app. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "You can manage all aspects of a Standard logic app and workflows. You can't change access or ownership.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/ad710c24-b039-4e85-a019-deb4a06e8570", + "name": "ad710c24-b039-4e85-a019-deb4a06e8570", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/operations/read", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.Web/certificates/*", + "Microsoft.Web/connectionGateways/*", + "Microsoft.Web/connections/*", + "Microsoft.Web/customApis/*", + "Microsoft.Web/listSitesAssignedToHostName/read", + "Microsoft.Web/serverFarms/*", + "Microsoft.Web/sites/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Logic Apps Standard Contributor (Preview)", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Logic Apps Standard Developer (Preview) ++You can create and edit workflows, connections, and settings for a Standard logic app. You can't make changes outside the workflow scope. 
++[Learn more](/azure/logic-apps/logic-apps-securing-a-logic-app#access-to-logic-app-operations) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/connectionGateways/*/read | Read Connection Gateways. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/connections/* | Create and manages a Connection. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/customApis/* | Creates and manages a Custom API. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/serverFarms/read | Get the properties on an App Service Plan | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/config/appsettings/read | Get Web App settings. 
| +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/config/list/Action | List Web App's security sensitive settings, such as publishing credentials, app settings and connection strings | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/config/Read | Get Web App configuration settings | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/config/Write | Update Web App's configuration settings | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/config/web/appsettings/delete | Delete Web Apps App Setting | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/config/web/appsettings/read | Get Web App Single App setting. | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/config/web/appsettings/write | Create or Update Web App Single App setting | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/deployWorkflowArtifacts/action | Create the artifacts in a Logic App. | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/hostruntime/* | Get or list hostruntime artifacts for the web app or function app. | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/listworkflowsconnections/action | List logic app's connections by its ID in a Logic App. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/publish/Action | Publish a Web App | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/Read | Get the properties of a Web App | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/slots/config/appsettings/read | Get Web App Slot's single App setting. 
| +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/slots/config/appsettings/write | Create or Update Web App Slot's Single App setting | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/slots/config/list/Action | List Web App Slot's security sensitive settings, such as publishing credentials, app settings and connection strings | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/slots/config/Read | Get Web App Slot's configuration settings | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/slots/config/web/appsettings/delete | Delete Web App Slot's App Setting | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/slots/deployWorkflowArtifacts/action | Create the artifacts in a deployment slot in a Logic App. | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/slots/listworkflowsconnections/action | List logic app's connections by its ID in a deployment slot in a Logic App. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/slots/publish/Action | Publish a Web App Slot | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/slots/workflows/read | List the workflows in a deployment slot in a Logic App. | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/slots/workflowsconfiguration/read | Get logic app's configuration information by its ID in a deployment slot in a Logic App. | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/workflows/* | | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/workflowsconfiguration/* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "You can create and edit workflows, connections, and settings for a Standard logic app. 
You can't make changes outside the workflow scope.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/523776ba-4eb2-4600-a3c8-f2dc93da4bdb", + "name": "523776ba-4eb2-4600-a3c8-f2dc93da4bdb", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/operations/read", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.Web/connectionGateways/*/read", + "Microsoft.Web/connections/*", + "Microsoft.Web/customApis/*", + "Microsoft.Web/serverFarms/read", + "microsoft.web/sites/config/appsettings/read", + "Microsoft.Web/sites/config/list/Action", + "Microsoft.Web/sites/config/Read", + "microsoft.web/sites/config/Write", + "microsoft.web/sites/config/web/appsettings/delete", + "microsoft.web/sites/config/web/appsettings/read", + "microsoft.web/sites/config/web/appsettings/write", + "microsoft.web/sites/deployWorkflowArtifacts/action", + "microsoft.web/sites/hostruntime/*", + "microsoft.web/sites/listworkflowsconnections/action", + "Microsoft.Web/sites/publish/Action", + "Microsoft.Web/sites/Read", + "microsoft.web/sites/slots/config/appsettings/read", + "microsoft.web/sites/slots/config/appsettings/write", + "Microsoft.Web/sites/slots/config/list/Action", + "Microsoft.Web/sites/slots/config/Read", + "microsoft.web/sites/slots/config/web/appsettings/delete", + "microsoft.web/sites/slots/deployWorkflowArtifacts/action", + "microsoft.web/sites/slots/listworkflowsconnections/action", + "Microsoft.Web/sites/slots/publish/Action", + "microsoft.web/sites/slots/workflows/read", + "microsoft.web/sites/slots/workflowsconfiguration/read", + "microsoft.web/sites/workflows/*", + "microsoft.web/sites/workflowsconfiguration/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Logic Apps Standard Developer (Preview)", + "roleType": "BuiltInRole", 
+ "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Logic Apps Standard Operator (Preview) ++You can enable, resubmit, and disable workflows as well as create connections. You can't edit workflows or settings. ++[Learn more](/azure/logic-apps/logic-apps-securing-a-logic-app#access-to-logic-app-operations) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/connectionGateways/*/read | Read Connection Gateways. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/connections/*/read | Read Connections. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/customApis/*/read | Read Custom API. 
| +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/serverFarms/read | Get the properties on an App Service Plan | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/applySlotConfig/Action | Apply web app slot configuration from target slot to the current web app | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/config/Read | Get Web App configuration settings | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/hostruntime/* | Get or list hostruntime artifacts for the web app or function app. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/Read | Get the properties of a Web App | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/restart/Action | Restart a Web App | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/slots/config/Read | Get Web App Slot's configuration settings | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/slots/restart/Action | Restart a Web App Slot | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/slots/slotsswap/Action | Swap Web App deployment slots | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/slots/start/Action | Start a Web App Slot | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/slots/stop/Action | Stop a Web App Slot | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/slots/workflows/read | List the workflows in a deployment slot in a Logic App. | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/slots/workflowsconfiguration/read | Get logic app's configuration information by its ID in a deployment slot in a Logic App. 
| +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/slotsdiffs/Action | Get differences in configuration between web app and slots | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/slotsswap/Action | Swap Web App deployment slots | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/start/Action | Start a Web App | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/stop/Action | Stop a Web App | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/workflows/read | List the workflows in a Logic App. | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/workflowsconfiguration/read | Get logic app's configuration information by its ID in a Logic App. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/write | Create a new Web App or update an existing one | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "You can enable, resubmit, and disable workflows as well as create connections. 
You can't edit workflows or settings.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/b70c96e9-66fe-4c09-b6e7-c98e69c98555", + "name": "b70c96e9-66fe-4c09-b6e7-c98e69c98555", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/operations/read", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.Web/connectionGateways/*/read", + "Microsoft.Web/connections/*/read", + "Microsoft.Web/customApis/*/read", + "Microsoft.Web/serverFarms/read", + "Microsoft.Web/sites/applySlotConfig/Action", + "Microsoft.Web/sites/config/Read", + "microsoft.web/sites/hostruntime/*", + "Microsoft.Web/sites/Read", + "Microsoft.Web/sites/restart/Action", + "Microsoft.Web/sites/slots/config/Read", + "Microsoft.Web/sites/slots/restart/Action", + "Microsoft.Web/sites/slots/slotsswap/Action", + "Microsoft.Web/sites/slots/start/Action", + "Microsoft.Web/sites/slots/stop/Action", + "microsoft.web/sites/slots/workflows/read", + "microsoft.web/sites/slots/workflowsconfiguration/read", + "Microsoft.Web/sites/slotsdiffs/Action", + "Microsoft.Web/sites/slotsswap/Action", + "Microsoft.Web/sites/start/Action", + "Microsoft.Web/sites/stop/Action", + "microsoft.web/sites/workflows/read", + "microsoft.web/sites/workflowsconfiguration/read", + "Microsoft.Web/sites/write" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Logic Apps Standard Operator (Preview)", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Logic Apps Standard Reader (Preview) ++You have read-only access to all resources in a Standard logic app and workflows, including the workflow runs and their history. 
++[Learn more](/azure/logic-apps/logic-apps-securing-a-logic-app#access-to-logic-app-operations) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/operations/read | Gets or lists deployment operations. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/connectionGateways/*/read | Read Connection Gateways. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/connections/*/read | Read Connections. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/customApis/*/read | Read Custom API. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/serverFarms/read | Get the properties on an App Service Plan | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/hostruntime/webhooks/api/workflows/triggers/read | List Web Apps Hostruntime Workflow Triggers. | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/hostruntime/webhooks/api/workflows/runs/read | List Web Apps Hostruntime Workflow Runs. | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/workflows/read | List the workflows in a Logic App. 
| +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/workflowsconfiguration/read | Get logic app's configuration information by its ID in a Logic App. | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/slots/workflows/read | List the workflows in a deployment slot in a Logic App. | +> | [microsoft.web](../permissions/web-and-mobile.md#microsoftweb)/sites/slots/workflowsconfiguration/read | Get logic app's configuration information by its ID in a deployment slot in a Logic App. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "You have read-only access to all resources in a Standard logic app and workflows, including the workflow runs and their history.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/4accf36b-2c05-432f-91c8-5c532dff4c73", + "name": "4accf36b-2c05-432f-91c8-5c532dff4c73", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/operations/read", + "Microsoft.Resources/subscriptions/operationresults/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.Web/connectionGateways/*/read", + "Microsoft.Web/connections/*/read", + "Microsoft.Web/customApis/*/read", + "Microsoft.Web/serverFarms/read", + "microsoft.web/sites/hostruntime/webhooks/api/workflows/triggers/read", + "microsoft.web/sites/hostruntime/webhooks/api/workflows/runs/read", + "microsoft.web/sites/workflows/read", + "microsoft.web/sites/workflowsconfiguration/read", + "microsoft.web/sites/slots/workflows/read", + "microsoft.web/sites/slots/workflowsconfiguration/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Logic Apps Standard Reader (Preview)", + "roleType": "BuiltInRole", + "type": 
"Microsoft.Authorization/roleDefinitions" +} +``` ++## Scheduler Job Collections Contributor ++Lets you manage Scheduler job collections, but not access to them. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | Microsoft.Scheduler/jobcollections/* | Create and manage job collections | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage Scheduler job collections, but not access to them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94", + "name": "188a0f2f-5c9e-469b-ae67-2aa5ce574b94", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Scheduler/jobcollections/*", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + 
"roleName": "Scheduler Job Collections Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Services Hub Operator ++Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors. ++[Learn more](/services-hub/health/sh-connector-roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.ServicesHub](../permissions/integration.md#microsoftserviceshub)/connectors/write | Create or update a Services Hub Connector | +> | [Microsoft.ServicesHub](../permissions/integration.md#microsoftserviceshub)/connectors/read | View or List Services Hub Connectors | +> | [Microsoft.ServicesHub](../permissions/integration.md#microsoftserviceshub)/connectors/delete | Delete Services Hub Connectors | +> | [Microsoft.ServicesHub](../permissions/integration.md#microsoftserviceshub)/connectors/checkAssessmentEntitlement/action | Lists the Assessment Entitlements for a given Services Hub Workspace | +> | [Microsoft.ServicesHub](../permissions/integration.md#microsoftserviceshub)/supportOfferingEntitlement/read | View the Support Offering Entitlements for a given Services Hub Workspace | +> | [Microsoft.ServicesHub](../permissions/integration.md#microsoftserviceshub)/workspaces/read | List the Services Hub Workspaces for a given User | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + 
"description": "Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/82200a5b-e217-47a5-b665-6d8765ee745b", + "name": "82200a5b-e217-47a5-b665-6d8765ee745b", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/deployments/*", + "Microsoft.ServicesHub/connectors/write", + "Microsoft.ServicesHub/connectors/read", + "Microsoft.ServicesHub/connectors/delete", + "Microsoft.ServicesHub/connectors/checkAssessmentEntitlement/action", + "Microsoft.ServicesHub/supportOfferingEntitlement/read", + "Microsoft.ServicesHub/workspaces/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Services Hub Operator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Next steps ++- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal) |
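Review bot: The Logic Apps Standard Operator (Preview) description says "You can enable, resubmit, and disable workflows as well as create connections", but the action list under it grants only `Microsoft.Web/connections/*/read` and `Microsoft.Web/customApis/*/read`; there is no connections write action, so either the description overstates the role or the role is missing a `Microsoft.Web/connections/*` entry (the Developer role above does carry `Microsoft.Web/connections/*`). Please reconcile the text with the JSON before this ships, since readers use the description to pick a least-privilege role. In the same role, the description states "You can't edit workflows or settings" while the actions include `Microsoft.Web/sites/write`, documented in the table as "Create a new Web App or update an existing one"; if that action is intended only for start/stop/restart plumbing, it is worth a sentence saying so, because `sites/write` is broader than the description implies.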
role-based-access-control | Internet Of Things | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/internet-of-things.md | + + Title: Azure built-in roles for Internet of Things - Azure RBAC +description: This article lists the Azure built-in roles for Azure role-based access control (Azure RBAC) in the Internet of Things category. It lists Actions, NotActions, DataActions, and NotDataActions. ++++++ Last updated : 02/07/2024++++# Azure built-in roles for Internet of Things ++This article lists the Azure built-in roles in the Internet of Things category. +++## Azure Digital Twins Data Owner ++Full access role for Digital Twins data-plane ++[Learn more](/azure/digital-twins/concepts-security) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.DigitalTwins](../permissions/internet-of-things.md#microsoftdigitaltwins)/digitaltwins/* | Read, create, update, or delete any Digital Twin | +> | [Microsoft.DigitalTwins](../permissions/internet-of-things.md#microsoftdigitaltwins)/digitaltwins/commands/* | Invoke any Command on a Digital Twin | +> | [Microsoft.DigitalTwins](../permissions/internet-of-things.md#microsoftdigitaltwins)/digitaltwins/relationships/* | Read, create, update, or delete any Digital Twin Relationship | +> | [Microsoft.DigitalTwins](../permissions/internet-of-things.md#microsoftdigitaltwins)/eventroutes/* | Read, delete, create, or update any Event Route | +> | [Microsoft.DigitalTwins](../permissions/internet-of-things.md#microsoftdigitaltwins)/jobs/* | | +> | [Microsoft.DigitalTwins](../permissions/internet-of-things.md#microsoftdigitaltwins)/models/* | Read, create, update, or delete any Model | +> | [Microsoft.DigitalTwins](../permissions/internet-of-things.md#microsoftdigitaltwins)/query/* | Query any Digital Twins Graph | +> | **NotDataActions** | | +> | *none* | | ++```json +{ 
+ "assignableScopes": [ + "/" + ], + "description": "Full access role for Digital Twins data-plane", + "id": "/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe", + "name": "bcd981a7-7f74-457b-83e1-cceb9e632ffe", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.DigitalTwins/digitaltwins/*", + "Microsoft.DigitalTwins/digitaltwins/commands/*", + "Microsoft.DigitalTwins/digitaltwins/relationships/*", + "Microsoft.DigitalTwins/eventroutes/*", + "Microsoft.DigitalTwins/jobs/*", + "Microsoft.DigitalTwins/models/*", + "Microsoft.DigitalTwins/query/*" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Digital Twins Data Owner", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Digital Twins Data Reader ++Read-only role for Digital Twins data-plane properties ++[Learn more](/azure/digital-twins/concepts-security) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.DigitalTwins](../permissions/internet-of-things.md#microsoftdigitaltwins)/digitaltwins/read | Read any Digital Twin | +> | [Microsoft.DigitalTwins](../permissions/internet-of-things.md#microsoftdigitaltwins)/digitaltwins/relationships/read | Read any Digital Twin Relationship | +> | [Microsoft.DigitalTwins](../permissions/internet-of-things.md#microsoftdigitaltwins)/eventroutes/read | Read any Event Route | +> | [Microsoft.DigitalTwins](../permissions/internet-of-things.md#microsoftdigitaltwins)/jobs/import/read | Read any Bulk Import Job | +> | [Microsoft.DigitalTwins](../permissions/internet-of-things.md#microsoftdigitaltwins)/jobs/imports/read | Read any Bulk Import Job | +> | [Microsoft.DigitalTwins](../permissions/internet-of-things.md#microsoftdigitaltwins)/jobs/deletions/read | Read any Bulk Delete Job | +> | 
[Microsoft.DigitalTwins](../permissions/internet-of-things.md#microsoftdigitaltwins)/models/read | Read any Model | +> | [Microsoft.DigitalTwins](../permissions/internet-of-things.md#microsoftdigitaltwins)/query/action | Query any Digital Twins Graph | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Read-only role for Digital Twins data-plane properties", + "id": "/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3", + "name": "d57506d4-4c8d-48b1-8587-93c323f6a5a3", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.DigitalTwins/digitaltwins/read", + "Microsoft.DigitalTwins/digitaltwins/relationships/read", + "Microsoft.DigitalTwins/eventroutes/read", + "Microsoft.DigitalTwins/jobs/import/read", + "Microsoft.DigitalTwins/jobs/imports/read", + "Microsoft.DigitalTwins/jobs/deletions/read", + "Microsoft.DigitalTwins/models/read", + "Microsoft.DigitalTwins/query/action" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Digital Twins Data Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Device Update Administrator ++Gives you full access to management and content operations ++[Learn more](/azure/iot-hub-device-update/device-update-control-access) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.DeviceUpdate](../permissions/internet-of-things.md#microsoftdeviceupdate)/accounts/instances/updates/read | Performs a read operation related to updates | +> | [Microsoft.DeviceUpdate](../permissions/internet-of-things.md#microsoftdeviceupdate)/accounts/instances/updates/write | Performs a write operation related to updates | +> | [Microsoft.DeviceUpdate](../permissions/internet-of-things.md#microsoftdeviceupdate)/accounts/instances/updates/delete | Performs a delete operation related to updates | +> | [Microsoft.DeviceUpdate](../permissions/internet-of-things.md#microsoftdeviceupdate)/accounts/instances/management/read | Performs a read operation related to management | +> | [Microsoft.DeviceUpdate](../permissions/internet-of-things.md#microsoftdeviceupdate)/accounts/instances/management/write | Performs a write operation related to management | +> | [Microsoft.DeviceUpdate](../permissions/internet-of-things.md#microsoftdeviceupdate)/accounts/instances/management/delete | Performs a delete operation related to management | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Gives you full access to management and content operations", + "id": "/providers/Microsoft.Authorization/roleDefinitions/02ca0879-e8e4-47a5-a61e-5c618b76e64a", + "name": "02ca0879-e8e4-47a5-a61e-5c618b76e64a", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.Insights/alertRules/*" + ], + "notActions": [], + "dataActions": [ + 
"Microsoft.DeviceUpdate/accounts/instances/updates/read", + "Microsoft.DeviceUpdate/accounts/instances/updates/write", + "Microsoft.DeviceUpdate/accounts/instances/updates/delete", + "Microsoft.DeviceUpdate/accounts/instances/management/read", + "Microsoft.DeviceUpdate/accounts/instances/management/write", + "Microsoft.DeviceUpdate/accounts/instances/management/delete" + ], + "notDataActions": [] + } + ], + "roleName": "Device Update Administrator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Device Update Content Administrator ++Gives you full access to content operations ++[Learn more](/azure/iot-hub-device-update/device-update-control-access) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.DeviceUpdate](../permissions/internet-of-things.md#microsoftdeviceupdate)/accounts/instances/updates/read | Performs a read operation related to updates | +> | [Microsoft.DeviceUpdate](../permissions/internet-of-things.md#microsoftdeviceupdate)/accounts/instances/updates/write | Performs a write operation related to updates | +> | [Microsoft.DeviceUpdate](../permissions/internet-of-things.md#microsoftdeviceupdate)/accounts/instances/updates/delete | Performs a delete operation related to updates | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Gives you full access to content operations", + "id": "/providers/Microsoft.Authorization/roleDefinitions/0378884a-3af5-44ab-8323-f5b22f9f3c98", + "name": "0378884a-3af5-44ab-8323-f5b22f9f3c98", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.Insights/alertRules/*" + ], + "notActions": [], + "dataActions": [ + "Microsoft.DeviceUpdate/accounts/instances/updates/read", + "Microsoft.DeviceUpdate/accounts/instances/updates/write", + "Microsoft.DeviceUpdate/accounts/instances/updates/delete" + ], + "notDataActions": [] + } + ], + "roleName": "Device Update Content Administrator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Device Update Content Reader ++Gives you read access to content operations, but does not allow making changes ++[Learn more](/azure/iot-hub-device-update/device-update-control-access) ++> [!div class="mx-tableFixed"] +> | 
Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.DeviceUpdate](../permissions/internet-of-things.md#microsoftdeviceupdate)/accounts/instances/updates/read | Performs a read operation related to updates | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Gives you read access to content operations, but does not allow making changes", + "id": "/providers/Microsoft.Authorization/roleDefinitions/d1ee9a80-8b14-47f0-bdc2-f4a351625a7b", + "name": "d1ee9a80-8b14-47f0-bdc2-f4a351625a7b", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.Insights/alertRules/*" + ], + "notActions": [], + "dataActions": [ + "Microsoft.DeviceUpdate/accounts/instances/updates/read" + ], + "notDataActions": [] + } + ], + "roleName": "Device Update Content Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Device Update Deployments Administrator ++Gives you full access to management operations ++[Learn more](/azure/iot-hub-device-update/device-update-control-access) ++> [!div class="mx-tableFixed"] 
+> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.DeviceUpdate](../permissions/internet-of-things.md#microsoftdeviceupdate)/accounts/instances/management/read | Performs a read operation related to management | +> | [Microsoft.DeviceUpdate](../permissions/internet-of-things.md#microsoftdeviceupdate)/accounts/instances/management/write | Performs a write operation related to management | +> | [Microsoft.DeviceUpdate](../permissions/internet-of-things.md#microsoftdeviceupdate)/accounts/instances/management/delete | Performs a delete operation related to management | +> | [Microsoft.DeviceUpdate](../permissions/internet-of-things.md#microsoftdeviceupdate)/accounts/instances/updates/read | Performs a read operation related to updates | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Gives you full access to management operations", + "id": "/providers/Microsoft.Authorization/roleDefinitions/e4237640-0e3d-4a46-8fda-70bc94856432", + "name": "e4237640-0e3d-4a46-8fda-70bc94856432", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + 
"Microsoft.Insights/alertRules/*" + ], + "notActions": [], + "dataActions": [ + "Microsoft.DeviceUpdate/accounts/instances/management/read", + "Microsoft.DeviceUpdate/accounts/instances/management/write", + "Microsoft.DeviceUpdate/accounts/instances/management/delete", + "Microsoft.DeviceUpdate/accounts/instances/updates/read" + ], + "notDataActions": [] + } + ], + "roleName": "Device Update Deployments Administrator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Device Update Deployments Reader ++Gives you read access to management operations, but does not allow making changes ++[Learn more](/azure/iot-hub-device-update/device-update-control-access) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.DeviceUpdate](../permissions/internet-of-things.md#microsoftdeviceupdate)/accounts/instances/management/read | Performs a read operation related to management | +> | [Microsoft.DeviceUpdate](../permissions/internet-of-things.md#microsoftdeviceupdate)/accounts/instances/updates/read | Performs a read operation related to updates | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Gives you read access to management operations, but does not allow making changes", + "id": "/providers/Microsoft.Authorization/roleDefinitions/49e2f5d2-7741-4835-8efa-19e1fe35e47f", + "name": "49e2f5d2-7741-4835-8efa-19e1fe35e47f", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.Insights/alertRules/*" + ], + "notActions": [], + "dataActions": [ + "Microsoft.DeviceUpdate/accounts/instances/management/read", + "Microsoft.DeviceUpdate/accounts/instances/updates/read" + ], + "notDataActions": [] + } + ], + "roleName": "Device Update Deployments Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Device Update Reader ++Gives you read access to management and content operations, but does not allow making changes ++[Learn more](/azure/iot-hub-device-update/device-update-control-access) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | 
[Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.DeviceUpdate](../permissions/internet-of-things.md#microsoftdeviceupdate)/accounts/instances/updates/read | Performs a read operation related to updates | +> | [Microsoft.DeviceUpdate](../permissions/internet-of-things.md#microsoftdeviceupdate)/accounts/instances/management/read | Performs a read operation related to management | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Gives you read access to management and content operations, but does not allow making changes", + "id": "/providers/Microsoft.Authorization/roleDefinitions/e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f", + "name": "e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.Insights/alertRules/*" + ], + "notActions": [], + "dataActions": [ + "Microsoft.DeviceUpdate/accounts/instances/updates/read", + "Microsoft.DeviceUpdate/accounts/instances/management/read" + ], + "notDataActions": [] + } + ], + "roleName": "Device Update Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## IoT Hub Data Contributor ++Allows for full access to IoT Hub data plane operations. 
++[Learn more](/azure/iot-hub/iot-hub-dev-guide-azure-ad-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Devices](../permissions/internet-of-things.md#microsoftdevices)/IotHubs/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for full access to IoT Hub data plane operations.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/4fc6c259-987e-4a07-842e-c321cc9d413f", + "name": "4fc6c259-987e-4a07-842e-c321cc9d413f", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.Devices/IotHubs/*" + ], + "notDataActions": [] + } + ], + "roleName": "IoT Hub Data Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## IoT Hub Data Reader ++Allows for full read access to IoT Hub data-plane properties ++[Learn more](/azure/iot-hub/iot-hub-dev-guide-azure-ad-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Devices](../permissions/internet-of-things.md#microsoftdevices)/IotHubs/*/read | | +> | [Microsoft.Devices](../permissions/internet-of-things.md#microsoftdevices)/IotHubs/fileUpload/notifications/action | Receive, complete, or abandon file upload notifications | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for full read access to IoT Hub data-plane properties", + "id": "/providers/Microsoft.Authorization/roleDefinitions/b447c946-2db7-41ec-983d-d8bf3b1c77e3", + "name": "b447c946-2db7-41ec-983d-d8bf3b1c77e3", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.Devices/IotHubs/*/read", + "Microsoft.Devices/IotHubs/fileUpload/notifications/action" + ], + 
"notDataActions": [] + } + ], + "roleName": "IoT Hub Data Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## IoT Hub Registry Contributor ++Allows for full access to IoT Hub device registry. ++[Learn more](/azure/iot-hub/iot-hub-dev-guide-azure-ad-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Devices](../permissions/internet-of-things.md#microsoftdevices)/IotHubs/devices/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for full access to IoT Hub device registry.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/4ea46cd5-c1b2-4a8e-910b-273211f9ce47", + "name": "4ea46cd5-c1b2-4a8e-910b-273211f9ce47", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.Devices/IotHubs/devices/*" + ], + "notDataActions": [] + } + ], + "roleName": "IoT Hub Registry Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## IoT Hub Twin Contributor ++Allows for read and write access to all IoT Hub device and module twins. 
++[Learn more](/azure/iot-hub/iot-hub-dev-guide-azure-ad-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Devices](../permissions/internet-of-things.md#microsoftdevices)/IotHubs/twins/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for read and write access to all IoT Hub device and module twins.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/494bdba2-168f-4f31-a0a1-191d2f7c028c", + "name": "494bdba2-168f-4f31-a0a1-191d2f7c028c", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.Devices/IotHubs/twins/*" + ], + "notDataActions": [] + } + ], + "roleName": "IoT Hub Twin Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Next steps ++- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal) |
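Review bot: Device Update Deployments Reader and Device Update Reader carry identical permission sets, yet their descriptions differ ("read access to management operations" versus "read access to management and content operations"). Both roles list only `"Microsoft.DeviceUpdate/accounts/instances/management/read"` and `"Microsoft.DeviceUpdate/accounts/instances/updates/read"` under `dataActions`, and the same five control-plane actions under `actions`. A reader choosing between them on the strength of the descriptions will expect a difference the JSON does not show; a one-line remark after the Device Update Reader description saying that the two roles currently grant the same permissions would prevent that.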
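Review bot: IoT Hub Data Reader is described as "full read access to IoT Hub data-plane properties", but its `dataActions` include `"Microsoft.Devices/IotHubs/fileUpload/notifications/action"`, whose own row reads "Receive, complete, or abandon file upload notifications". Completing or abandoning a notification changes the state of the notification queue, so the role is not strictly read-only; a short caveat under the description would stop readers from treating it as a side-effect-free audit role. In the same table the wildcard row `Microsoft.Devices/IotHubs/*/read` has an empty Description cell.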
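Review bot: the wildcard data actions for the IoT Hub contributor roles have empty Description cells: `Microsoft.Devices/IotHubs/*` (IoT Hub Data Contributor), `Microsoft.Devices/IotHubs/devices/*` (IoT Hub Registry Contributor) and `Microsoft.Devices/IotHubs/twins/*` (IoT Hub Twin Contributor). These are the rows a reader most needs help with, since a trailing `*` matches every operation under that path, including data-plane operations the provider adds later; a description such as "All IoT Hub data-plane operations under this path, including ones added in future" would make the blast radius of each role explicit.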
role-based-access-control | Management And Governance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/management-and-governance.md | + + Title: Azure built-in roles for Management and governance - Azure RBAC +description: This article lists the Azure built-in roles for Azure role-based access control (Azure RBAC) in the Management and governance category. It lists Actions, NotActions, DataActions, and NotDataActions. ++++++ Last updated : 02/07/2024++++# Azure built-in roles for Management and governance ++This article lists the Azure built-in roles in the Management and governance category. +++## Automation Contributor ++Manage Azure Automation resources and other resources using Azure Automation. ++[Learn more](/azure/automation/automation-role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/* | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/ActionGroups/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/ActivityLogAlerts/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/MetricAlerts/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/ScheduledQueryRules/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/sharedKeys/action | Retrieves the shared keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Manage azure automation resources and other resources using azure automation.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f353d9bd-d4a6-484e-a77a-8050b599b867", + "name": "f353d9bd-d4a6-484e-a77a-8050b599b867", + "permissions": [ + { + "actions": [ + "Microsoft.Automation/automationAccounts/*", + "Microsoft.Authorization/*/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.Insights/ActionGroups/*", + "Microsoft.Insights/ActivityLogAlerts/*", + "Microsoft.Insights/MetricAlerts/*", + "Microsoft.Insights/ScheduledQueryRules/*", + "Microsoft.Insights/diagnosticSettings/*", + "Microsoft.OperationalInsights/workspaces/sharedKeys/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Automation Contributor", + "roleType": "BuiltInRole", + 
"type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Automation Job Operator ++Create and Manage Jobs using Automation Runbooks. ++[Learn more](/azure/automation/automation-role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/hybridRunbookWorkerGroups/read | Reads a Hybrid Runbook Worker Group | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/jobs/read | Gets an Azure Automation job | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/jobs/resume/action | Resumes an Azure Automation job | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/jobs/stop/action | Stops an Azure Automation job | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/jobs/streams/read | Gets an Azure Automation job stream | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/jobs/suspend/action | Suspends an Azure Automation job | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/jobs/write | Creates an Azure Automation job | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/jobs/output/read | Gets the output of a job | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and 
manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Create and Manage Jobs using Automation Runbooks.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f", + "name": "4fe576fe-1146-4730-92eb-48519fa6bf9f", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read", + "Microsoft.Automation/automationAccounts/jobs/read", + "Microsoft.Automation/automationAccounts/jobs/resume/action", + "Microsoft.Automation/automationAccounts/jobs/stop/action", + "Microsoft.Automation/automationAccounts/jobs/streams/read", + "Microsoft.Automation/automationAccounts/jobs/suspend/action", + "Microsoft.Automation/automationAccounts/jobs/write", + "Microsoft.Automation/automationAccounts/jobs/output/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Automation Job Operator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Automation Operator ++Automation Operators are able to start, stop, suspend, and resume jobs ++[Learn more](/azure/automation/automation-role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role 
assignments | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/hybridRunbookWorkerGroups/read | Reads a Hybrid Runbook Worker Group | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/jobs/read | Gets an Azure Automation job | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/jobs/resume/action | Resumes an Azure Automation job | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/jobs/stop/action | Stops an Azure Automation job | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/jobs/streams/read | Gets an Azure Automation job stream | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/jobs/suspend/action | Suspends an Azure Automation job | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/jobs/write | Creates an Azure Automation job | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/jobSchedules/read | Gets an Azure Automation job schedule | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/jobSchedules/write | Creates an Azure Automation job schedule | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/linkedWorkspace/read | Gets the workspace linked to the automation account | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/read | Gets an Azure Automation account | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/runbooks/read | 
Gets an Azure Automation runbook | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/schedules/read | Gets an Azure Automation schedule asset | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/schedules/write | Creates or updates an Azure Automation schedule asset | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/jobs/output/read | Gets the output of a job | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Automation Operators are able to start, stop, suspend, and resume jobs", + "id": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404", + "name": "d3881f73-407a-4167-8283-e981cbba0404", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read", + "Microsoft.Automation/automationAccounts/jobs/read", + "Microsoft.Automation/automationAccounts/jobs/resume/action", + "Microsoft.Automation/automationAccounts/jobs/stop/action", + "Microsoft.Automation/automationAccounts/jobs/streams/read", + "Microsoft.Automation/automationAccounts/jobs/suspend/action", + "Microsoft.Automation/automationAccounts/jobs/write", + "Microsoft.Automation/automationAccounts/jobSchedules/read", + "Microsoft.Automation/automationAccounts/jobSchedules/write", + "Microsoft.Automation/automationAccounts/linkedWorkspace/read", + "Microsoft.Automation/automationAccounts/read", + "Microsoft.Automation/automationAccounts/runbooks/read", + "Microsoft.Automation/automationAccounts/schedules/read", + "Microsoft.Automation/automationAccounts/schedules/write", + "Microsoft.Insights/alertRules/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Automation/automationAccounts/jobs/output/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Automation Operator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Automation Runbook Operator ++Read Runbook 
properties - to be able to create Jobs of the runbook. ++[Learn more](/azure/automation/automation-role-based-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Automation](../permissions/management-and-governance.md#microsoftautomation)/automationAccounts/runbooks/read | Gets an Azure Automation runbook | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Read Runbook properties - to be able to create Jobs of the runbook.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5", + "name": "5fb5aef8-1081-4b8e-bb16-9d5d0385bab5", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Automation/automationAccounts/runbooks/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Automation Runbook Operator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Connected Machine Onboarding 
++Can onboard Azure Connected Machines. ++[Learn more](/azure/azure-arc/servers/onboard-service-principal) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/read | Read any Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/write | Writes an Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/privateLinkScopes/read | Read any Azure Arc privateLinkScopes | +> | [Microsoft.GuestConfiguration](../permissions/management-and-governance.md#microsoftguestconfiguration)/guestConfigurationAssignments/read | Get guest configuration assignment. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can onboard Azure Connected Machines.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7", + "name": "b64e21ea-ac4e-4cdf-9dc9-5b892992bee7", + "permissions": [ + { + "actions": [ + "Microsoft.HybridCompute/machines/read", + "Microsoft.HybridCompute/machines/write", + "Microsoft.HybridCompute/privateLinkScopes/read", + "Microsoft.GuestConfiguration/guestConfigurationAssignments/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Connected Machine Onboarding", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Connected Machine Resource Administrator ++Can read, write, delete and re-onboard Azure Connected Machines. 
++[Learn more](/azure/azure-arc/servers/security-overview) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/read | Read any Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/write | Writes an Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/delete | Deletes an Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/UpgradeExtensions/action | Upgrades Extensions on Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/extensions/read | Reads any Azure Arc extensions | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/extensions/write | Installs or Updates an Azure Arc extensions | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/extensions/delete | Deletes an Azure Arc extensions | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/privateLinkScopes/* | | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/*/read | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/licenses/write | Installs or Updates an Azure Arc licenses | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/licenses/delete | Deletes an Azure Arc licenses | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/licenseProfiles/read | Reads any Azure Arc licenseProfiles | 
+> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/licenseProfiles/write | Installs or Updates an Azure Arc licenseProfiles | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/licenseProfiles/delete | Deletes an Azure Arc licenseProfiles | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can read, write, delete and re-onboard Azure Connected Machines.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302", + "name": "cd570a14-e51a-42ad-bac8-bafd67325302", + "permissions": [ + { + "actions": [ + "Microsoft.HybridCompute/machines/read", + "Microsoft.HybridCompute/machines/write", + "Microsoft.HybridCompute/machines/delete", + "Microsoft.HybridCompute/machines/UpgradeExtensions/action", + "Microsoft.HybridCompute/machines/extensions/read", + "Microsoft.HybridCompute/machines/extensions/write", + "Microsoft.HybridCompute/machines/extensions/delete", + "Microsoft.HybridCompute/privateLinkScopes/*", + "Microsoft.HybridCompute/*/read", + "Microsoft.Resources/deployments/*", + "Microsoft.HybridCompute/licenses/write", + "Microsoft.HybridCompute/licenses/delete", + "Microsoft.HybridCompute/machines/licenseProfiles/read", + "Microsoft.HybridCompute/machines/licenseProfiles/write", + "Microsoft.HybridCompute/machines/licenseProfiles/delete" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Connected Machine Resource Administrator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Connected Machine Resource Manager ++Custom Role for AzureStackHCI RP to manage hybrid compute machines and hybrid connectivity endpoints in a resource group ++[Learn 
more](/azure-stack/hci/deploy/deployment-azure-resource-manager-template) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.HybridConnectivity](../permissions/hybrid-multicloud.md#microsofthybridconnectivity)/endpoints/read | Gets the endpoint to the resource. | +> | [Microsoft.HybridConnectivity](../permissions/hybrid-multicloud.md#microsofthybridconnectivity)/endpoints/write | Update the endpoint to the target resource. | +> | [Microsoft.HybridConnectivity](../permissions/hybrid-multicloud.md#microsofthybridconnectivity)/endpoints/serviceConfigurations/read | Gets the details about the service to the resource. | +> | [Microsoft.HybridConnectivity](../permissions/hybrid-multicloud.md#microsofthybridconnectivity)/endpoints/serviceConfigurations/write | Update the service details in the service configurations of the target resource. | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/read | Read any Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/write | Writes an Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/delete | Deletes an Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/extensions/read | Reads any Azure Arc extensions | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/extensions/write | Installs or Updates an Azure Arc extensions | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/extensions/delete | Deletes an Azure Arc extensions | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/*/read | | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/UpgradeExtensions/action | 
Upgrades Extensions on Azure Arc machines | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/licenseProfiles/read | Reads any Azure Arc licenseProfiles | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/licenseProfiles/write | Installs or Updates an Azure Arc licenseProfiles | +> | [Microsoft.HybridCompute](../permissions/hybrid-multicloud.md#microsofthybridcompute)/machines/licenseProfiles/delete | Deletes an Azure Arc licenseProfiles | +> | [Microsoft.GuestConfiguration](../permissions/management-and-governance.md#microsoftguestconfiguration)/guestConfigurationAssignments/read | Get guest configuration assignment. | +> | [Microsoft.GuestConfiguration](../permissions/management-and-governance.md#microsoftguestconfiguration)/guestConfigurationAssignments/*/read | | +> | [Microsoft.GuestConfiguration](../permissions/management-and-governance.md#microsoftguestconfiguration)/guestConfigurationAssignments/write | Create new guest configuration assignment. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Custom Role for AzureStackHCI RP to manage hybrid compute machines and hybrid connectivity endpoints in a resource group", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f5819b54-e033-4d82-ac66-4fec3cbf3f4c", + "name": "f5819b54-e033-4d82-ac66-4fec3cbf3f4c", + "permissions": [ + { + "actions": [ + "Microsoft.HybridConnectivity/endpoints/read", + "Microsoft.HybridConnectivity/endpoints/write", + "Microsoft.HybridConnectivity/endpoints/serviceConfigurations/read", + "Microsoft.HybridConnectivity/endpoints/serviceConfigurations/write", + "Microsoft.HybridCompute/machines/read", + "Microsoft.HybridCompute/machines/write", + "Microsoft.HybridCompute/machines/delete", + "Microsoft.HybridCompute/machines/extensions/read", + "Microsoft.HybridCompute/machines/extensions/write", + "Microsoft.HybridCompute/machines/extensions/delete", + "Microsoft.HybridCompute/*/read", + "Microsoft.HybridCompute/machines/UpgradeExtensions/action", + "Microsoft.HybridCompute/machines/licenseProfiles/read", + "Microsoft.HybridCompute/machines/licenseProfiles/write", + "Microsoft.HybridCompute/machines/licenseProfiles/delete", + "Microsoft.GuestConfiguration/guestConfigurationAssignments/read", + "Microsoft.GuestConfiguration/guestConfigurationAssignments/*/read", + "Microsoft.GuestConfiguration/guestConfigurationAssignments/write" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Connected Machine Resource Manager", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Resource Bridge Deployment Role ++Azure Resource Bridge Deployment Role ++[Learn more](/azure/azure-arc/resource-bridge/overview) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | 
[Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/Register/Action | Registers the subscription for the Azure Stack HCI resource provider and enables the creation of Azure Stack HCI resources. | +> | Microsoft.ResourceConnector/register/action | Registers the subscription for Appliances resource provider and enables the creation of Appliance. | +> | Microsoft.ResourceConnector/appliances/read | Gets an Appliance resource | +> | Microsoft.ResourceConnector/appliances/write | Creates or Updates Appliance resource | +> | Microsoft.ResourceConnector/appliances/delete | Deletes Appliance resource | +> | Microsoft.ResourceConnector/locations/operationresults/read | Get result of Appliance operation | +> | Microsoft.ResourceConnector/locations/operationsstatus/read | Get result of Appliance operation | +> | Microsoft.ResourceConnector/appliances/listClusterUserCredential/action | Get an appliance cluster user credential | +> | Microsoft.ResourceConnector/appliances/listKeys/action | Get an appliance cluster customer user keys | +> | Microsoft.ResourceConnector/appliances/upgradeGraphs/read | Gets the upgrade graph of Appliance cluster | +> | Microsoft.ResourceConnector/telemetryconfig/read | Get Appliances telemetry config utilized by Appliances CLI | +> | Microsoft.ResourceConnector/operations/read | Gets list of Available Operations for Appliances | +> | Microsoft.ExtendedLocation/register/action | Registers the subscription for Custom Location resource provider and enables the creation of Custom Location. 
| +> | Microsoft.ExtendedLocation/customLocations/deploy/action | Deploy permissions to a Custom Location resource | +> | Microsoft.ExtendedLocation/customLocations/read | Gets an Custom Location resource | +> | Microsoft.ExtendedLocation/customLocations/write | Creates or Updates Custom Location resource | +> | Microsoft.ExtendedLocation/customLocations/delete | Deletes Custom Location resource | +> | [Microsoft.HybridConnectivity](../permissions/hybrid-multicloud.md#microsofthybridconnectivity)/register/action | Register the subscription for Microsoft.HybridConnectivity | +> | [Microsoft.Kubernetes](../permissions/containers.md#microsoftkubernetes)/register/action | Registers Subscription with Microsoft.Kubernetes resource provider | +> | [Microsoft.KubernetesConfiguration](../permissions/containers.md#microsoftkubernetesconfiguration)/register/action | Registers subscription to Microsoft.KubernetesConfiguration resource provider. | +> | [Microsoft.KubernetesConfiguration](../permissions/containers.md#microsoftkubernetesconfiguration)/extensions/write | Creates or updates extension resource. | +> | [Microsoft.KubernetesConfiguration](../permissions/containers.md#microsoftkubernetesconfiguration)/extensions/read | Gets extension instance resource. | +> | [Microsoft.KubernetesConfiguration](../permissions/containers.md#microsoftkubernetesconfiguration)/extensions/delete | Deletes extension instance resource. | +> | [Microsoft.KubernetesConfiguration](../permissions/containers.md#microsoftkubernetesconfiguration)/extensions/operations/read | Gets Async Operation status. | +> | [Microsoft.KubernetesConfiguration](../permissions/containers.md#microsoftkubernetesconfiguration)/namespaces/read | Get Namespace Resource | +> | [Microsoft.KubernetesConfiguration](../permissions/containers.md#microsoftkubernetesconfiguration)/operations/read | Gets available operations of the Microsoft.KubernetesConfiguration resource provider. 
| +> | [Microsoft.GuestConfiguration](../permissions/management-and-governance.md#microsoftguestconfiguration)/guestConfigurationAssignments/read | Get guest configuration assignment. | +> | Microsoft.HybridContainerService/register/action | Register the subscription for Microsoft.HybridContainerService | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/StorageContainers/Write | Creates/Updates storage containers resource | +> | [Microsoft.AzureStackHCI](../permissions/hybrid-multicloud.md#microsoftazurestackhci)/StorageContainers/Read | Gets/Lists storage containers resource | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Azure Resource Bridge Deployment Role", + "id": "/providers/Microsoft.Authorization/roleDefinitions/7b1f81f9-4196-4058-8aae-762e593270df", + "name": "7b1f81f9-4196-4058-8aae-762e593270df", + "permissions": [ + { + "actions": [ + "Microsoft.AzureStackHCI/Register/Action", + "Microsoft.ResourceConnector/register/action", + "Microsoft.ResourceConnector/appliances/read", + "Microsoft.ResourceConnector/appliances/write", + "Microsoft.ResourceConnector/appliances/delete", + "Microsoft.ResourceConnector/locations/operationresults/read", + "Microsoft.ResourceConnector/locations/operationsstatus/read", + "Microsoft.ResourceConnector/appliances/listClusterUserCredential/action", + "Microsoft.ResourceConnector/appliances/listKeys/action", + "Microsoft.ResourceConnector/appliances/upgradeGraphs/read", + "Microsoft.ResourceConnector/telemetryconfig/read", + "Microsoft.ResourceConnector/operations/read", + "Microsoft.ExtendedLocation/register/action", + "Microsoft.ExtendedLocation/customLocations/deploy/action", + 
"Microsoft.ExtendedLocation/customLocations/read", + "Microsoft.ExtendedLocation/customLocations/write", + "Microsoft.ExtendedLocation/customLocations/delete", + "Microsoft.HybridConnectivity/register/action", + "Microsoft.Kubernetes/register/action", + "Microsoft.KubernetesConfiguration/register/action", + "Microsoft.KubernetesConfiguration/extensions/write", + "Microsoft.KubernetesConfiguration/extensions/read", + "Microsoft.KubernetesConfiguration/extensions/delete", + "Microsoft.KubernetesConfiguration/extensions/operations/read", + "Microsoft.KubernetesConfiguration/namespaces/read", + "Microsoft.KubernetesConfiguration/operations/read", + "Microsoft.GuestConfiguration/guestConfigurationAssignments/read", + "Microsoft.HybridContainerService/register/action", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.AzureStackHCI/StorageContainers/Write", + "Microsoft.AzureStackHCI/StorageContainers/Read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Resource Bridge Deployment Role", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Billing Reader ++Allows read access to billing data ++[Learn more](/azure/cost-management-billing/manage/manage-billing-access) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Billing](../permissions/management-and-governance.md#microsoftbilling)/*/read | Read Billing information | +> | [Microsoft.Commerce](../permissions/management-and-governance.md#microsoftcommerce)/*/read | | +> | [Microsoft.Consumption](../permissions/management-and-governance.md#microsoftconsumption)/*/read | | +> | [Microsoft.Management](../permissions/management-and-governance.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated 
user. | +> | [Microsoft.CostManagement](../permissions/management-and-governance.md#microsoftcostmanagement)/*/read | | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows read access to billing data", + "id": "/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", + "name": "fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Billing/*/read", + "Microsoft.Commerce/*/read", + "Microsoft.Consumption/*/read", + "Microsoft.Management/managementGroups/read", + "Microsoft.CostManagement/*/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Billing Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Blueprint Contributor ++Can manage blueprint definitions, but not assign them. ++[Learn more](/azure/governance/blueprints/overview) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Blueprint](../permissions/management-and-governance.md#microsoftblueprint)/blueprints/* | Create and manage blueprint definitions or blueprint artifacts. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can manage blueprint definitions, but not assign them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4", + "name": "41077137-e803-4205-871c-5a86e6a753b4", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Blueprint/blueprints/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Blueprint Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Blueprint Operator ++Can assign existing published blueprints, but cannot create new blueprints. Note that this only works if the assignment is done with a user-assigned managed identity. ++[Learn more](/azure/governance/blueprints/overview) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Blueprint](../permissions/management-and-governance.md#microsoftblueprint)/blueprintAssignments/* | Create and manage blueprint assignments. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can assign existing published blueprints, but cannot create new blueprints. NOTE: this only works if the assignment is done with a user-assigned managed identity.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090", + "name": "437d2ced-4a38-4302-8479-ed2bcb43d090", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Blueprint/blueprintAssignments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Blueprint Operator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cost Management Contributor ++Can view costs and manage cost configuration (e.g. budgets, exports) ++[Learn more](/azure/cost-management-billing/costs/understand-work-scopes) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Consumption](../permissions/management-and-governance.md#microsoftconsumption)/* | | +> | [Microsoft.CostManagement](../permissions/management-and-governance.md#microsoftcostmanagement)/* | | +> | [Microsoft.Billing](../permissions/management-and-governance.md#microsoftbilling)/billingPeriods/read | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. 
| +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/configurations/read | Get configurations | +> | [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/recommendations/read | Reads recommendations | +> | [Microsoft.Management](../permissions/management-and-governance.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated user. | +> | [Microsoft.Billing](../permissions/management-and-governance.md#microsoftbilling)/billingProperty/read | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can view costs and manage cost configuration (e.g. budgets, exports)", + "id": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430", + "name": "434105ed-43f6-45c7-a02f-909b2ba83430", + "permissions": [ + { + "actions": [ + "Microsoft.Consumption/*", + "Microsoft.CostManagement/*", + "Microsoft.Billing/billingPeriods/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.Advisor/configurations/read", + "Microsoft.Advisor/recommendations/read", + "Microsoft.Management/managementGroups/read", + "Microsoft.Billing/billingProperty/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Cost Management Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Cost Management Reader ++Can view cost data and configuration (e.g. 
budgets, exports) ++[Learn more](/azure/cost-management-billing/costs/understand-work-scopes) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Consumption](../permissions/management-and-governance.md#microsoftconsumption)/*/read | | +> | [Microsoft.CostManagement](../permissions/management-and-governance.md#microsoftcostmanagement)/*/read | | +> | [Microsoft.Billing](../permissions/management-and-governance.md#microsoftbilling)/billingPeriods/read | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/configurations/read | Get configurations | +> | [Microsoft.Advisor](../permissions/management-and-governance.md#microsoftadvisor)/recommendations/read | Reads recommendations | +> | [Microsoft.Management](../permissions/management-and-governance.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated user. | +> | [Microsoft.Billing](../permissions/management-and-governance.md#microsoftbilling)/billingProperty/read | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can view cost data and configuration (e.g. 
budgets, exports)", + "id": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3", + "name": "72fafb9e-0641-4937-9268-a91bfd8191a3", + "permissions": [ + { + "actions": [ + "Microsoft.Consumption/*/read", + "Microsoft.CostManagement/*/read", + "Microsoft.Billing/billingPeriods/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.Advisor/configurations/read", + "Microsoft.Advisor/recommendations/read", + "Microsoft.Management/managementGroups/read", + "Microsoft.Billing/billingProperty/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Cost Management Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Hierarchy Settings Administrator ++Allows users to edit and delete Hierarchy Settings ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Management](../permissions/management-and-governance.md#microsoftmanagement)/managementGroups/settings/write | Creates or updates management group hierarchy settings. | +> | [Microsoft.Management](../permissions/management-and-governance.md#microsoftmanagement)/managementGroups/settings/delete | Deletes management group hierarchy settings. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows users to edit and delete Hierarchy Settings", + "id": "/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d", + "name": "350f8d15-c687-4448-8ae1-157740a3936d", + "permissions": [ + { + "actions": [ + "Microsoft.Management/managementGroups/settings/write", + "Microsoft.Management/managementGroups/settings/delete" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Hierarchy Settings Administrator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Managed Application Contributor Role ++Allows for creating managed application resources. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | */read | Read resources of all types, except secrets. | +> | [Microsoft.Solutions](../permissions/management-and-governance.md#microsoftsolutions)/applications/* | | +> | [Microsoft.Solutions](../permissions/management-and-governance.md#microsoftsolutions)/register/action | Register the subscription for Microsoft.Solutions | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/* | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for creating managed application resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", + "name": "641177b8-a67a-45b9-a033-47bc880bb21e", + "permissions": [ + { + "actions": [ + "*/read", + 
"Microsoft.Solutions/applications/*", + "Microsoft.Solutions/register/action", + "Microsoft.Resources/subscriptions/resourceGroups/*", + "Microsoft.Resources/deployments/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Managed Application Contributor Role", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Managed Application Operator Role ++Lets you read and perform actions on Managed Application resources ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | */read | Read resources of all types, except secrets. | +> | [Microsoft.Solutions](../permissions/management-and-governance.md#microsoftsolutions)/applications/read | Lists all the applications within a subscription. | +> | [Microsoft.Solutions](../permissions/management-and-governance.md#microsoftsolutions)/*/action | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you read and perform actions on Managed Application resources", + "id": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", + "name": "c7393b34-138c-406f-901b-d8cf2b17e6ae", + "permissions": [ + { + "actions": [ + "*/read", + "Microsoft.Solutions/applications/read", + "Microsoft.Solutions/*/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Managed Application Operator Role", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Managed Applications Reader ++Lets you read resources in a managed app and request JIT access. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | */read | Read resources of all types, except secrets. 
| +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Solutions](../permissions/management-and-governance.md#microsoftsolutions)/jitRequests/* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you read resources in a managed app and request JIT access.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", + "name": "b9331d33-8a36-4f8c-b097-4f54124fdb44", + "permissions": [ + { + "actions": [ + "*/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Solutions/jitRequests/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Managed Applications Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Managed Services Registration assignment Delete Role ++Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant. ++[Learn more](/azure/lighthouse/how-to/remove-delegation) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ManagedServices](../permissions/management-and-governance.md#microsoftmanagedservices)/registrationAssignments/read | Retrieves a list of Managed Services registration assignments. | +> | [Microsoft.ManagedServices](../permissions/management-and-governance.md#microsoftmanagedservices)/registrationAssignments/delete | Removes Managed Services registration assignment. | +> | [Microsoft.ManagedServices](../permissions/management-and-governance.md#microsoftmanagedservices)/operationStatuses/read | Reads the operation status for the resource. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46", + "name": "91c1777a-f3dc-4fae-b103-61d183457e46", + "permissions": [ + { + "actions": [ + "Microsoft.ManagedServices/registrationAssignments/read", + "Microsoft.ManagedServices/registrationAssignments/delete", + "Microsoft.ManagedServices/operationStatuses/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Managed Services Registration assignment Delete Role", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Management Group Contributor ++Management Group Contributor Role ++[Learn more](/azure/governance/management-groups/overview) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Management](../permissions/management-and-governance.md#microsoftmanagement)/managementGroups/delete | Delete management group. | +> | [Microsoft.Management](../permissions/management-and-governance.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated user. | +> | [Microsoft.Management](../permissions/management-and-governance.md#microsoftmanagement)/managementGroups/subscriptions/delete | De-associates subscription from the management group. | +> | [Microsoft.Management](../permissions/management-and-governance.md#microsoftmanagement)/managementGroups/subscriptions/write | Associates existing subscription with the management group. | +> | [Microsoft.Management](../permissions/management-and-governance.md#microsoftmanagement)/managementGroups/write | Create or update a management group. 
| +> | [Microsoft.Management](../permissions/management-and-governance.md#microsoftmanagement)/managementGroups/subscriptions/read | Lists subscription under the given management group. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Management Group Contributor Role", + "id": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c", + "name": "5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c", + "permissions": [ + { + "actions": [ + "Microsoft.Management/managementGroups/delete", + "Microsoft.Management/managementGroups/read", + "Microsoft.Management/managementGroups/subscriptions/delete", + "Microsoft.Management/managementGroups/subscriptions/write", + "Microsoft.Management/managementGroups/write", + "Microsoft.Management/managementGroups/subscriptions/read", + "Microsoft.Authorization/*/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Management Group Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Management Group Reader ++Management Group Reader Role ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Management](../permissions/management-and-governance.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated user. | +> | [Microsoft.Management](../permissions/management-and-governance.md#microsoftmanagement)/managementGroups/subscriptions/read | Lists subscription under the given management group. 
| +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Management Group Reader Role", + "id": "/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d", + "name": "ac63b705-f282-497d-ac71-919bf39d939d", + "permissions": [ + { + "actions": [ + "Microsoft.Management/managementGroups/read", + "Microsoft.Management/managementGroups/subscriptions/read", + "Microsoft.Authorization/*/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Management Group Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## New Relic APM Account Contributor ++Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | NewRelic.APM/accounts/* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage New Relic Application Performance Management accounts and applications, but not access to them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237", + "name": "5d28c62d-5b37-4476-8438-e587778df237", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "NewRelic.APM/accounts/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "New Relic APM Account Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Policy Insights Data Writer (Preview) ++Allows read access to resource policies and write access to resource component policy events. ++[Learn more](/azure/governance/policy/concepts/policy-for-kubernetes) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/policyassignments/read | Get information about a policy assignment. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/policydefinitions/read | Get information about a policy definition. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/policyexemptions/read | Get information about a policy exemption. 
| +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/policysetdefinitions/read | Get information about a policy set definition. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.PolicyInsights](../permissions/management-and-governance.md#microsoftpolicyinsights)/checkDataPolicyCompliance/action | Check the compliance status of a given component against data policies. | +> | [Microsoft.PolicyInsights](../permissions/management-and-governance.md#microsoftpolicyinsights)/policyEvents/logDataEvents/action | Log the resource component policy events. | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows read access to resource policies and write access to resource component policy events.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84", + "name": "66bb4e9e-b016-4a94-8249-4c0511c2be84", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/policyassignments/read", + "Microsoft.Authorization/policydefinitions/read", + "Microsoft.Authorization/policyexemptions/read", + "Microsoft.Authorization/policysetdefinitions/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.PolicyInsights/checkDataPolicyCompliance/action", + "Microsoft.PolicyInsights/policyEvents/logDataEvents/action" + ], + "notDataActions": [] + } + ], + "roleName": "Policy Insights Data Writer (Preview)", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Quota Request Operator ++Read and create quota requests, get quota request status, and create support tickets. 
++[Learn more](/rest/api/reserved-vm-instances/quotaapi) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Capacity](../permissions/management-and-governance.md#microsoftcapacity)/resourceProviders/locations/serviceLimits/read | Get the current service limit or quota of the specified resource and location | +> | [Microsoft.Capacity](../permissions/management-and-governance.md#microsoftcapacity)/resourceProviders/locations/serviceLimits/write | Create service limit or quota for the specified resource and location | +> | [Microsoft.Capacity](../permissions/management-and-governance.md#microsoftcapacity)/resourceProviders/locations/serviceLimitsRequests/read | Get any service limit request for the specified resource and location | +> | [Microsoft.Capacity](../permissions/management-and-governance.md#microsoftcapacity)/register/action | Registers the Capacity resource provider and enables the creation of Capacity resources. | +> | [Microsoft.Quota](../permissions/general.md#microsoftquota)/usages/read | Get the usages for resource providers | +> | [Microsoft.Quota](../permissions/general.md#microsoftquota)/quotas/read | Get the current Service limit or quota of the specified resource | +> | [Microsoft.Quota](../permissions/general.md#microsoftquota)/quotas/write | Creates the service limit or quota request for the specified resource | +> | [Microsoft.Quota](../permissions/general.md#microsoftquota)/quotaRequests/read | Get any service limit request for the specified resource | +> | [Microsoft.Quota](../permissions/general.md#microsoftquota)/register/action | Register the subscription with Microsoft.Quota Resource Provider | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | 
[Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Read and create quota requests, get quota request status, and create support tickets.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/0e5f05e5-9ab9-446b-b98d-1e2157c94125", + "name": "0e5f05e5-9ab9-446b-b98d-1e2157c94125", + "permissions": [ + { + "actions": [ + "Microsoft.Capacity/resourceProviders/locations/serviceLimits/read", + "Microsoft.Capacity/resourceProviders/locations/serviceLimits/write", + "Microsoft.Capacity/resourceProviders/locations/serviceLimitsRequests/read", + "Microsoft.Capacity/register/action", + "Microsoft.Quota/usages/read", + "Microsoft.Quota/quotas/read", + "Microsoft.Quota/quotas/write", + "Microsoft.Quota/quotaRequests/read", + "Microsoft.Quota/register/action", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Quota Request Operator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Reservation Purchaser ++Lets you purchase reservations ++[Learn more](/azure/cost-management-billing/reservations/prepare-buy-reservation) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | 
[Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. | +> | [Microsoft.Capacity](../permissions/management-and-governance.md#microsoftcapacity)/catalogs/read | Read catalog of Reservation | +> | [Microsoft.Capacity](../permissions/management-and-governance.md#microsoftcapacity)/register/action | Registers the Capacity resource provider and enables the creation of Capacity resources. | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/register/action | Registers Subscription with Microsoft.Compute resource provider | +> | [Microsoft.Consumption](../permissions/management-and-governance.md#microsoftconsumption)/register/action | Register to Consumption RP | +> | [Microsoft.Consumption](../permissions/management-and-governance.md#microsoftconsumption)/reservationRecommendationDetails/read | List Reservation Recommendation Details | +> | [Microsoft.Consumption](../permissions/management-and-governance.md#microsoftconsumption)/reservationRecommendations/read | List single or shared recommendations for Reserved instances for a subscription. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.SQL](../permissions/databases.md#microsoftsql)/register/action | Registers the subscription for the Microsoft SQL Database resource provider and enables the creation of Microsoft SQL Databases. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/supporttickets/write | Allows creating and updating a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you purchase reservations", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f7b75c60-3036-4b75-91c3-6b41c27c1689", + "name": "f7b75c60-3036-4b75-91c3-6b41c27c1689", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.Capacity/catalogs/read", + "Microsoft.Capacity/register/action", + "Microsoft.Compute/register/action", + "Microsoft.Consumption/register/action", + "Microsoft.Consumption/reservationRecommendationDetails/read", + "Microsoft.Consumption/reservationRecommendations/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.SQL/register/action", + "Microsoft.Support/supporttickets/write" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Reservation Purchaser", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Resource Policy Contributor ++Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy. ++[Learn more](/azure/governance/policy/overview) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | */read | Read resources of all types, except secrets. 
| +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/policyassignments/* | Create and manage policy assignments | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/policydefinitions/* | Create and manage policy definitions | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/policyexemptions/* | Create and manage policy exemptions | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/policysetdefinitions/* | Create and manage policy sets | +> | [Microsoft.PolicyInsights](../permissions/management-and-governance.md#microsoftpolicyinsights)/* | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", + "name": "36243c78-bf99-498c-9df9-86d9f8d28608", + "permissions": [ + { + "actions": [ + "*/read", + "Microsoft.Authorization/policyassignments/*", + "Microsoft.Authorization/policydefinitions/*", + "Microsoft.Authorization/policyexemptions/*", + "Microsoft.Authorization/policysetdefinitions/*", + "Microsoft.PolicyInsights/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Resource Policy Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## 
Site Recovery Contributor ++Lets you manage Site Recovery service except vault creation and role assignment ++[Learn more](/azure/site-recovery/site-recovery-role-based-linked-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/allocatedStamp/read | GetAllocatedStamp is internal operation used by service | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/allocateStamp/action | AllocateStamp is internal operation used by service | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/certificates/write | The Update Resource Certificate operation updates the resource/vault credential certificate. 
| +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/extendedInformation/* | Create and manage extended info related to vault | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/refreshContainers/read | | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/registeredIdentities/* | Create and manage registered identities | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationAlertSettings/* | Create or Update replication alert settings | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationEvents/read | Read any Events | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/* | Create and manage replication fabrics | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationJobs/* | Create and manage replication jobs | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationPolicies/* | Create and manage replication policies | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationRecoveryPlans/* | Create and manage recovery plans | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationVaultSettings/* | | +> | 
[Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/storageConfig/* | Create and manage storage configuration of Recovery Services vault | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/tokenInfo/read | | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/usages/read | Returns usage details for a Recovery Services Vault. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/vaultTokens/read | The Vault Token operation can be used to get Vault Token for vault level backend operations. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/monitoringAlerts/* | Read alerts for the Recovery services vault | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/monitoringConfigurations/notificationConfiguration/read | | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. 
| +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationOperationStatus/read | Read any Vault Replication Operation Status | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage Site Recovery service except vault creation and role assignment", + "id": "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567", + "name": "6670b86e-a3f7-4917-ac9b-5d6ab1be4567", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Network/virtualNetworks/read", + "Microsoft.RecoveryServices/locations/allocatedStamp/read", + "Microsoft.RecoveryServices/locations/allocateStamp/action", + "Microsoft.RecoveryServices/Vaults/certificates/write", + "Microsoft.RecoveryServices/Vaults/extendedInformation/*", + "Microsoft.RecoveryServices/Vaults/read", + "Microsoft.RecoveryServices/Vaults/refreshContainers/read", + "Microsoft.RecoveryServices/Vaults/registeredIdentities/*", + "Microsoft.RecoveryServices/vaults/replicationAlertSettings/*", + "Microsoft.RecoveryServices/vaults/replicationEvents/read", + "Microsoft.RecoveryServices/vaults/replicationFabrics/*", + "Microsoft.RecoveryServices/vaults/replicationJobs/*", + "Microsoft.RecoveryServices/vaults/replicationPolicies/*", + "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/*", + "Microsoft.RecoveryServices/vaults/replicationVaultSettings/*", + "Microsoft.RecoveryServices/Vaults/storageConfig/*", + "Microsoft.RecoveryServices/Vaults/tokenInfo/read", + "Microsoft.RecoveryServices/Vaults/usages/read", + "Microsoft.RecoveryServices/Vaults/vaultTokens/read", + 
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/*", + "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Storage/storageAccounts/read", + "Microsoft.RecoveryServices/vaults/replicationOperationStatus/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Site Recovery Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Site Recovery Operator ++Lets you failover and failback but not perform other Site Recovery management operations ++[Learn more](/azure/site-recovery/site-recovery-role-based-linked-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/allocatedStamp/read | GetAllocatedStamp is internal operation used by service | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/allocateStamp/action | AllocateStamp is internal operation used by service | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? 
| +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/refreshContainers/read | | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/registeredIdentities/operationResults/read | The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/registeredIdentities/read | The Get Containers operation can be used get the containers registered for a resource. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationAlertSettings/read | Read any Alerts Settings | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationEvents/read | Read any Events | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/checkConsistency/action | Checks Consistency of the Fabric | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/read | Read any Fabrics | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/reassociateGateway/action | Reassociate Gateway | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/renewcertificate/action | Renew Certificate for Fabric | +> | 
[Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationNetworks/read | Read any Networks | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read | Read any Network Mappings | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/read | Read any Protection Containers | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read | Read any Protectable Items | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/applyRecoveryPoint/action | Apply Recovery Point | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCommit/action | Failover Commit | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action | Planned Failover | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read | Read any Protected Items | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read | Read any Replication Recovery Points | +> | 
[Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/repairReplication/action | Repair replication | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/reProtect/action | ReProtect Protected Item | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/switchprotection/action | Switch Protection Container | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action | Test Failover | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailoverCleanup/action | Test Failover Cleanup | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action | Failover | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateMobilityService/action | Update Mobility Service | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read | Read any Protection Container Mappings | +> | 
[Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationRecoveryServicesProviders/read | Read any Recovery Services Providers | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationRecoveryServicesProviders/refreshProvider/action | Refresh Provider | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationStorageClassifications/read | Read any Storage Classifications | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read | Read any Storage Classification Mappings | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationvCenters/read | Read any vCenters | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationJobs/* | Create and manage replication jobs | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationPolicies/read | Read any Policies | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationRecoveryPlans/failoverCommit/action | Failover Commit Recovery Plan | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationRecoveryPlans/plannedFailover/action | Planned Failover Recovery Plan | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationRecoveryPlans/read | Read any Recovery Plans | +> | 
[Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationRecoveryPlans/reProtect/action | ReProtect Recovery Plan | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationRecoveryPlans/testFailover/action | Test Failover Recovery Plan | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationRecoveryPlans/testFailoverCleanup/action | Test Failover Cleanup Recovery Plan | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationRecoveryPlans/unplannedFailover/action | Failover Recovery Plan | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationVaultSettings/read | Read any | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/monitoringAlerts/* | Read alerts for the Recovery services vault | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/monitoringConfigurations/notificationConfiguration/read | | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/storageConfig/read | | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/tokenInfo/read | | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/usages/read | Returns usage details for a Recovery Services Vault. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/vaultTokens/read | The Vault Token operation can be used to get Vault Token for vault level backend operations. 
| +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you failover and failback but not perform other Site Recovery management operations", + "id": "/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca", + "name": "494ae006-db33-4328-bf46-533a6560a3ca", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Network/virtualNetworks/read", + "Microsoft.RecoveryServices/locations/allocatedStamp/read", + "Microsoft.RecoveryServices/locations/allocateStamp/action", + "Microsoft.RecoveryServices/Vaults/extendedInformation/read", + "Microsoft.RecoveryServices/Vaults/read", + "Microsoft.RecoveryServices/Vaults/refreshContainers/read", + "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read", + "Microsoft.RecoveryServices/Vaults/registeredIdentities/read", + "Microsoft.RecoveryServices/vaults/replicationAlertSettings/read", + "Microsoft.RecoveryServices/vaults/replicationEvents/read", + 
"Microsoft.RecoveryServices/vaults/replicationFabrics/checkConsistency/action", + "Microsoft.RecoveryServices/vaults/replicationFabrics/read", + "Microsoft.RecoveryServices/vaults/replicationFabrics/reassociateGateway/action", + "Microsoft.RecoveryServices/vaults/replicationFabrics/renewcertificate/action", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/applyRecoveryPoint/action", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCommit/action", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/repairReplication/action", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/reProtect/action", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/switchprotection/action", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action", + 
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailoverCleanup/action", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateMobilityService/action", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/refreshProvider/action", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read", + "Microsoft.RecoveryServices/vaults/replicationJobs/*", + "Microsoft.RecoveryServices/vaults/replicationPolicies/read", + "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/failoverCommit/action", + "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/plannedFailover/action", + "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read", + "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/reProtect/action", + "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailover/action", + "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailoverCleanup/action", + "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/unplannedFailover/action", + "Microsoft.RecoveryServices/vaults/replicationVaultSettings/read", + "Microsoft.RecoveryServices/Vaults/monitoringAlerts/*", + 
"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read", + "Microsoft.RecoveryServices/Vaults/storageConfig/read", + "Microsoft.RecoveryServices/Vaults/tokenInfo/read", + "Microsoft.RecoveryServices/Vaults/usages/read", + "Microsoft.RecoveryServices/Vaults/vaultTokens/read", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Storage/storageAccounts/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Site Recovery Operator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Site Recovery Reader ++Lets you view Site Recovery status but not perform other management operations ++[Learn more](/azure/site-recovery/site-recovery-role-based-linked-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/allocatedStamp/read | GetAllocatedStamp is internal operation used by service | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery services vault. 
| +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/monitoringConfigurations/notificationConfiguration/read | | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/refreshContainers/read | | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/registeredIdentities/operationResults/read | The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/registeredIdentities/read | The Get Containers operation can be used get the containers registered for a resource. 
| +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationAlertSettings/read | Read any Alerts Settings | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationEvents/read | Read any Events | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/read | Read any Fabrics | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationNetworks/read | Read any Networks | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read | Read any Network Mappings | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/read | Read any Protection Containers | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read | Read any Protectable Items | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read | Read any Protected Items | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read | Read any Replication Recovery Points | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read | Read any 
Protection Container Mappings | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationRecoveryServicesProviders/read | Read any Recovery Services Providers | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationStorageClassifications/read | Read any Storage Classifications | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read | Read any Storage Classification Mappings | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationFabrics/replicationvCenters/read | Read any vCenters | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationJobs/read | Read any Jobs | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationPolicies/read | Read any Policies | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationRecoveryPlans/read | Read any Recovery Plans | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/replicationVaultSettings/read | Read any | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/storageConfig/read | | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/tokenInfo/read | | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/usages/read | Returns usage details for a Recovery Services Vault. 
| +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/vaultTokens/read | The Vault Token operation can be used to get Vault Token for vault level backend operations. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you view Site Recovery status but not perform other management operations", + "id": "/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149", + "name": "dbaa88c4-0c30-4179-9fb3-46319faa6149", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.RecoveryServices/locations/allocatedStamp/read", + "Microsoft.RecoveryServices/Vaults/extendedInformation/read", + "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read", + "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read", + "Microsoft.RecoveryServices/Vaults/read", + "Microsoft.RecoveryServices/Vaults/refreshContainers/read", + "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read", + "Microsoft.RecoveryServices/Vaults/registeredIdentities/read", + "Microsoft.RecoveryServices/vaults/replicationAlertSettings/read", + "Microsoft.RecoveryServices/vaults/replicationEvents/read", + "Microsoft.RecoveryServices/vaults/replicationFabrics/read", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read", + 
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read", + "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read", + "Microsoft.RecoveryServices/vaults/replicationJobs/read", + "Microsoft.RecoveryServices/vaults/replicationPolicies/read", + "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read", + "Microsoft.RecoveryServices/vaults/replicationVaultSettings/read", + "Microsoft.RecoveryServices/Vaults/storageConfig/read", + "Microsoft.RecoveryServices/Vaults/tokenInfo/read", + "Microsoft.RecoveryServices/Vaults/usages/read", + "Microsoft.RecoveryServices/Vaults/vaultTokens/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Site Recovery Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Support Request Contributor ++Lets you create and manage Support requests ++[Learn more](/azure/azure-portal/supportability/how-to-create-azure-support-request) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | 
[Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you create and manage Support requests", + "id": "/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e", + "name": "cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Support Request Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Tag Contributor ++Lets you manage tags on entities, without providing access to the entities themselves. ++[Learn more](/azure/azure-resource-manager/management/tag-resources) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/resources/read | Gets the resources for the resource group. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resources/read | Gets resources of a subscription. 
| +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/tags/* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage tags on entities, without providing access to the entities themselves.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f", + "name": "4a9ae827-6dc8-4573-8ac7-8239d42aa03f", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/subscriptions/resourceGroups/resources/read", + "Microsoft.Resources/subscriptions/resources/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Insights/alertRules/*", + "Microsoft.Support/*", + "Microsoft.Resources/tags/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Tag Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Template Spec Contributor ++Allows full access to Template Spec operations at the assigned scope. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/templateSpecs/* | Create and manage template specs and template spec versions | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows full access to Template Spec operations at the assigned scope.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/1c9b6475-caf0-4164-b5a1-2142a7116f4b", + "name": "1c9b6475-caf0-4164-b5a1-2142a7116f4b", + "permissions": [ + { + "actions": [ + "Microsoft.Resources/templateSpecs/*", + "Microsoft.Authorization/*/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Template Spec Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Template Spec Reader ++Allows read access to Template Specs at the assigned scope. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/templateSpecs/*/read | Get or list template specs and template spec versions | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows read access to Template Specs at the assigned scope.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/392ae280-861d-42bd-9ea5-08ee6d83b80e", + "name": "392ae280-861d-42bd-9ea5-08ee6d83b80e", + "permissions": [ + { + "actions": [ + "Microsoft.Resources/templateSpecs/*/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Template Spec Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Next steps ++- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal) |
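Review bot: several Actions rows in these tables ship with an empty Description cell, for example `Microsoft.RecoveryServices/Vaults/storageConfig/read`, `Microsoft.RecoveryServices/Vaults/tokenInfo/read` and `Microsoft.Resources/tags/*`, the Site Recovery Reader row for `vaults/replicationVaultSettings/read` is cut short at "Read any", and the `Vaults/extendedInformation/read` row carries `?vault?` where the neighbouring `Vaults/read` row uses 'vault'; suggest filling the descriptions from the provider operations reference and repairing the quotes before this lands. One documentation point for the Tag Contributor section: its description states the role grants no access to the entities themselves, yet the Actions list also includes `Microsoft.Resources/deployments/*` ("Create and manage a deployment") and `Microsoft.Insights/alertRules/*` ("Create and manage a classic metric alert"); a sentence naming those extra permissions would help readers doing a least-privilege review of this role.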
role-based-access-control | Mixed Reality | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/mixed-reality.md | + + Title: Azure built-in roles for Mixed reality - Azure RBAC +description: This article lists the Azure built-in roles for Azure role-based access control (Azure RBAC) in the Mixed reality category. It lists Actions, NotActions, DataActions, and NotDataActions. ++++++ Last updated : 02/07/2024++++# Azure built-in roles for Mixed reality ++This article lists the Azure built-in roles in the Mixed reality category. +++## Remote Rendering Administrator ++Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering ++[Learn more](/azure/remote-rendering/how-tos/authentication) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/RemoteRenderingAccounts/convert/action | Start asset conversion | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/RemoteRenderingAccounts/convert/read | Get asset conversion properties | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/RemoteRenderingAccounts/convert/delete | Stop asset conversion | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/RemoteRenderingAccounts/managesessions/read | Get session properties | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/RemoteRenderingAccounts/managesessions/action | Start sessions | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/RemoteRenderingAccounts/managesessions/delete | Stop sessions | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/RemoteRenderingAccounts/render/read | Connect 
to a session | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/RemoteRenderingAccounts/diagnostic/read | Connect to the Remote Rendering inspector | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering", + "id": "/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e", + "name": "3df8b902-2a6f-47c7-8cc5-360e9b272a7e", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.MixedReality/RemoteRenderingAccounts/convert/action", + "Microsoft.MixedReality/RemoteRenderingAccounts/convert/read", + "Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete", + "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read", + "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action", + "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete", + "Microsoft.MixedReality/RemoteRenderingAccounts/render/read", + "Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read" + ], + "notDataActions": [] + } + ], + "roleName": "Remote Rendering Administrator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Remote Rendering Client ++Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering. 
++[Learn more](/azure/remote-rendering/how-tos/authentication) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/RemoteRenderingAccounts/managesessions/read | Get session properties | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/RemoteRenderingAccounts/managesessions/action | Start sessions | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/RemoteRenderingAccounts/managesessions/delete | Stop sessions | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/RemoteRenderingAccounts/render/read | Connect to a session | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/RemoteRenderingAccounts/diagnostic/read | Connect to the Remote Rendering inspector | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a", + "name": "d39065c4-c120-43c9-ab0a-63eed9795f0a", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read", + "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action", + "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete", + "Microsoft.MixedReality/RemoteRenderingAccounts/render/read", + "Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read" + ], + "notDataActions": [] + } + ], + "roleName": "Remote Rendering Client", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Spatial Anchors Account Contributor ++Lets you 
manage spatial anchors in your account, but not delete them ++[Learn more](/azure/spatial-anchors/concepts/authentication) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/SpatialAnchorsAccounts/create/action | Create spatial anchors | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/SpatialAnchorsAccounts/discovery/read | Discover nearby spatial anchors | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/SpatialAnchorsAccounts/properties/read | Get properties of spatial anchors | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/SpatialAnchorsAccounts/query/read | Locate spatial anchors | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/SpatialAnchorsAccounts/submitdiag/read | Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/SpatialAnchorsAccounts/write | Update spatial anchors properties | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage spatial anchors in your account, but not delete them", + "id": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827", + "name": "8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.MixedReality/SpatialAnchorsAccounts/create/action", + "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read", + "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read", + "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read", + "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read", + 
"Microsoft.MixedReality/SpatialAnchorsAccounts/write" + ], + "notDataActions": [] + } + ], + "roleName": "Spatial Anchors Account Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Spatial Anchors Account Owner ++Lets you manage spatial anchors in your account, including deleting them ++[Learn more](/azure/spatial-anchors/concepts/authentication) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/SpatialAnchorsAccounts/create/action | Create spatial anchors | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/SpatialAnchorsAccounts/delete | Delete spatial anchors | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/SpatialAnchorsAccounts/discovery/read | Discover nearby spatial anchors | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/SpatialAnchorsAccounts/properties/read | Get properties of spatial anchors | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/SpatialAnchorsAccounts/query/read | Locate spatial anchors | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/SpatialAnchorsAccounts/submitdiag/read | Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/SpatialAnchorsAccounts/write | Update spatial anchors properties | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage spatial anchors in your account, including deleting them", + "id": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c", + "name": 
"70bbe301-9835-447d-afdd-19eb3167307c", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.MixedReality/SpatialAnchorsAccounts/create/action", + "Microsoft.MixedReality/SpatialAnchorsAccounts/delete", + "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read", + "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read", + "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read", + "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read", + "Microsoft.MixedReality/SpatialAnchorsAccounts/write" + ], + "notDataActions": [] + } + ], + "roleName": "Spatial Anchors Account Owner", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Spatial Anchors Account Reader ++Lets you locate and read properties of spatial anchors in your account ++[Learn more](/azure/spatial-anchors/concepts/authentication) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/SpatialAnchorsAccounts/discovery/read | Discover nearby spatial anchors | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/SpatialAnchorsAccounts/properties/read | Get properties of spatial anchors | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/SpatialAnchorsAccounts/query/read | Locate spatial anchors | +> | [Microsoft.MixedReality](../permissions/mixed-reality.md#microsoftmixedreality)/SpatialAnchorsAccounts/submitdiag/read | Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you locate and read properties of spatial anchors in your account", + "id": 
"/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413", + "name": "5d51204f-eb77-4b1c-b86a-2ec626c49413", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read", + "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read", + "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read", + "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read" + ], + "notDataActions": [] + } + ], + "roleName": "Spatial Anchors Account Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Next steps ++- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal) |
role-based-access-control | Monitor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/monitor.md | + + Title: Azure built-in roles for Monitor - Azure RBAC +description: This article lists the Azure built-in roles for Azure role-based access control (Azure RBAC) in the Monitor category. It lists Actions, NotActions, DataActions, and NotDataActions. ++++++ Last updated : 02/07/2024++++# Azure built-in roles for Monitor ++This article lists the Azure built-in roles in the Monitor category. +++## Application Insights Component Contributor ++Can manage Application Insights components ++[Learn more](/azure/azure-monitor/app/resources-roles-access-control) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage classic alert rules | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/generateLiveToken/read | Live Metrics get token | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metricAlerts/* | Create and manage new alert rules | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/components/* | Create and manage Insights components | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/scheduledqueryrules/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/topology/read | Read Topology | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/transactions/read | Read Transactions | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/webtests/* | Create and manage Insights web tests | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability 
statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can manage Application Insights components", + "id": "/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e", + "name": "ae349356-3a1b-4a5e-921d-050484c6347e", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Insights/generateLiveToken/read", + "Microsoft.Insights/metricAlerts/*", + "Microsoft.Insights/components/*", + "Microsoft.Insights/scheduledqueryrules/*", + "Microsoft.Insights/topology/read", + "Microsoft.Insights/transactions/read", + "Microsoft.Insights/webtests/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Application Insights Component Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Application Insights Snapshot Debugger ++Gives user permission to view and download debug snapshots collected with the Application Insights Snapshot Debugger. 
Note that these permissions are not included in the [Owner](/azure/role-based-access-control/built-in-roles#owner) or [Contributor](/azure/role-based-access-control/built-in-roles#contributor) roles. When giving users the Application Insights Snapshot Debugger role, you must grant the role directly to the user. The role is not recognized when it is added to a custom role. ++[Learn more](/azure/azure-monitor/app/snapshot-debugger) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/components/*/read | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Gives user permission to use Application Insights Snapshot Debugger features", + "id": "/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b", + "name": "08954f03-6346-4c2e-81c0-ec3a5cfae23b", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Insights/components/*/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Application Insights Snapshot Debugger", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Grafana Admin ++Perform all Grafana operations, including the ability to manage data sources, create dashboards, and manage role assignments within Grafana. 
++[Learn more](/azure/managed-grafana/how-to-share-grafana-workspace) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Dashboard](../permissions/monitor.md#microsoftdashboard)/grafana/ActAsGrafanaAdmin/action | Act as Grafana Admin role | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Built-in Grafana admin role", + "id": "/providers/Microsoft.Authorization/roleDefinitions/22926164-76b3-42b3-bc55-97df8dab3e41", + "name": "22926164-76b3-42b3-bc55-97df8dab3e41", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.Dashboard/grafana/ActAsGrafanaAdmin/action" + ], + "notDataActions": [] + } + ], + "roleName": "Grafana Admin", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Grafana Editor ++View and edit a Grafana instance, including its dashboards and alerts. 
++[Learn more](/azure/managed-grafana/how-to-share-grafana-workspace) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Dashboard](../permissions/monitor.md#microsoftdashboard)/grafana/ActAsGrafanaEditor/action | Act as Grafana Editor role | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Built-in Grafana Editor role", + "id": "/providers/Microsoft.Authorization/roleDefinitions/a79a5197-3a5c-4973-a920-486035ffd60f", + "name": "a79a5197-3a5c-4973-a920-486035ffd60f", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.Dashboard/grafana/ActAsGrafanaEditor/action" + ], + "notDataActions": [] + } + ], + "roleName": "Grafana Editor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Grafana Viewer ++View a Grafana instance, including its dashboards and alerts. 
++[Learn more](/azure/managed-grafana/how-to-share-grafana-workspace) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Dashboard](../permissions/monitor.md#microsoftdashboard)/grafana/ActAsGrafanaViewer/action | Act as Grafana Viewer role | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Built-in Grafana Viewer role", + "id": "/providers/Microsoft.Authorization/roleDefinitions/60921a7e-fef1-4a43-9b16-a26c52ad4769", + "name": "60921a7e-fef1-4a43-9b16-a26c52ad4769", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.Dashboard/grafana/ActAsGrafanaViewer/action" + ], + "notDataActions": [] + } + ], + "roleName": "Grafana Viewer", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Monitoring Contributor ++Can read all monitoring data and edit monitoring settings. See also [Get started with roles, permissions, and security with Azure Monitor](/azure/azure-monitor/roles-permissions-security#built-in-monitoring-roles). ++[Learn more](/azure/azure-monitor/roles-permissions-security) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | */read | Read resources of all types, except secrets. 
| +> | [Microsoft.AlertsManagement](../permissions/monitor.md#microsoftalertsmanagement)/alerts/* | | +> | [Microsoft.AlertsManagement](../permissions/monitor.md#microsoftalertsmanagement)/alertsSummary/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/actiongroups/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/activityLogAlerts/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/components/* | Create and manage Insights components | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/createNotifications/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/dataCollectionEndpoints/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/dataCollectionRules/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/dataCollectionRuleAssociations/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/DiagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/eventtypes/* | List Activity Log events (management events) in a subscription. This permission is applicable to both programmatic and portal access to the Activity Log. | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/LogDefinitions/* | This permission is necessary for users who need access to Activity Logs via the portal. List log categories in Activity Log. | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metricalerts/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/MetricDefinitions/* | Read metric definitions (list of available metric types for a resource). 
| +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/Metrics/* | Read metrics for a resource. | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/notificationStatus/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/Register/Action | Register the Microsoft Insights provider | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/scheduledqueryrules/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/webtests/* | Create and manage Insights web tests | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/workbooks/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/workbooktemplates/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/privateLinkScopes/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/privateLinkScopeOperationStatuses/* | | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/write | Creates a new workspace or links to an existing workspace by providing the customer id from the existing workspace. | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/intelligencepacks/* | Read/write/delete log analytics solution packs. | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/savedSearches/* | Read/write/delete log analytics saved searches. | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/search/action | Executes a search query | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/sharedKeys/action | Retrieves the shared keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace. 
| +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/storageinsightconfigs/* | Read/write/delete log analytics storage insight configurations. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.AlertsManagement](../permissions/monitor.md#microsoftalertsmanagement)/smartDetectorAlertRules/* | | +> | [Microsoft.AlertsManagement](../permissions/monitor.md#microsoftalertsmanagement)/actionRules/* | | +> | [Microsoft.AlertsManagement](../permissions/monitor.md#microsoftalertsmanagement)/smartGroups/* | | +> | [Microsoft.AlertsManagement](../permissions/monitor.md#microsoftalertsmanagement)/migrateFromSmartDetection/* | | +> | [Microsoft.AlertsManagement](../permissions/monitor.md#microsoftalertsmanagement)/investigations/* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can read all monitoring data and update monitoring settings.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "name": "749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "permissions": [ + { + "actions": [ + "*/read", + "Microsoft.AlertsManagement/alerts/*", + "Microsoft.AlertsManagement/alertsSummary/*", + "Microsoft.Insights/actiongroups/*", + "Microsoft.Insights/activityLogAlerts/*", + "Microsoft.Insights/AlertRules/*", + "Microsoft.Insights/components/*", + "Microsoft.Insights/createNotifications/*", + "Microsoft.Insights/dataCollectionEndpoints/*", + "Microsoft.Insights/dataCollectionRules/*", + "Microsoft.Insights/dataCollectionRuleAssociations/*", + "Microsoft.Insights/DiagnosticSettings/*", + "Microsoft.Insights/eventtypes/*", + "Microsoft.Insights/LogDefinitions/*", + "Microsoft.Insights/metricalerts/*", + "Microsoft.Insights/MetricDefinitions/*", + "Microsoft.Insights/Metrics/*", 
+ "Microsoft.Insights/notificationStatus/*", + "Microsoft.Insights/Register/Action", + "Microsoft.Insights/scheduledqueryrules/*", + "Microsoft.Insights/webtests/*", + "Microsoft.Insights/workbooks/*", + "Microsoft.Insights/workbooktemplates/*", + "Microsoft.Insights/privateLinkScopes/*", + "Microsoft.Insights/privateLinkScopeOperationStatuses/*", + "Microsoft.OperationalInsights/workspaces/write", + "Microsoft.OperationalInsights/workspaces/intelligencepacks/*", + "Microsoft.OperationalInsights/workspaces/savedSearches/*", + "Microsoft.OperationalInsights/workspaces/search/action", + "Microsoft.OperationalInsights/workspaces/sharedKeys/action", + "Microsoft.OperationalInsights/workspaces/storageinsightconfigs/*", + "Microsoft.Support/*", + "Microsoft.AlertsManagement/smartDetectorAlertRules/*", + "Microsoft.AlertsManagement/actionRules/*", + "Microsoft.AlertsManagement/smartGroups/*", + "Microsoft.AlertsManagement/migrateFromSmartDetection/*", + "Microsoft.AlertsManagement/investigations/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Monitoring Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Monitoring Metrics Publisher ++Enables publishing metrics against Azure resources ++[Learn more](/azure/azure-monitor/insights/container-insights-update-metrics) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/Register/Action | Register the Microsoft Insights provider | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/Metrics/Write | Write metrics | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/Telemetry/Write | Write telemetry | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Enables publishing metrics against Azure resources", + "id": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", + "name": "3913510d-42f4-4e42-8a64-420c390055eb", + "permissions": [ + { + "actions": [ + "Microsoft.Insights/Register/Action", + "Microsoft.Support/*", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.Insights/Metrics/Write", + "Microsoft.Insights/Telemetry/Write" + ], + "notDataActions": [] + } + ], + "roleName": "Monitoring Metrics Publisher", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Monitoring Reader ++Can read all monitoring data (metrics, logs, etc.). See also [Get started with roles, permissions, and security with Azure Monitor](/azure/azure-monitor/roles-permissions-security#built-in-monitoring-roles). ++[Learn more](/azure/azure-monitor/roles-permissions-security) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | */read | Read resources of all types, except secrets. 
| +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/search/action | Executes a search query | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can read all monitoring data.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", + "name": "43d0d8ad-25c7-4714-9337-8ba259a9fe05", + "permissions": [ + { + "actions": [ + "*/read", + "Microsoft.OperationalInsights/workspaces/search/action", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Monitoring Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Workbook Contributor ++Can save shared workbooks. 
++[Learn more](/azure/sentinel/tutorial-monitor-your-data) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/workbooks/write | Create or update a workbook | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/workbooks/delete | Delete a workbook | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/workbooks/read | Read a workbook | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/workbooks/revisions/read | Get the workbook revisions | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/workbooktemplates/write | Create or update a workbook template | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/workbooktemplates/delete | Delete a workbook template | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/workbooktemplates/read | Read a workbook template | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can save shared workbooks.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad", + "name": "e8ddcd69-c73f-4f9f-9844-4100522f16ad", + "permissions": [ + { + "actions": [ + "Microsoft.Insights/workbooks/write", + "Microsoft.Insights/workbooks/delete", + "Microsoft.Insights/workbooks/read", + "Microsoft.Insights/workbooks/revisions/read", + "Microsoft.Insights/workbooktemplates/write", + "Microsoft.Insights/workbooktemplates/delete", + "Microsoft.Insights/workbooktemplates/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Workbook Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Workbook Reader ++Can read workbooks. 
++[Learn more](/azure/sentinel/tutorial-monitor-your-data) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [microsoft.insights](../permissions/monitor.md#microsoftinsights)/workbooks/read | Read a workbook | +> | [microsoft.insights](../permissions/monitor.md#microsoftinsights)/workbooks/revisions/read | Get the workbook revisions | +> | [microsoft.insights](../permissions/monitor.md#microsoftinsights)/workbooktemplates/read | Read a workbook template | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can read workbooks.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d", + "name": "b279062a-9be3-42a0-92ae-8b3cf002ec4d", + "permissions": [ + { + "actions": [ + "microsoft.insights/workbooks/read", + "microsoft.insights/workbooks/revisions/read", + "microsoft.insights/workbooktemplates/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Workbook Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Next steps ++- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal) |
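Review bot: in the Monitoring Contributor section, the `Microsoft.OperationalInsights/workspaces/sharedKeys/action` row (and the matching entry in the JSON `actions` array) grants retrieval of the workspace shared keys, which the row's own description says are the credentials used to connect agents to the workspace, yet the role's lead sentence only says "Can read all monitoring data and edit monitoring settings." Suggest adding a sentence under that heading stating that the role can also retrieve workspace shared keys, so a reader assigning it at subscription scope understands it includes an ingestion credential, in the same way the Application Insights Snapshot Debugger section spells out its Owner/Contributor caveat. Two smaller consistency points: the Monitoring Contributor intro says "edit monitoring settings" while its JSON `description` says "update monitoring settings", and the Workbook Reader table rows and JSON use lowercase `microsoft.insights` where every other section uses `Microsoft.Insights`; worth confirming the latter mirrors the published role definition rather than a transcription slip.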
role-based-access-control | Networking | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/networking.md | + + Title: Azure built-in roles for Networking - Azure RBAC +description: This article lists the Azure built-in roles for Azure role-based access control (Azure RBAC) in the Networking category. It lists Actions, NotActions, DataActions, and NotDataActions. ++++++ Last updated : 02/07/2024++++# Azure built-in roles for Networking ++This article lists the Azure built-in roles in the Networking category. +++## Azure Front Door Domain Contributor ++For internal use within Azure. Can manage Azure Front Door domains, but can't grant access to other users. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/operationresults/profileresults/customdomainresults/read | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/customdomains/read | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/customdomains/write | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/customdomains/delete | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "For internal use within Azure. 
Can manage Azure Front Door domains, but can't grant access to other users.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/0ab34830-df19-4f8c-b84e-aa85b8afa6e8", + "name": "0ab34830-df19-4f8c-b84e-aa85b8afa6e8", + "permissions": [ + { + "actions": [ + "Microsoft.Cdn/operationresults/profileresults/customdomainresults/read", + "Microsoft.Cdn/profiles/customdomains/read", + "Microsoft.Cdn/profiles/customdomains/write", + "Microsoft.Cdn/profiles/customdomains/delete", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Front Door Domain Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Front Door Domain Reader ++For internal use within Azure. Can view Azure Front Door domains, but can't make changes. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/operationresults/profileresults/customdomainresults/read | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/customdomains/read | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "For internal use within Azure. 
Can view Azure Front Door domains, but can't make changes.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/0f99d363-226e-4dca-9920-b807cf8e1a5f", + "name": "0f99d363-226e-4dca-9920-b807cf8e1a5f", + "permissions": [ + { + "actions": [ + "Microsoft.Cdn/operationresults/profileresults/customdomainresults/read", + "Microsoft.Cdn/profiles/customdomains/read", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Front Door Domain Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Front Door Profile Reader ++Can view AFD standard and premium profiles and their endpoints, but can't make changes. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/edgenodes/read | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/operationresults/* | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/*/read | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/operationresults/profileresults/afdendpointresults/CheckCustomDomainDNSMappingStatus/action | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/queryloganalyticsmetrics/action | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/queryloganalyticsrankings/action | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/querywafloganalyticsmetrics/action | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/querywafloganalyticsrankings/action | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/afdendpoints/CheckCustomDomainDNSMappingStatus/action | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/Usages/action | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/afdendpoints/Usages/action | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/origingroups/Usages/action | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/rulesets/Usages/action | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can view AFD standard and premium profiles and their endpoints, but can't make changes.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/662802e2-50f6-46b0-aed2-e834bacc6d12", + "name": "662802e2-50f6-46b0-aed2-e834bacc6d12", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Cdn/edgenodes/read", + "Microsoft.Cdn/operationresults/*", + "Microsoft.Cdn/profiles/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Cdn/operationresults/profileresults/afdendpointresults/CheckCustomDomainDNSMappingStatus/action", + 
"Microsoft.Cdn/profiles/queryloganalyticsmetrics/action", + "Microsoft.Cdn/profiles/queryloganalyticsrankings/action", + "Microsoft.Cdn/profiles/querywafloganalyticsmetrics/action", + "Microsoft.Cdn/profiles/querywafloganalyticsrankings/action", + "Microsoft.Cdn/profiles/afdendpoints/CheckCustomDomainDNSMappingStatus/action", + "Microsoft.Cdn/profiles/Usages/action", + "Microsoft.Cdn/profiles/afdendpoints/Usages/action", + "Microsoft.Cdn/profiles/origingroups/Usages/action", + "Microsoft.Cdn/profiles/rulesets/Usages/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Front Door Profile Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Front Door Secret Contributor ++For internal use within Azure. Can manage Azure Front Door secrets, but can't grant access to other users. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/operationresults/profileresults/secretresults/read | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/secrets/read | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/secrets/write | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/secrets/delete | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "For internal use within Azure. 
Can manage Azure Front Door secrets, but can't grant access to other users.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/3f2eb865-5811-4578-b90a-6fc6fa0df8e5", + "name": "3f2eb865-5811-4578-b90a-6fc6fa0df8e5", + "permissions": [ + { + "actions": [ + "Microsoft.Cdn/operationresults/profileresults/secretresults/read", + "Microsoft.Cdn/profiles/secrets/read", + "Microsoft.Cdn/profiles/secrets/write", + "Microsoft.Cdn/profiles/secrets/delete", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Front Door Secret Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Front Door Secret Reader ++For internal use within Azure. Can view Azure Front Door secrets, but can't make changes. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/operationresults/profileresults/secretresults/read | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/secrets/read | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "For internal use within Azure. 
Can view Azure Front Door secrets, but can't make changes.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/0db238c4-885e-4c4f-a933-aa2cef684fca", + "name": "0db238c4-885e-4c4f-a933-aa2cef684fca", + "permissions": [ + { + "actions": [ + "Microsoft.Cdn/operationresults/profileresults/secretresults/read", + "Microsoft.Cdn/profiles/secrets/read", + "Microsoft.Resources/subscriptions/resourceGroups/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Azure Front Door Secret Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## CDN Endpoint Contributor ++Can manage CDN endpoints, but can't grant access to other users. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/edgenodes/read | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/operationresults/* | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/endpoints/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can manage CDN endpoints, but can't grant access to other users.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45", + "name": "426e0c7f-0c7e-4658-b36f-ff54d6c29b45", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Cdn/edgenodes/read", + "Microsoft.Cdn/operationresults/*", + "Microsoft.Cdn/profiles/endpoints/*", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "CDN Endpoint Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## CDN Endpoint Reader ++Can view CDN endpoints, but can't make changes. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/edgenodes/read | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/operationresults/* | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/endpoints/*/read | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/afdendpoints/validateCustomDomain/action | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can view CDN endpoints, but can't make changes.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd", + "name": "871e35f6-b5c1-49cc-a043-bde969a0f2cd", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Cdn/edgenodes/read", + "Microsoft.Cdn/operationresults/*", + "Microsoft.Cdn/profiles/endpoints/*/read", + "Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "CDN Endpoint Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## CDN Profile Contributor ++Can manage CDN and Azure Front Door standard and premium profiles and their endpoints, but can't grant access to other users. 
++[Learn more](/azure/cdn/cdn-app-dev-net) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/edgenodes/read | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/operationresults/* | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can manage CDN and Azure Front Door standard and premium profiles and their endpoints, but can't grant access to other users.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432", + "name": "ec156ff8-a8d1-4d15-830c-5b80698ca432", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Cdn/edgenodes/read", + "Microsoft.Cdn/operationresults/*", + "Microsoft.Cdn/profiles/*", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "CDN Profile Contributor", + "roleType": "BuiltInRole", + 
"type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## CDN Profile Reader ++Can view CDN profiles and their endpoints, but can't make changes. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/edgenodes/read | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/operationresults/* | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/*/read | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/afdendpoints/validateCustomDomain/action | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/CheckResourceUsage/action | | +> | [Microsoft.Cdn](../permissions/networking.md#microsoftcdn)/profiles/endpoints/CheckResourceUsage/action | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can view CDN profiles and their endpoints, but can't make changes.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af", + "name": "8f96442b-4075-438f-813d-ad51ab4019af", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Cdn/edgenodes/read", + "Microsoft.Cdn/operationresults/*", + "Microsoft.Cdn/profiles/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.Cdn/profiles/CheckResourceUsage/action", + "Microsoft.Cdn/profiles/endpoints/CheckResourceUsage/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "CDN Profile Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Classic Network Contributor ++Lets you manage classic networks, but not access to them. 
++[Learn more](/azure/virtual-network/virtual-network-manage-peering) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.ClassicNetwork](../permissions/networking.md#microsoftclassicnetwork)/* | Create and manage classic networks | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage classic networks, but not access to them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f", + "name": "b34d265f-36f7-4a0d-a4d4-e158ca92e90f", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.ClassicNetwork/*", + "Microsoft.Insights/alertRules/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Classic Network Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## DNS Zone Contributor ++Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. 
++[Learn more](/azure/dns/dns-protect-zones-recordsets) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/dnsZones/* | Create and manage DNS zones and records | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314", + "name": "befefa01-2a29-4197-83a8-272ff33ce314", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Network/dnsZones/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "DNS Zone Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Network Contributor ++Lets you manage networks, but not access to them. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/* | Create and manage networks | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage networks, but not access to them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "name": "4d97b98b-1d4f-4787-a291-c67834d212e7", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Network/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Network Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Private DNS Zone Contributor ++Lets you 
manage private DNS zone resources, but not the virtual networks they are linked to. ++[Learn more](/azure/dns/dns-protect-private-zones-recordsets) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/privateDnsZones/* | | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/privateDnsOperationResults/* | | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/privateDnsOperationStatuses/* | | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/join/action | Joins a virtual network. Not Alertable. 
| +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage private DNS zone resources, but not the virtual networks they are linked to.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", + "name": "b12aa53e-6015-4669-85d0-8515ebb3ae7f", + "permissions": [ + { + "actions": [ + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.Network/privateDnsZones/*", + "Microsoft.Network/privateDnsOperationResults/*", + "Microsoft.Network/privateDnsOperationStatuses/*", + "Microsoft.Network/virtualNetworks/read", + "Microsoft.Network/virtualNetworks/join/action", + "Microsoft.Authorization/*/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Private DNS Zone Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Traffic Manager Contributor ++Lets you manage Traffic Manager profiles, but does not let you control who has access to them. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/trafficManagerProfiles/* | | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage Traffic Manager profiles, but does not let you control who has access to them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7", + "name": "a4b10055-b0c7-44c2-b00f-c7b5b3550cf7", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Network/trafficManagerProfiles/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Traffic Manager Contributor", + "roleType": "BuiltInRole", + "type": 
"Microsoft.Authorization/roleDefinitions" +} +``` ++## Next steps ++- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal) |
role-based-access-control | Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/security.md | + + Title: Azure built-in roles for Security - Azure RBAC +description: This article lists the Azure built-in roles for Azure role-based access control (Azure RBAC) in the Security category. It lists Actions, NotActions, DataActions, and NotDataActions. ++++++ Last updated : 02/07/2024++++# Azure built-in roles for Security ++This article lists the Azure built-in roles in the Security category. +++## App Compliance Automation Administrator ++Create, read, download, modify and delete reports objects and related other resource objects. ++[Learn more](/microsoft-365-app-certification/docs/automate-certification-with-acat) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.AppComplianceAutomation](../permissions/security.md#microsoftappcomplianceautomation)/* | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/write | Returns the result of put blob service properties | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileservices/write | Put file service properties | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/write | Creates a storage account with the specified parameters or update the properties or tags or adds custom domain for the specified storage account. 
| +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the blob service | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/read | Returns list of containers | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/write | Returns the result of put blob container | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/read | Returns blob service properties or statistics | +> | [Microsoft.PolicyInsights](../permissions/management-and-governance.md#microsoftpolicyinsights)/policyStates/queryResults/action | Query information about policy states. | +> | [Microsoft.PolicyInsights](../permissions/management-and-governance.md#microsoftpolicyinsights)/policyStates/triggerEvaluation/action | Triggers a new compliance evaluation for the selected scope. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/resources/read | Get the list of resources based upon filters. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/resources/read | Gets the resources for the resource group. 
| +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resources/read | Gets resources of a subscription. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/delete | Deletes a resource group and all its resources. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/write | Creates or updates a resource group. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/tags/read | Gets all the tags on a resource. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/validate/action | Validates an deployment. | +> | [Microsoft.Security](../permissions/security.md#microsoftsecurity)/automations/read | Gets the automations for the scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/write | Creates or updates an deployment. | +> | [Microsoft.Security](../permissions/security.md#microsoftsecurity)/automations/delete | Deletes the automation for the scope | +> | [Microsoft.Security](../permissions/security.md#microsoftsecurity)/automations/write | Creates or updates the automation for the scope | +> | [Microsoft.Security](../permissions/security.md#microsoftsecurity)/register/action | Registers the subscription for Azure Security Center | +> | [Microsoft.Security](../permissions/security.md#microsoftsecurity)/unregister/action | Unregisters the subscription from Azure Security Center | +> | */read | Read resources of all types, except secrets. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Create, read, download, modify and delete reports objects and related other resource objects.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/0f37683f-2463-46b6-9ce7-9b788b988ba2", + "name": "0f37683f-2463-46b6-9ce7-9b788b988ba2", + "permissions": [ + { + "actions": [ + "Microsoft.AppComplianceAutomation/*", + "Microsoft.Storage/storageAccounts/blobServices/write", + "Microsoft.Storage/storageAccounts/fileservices/write", + "Microsoft.Storage/storageAccounts/listKeys/action", + "Microsoft.Storage/storageAccounts/write", + "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action", + "Microsoft.Storage/storageAccounts/read", + "Microsoft.Storage/storageAccounts/blobServices/containers/read", + "Microsoft.Storage/storageAccounts/blobServices/containers/write", + "Microsoft.Storage/storageAccounts/blobServices/read", + "Microsoft.PolicyInsights/policyStates/queryResults/action", + "Microsoft.PolicyInsights/policyStates/triggerEvaluation/action", + "Microsoft.Resources/resources/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/subscriptions/resourceGroups/resources/read", + "Microsoft.Resources/subscriptions/resources/read", + "Microsoft.Resources/subscriptions/resourceGroups/delete", + "Microsoft.Resources/subscriptions/resourceGroups/write", + "Microsoft.Resources/tags/read", + "Microsoft.Resources/deployments/validate/action", + "Microsoft.Security/automations/read", + "Microsoft.Resources/deployments/write", + "Microsoft.Security/automations/delete", + "Microsoft.Security/automations/write", + "Microsoft.Security/register/action", + "Microsoft.Security/unregister/action", + "*/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + 
], + "roleName": "App Compliance Automation Administrator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## App Compliance Automation Reader ++Read, download the reports objects and related other resource objects. ++[Learn more](/microsoft-365-app-certification/docs/automate-certification-with-acat) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | */read | Read resources of all types, except secrets. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Read, download the reports objects and related other resource objects.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/ffc6bbe0-e443-4c3b-bf54-26581bb2f78e", + "name": "ffc6bbe0-e443-4c3b-bf54-26581bb2f78e", + "permissions": [ + { + "actions": [ + "*/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "App Compliance Automation Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Attestation Contributor ++Can read write or delete the attestation provider instance ++[Learn more](/azure/attestation/quickstart-powershell) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | Microsoft.Attestation/attestationProviders/attestation/read | Gets the attestation service status. | +> | Microsoft.Attestation/attestationProviders/attestation/write | Adds attestation service. | +> | Microsoft.Attestation/attestationProviders/attestation/delete | Removes attestation service. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can read write or delete the attestation provider instance", + "id": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e", + "name": "bbf86eb8-f7b4-4cce-96e4-18cddf81d86e", + "permissions": [ + { + "actions": [ + "Microsoft.Attestation/attestationProviders/attestation/read", + "Microsoft.Attestation/attestationProviders/attestation/write", + "Microsoft.Attestation/attestationProviders/attestation/delete" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Attestation Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Attestation Reader ++Can read the attestation provider properties ++[Learn more](/azure/attestation/troubleshoot-guide) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | Microsoft.Attestation/attestationProviders/attestation/read | Gets the attestation service status. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can read the attestation provider properties", + "id": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3", + "name": "fd1bd22b-8476-40bc-a0bc-69b95687b9f3", + "permissions": [ + { + "actions": [ + "Microsoft.Attestation/attestationProviders/attestation/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Attestation Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Key Vault Administrator ++Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. 
Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. ++[Learn more](/azure/key-vault/general/rbac-guide) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/checkNameAvailability/read | Checks that a key vault name is valid and is not in use | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/deletedVaults/read | View the properties of soft deleted key vaults | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/locations/*/read | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/*/read | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/operations/read | Lists operations available on Microsoft.KeyVault resource provider | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. 
Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483", + "name": "00482a5a-887f-4fb3-b363-3b7fe8e74483", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.KeyVault/checkNameAvailability/read", + "Microsoft.KeyVault/deletedVaults/read", + "Microsoft.KeyVault/locations/*/read", + "Microsoft.KeyVault/vaults/*/read", + "Microsoft.KeyVault/operations/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.KeyVault/vaults/*" + ], + "notDataActions": [] + } + ], + "roleName": "Key Vault Administrator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Key Vault Certificate User ++Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model. ++[Learn more](/azure/key-vault/general/rbac-guide) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/certificates/read | List certificates in a specified key vault, or get information about a certificate. | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/secrets/getSecret/action | Gets the value of a secret. | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/secrets/readMetadata/action | List or view the properties of a secret, but not its value. 
| +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/keys/read | List keys in the specified vault, or read properties and public material of a key. For asymmetric keys, this operation exposes public key and includes ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed. | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/db79e9a7-68ee-4b58-9aeb-b90e7c24fcba", + "name": "db79e9a7-68ee-4b58-9aeb-b90e7c24fcba", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.KeyVault/vaults/certificates/read", + "Microsoft.KeyVault/vaults/secrets/getSecret/action", + "Microsoft.KeyVault/vaults/secrets/readMetadata/action", + "Microsoft.KeyVault/vaults/keys/read" + ], + "notDataActions": [] + } + ], + "roleName": "Key Vault Certificate User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Key Vault Certificates Officer ++Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. 
++[Learn more](/azure/key-vault/general/rbac-guide) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/checkNameAvailability/read | Checks that a key vault name is valid and is not in use | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/deletedVaults/read | View the properties of soft deleted key vaults | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/locations/*/read | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/*/read | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/operations/read | Lists operations available on Microsoft.KeyVault resource provider | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/certificatecas/* | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/certificates/* | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/certificatecontacts/write | Manage Certificate Contact | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Perform any action on the certificates of a 
key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985", + "name": "a4417e6f-fecd-4de8-b567-7b0420556985", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.KeyVault/checkNameAvailability/read", + "Microsoft.KeyVault/deletedVaults/read", + "Microsoft.KeyVault/locations/*/read", + "Microsoft.KeyVault/vaults/*/read", + "Microsoft.KeyVault/operations/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.KeyVault/vaults/certificatecas/*", + "Microsoft.KeyVault/vaults/certificates/*", + "Microsoft.KeyVault/vaults/certificatecontacts/write" + ], + "notDataActions": [] + } + ], + "roleName": "Key Vault Certificates Officer", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Key Vault Contributor ++Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates. 
++[Learn more](/azure/key-vault/general/security-features) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/* | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/locations/deletedVaults/purge/action | Purge a soft deleted key vault | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/hsmPools/* | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/managedHsms/* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage key vaults, but not access to them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395", + "name": "f25e0fa2-a7c8-4377-a976-54943a77a395", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.KeyVault/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [ + "Microsoft.KeyVault/locations/deletedVaults/purge/action", + "Microsoft.KeyVault/hsmPools/*", + 
"Microsoft.KeyVault/managedHsms/*" + ], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Key Vault Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Key Vault Crypto Officer ++Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. ++[Learn more](/azure/key-vault/general/rbac-guide) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/checkNameAvailability/read | Checks that a key vault name is valid and is not in use | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/deletedVaults/read | View the properties of soft deleted key vaults | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/locations/*/read | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/*/read | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/operations/read | Lists operations available on Microsoft.KeyVault resource provider | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/keys/* | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/keyrotationpolicies/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Perform any action on the keys of a key vault, except manage permissions. 
Only works for key vaults that use the 'Azure role-based access control' permission model.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603", + "name": "14b46e9e-c2b7-41b4-b07b-48a6ebf60603", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.KeyVault/checkNameAvailability/read", + "Microsoft.KeyVault/deletedVaults/read", + "Microsoft.KeyVault/locations/*/read", + "Microsoft.KeyVault/vaults/*/read", + "Microsoft.KeyVault/operations/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.KeyVault/vaults/keys/*", + "Microsoft.KeyVault/vaults/keyrotationpolicies/*" + ], + "notDataActions": [] + } + ], + "roleName": "Key Vault Crypto Officer", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Key Vault Crypto Service Encryption User ++Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. ++[Learn more](/azure/key-vault/general/rbac-guide) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/eventSubscriptions/write | Create or update an eventSubscription | +> | [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/eventSubscriptions/read | Read an eventSubscription | +> | [Microsoft.EventGrid](../permissions/integration.md#microsofteventgrid)/eventSubscriptions/delete | Delete an eventSubscription | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/keys/read | List keys in the specified vault, or read properties and public material of a key. 
For asymmetric keys, this operation exposes public key and includes ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed. | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/keys/wrap/action | Wraps a symmetric key with a Key Vault key. Note that if the Key Vault key is asymmetric, this operation can be performed by principals with read access. | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/keys/unwrap/action | Unwraps a symmetric key with a Key Vault key. | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6", + "name": "e147488a-f6f5-4113-8e2d-b22465e65bf6", + "permissions": [ + { + "actions": [ + "Microsoft.EventGrid/eventSubscriptions/write", + "Microsoft.EventGrid/eventSubscriptions/read", + "Microsoft.EventGrid/eventSubscriptions/delete" + ], + "notActions": [], + "dataActions": [ + "Microsoft.KeyVault/vaults/keys/read", + "Microsoft.KeyVault/vaults/keys/wrap/action", + "Microsoft.KeyVault/vaults/keys/unwrap/action" + ], + "notDataActions": [] + } + ], + "roleName": "Key Vault Crypto Service Encryption User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Key Vault Crypto Service Release User ++Release keys. Only works for key vaults that use the 'Azure role-based access control' permission model. 
++[Learn more](/azure/key-vault/general/rbac-guide) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/keys/release/action | Release a key using public part of KEK from attestation token. | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Release keys. Only works for key vaults that use the 'Azure role-based access control' permission model.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/08bbd89e-9f13-488c-ac41-acfcb10c90ab", + "name": "08bbd89e-9f13-488c-ac41-acfcb10c90ab", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.KeyVault/vaults/keys/release/action" + ], + "notDataActions": [] + } + ], + "roleName": "Key Vault Crypto Service Release User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Key Vault Crypto User ++Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. ++[Learn more](/azure/key-vault/general/rbac-guide) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/keys/read | List keys in the specified vault, or read properties and public material of a key. For asymmetric keys, this operation exposes public key and includes ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed. | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/keys/update/action | Updates the specified attributes associated with the given key. 
| +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/keys/backup/action | Creates the backup file of a key. The file can used to restore the key in a Key Vault of same subscription. Restrictions may apply. | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/keys/encrypt/action | Encrypts plaintext with a key. Note that if the key is asymmetric, this operation can be performed by principals with read access. | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/keys/decrypt/action | Decrypts ciphertext with a key. | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/keys/wrap/action | Wraps a symmetric key with a Key Vault key. Note that if the Key Vault key is asymmetric, this operation can be performed by principals with read access. | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/keys/unwrap/action | Unwraps a symmetric key with a Key Vault key. | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/keys/sign/action | Signs a message digest (hash) with a key. | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/keys/verify/action | Verifies the signature of a message digest (hash) with a key. Note that if the key is asymmetric, this operation can be performed by principals with read access. | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Perform cryptographic operations using keys. 
Only works for key vaults that use the 'Azure role-based access control' permission model.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424", + "name": "12338af0-0e69-4776-bea7-57ae8d297424", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.KeyVault/vaults/keys/read", + "Microsoft.KeyVault/vaults/keys/update/action", + "Microsoft.KeyVault/vaults/keys/backup/action", + "Microsoft.KeyVault/vaults/keys/encrypt/action", + "Microsoft.KeyVault/vaults/keys/decrypt/action", + "Microsoft.KeyVault/vaults/keys/wrap/action", + "Microsoft.KeyVault/vaults/keys/unwrap/action", + "Microsoft.KeyVault/vaults/keys/sign/action", + "Microsoft.KeyVault/vaults/keys/verify/action" + ], + "notDataActions": [] + } + ], + "roleName": "Key Vault Crypto User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Key Vault Data Access Administrator ++Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/write | Create a role assignment at the specified scope. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/delete | Delete a role assignment at the specified scope. 
| +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. | +> | [Microsoft.Management](../permissions/management-and-governance.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated user. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/*/read | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | +> | **Condition** | | +> | ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 
14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) | Add or remove role assignments for the following roles:<br/>Key Vault Administrator<br/>Key Vault Certificates Officer<br/>Key Vault Crypto Officer<br/>Key Vault Crypto Service Encryption User<br/>Key Vault Crypto User<br/>Key Vault Reader<br/>Key Vault Secrets Officer<br/>Key Vault Secrets User | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/8b54135c-b56d-4d72-a534-26097cfdc8d8", + "name": "8b54135c-b56d-4d72-a534-26097cfdc8d8", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/roleAssignments/write", + "Microsoft.Authorization/roleAssignments/delete", + "Microsoft.Authorization/*/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/subscriptions/read", + "Microsoft.Management/managementGroups/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Support/*", + "Microsoft.KeyVault/vaults/*/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [], + "conditionVersion": "2.0", + "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, 
e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6}))" + } + ], + "roleName": "Key Vault Data Access Administrator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Key Vault Reader ++Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. ++[Learn more](/azure/key-vault/general/rbac-guide) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/checkNameAvailability/read | Checks that a key vault name is valid and is not in use | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/deletedVaults/read | View the properties of soft deleted key vaults | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/locations/*/read | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/*/read | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/operations/read | Lists operations available on Microsoft.KeyVault resource provider | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/*/read | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/secrets/readMetadata/action | List or view the properties of a secret, but not its value. | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. 
Only works for key vaults that use the 'Azure role-based access control' permission model.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2", + "name": "21090545-7ca7-4776-b22c-e363652d74d2", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.KeyVault/checkNameAvailability/read", + "Microsoft.KeyVault/deletedVaults/read", + "Microsoft.KeyVault/locations/*/read", + "Microsoft.KeyVault/vaults/*/read", + "Microsoft.KeyVault/operations/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.KeyVault/vaults/*/read", + "Microsoft.KeyVault/vaults/secrets/readMetadata/action" + ], + "notDataActions": [] + } + ], + "roleName": "Key Vault Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Key Vault Secrets Officer ++Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. ++[Learn more](/azure/key-vault/general/rbac-guide) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/checkNameAvailability/read | Checks that a key vault name is valid and is not in use | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/deletedVaults/read | View the properties of soft deleted key vaults | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/locations/*/read | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/*/read | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/operations/read | Lists operations available on Microsoft.KeyVault resource provider | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/secrets/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Perform any action on the secrets of a key vault, except manage permissions. 
Only works for key vaults that use the 'Azure role-based access control' permission model.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7", + "name": "b86a8fe4-44ce-4948-aee5-eccb2c155cd7", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.KeyVault/checkNameAvailability/read", + "Microsoft.KeyVault/deletedVaults/read", + "Microsoft.KeyVault/locations/*/read", + "Microsoft.KeyVault/vaults/*/read", + "Microsoft.KeyVault/operations/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.KeyVault/vaults/secrets/*" + ], + "notDataActions": [] + } + ], + "roleName": "Key Vault Secrets Officer", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Key Vault Secrets User ++Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. ++[Learn more](/azure/key-vault/general/rbac-guide) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/secrets/getSecret/action | Gets the value of a secret. | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/vaults/secrets/readMetadata/action | List or view the properties of a secret, but not its value. | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Read secret contents. 
Only works for key vaults that use the 'Azure role-based access control' permission model.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6", + "name": "4633458b-17de-408a-b874-0445c86b69e6", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.KeyVault/vaults/secrets/getSecret/action", + "Microsoft.KeyVault/vaults/secrets/readMetadata/action" + ], + "notDataActions": [] + } + ], + "roleName": "Key Vault Secrets User", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Managed HSM contributor ++Lets you manage managed HSM pools, but not access to them. ++[Learn more](/azure/key-vault/managed-hsm/secure-your-managed-hsm) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/managedHSMs/* | | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/deletedManagedHsms/read | View the properties of a deleted managed hsm | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/locations/deletedManagedHsms/read | View the properties of a deleted managed hsm | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/locations/deletedManagedHsms/purge/action | Purge a soft deleted managed hsm | +> | [Microsoft.KeyVault](../permissions/security.md#microsoftkeyvault)/locations/managedHsmOperationResults/read | Check the result of a long run operation | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage managed HSM pools, but not access to them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d", + "name": "18500a29-7fe2-46b2-a342-b16a415e101d", + "permissions": [ + { + "actions": [ + 
"Microsoft.KeyVault/managedHSMs/*", + "Microsoft.KeyVault/deletedManagedHsms/read", + "Microsoft.KeyVault/locations/deletedManagedHsms/read", + "Microsoft.KeyVault/locations/deletedManagedHsms/purge/action", + "Microsoft.KeyVault/locations/managedHsmOperationResults/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Managed HSM contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Microsoft Sentinel Automation Contributor ++Microsoft Sentinel Automation Contributor ++[Learn more](/azure/sentinel/roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Logic](../permissions/integration.md#microsoftlogic)/workflows/triggers/read | Reads the trigger. | +> | [Microsoft.Logic](../permissions/integration.md#microsoftlogic)/workflows/triggers/listCallbackUrl/action | Gets the callback URL for trigger. | +> | [Microsoft.Logic](../permissions/integration.md#microsoftlogic)/workflows/runs/read | Reads the workflow run. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/hostruntime/webhooks/api/workflows/triggers/read | List Web Apps Hostruntime Workflow Triggers. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action | Get Web Apps Hostruntime Workflow Trigger Uri. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/hostruntime/webhooks/api/workflows/runs/read | List Web Apps Hostruntime Workflow Runs. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Microsoft Sentinel Automation Contributor", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a", + "name": "f4c81013-99ee-4d62-a7ee-b3f1f648599a", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Logic/workflows/triggers/read", + "Microsoft.Logic/workflows/triggers/listCallbackUrl/action", + "Microsoft.Logic/workflows/runs/read", + "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read", + "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action", + "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Microsoft Sentinel Automation Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Microsoft Sentinel Contributor ++Microsoft Sentinel Contributor ++[Learn more](/azure/sentinel/roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.SecurityInsights](../permissions/security.md#microsoftsecurityinsights)/* | | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/analytics/query/action | Search using new engine. 
| +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/*/read | View log analytics data | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/savedSearches/* | | +> | [Microsoft.OperationsManagement](../permissions/monitor.md#microsoftoperationsmanagement)/solutions/read | Get existing OMS solution | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/query/read | Run queries over the data in the workspace | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/query/*/read | | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/dataSources/read | Get data source under a workspace. | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/querypacks/*/read | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/workbooks/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/myworkbooks/read | Read a private Workbook | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | [Microsoft.SecurityInsights](../permissions/security.md#microsoftsecurityinsights)/ConfidentialWatchlists/* | | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/query/ConfidentialWatchlist/* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Microsoft Sentinel Contributor", + "id": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade", + "name": "ab8e14d6-4a74-4a29-9ba8-549422addade", + "permissions": [ + { + "actions": [ + "Microsoft.SecurityInsights/*", + "Microsoft.OperationalInsights/workspaces/analytics/query/action", + "Microsoft.OperationalInsights/workspaces/*/read", + "Microsoft.OperationalInsights/workspaces/savedSearches/*", + "Microsoft.OperationsManagement/solutions/read", + "Microsoft.OperationalInsights/workspaces/query/read", + "Microsoft.OperationalInsights/workspaces/query/*/read", + "Microsoft.OperationalInsights/workspaces/dataSources/read", + "Microsoft.OperationalInsights/querypacks/*/read", + "Microsoft.Insights/workbooks/*", + "Microsoft.Insights/myworkbooks/read", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [ + "Microsoft.SecurityInsights/ConfidentialWatchlists/*", + "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*" + ], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Microsoft Sentinel Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Microsoft Sentinel Playbook Operator ++Microsoft Sentinel Playbook Operator ++[Learn 
more](/azure/sentinel/roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Logic](../permissions/integration.md#microsoftlogic)/workflows/read | Reads the workflow. | +> | [Microsoft.Logic](../permissions/integration.md#microsoftlogic)/workflows/triggers/listCallbackUrl/action | Gets the callback URL for trigger. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action | Get Web Apps Hostruntime Workflow Trigger Uri. | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/read | Get the properties of a Web App | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Microsoft Sentinel Playbook Operator", + "id": "/providers/Microsoft.Authorization/roleDefinitions/51d6186e-6489-4900-b93f-92e23144cca5", + "name": "51d6186e-6489-4900-b93f-92e23144cca5", + "permissions": [ + { + "actions": [ + "Microsoft.Logic/workflows/read", + "Microsoft.Logic/workflows/triggers/listCallbackUrl/action", + "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action", + "Microsoft.Web/sites/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Microsoft Sentinel Playbook Operator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Microsoft Sentinel Reader ++Microsoft Sentinel Reader ++[Learn more](/azure/sentinel/roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.SecurityInsights](../permissions/security.md#microsoftsecurityinsights)/*/read | | +> | [Microsoft.SecurityInsights](../permissions/security.md#microsoftsecurityinsights)/dataConnectorsCheckRequirements/action | Check user authorization and license | +> | 
[Microsoft.SecurityInsights](../permissions/security.md#microsoftsecurityinsights)/threatIntelligence/indicators/query/action | Query Threat Intelligence Indicators | +> | [Microsoft.SecurityInsights](../permissions/security.md#microsoftsecurityinsights)/threatIntelligence/queryIndicators/action | Query Threat Intelligence Indicators | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/analytics/query/action | Search using new engine. | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/*/read | View log analytics data | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/LinkedServices/read | Get linked services under given workspace. | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/savedSearches/read | Gets a saved search query. | +> | [Microsoft.OperationsManagement](../permissions/monitor.md#microsoftoperationsmanagement)/solutions/read | Get existing OMS solution | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/query/read | Run queries over the data in the workspace | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/query/*/read | | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/querypacks/*/read | | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/dataSources/read | Get data source under a workspace. 
| +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/workbooks/read | Read a workbook | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/myworkbooks/read | Read a private Workbook | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/templateSpecs/*/read | Get or list template specs and template spec versions | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | [Microsoft.SecurityInsights](../permissions/security.md#microsoftsecurityinsights)/ConfidentialWatchlists/* | | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/query/ConfidentialWatchlist/* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Microsoft Sentinel Reader", + "id": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb", + "name": "8d289c81-5878-46d4-8554-54e1e3d8b5cb", + "permissions": [ + { + "actions": [ + "Microsoft.SecurityInsights/*/read", + "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action", + "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action", + "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action", + 
"Microsoft.OperationalInsights/workspaces/analytics/query/action", + "Microsoft.OperationalInsights/workspaces/*/read", + "Microsoft.OperationalInsights/workspaces/LinkedServices/read", + "Microsoft.OperationalInsights/workspaces/savedSearches/read", + "Microsoft.OperationsManagement/solutions/read", + "Microsoft.OperationalInsights/workspaces/query/read", + "Microsoft.OperationalInsights/workspaces/query/*/read", + "Microsoft.OperationalInsights/querypacks/*/read", + "Microsoft.OperationalInsights/workspaces/dataSources/read", + "Microsoft.Insights/workbooks/read", + "Microsoft.Insights/myworkbooks/read", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/templateSpecs/*/read", + "Microsoft.Support/*" + ], + "notActions": [ + "Microsoft.SecurityInsights/ConfidentialWatchlists/*", + "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*" + ], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Microsoft Sentinel Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Microsoft Sentinel Responder ++Microsoft Sentinel Responder ++[Learn more](/azure/sentinel/roles) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.SecurityInsights](../permissions/security.md#microsoftsecurityinsights)/*/read | | +> | [Microsoft.SecurityInsights](../permissions/security.md#microsoftsecurityinsights)/dataConnectorsCheckRequirements/action | Check user authorization and license | +> | [Microsoft.SecurityInsights](../permissions/security.md#microsoftsecurityinsights)/automationRules/* | | +> | [Microsoft.SecurityInsights](../permissions/security.md#microsoftsecurityinsights)/cases/* | | +> | [Microsoft.SecurityInsights](../permissions/security.md#microsoftsecurityinsights)/incidents/* | | +> | 
[Microsoft.SecurityInsights](../permissions/security.md#microsoftsecurityinsights)/entities/runPlaybook/action | Run playbook on entity | +> | [Microsoft.SecurityInsights](../permissions/security.md#microsoftsecurityinsights)/threatIntelligence/indicators/appendTags/action | Append tags to Threat Intelligence Indicator | +> | [Microsoft.SecurityInsights](../permissions/security.md#microsoftsecurityinsights)/threatIntelligence/indicators/query/action | Query Threat Intelligence Indicators | +> | [Microsoft.SecurityInsights](../permissions/security.md#microsoftsecurityinsights)/threatIntelligence/bulkTag/action | Bulk Tags Threat Intelligence | +> | [Microsoft.SecurityInsights](../permissions/security.md#microsoftsecurityinsights)/threatIntelligence/indicators/appendTags/action | Append tags to Threat Intelligence Indicator | +> | [Microsoft.SecurityInsights](../permissions/security.md#microsoftsecurityinsights)/threatIntelligence/indicators/replaceTags/action | Replace Tags of Threat Intelligence Indicator | +> | [Microsoft.SecurityInsights](../permissions/security.md#microsoftsecurityinsights)/threatIntelligence/queryIndicators/action | Query Threat Intelligence Indicators | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/analytics/query/action | Search using new engine. | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/*/read | View log analytics data | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/dataSources/read | Get data source under a workspace. | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/savedSearches/read | Gets a saved search query. 
| +> | [Microsoft.OperationsManagement](../permissions/monitor.md#microsoftoperationsmanagement)/solutions/read | Get existing OMS solution | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/query/read | Run queries over the data in the workspace | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/query/*/read | | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/dataSources/read | Get data source under a workspace. | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/querypacks/*/read | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/workbooks/read | Read a workbook | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/myworkbooks/read | Read a private Workbook | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | [Microsoft.SecurityInsights](../permissions/security.md#microsoftsecurityinsights)/cases/*/Delete | | +> | [Microsoft.SecurityInsights](../permissions/security.md#microsoftsecurityinsights)/incidents/*/Delete | | +> | [Microsoft.SecurityInsights](../permissions/security.md#microsoftsecurityinsights)/ConfidentialWatchlists/* | | +> | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/query/ConfidentialWatchlist/* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Microsoft Sentinel Responder", + "id": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056", + "name": "3e150937-b8fe-4cfb-8069-0eaf05ecd056", + "permissions": [ + { + "actions": [ + "Microsoft.SecurityInsights/*/read", + "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action", + "Microsoft.SecurityInsights/automationRules/*", + "Microsoft.SecurityInsights/cases/*", + "Microsoft.SecurityInsights/incidents/*", + "Microsoft.SecurityInsights/entities/runPlaybook/action", + "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action", + "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action", + "Microsoft.SecurityInsights/threatIntelligence/bulkTag/action", + "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action", + "Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action", + "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action", + "Microsoft.OperationalInsights/workspaces/analytics/query/action", + "Microsoft.OperationalInsights/workspaces/*/read", + "Microsoft.OperationalInsights/workspaces/dataSources/read", + "Microsoft.OperationalInsights/workspaces/savedSearches/read", + 
"Microsoft.OperationsManagement/solutions/read", + "Microsoft.OperationalInsights/workspaces/query/read", + "Microsoft.OperationalInsights/workspaces/query/*/read", + "Microsoft.OperationalInsights/workspaces/dataSources/read", + "Microsoft.OperationalInsights/querypacks/*/read", + "Microsoft.Insights/workbooks/read", + "Microsoft.Insights/myworkbooks/read", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [ + "Microsoft.SecurityInsights/cases/*/Delete", + "Microsoft.SecurityInsights/incidents/*/Delete", + "Microsoft.SecurityInsights/ConfidentialWatchlists/*", + "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*" + ], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Microsoft Sentinel Responder", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Security Admin ++View and update permissions for Microsoft Defender for Cloud. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations.<br><br>For Microsoft Defender for IoT, see [Azure user roles for OT and Enterprise IoT monitoring](/azure/defender-for-iot/organizations/roles-azure). 
++[Learn more](/azure/defender-for-cloud/permissions) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/policyAssignments/* | Create and manage policy assignments | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/policyDefinitions/* | Create and manage policy definitions | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/policyExemptions/* | Create and manage policy exemptions | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/policySetDefinitions/* | Create and manage policy sets | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Management](../permissions/management-and-governance.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated user. | +> | [Microsoft.operationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/*/read | View log analytics data | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Security](../permissions/security.md#microsoftsecurity)/* | Create and manage security components and policies | +> | [Microsoft.IoTSecurity](../permissions/internet-of-things.md#microsoftiotsecurity)/* | | +> | Microsoft.IoTFirmwareDefense/* | | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Security Admin Role", + "id": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", + "name": "fb1c8493-542b-48eb-b624-b4c8fea62acd", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Authorization/policyAssignments/*", + "Microsoft.Authorization/policyDefinitions/*", + "Microsoft.Authorization/policyExemptions/*", + "Microsoft.Authorization/policySetDefinitions/*", + "Microsoft.Insights/alertRules/*", + "Microsoft.Management/managementGroups/read", + "Microsoft.operationalInsights/workspaces/*/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Security/*", + "Microsoft.IoTSecurity/*", + "Microsoft.IoTFirmwareDefense/*", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Security Admin", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Security Assessment Contributor ++Lets you push assessments to Microsoft Defender for Cloud ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Security](../permissions/security.md#microsoftsecurity)/assessments/write | Create or update security assessments on your subscription | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | 
*none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you push assessments to Security Center", + "id": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5", + "name": "612c2aa1-cb24-443b-ac28-3ab7272de6f5", + "permissions": [ + { + "actions": [ + "Microsoft.Security/assessments/write" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Security Assessment Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Security Manager (Legacy) ++This is a legacy role. Please use Security Admin instead. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.ClassicCompute](../permissions/compute.md#microsoftclassiccompute)/*/read | Read configuration information classic virtual machines | +> | [Microsoft.ClassicCompute](../permissions/compute.md#microsoftclassiccompute)/virtualMachines/*/write | Write configuration for classic virtual machines | +> | [Microsoft.ClassicNetwork](../permissions/networking.md#microsoftclassicnetwork)/*/read | Read configuration information about classic network | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Security](../permissions/security.md#microsoftsecurity)/* | Create and manage security components and policies | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "This is a legacy role. Please use Security Administrator instead", + "id": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10", + "name": "e3d13bf0-dd5a-482e-ba6b-9b8433878d10", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.ClassicCompute/*/read", + "Microsoft.ClassicCompute/virtualMachines/*/write", + "Microsoft.ClassicNetwork/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Security/*", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Security Manager (Legacy)", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Security Reader ++View permissions for Microsoft Defender for Cloud. Can view recommendations, alerts, a security policy, and security states, but cannot make changes.<br><br>For Microsoft Defender for IoT, see [Azure user roles for OT and Enterprise IoT monitoring](/azure/defender-for-iot/organizations/roles-azure). 
++[Learn more](/azure/defender-for-cloud/permissions) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/read | Read a classic metric alert | +> | [Microsoft.operationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/*/read | View log analytics data | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/*/read | | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Security](../permissions/security.md#microsoftsecurity)/*/read | Read security components and policies | +> | [Microsoft.IoTSecurity](../permissions/internet-of-things.md#microsoftiotsecurity)/*/read | | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/*/read | | +> | [Microsoft.Security](../permissions/security.md#microsoftsecurity)/iotDefenderSettings/packageDownloads/action | Gets downloadable IoT Defender packages information | +> | [Microsoft.Security](../permissions/security.md#microsoftsecurity)/iotDefenderSettings/downloadManagerActivation/action | Download manager activation file with subscription quota data | +> | [Microsoft.Security](../permissions/security.md#microsoftsecurity)/iotSensors/downloadResetPassword/action | Downloads reset password file for IoT Sensors | +> | [Microsoft.IoTSecurity](../permissions/internet-of-things.md#microsoftiotsecurity)/defenderSettings/packageDownloads/action | Gets downloadable IoT Defender packages information | +> | [Microsoft.IoTSecurity](../permissions/internet-of-things.md#microsoftiotsecurity)/defenderSettings/downloadManagerActivation/action | Download manager activation file | +> | 
[Microsoft.Management](../permissions/management-and-governance.md#microsoftmanagement)/managementGroups/read | List management groups for the authenticated user. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Security Reader Role", + "id": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4", + "name": "39bc4728-0917-49c7-9d2c-d95423bc2eb4", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/read", + "Microsoft.operationalInsights/workspaces/*/read", + "Microsoft.Resources/deployments/*/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Security/*/read", + "Microsoft.IoTSecurity/*/read", + "Microsoft.Support/*/read", + "Microsoft.Security/iotDefenderSettings/packageDownloads/action", + "Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action", + "Microsoft.Security/iotSensors/downloadResetPassword/action", + "Microsoft.IoTSecurity/defenderSettings/packageDownloads/action", + "Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action", + "Microsoft.Management/managementGroups/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Security Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Next steps ++- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal) |
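Review bot: the Security Reader section's description says the role "cannot make changes", but its Actions table and JSON both include three non-read operations: `Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action`, `Microsoft.Security/iotSensors/downloadResetPassword/action` and `Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action`. The description (or a note under it) should state that the role can download sensor activation and reset-password files, because someone assigning it on the strength of "view only" will not expect that. Two consistency points in the same hunk: the Microsoft Sentinel Responder table and JSON list `Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action` and `Microsoft.OperationalInsights/workspaces/dataSources/read` twice each, so either dedupe the table or say the definition itself carries the duplicates; and the Security Manager (Legacy) prose says "use Security Admin instead" while its JSON description says "Security Administrator", a name that matches no roleName on this page (Security Assessment Contributor has the same drift, "Microsoft Defender for Cloud" in the prose against "Security Center" in the JSON description).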
role-based-access-control | Storage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/storage.md | + + Title: Azure built-in roles for Storage - Azure RBAC +description: This article lists the Azure built-in roles for Azure role-based access control (Azure RBAC) in the Storage category. It lists Actions, NotActions, DataActions, and NotDataActions. ++++++ Last updated : 02/07/2024++++# Azure built-in roles for Storage ++This article lists the Azure built-in roles in the Storage category. +++## Avere Contributor ++Can create and manage an Avere vFXT cluster. ++[Learn more](/azure/avere-vfxt/avere-vfxt-deploy-plan) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/*/read | | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/availabilitySets/* | | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/proximityPlacementGroups/* | | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/* | | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/* | | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/*/read | | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/* | | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/read | Gets a virtual network subnet definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. 
| +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/*/read | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/* | Create and manage storage accounts | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/resources/read | Gets the resources for the resource group. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/delete | Returns the result of deleting a blob | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/write | Returns the result of writing a blob | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can create and manage an Avere vFXT cluster.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a", + "name": "4f8fab4f-1852-4a58-a46a-8eaf358af14a", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Compute/*/read", + "Microsoft.Compute/availabilitySets/*", + "Microsoft.Compute/proximityPlacementGroups/*", + "Microsoft.Compute/virtualMachines/*", + "Microsoft.Compute/disks/*", + "Microsoft.Network/*/read", + "Microsoft.Network/networkInterfaces/*", + "Microsoft.Network/virtualNetworks/read", + "Microsoft.Network/virtualNetworks/subnets/read", + "Microsoft.Network/virtualNetworks/subnets/join/action", + "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action", + "Microsoft.Network/networkSecurityGroups/join/action", + "Microsoft.Resources/deployments/*", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Storage/*/read", + "Microsoft.Storage/storageAccounts/*", + "Microsoft.Support/*", + "Microsoft.Resources/subscriptions/resourceGroups/resources/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete", + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", + 
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write" + ], + "notDataActions": [] + } + ], + "roleName": "Avere Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Avere Operator ++Used by the Avere vFXT cluster to manage the cluster ++[Learn more](/azure/avere-vfxt/avere-vfxt-manage-cluster) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/read | Get the properties of a virtual machine | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/read | Gets a network interface definition. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkInterfaces/write | Creates a network interface or updates an existing network interface. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/read | Gets a virtual network subnet definition | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/delete | Returns the result of deleting a container | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/read | Returns list of containers | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/write | Returns the result of put blob container | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/delete | Returns the result of deleting a blob | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/write | Returns the result of writing a blob | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Used by the Avere vFXT cluster to manage the cluster", + "id": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9", + "name": "c025889f-8102-4ebf-b32c-fc0c6f0c6bd9", + "permissions": [ + { + "actions": [ + "Microsoft.Compute/virtualMachines/read", + "Microsoft.Network/networkInterfaces/read", + "Microsoft.Network/networkInterfaces/write", + "Microsoft.Network/virtualNetworks/read", + "Microsoft.Network/virtualNetworks/subnets/read", + "Microsoft.Network/virtualNetworks/subnets/join/action", + "Microsoft.Network/networkSecurityGroups/join/action", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Storage/storageAccounts/blobServices/containers/delete", + "Microsoft.Storage/storageAccounts/blobServices/containers/read", + "Microsoft.Storage/storageAccounts/blobServices/containers/write" + ], + 
"notActions": [], + "dataActions": [ + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete", + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write" + ], + "notDataActions": [] + } + ], + "roleName": "Avere Operator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Backup Contributor ++Lets you manage backup service, but can't create vaults and give access to others ++[Learn more](/azure/backup/backup-rbac-rs-vault) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/* | | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/operationResults/* | Manage results of operation on backup management | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/* | Create and manage backup containers inside backup fabrics of Recovery Services vault | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/refreshContainers/action | Refreshes the container list | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupJobs/* | Create and manage backup jobs | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupJobsExport/action | Export Jobs | +> | 
[Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupOperationResults/* | Create and manage Results of backup management operations | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupPolicies/* | Create and manage backup policies | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupProtectableItems/* | Create and manage items which can be backed up | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupProtectedItems/* | Create and manage backed up items | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupProtectionContainers/* | Create and manage containers holding backup items | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupSecurityPIN/* | | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services . | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/certificates/* | Create and manage certificates related to backup in Recovery Services vault | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/extendedInformation/* | Create and manage extended info related to vault | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery services vault. 
| +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/monitoringConfigurations/* | | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/registeredIdentities/* | Create and manage registered identities | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/usages/* | Create and manage usage of Recovery Services vault | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. 
| +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupstorageconfig/* | | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupconfig/* | | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupValidateOperation/action | Validate Operation on Protected Item | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/write | Create Vault operation creates an Azure resource of type 'vault' | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. 
| +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/backupProtectionIntent/* | | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectableContainers/read | Get all protectable containers | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/operationStatus/read | Gets Operation Status for a given Operation | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/operationResults/read | The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupStatus/action | Check Backup Status for Recovery Services Vaults | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupPreValidateProtection/action | | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupValidateFeatures/action | Validate Features | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/monitoringAlerts/write | Resolves the alert. 
| +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/operations/read | Operation returns the list of Operations for a Resource Provider | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/operationStatus/read | Gets Operation Status for a given Operation | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupProtectionIntents/read | List all backup Protection Intents | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/locations/getBackupStatus/action | Check Backup Status for Recovery Services Vaults | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/write | Creates a Backup Instance | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/delete | Deletes the Backup Instance | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/read | Returns all Backup Instances | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/read | Returns all Backup Instances | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/deletedBackupInstances/read | List soft-deleted Backup Instances in a Backup Vault. | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/deletedBackupInstances/undelete/action | Perform undelete of soft-deleted Backup Instance. Backup Instance moves from SoftDeleted to ProtectionStopped state. 
| +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/backup/action | Performs Backup on the Backup Instance | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/validateRestore/action | Validates for Restore of the Backup Instance | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/restore/action | Triggers restore on the Backup Instance | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action | Triggers cross region restore operation on given backup instance. | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action | Performs validations for cross region restore operation. | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action | List cross region restore jobs of backup instance from secondary region. | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action | Get cross region restore job details from secondary region. | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action | Returns recovery points from secondary region for cross region restore enabled Backup Vaults. 
| +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupPolicies/write | Creates Backup Policy | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupPolicies/delete | Deletes the Backup Policy | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupPolicies/read | Returns all Backup Policies | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupPolicies/read | Returns all Backup Policies | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds Restorable Time Ranges | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/write | Update BackupVault operation updates an Azure resource of type 'Backup Vault' | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/operationResults/read | Gets Operation Result of a Patch Operation for a Backup Vault | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/operationStatus/read | Returns Backup Operation Status for Backup Vault. 
| +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/locations/checkNameAvailability/action | Checks if the requested BackupVault Name is Available | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/locations/checkFeatureSupport/action | Validates if a feature is supported | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. 
| +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/validateForBackup/action | Validates for backup of Backup Instance | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/operations/read | Operation returns the list of Operations for a Resource Provider | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage backup service,but can't create vaults and give access to others", + "id": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", + "name": "5e467623-bb1f-42f4-a55d-6e525e11384b", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Network/virtualNetworks/read", + "Microsoft.RecoveryServices/locations/*", + "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/*", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/*", + "Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action", + "Microsoft.RecoveryServices/Vaults/backupJobs/*", + "Microsoft.RecoveryServices/Vaults/backupJobsExport/action", + "Microsoft.RecoveryServices/Vaults/backupOperationResults/*", + "Microsoft.RecoveryServices/Vaults/backupPolicies/*", + "Microsoft.RecoveryServices/Vaults/backupProtectableItems/*", + "Microsoft.RecoveryServices/Vaults/backupProtectedItems/*", + "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/*", + "Microsoft.RecoveryServices/Vaults/backupSecurityPIN/*", + "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read", + "Microsoft.RecoveryServices/Vaults/certificates/*", + "Microsoft.RecoveryServices/Vaults/extendedInformation/*", + "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read", + "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*", + 
"Microsoft.RecoveryServices/Vaults/read", + "Microsoft.RecoveryServices/Vaults/registeredIdentities/*", + "Microsoft.RecoveryServices/Vaults/usages/*", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Storage/storageAccounts/read", + "Microsoft.RecoveryServices/Vaults/backupstorageconfig/*", + "Microsoft.RecoveryServices/Vaults/backupconfig/*", + "Microsoft.RecoveryServices/Vaults/backupValidateOperation/action", + "Microsoft.RecoveryServices/Vaults/write", + "Microsoft.RecoveryServices/Vaults/backupOperations/read", + "Microsoft.RecoveryServices/Vaults/backupEngines/read", + "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read", + "Microsoft.RecoveryServices/vaults/operationStatus/read", + "Microsoft.RecoveryServices/vaults/operationResults/read", + "Microsoft.RecoveryServices/locations/backupStatus/action", + "Microsoft.RecoveryServices/locations/backupPreValidateProtection/action", + "Microsoft.RecoveryServices/locations/backupValidateFeatures/action", + "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write", + "Microsoft.RecoveryServices/operations/read", + "Microsoft.RecoveryServices/locations/operationStatus/read", + "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read", + "Microsoft.Support/*", + "Microsoft.DataProtection/locations/getBackupStatus/action", + "Microsoft.DataProtection/backupVaults/backupInstances/write", + "Microsoft.DataProtection/backupVaults/backupInstances/delete", + "Microsoft.DataProtection/backupVaults/backupInstances/read", + "Microsoft.DataProtection/backupVaults/backupInstances/read", + "Microsoft.DataProtection/backupVaults/deletedBackupInstances/read", + "Microsoft.DataProtection/backupVaults/deletedBackupInstances/undelete/action", + "Microsoft.DataProtection/backupVaults/backupInstances/backup/action", + 
"Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action", + "Microsoft.DataProtection/backupVaults/backupInstances/restore/action", + "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action", + "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action", + "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action", + "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action", + "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action", + "Microsoft.DataProtection/backupVaults/backupPolicies/write", + "Microsoft.DataProtection/backupVaults/backupPolicies/delete", + "Microsoft.DataProtection/backupVaults/backupPolicies/read", + "Microsoft.DataProtection/backupVaults/backupPolicies/read", + "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read", + "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read", + "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action", + "Microsoft.DataProtection/backupVaults/write", + "Microsoft.DataProtection/backupVaults/read", + "Microsoft.DataProtection/backupVaults/operationResults/read", + "Microsoft.DataProtection/backupVaults/operationStatus/read", + "Microsoft.DataProtection/locations/checkNameAvailability/action", + "Microsoft.DataProtection/locations/checkFeatureSupport/action", + "Microsoft.DataProtection/backupVaults/read", + "Microsoft.DataProtection/backupVaults/read", + "Microsoft.DataProtection/locations/operationStatus/read", + "Microsoft.DataProtection/locations/operationResults/read", + "Microsoft.DataProtection/backupVaults/validateForBackup/action", + "Microsoft.DataProtection/operations/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + 
"roleName": "Backup Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Backup Operator ++Lets you manage backup services, except removal of backup, vault creation and giving access to others ++[Learn more](/azure/backup/backup-rbac-rs-vault) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/operationResults/read | Returns status of the operation | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/operationResults/read | Gets result of Operation performed on Protection Container. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action | Performs Backup for Protected Item. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read | Gets Result of Operation Performed on Protected Items. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read | Returns the status of Operation performed on Protected Items. 
| +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the Protected Item | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action | Provision Instant Item Recovery for Protected Item | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action | Get AccessToken for Cross Region Restore. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read | Get Recovery Points for Protected Items. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action | Restore Recovery Points for Protected Items. 
| +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action | Revoke Instant Item Recovery for Protected Item | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/write | Create a backup Protected Item | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/read | Returns all registered containers | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/refreshContainers/action | Refreshes the container list | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupJobs/* | Create and manage backup jobs | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupJobsExport/action | Export Jobs | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupOperationResults/* | Create and manage Results of backup management operations | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupPolicies/operationResults/read | Get Results of Policy Operation. 
| +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupPolicies/read | Returns all Protection Policies | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupProtectableItems/* | Create and manage items which can be backed up | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupProtectedItems/read | Returns the list of all Protected Items. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupProtectionContainers/read | Returns all containers belonging to the subscription | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services . | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/certificates/write | The Update Resource Certificate operation updates the resource/vault credential certificate. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/extendedInformation/write | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery services vault. 
| +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/monitoringConfigurations/* | | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/registeredIdentities/operationResults/read | The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/registeredIdentities/read | The Get Containers operation can be used get the containers registered for a resource. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/registeredIdentities/write | The Register Service Container operation can be used to register a container with Recovery Service. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/usages/read | Returns usage details for a Recovery Services Vault. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. 
| +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupstorageconfig/* | | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupValidateOperation/action | Validate Operation on Protected Item | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupTriggerValidateOperation/action | Validate Operation on Protected Item | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupValidateOperationResults/read | Validate Operation on Protected Item | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupValidateOperationsStatuses/read | Validate Operation on Protected Item | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupPolicies/operations/read | Get Status of Policy Operation. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/write | Creates a registered container | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/inquire/action | Do inquiry for workloads within a container | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. 
| +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/backupProtectionIntent/write | Create a backup Protection Intent | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/backupProtectionIntent/read | Get a backup Protection Intent | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectableContainers/read | Get all protectable containers | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/items/read | Get all items in a container | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupStatus/action | Check Backup Status for Recovery Services Vaults | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupPreValidateProtection/action | | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupValidateFeatures/action | Validate Features | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupAadProperties/read | Get AAD Properties for authentication in the third region for Cross Region Restore. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupCrrJobs/action | List Cross Region Restore Jobs in the secondary region for Recovery Services Vault. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupCrrJob/action | Get Cross Region Restore Job Details in the secondary region for Recovery Services Vault. 
| +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupCrossRegionRestore/action | Trigger Cross region restore. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupCrrOperationResults/read | Returns CRR Operation Result for Recovery Services Vault. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupCrrOperationsStatus/read | Returns CRR Operation Status for Recovery Services Vault. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/monitoringAlerts/write | Resolves the alert. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/operations/read | Operation returns the list of Operations for a Resource Provider | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/operationStatus/read | Gets Operation Status for a given Operation | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupProtectionIntents/read | List all backup Protection Intents | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/read | Returns all Backup Instances | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/read | Returns all Backup Instances | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/deletedBackupInstances/read | List soft-deleted Backup Instances in a Backup Vault. 
| +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupPolicies/read | Returns all Backup Policies | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupPolicies/read | Returns all Backup Policies | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds Restorable Time Ranges | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/operationResults/read | Gets Operation Result of a Patch Operation for a Backup Vault | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/operationStatus/read | Returns Backup Operation Status for Backup Vault. | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. 
| +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/operations/read | Operation returns the list of Operations for a Resource Provider | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/validateForBackup/action | Validates for backup of Backup Instance | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/backup/action | Performs Backup on the Backup Instance | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/validateRestore/action | Validates for Restore of the Backup Instance | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/restore/action | Triggers restore on the Backup Instance | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action | Triggers cross region restore operation on given backup instance. | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action | Performs validations for cross region restore operation. | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action | List cross region restore jobs of backup instance from secondary region. 
| +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action | Get cross region restore job details from secondary region. | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action | Returns recovery points from secondary region for cross region restore enabled Backup Vaults. | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/locations/checkFeatureSupport/action | Validates if a feature is supported | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage backup services, except removal of backup, vault creation and giving access to others", + "id": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324", + "name": "00c29273-979b-4161-815c-10b084fb9324", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Network/virtualNetworks/read", + "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read", + 
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action", + "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read", + "Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action", + "Microsoft.RecoveryServices/Vaults/backupJobs/*", + "Microsoft.RecoveryServices/Vaults/backupJobsExport/action", + "Microsoft.RecoveryServices/Vaults/backupOperationResults/*", + "Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read", + "Microsoft.RecoveryServices/Vaults/backupPolicies/read", + "Microsoft.RecoveryServices/Vaults/backupProtectableItems/*", + "Microsoft.RecoveryServices/Vaults/backupProtectedItems/read", + "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read", + "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read", + "Microsoft.RecoveryServices/Vaults/certificates/write", + "Microsoft.RecoveryServices/Vaults/extendedInformation/read", + "Microsoft.RecoveryServices/Vaults/extendedInformation/write", + "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read", + "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*", + "Microsoft.RecoveryServices/Vaults/read", + "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read", + "Microsoft.RecoveryServices/Vaults/registeredIdentities/read", + 
"Microsoft.RecoveryServices/Vaults/registeredIdentities/write", + "Microsoft.RecoveryServices/Vaults/usages/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Storage/storageAccounts/read", + "Microsoft.RecoveryServices/Vaults/backupstorageconfig/*", + "Microsoft.RecoveryServices/Vaults/backupValidateOperation/action", + "Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action", + "Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read", + "Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read", + "Microsoft.RecoveryServices/Vaults/backupOperations/read", + "Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action", + "Microsoft.RecoveryServices/Vaults/backupEngines/read", + "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write", + "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read", + "Microsoft.RecoveryServices/locations/backupStatus/action", + "Microsoft.RecoveryServices/locations/backupPreValidateProtection/action", + "Microsoft.RecoveryServices/locations/backupValidateFeatures/action", + "Microsoft.RecoveryServices/locations/backupAadProperties/read", + "Microsoft.RecoveryServices/locations/backupCrrJobs/action", + "Microsoft.RecoveryServices/locations/backupCrrJob/action", + "Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action", + "Microsoft.RecoveryServices/locations/backupCrrOperationResults/read", + "Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read", + "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write", + 
"Microsoft.RecoveryServices/operations/read", + "Microsoft.RecoveryServices/locations/operationStatus/read", + "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read", + "Microsoft.Support/*", + "Microsoft.DataProtection/backupVaults/backupInstances/read", + "Microsoft.DataProtection/backupVaults/backupInstances/read", + "Microsoft.DataProtection/backupVaults/deletedBackupInstances/read", + "Microsoft.DataProtection/backupVaults/backupPolicies/read", + "Microsoft.DataProtection/backupVaults/backupPolicies/read", + "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read", + "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read", + "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action", + "Microsoft.DataProtection/backupVaults/read", + "Microsoft.DataProtection/backupVaults/operationResults/read", + "Microsoft.DataProtection/backupVaults/operationStatus/read", + "Microsoft.DataProtection/backupVaults/read", + "Microsoft.DataProtection/backupVaults/read", + "Microsoft.DataProtection/locations/operationStatus/read", + "Microsoft.DataProtection/locations/operationResults/read", + "Microsoft.DataProtection/operations/read", + "Microsoft.DataProtection/backupVaults/validateForBackup/action", + "Microsoft.DataProtection/backupVaults/backupInstances/backup/action", + "Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action", + "Microsoft.DataProtection/backupVaults/backupInstances/restore/action", + "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action", + "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action", + "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action", + "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action", + 
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action", + "Microsoft.DataProtection/locations/checkFeatureSupport/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Backup Operator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Backup Reader ++Can view backup services, but can't make changes ++[Learn more](/azure/backup/backup-rbac-rs-vault) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/allocatedStamp/read | GetAllocatedStamp is internal operation used by service | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/operationResults/read | Returns status of the operation | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/operationResults/read | Gets result of Operation performed on Protection Container. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read | Gets Result of Operation Performed on Protected Items. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read | Returns the status of Operation performed on Protected Items. 
| +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the Protected Item | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read | Get Recovery Points for Protected Items. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/read | Returns all registered containers | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupJobs/operationResults/read | Returns the Result of Job Operation. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupJobs/read | Returns all Job Objects | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupJobsExport/action | Export Jobs | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupOperationResults/read | Returns Backup Operation Result for Recovery Services Vault. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupPolicies/operationResults/read | Get Results of Policy Operation. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupPolicies/read | Returns all Protection Policies | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupProtectedItems/read | Returns the list of all Protected Items. 
| +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupProtectionContainers/read | Returns all containers belonging to the subscription | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services . | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery services vault. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/registeredIdentities/operationResults/read | The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/registeredIdentities/read | The Get Containers operation can be used get the containers registered for a resource. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupstorageconfig/read | Returns Storage Configuration for Recovery Services Vault. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupconfig/read | Returns Configuration for Recovery Services Vault. 
| +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupPolicies/operations/read | Get Status of Policy Operation. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/backupProtectionIntent/read | Get a backup Protection Intent | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupFabrics/protectionContainers/items/read | Get all items in a container | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupStatus/action | Check Backup Status for Recovery Services Vaults | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/monitoringConfigurations/* | | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/monitoringAlerts/write | Resolves the alert. 
| +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/operations/read | Operation returns the list of Operations for a Resource Provider | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/operationStatus/read | Gets Operation Status for a given Operation | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/backupProtectionIntents/read | List all backup Protection Intents | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/Vaults/usages/read | Returns usage details for a Recovery Services Vault. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupValidateFeatures/action | Validate Features | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupCrrJobs/action | List Cross Region Restore Jobs in the secondary region for Recovery Services Vault. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupCrrJob/action | Get Cross Region Restore Job Details in the secondary region for Recovery Services Vault. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupCrrOperationResults/read | Returns CRR Operation Result for Recovery Services Vault. | +> | [Microsoft.RecoveryServices](../permissions/management-and-governance.md#microsoftrecoveryservices)/locations/backupCrrOperationsStatus/read | Returns CRR Operation Status for Recovery Services Vault. 
| +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/locations/getBackupStatus/action | Check Backup Status for Recovery Services Vaults | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/write | Creates a Backup Instance | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/read | Returns all Backup Instances | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/deletedBackupInstances/read | List soft-deleted Backup Instances in a Backup Vault. | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/backup/action | Performs Backup on the Backup Instance | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/validateRestore/action | Validates for Restore of the Backup Instance | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/restore/action | Triggers restore on the Backup Instance | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupPolicies/read | Returns all Backup Policies | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupPolicies/read | Returns all Backup Policies | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points | +> 
| [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds Restorable Time Ranges | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/operationResults/read | Gets Operation Result of a Patch Operation for a Backup Vault | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/operationStatus/read | Returns Backup Operation Status for Backup Vault. | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/read | Gets list of Backup Vaults in a Resource Group | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. 
| +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/backupVaults/validateForBackup/action | Validates for backup of Backup Instance | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/operations/read | Operation returns the list of Operations for a Resource Provider | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action | List cross region restore jobs of backup instance from secondary region. | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action | Get cross region restore job details from secondary region. | +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action | Returns recovery points from secondary region for cross region restore enabled Backup Vaults. 
| +> | [Microsoft.DataProtection](../permissions/management-and-governance.md#microsoftdataprotection)/locations/checkFeatureSupport/action | Validates if a feature is supported | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Can view backup services, but can't make changes", + "id": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912", + "name": "a795c7a0-d4a2-40c1-ae25-d81f01202912", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.RecoveryServices/locations/allocatedStamp/read", + "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read", + "Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read", + "Microsoft.RecoveryServices/Vaults/backupJobs/read", + "Microsoft.RecoveryServices/Vaults/backupJobsExport/action", + "Microsoft.RecoveryServices/Vaults/backupOperationResults/read", + "Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read", + "Microsoft.RecoveryServices/Vaults/backupPolicies/read", + "Microsoft.RecoveryServices/Vaults/backupProtectedItems/read", + "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read", + "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read", + 
"Microsoft.RecoveryServices/Vaults/extendedInformation/read", + "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read", + "Microsoft.RecoveryServices/Vaults/read", + "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read", + "Microsoft.RecoveryServices/Vaults/registeredIdentities/read", + "Microsoft.RecoveryServices/Vaults/backupstorageconfig/read", + "Microsoft.RecoveryServices/Vaults/backupconfig/read", + "Microsoft.RecoveryServices/Vaults/backupOperations/read", + "Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read", + "Microsoft.RecoveryServices/Vaults/backupEngines/read", + "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read", + "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read", + "Microsoft.RecoveryServices/locations/backupStatus/action", + "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*", + "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write", + "Microsoft.RecoveryServices/operations/read", + "Microsoft.RecoveryServices/locations/operationStatus/read", + "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read", + "Microsoft.RecoveryServices/Vaults/usages/read", + "Microsoft.RecoveryServices/locations/backupValidateFeatures/action", + "Microsoft.RecoveryServices/locations/backupCrrJobs/action", + "Microsoft.RecoveryServices/locations/backupCrrJob/action", + "Microsoft.RecoveryServices/locations/backupCrrOperationResults/read", + "Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read", + "Microsoft.DataProtection/locations/getBackupStatus/action", + "Microsoft.DataProtection/backupVaults/backupInstances/write", + "Microsoft.DataProtection/backupVaults/backupInstances/read", + "Microsoft.DataProtection/backupVaults/deletedBackupInstances/read", + "Microsoft.DataProtection/backupVaults/backupInstances/backup/action", + "Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action", + 
"Microsoft.DataProtection/backupVaults/backupInstances/restore/action", + "Microsoft.DataProtection/backupVaults/backupPolicies/read", + "Microsoft.DataProtection/backupVaults/backupPolicies/read", + "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read", + "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read", + "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action", + "Microsoft.DataProtection/backupVaults/read", + "Microsoft.DataProtection/backupVaults/operationResults/read", + "Microsoft.DataProtection/backupVaults/operationStatus/read", + "Microsoft.DataProtection/backupVaults/read", + "Microsoft.DataProtection/backupVaults/read", + "Microsoft.DataProtection/locations/operationStatus/read", + "Microsoft.DataProtection/locations/operationResults/read", + "Microsoft.DataProtection/backupVaults/validateForBackup/action", + "Microsoft.DataProtection/operations/read", + "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action", + "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action", + "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action", + "Microsoft.DataProtection/locations/checkFeatureSupport/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Backup Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Classic Storage Account Contributor ++Lets you manage classic storage accounts, but not access to them. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.ClassicStorage](../permissions/storage.md#microsoftclassicstorage)/storageAccounts/* | Create and manage storage accounts | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage classic storage accounts, but not access to them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25", + "name": "86e8f5dc-a6e9-4c67-9d15-de283e8eac25", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.ClassicStorage/storageAccounts/*", + "Microsoft.Insights/alertRules/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Classic Storage Account Contributor", + "roleType": "BuiltInRole", + "type": 
"Microsoft.Authorization/roleDefinitions" +} +``` ++## Classic Storage Account Key Operator Service Role ++Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts ++[Learn more](/azure/key-vault/secrets/overview-storage-keys) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.ClassicStorage](../permissions/storage.md#microsoftclassicstorage)/storageAccounts/listkeys/action | Lists the access keys for the storage accounts. | +> | [Microsoft.ClassicStorage](../permissions/storage.md#microsoftclassicstorage)/storageAccounts/regeneratekey/action | Regenerates the existing access keys for the storage account. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts", + "id": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d", + "name": "985d6b00-f706-48f5-a6fe-d0ca12fb668d", + "permissions": [ + { + "actions": [ + "Microsoft.ClassicStorage/storageAccounts/listkeys/action", + "Microsoft.ClassicStorage/storageAccounts/regeneratekey/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Classic Storage Account Key Operator Service Role", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Data Box Contributor ++Lets you manage everything under Data Box Service except giving access to others. 
++[Learn more](/azure/databox/data-box-logs) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Databox](../permissions/storage.md#microsoftdatabox)/* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage everything under Data Box Service except giving access to others.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5", + "name": "add466c9-e687-43fc-8d98-dfcf8d720be5", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.Databox/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Data Box Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Data Box Reader ++Lets you manage Data Box Service except creating order or editing order details and giving access to others. 
++[Learn more](/azure/databox/data-box-logs) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Databox](../permissions/storage.md#microsoftdatabox)/*/read | | +> | [Microsoft.Databox](../permissions/storage.md#microsoftdatabox)/jobs/listsecrets/action | | +> | [Microsoft.Databox](../permissions/storage.md#microsoftdatabox)/jobs/listcredentials/action | Lists the unencrypted credentials related to the order. | +> | [Microsoft.Databox](../permissions/storage.md#microsoftdatabox)/locations/availableSkus/action | This method returns the list of available skus. | +> | [Microsoft.Databox](../permissions/storage.md#microsoftdatabox)/locations/validateInputs/action | This method does all type of validations. | +> | [Microsoft.Databox](../permissions/storage.md#microsoftdatabox)/locations/regionConfiguration/action | This method returns the configurations for the region. | +> | [Microsoft.Databox](../permissions/storage.md#microsoftdatabox)/locations/validateAddress/action | Validates the shipping address and provides alternate addresses if any. 
| +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage Data Box Service except creating order or editing order details and giving access to others.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027", + "name": "028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Databox/*/read", + "Microsoft.Databox/jobs/listsecrets/action", + "Microsoft.Databox/jobs/listcredentials/action", + "Microsoft.Databox/locations/availableSkus/action", + "Microsoft.Databox/locations/validateInputs/action", + "Microsoft.Databox/locations/regionConfiguration/action", + "Microsoft.Databox/locations/validateAddress/action", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Data Box Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Data Lake Analytics Developer ++Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. 
++[Learn more](/azure/data-lake-analytics/data-lake-analytics-manage-use-portal) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | Microsoft.BigAnalytics/accounts/* | | +> | [Microsoft.DataLakeAnalytics](../permissions/analytics.md#microsoftdatalakeanalytics)/accounts/* | | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | Microsoft.BigAnalytics/accounts/Delete | | +> | Microsoft.BigAnalytics/accounts/TakeOwnership/action | | +> | Microsoft.BigAnalytics/accounts/Write | | +> | [Microsoft.DataLakeAnalytics](../permissions/analytics.md#microsoftdatalakeanalytics)/accounts/Delete | Delete a DataLakeAnalytics account. | +> | [Microsoft.DataLakeAnalytics](../permissions/analytics.md#microsoftdatalakeanalytics)/accounts/TakeOwnership/action | Grant permissions to cancel jobs submitted by other users. | +> | [Microsoft.DataLakeAnalytics](../permissions/analytics.md#microsoftdatalakeanalytics)/accounts/Write | Create or update a DataLakeAnalytics account. 
| +> | [Microsoft.DataLakeAnalytics](../permissions/analytics.md#microsoftdatalakeanalytics)/accounts/dataLakeStoreAccounts/Write | Create or update a linked DataLakeStore account of a DataLakeAnalytics account. | +> | [Microsoft.DataLakeAnalytics](../permissions/analytics.md#microsoftdatalakeanalytics)/accounts/dataLakeStoreAccounts/Delete | Unlink a DataLakeStore account from a DataLakeAnalytics account. | +> | [Microsoft.DataLakeAnalytics](../permissions/analytics.md#microsoftdatalakeanalytics)/accounts/storageAccounts/Write | Create or update a linked Storage account of a DataLakeAnalytics account. | +> | [Microsoft.DataLakeAnalytics](../permissions/analytics.md#microsoftdatalakeanalytics)/accounts/storageAccounts/Delete | Unlink a Storage account from a DataLakeAnalytics account. | +> | [Microsoft.DataLakeAnalytics](../permissions/analytics.md#microsoftdatalakeanalytics)/accounts/firewallRules/Write | Create or update a firewall rule. | +> | [Microsoft.DataLakeAnalytics](../permissions/analytics.md#microsoftdatalakeanalytics)/accounts/firewallRules/Delete | Delete a firewall rule. | +> | [Microsoft.DataLakeAnalytics](../permissions/analytics.md#microsoftdatalakeanalytics)/accounts/computePolicies/Write | Create or update a compute policy. | +> | [Microsoft.DataLakeAnalytics](../permissions/analytics.md#microsoftdatalakeanalytics)/accounts/computePolicies/Delete | Delete a compute policy. 
| +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88", + "name": "47b7735b-770e-4598-a7da-8b91488b4c88", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.BigAnalytics/accounts/*", + "Microsoft.DataLakeAnalytics/accounts/*", + "Microsoft.Insights/alertRules/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [ + "Microsoft.BigAnalytics/accounts/Delete", + "Microsoft.BigAnalytics/accounts/TakeOwnership/action", + "Microsoft.BigAnalytics/accounts/Write", + "Microsoft.DataLakeAnalytics/accounts/Delete", + "Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action", + "Microsoft.DataLakeAnalytics/accounts/Write", + "Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write", + "Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete", + "Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write", + "Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete", + "Microsoft.DataLakeAnalytics/accounts/firewallRules/Write", + "Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete", + "Microsoft.DataLakeAnalytics/accounts/computePolicies/Write", + "Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete" + ], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Data Lake Analytics Developer", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Defender for Storage Data Scanner ++Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/read | Returns list of containers | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/tags/write | Returns the result of writing blob tags | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/tags/read | Returns the result of reading blob tags | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40", + "name": "1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40", + "permissions": [ + { + "actions": [ + "Microsoft.Storage/storageAccounts/blobServices/containers/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write", + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read" + ], + "notDataActions": [] + } + ], + "roleName": "Defender for Storage Data Scanner", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Elastic SAN Owner ++Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | 
[Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.ElasticSan](../permissions/storage.md#microsoftelasticsan)/elasticSans/* | | +> | [Microsoft.ElasticSan](../permissions/storage.md#microsoftelasticsan)/locations/* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access", + "id": "/providers/Microsoft.Authorization/roleDefinitions/80dcbedb-47ef-405d-95bd-188a1b4ac406", + "name": "80dcbedb-47ef-405d-95bd-188a1b4ac406", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.ElasticSan/elasticSans/*", + "Microsoft.ElasticSan/locations/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Elastic SAN Owner", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Elastic SAN Reader ++Allows for control path read access to Azure Elastic SAN ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | 
[Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.ElasticSan](../permissions/storage.md#microsoftelasticsan)/elasticSans/*/read | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for control path read access to Azure Elastic SAN", + "id": "/providers/Microsoft.Authorization/roleDefinitions/af6a70f8-3c9f-4105-acf1-d719e9fca4ca", + "name": "af6a70f8-3c9f-4105-acf1-d719e9fca4ca", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.Authorization/roleDefinitions/read", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.ElasticSan/elasticSans/*/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Elastic SAN Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Elastic SAN Volume Group Owner ++Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | 
[Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read | Get information about a role assignment. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleDefinitions/read | Get information about a role definition. | +> | [Microsoft.ElasticSan](../permissions/storage.md#microsoftelasticsan)/elasticSans/volumeGroups/* | | +> | [Microsoft.ElasticSan](../permissions/storage.md#microsoftelasticsan)/locations/asyncoperations/read | Polls the status of an asynchronous operation. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access", + "id": "/providers/Microsoft.Authorization/roleDefinitions/a8281131-f312-4f34-8d98-ae12be9f0d23", + "name": "a8281131-f312-4f34-8d98-ae12be9f0d23", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.Authorization/roleDefinitions/read", + "Microsoft.ElasticSan/elasticSans/volumeGroups/*", + "Microsoft.ElasticSan/locations/asyncoperations/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Elastic SAN Volume Group Owner", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Reader and Data Access ++Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/ListAccountSas/action | Returns the Account SAS token for the specified storage account. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349", + "name": "c12c1c16-33a1-487b-954d-41c89c60f349", + "permissions": [ + { + "actions": [ + "Microsoft.Storage/storageAccounts/listKeys/action", + "Microsoft.Storage/storageAccounts/ListAccountSas/action", + "Microsoft.Storage/storageAccounts/read" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Reader and Data Access", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Storage Account Backup Contributor ++Lets you perform backup and restore operations using Azure Backup on the storage account. 
++[Learn more](/azure/backup/blob-backup-configure-manage) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/locks/read | Gets locks at the specified scope. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/locks/write | Add locks at the specified scope. | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/locks/delete | Delete locks at the specified scope. | +> | [Microsoft.Features](../permissions/management-and-governance.md#microsoftfeatures)/features/read | Gets the features of a subscription. | +> | [Microsoft.Features](../permissions/management-and-governance.md#microsoftfeatures)/providers/features/read | Gets the feature of a subscription in a given resource provider. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/operations/read | Polls the status of an asynchronous operation. 
| +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/objectReplicationPolicies/delete | Delete object replication policy | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/objectReplicationPolicies/read | List object replication policies | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/objectReplicationPolicies/write | Create or update object replication policy | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/objectReplicationPolicies/restorePointMarkers/write | Create object replication restore point marker | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/read | Returns list of containers | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/write | Returns the result of put blob container | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/read | Returns blob service properties or statistics | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/write | Returns the result of put blob service properties | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. 
| +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/restoreBlobRanges/action | Restore blob ranges to the state of the specified time | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you perform backup and restore operations using Azure Backup on the storage account.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1", + "name": "e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Authorization/locks/read", + "Microsoft.Authorization/locks/write", + "Microsoft.Authorization/locks/delete", + "Microsoft.Features/features/read", + "Microsoft.Features/providers/features/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Storage/operations/read", + "Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete", + "Microsoft.Storage/storageAccounts/objectReplicationPolicies/read", + "Microsoft.Storage/storageAccounts/objectReplicationPolicies/write", + "Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write", + "Microsoft.Storage/storageAccounts/blobServices/containers/read", + "Microsoft.Storage/storageAccounts/blobServices/containers/write", + "Microsoft.Storage/storageAccounts/blobServices/read", + "Microsoft.Storage/storageAccounts/blobServices/write", + "Microsoft.Storage/storageAccounts/read", + "Microsoft.Storage/storageAccounts/restoreBlobRanges/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Storage Account Backup Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Storage Account Contributor ++Permits management of storage accounts. 
Provides access to the account key, which can be used to access data via Shared Key authorization. ++[Learn more](/azure/storage/common/storage-auth-aad) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server | +> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/* | Create and manage storage accounts | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", + "name": "17d1049b-9a84-46fb-8f53-869881c3d3ab", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Insights/diagnosticSettings/*", + "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Storage/storageAccounts/*", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Storage Account Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Storage Account Key Operator Service Role ++Permits listing and regenerating storage account access keys. ++[Learn more](/azure/storage/common/storage-account-keys-manage) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/listkeys/action | Returns the access keys for the specified storage account. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/regeneratekey/action | Regenerates the access keys for the specified storage account. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts", + "id": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", + "name": "81a9662b-bebf-436f-a333-f67b29880f12", + "permissions": [ + { + "actions": [ + "Microsoft.Storage/storageAccounts/listkeys/action", + "Microsoft.Storage/storageAccounts/regeneratekey/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Storage Account Key Operator Service Role", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Storage Blob Data Contributor ++Read, write, and delete Azure Storage containers and blobs. To learn which actions are required for a given data operation, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authenticate-with-azure-active-directory#permissions-for-calling-blob-and-queue-data-operations). ++[Learn more](/azure/storage/common/storage-auth-aad-rbac-portal) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/delete | Delete a container. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/read | Return a container or a list of containers. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/write | Modify a container's metadata or properties. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/delete | Delete a blob. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/read | Return a blob or a list of blobs. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/write | Write to a blob. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/move/action | Moves the blob from one path to another | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/add/action | Returns the result of adding blob content | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for read, write and delete access to Azure Storage blob containers and data", + "id": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe", + "name": "ba92f5b4-2d11-453d-a403-e96b0029c9fe", + "permissions": [ + { + "actions": [ + "Microsoft.Storage/storageAccounts/blobServices/containers/delete", + "Microsoft.Storage/storageAccounts/blobServices/containers/read", + "Microsoft.Storage/storageAccounts/blobServices/containers/write", + "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action" + ], + "notActions": [], + "dataActions": [ + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete", + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write", + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action", + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action" + ], + "notDataActions": [] + } + ], + 
"roleName": "Storage Blob Data Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Storage Blob Data Owner ++Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. To learn which actions are required for a given data operation, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authenticate-with-azure-active-directory#permissions-for-calling-blob-and-queue-data-operations). ++[Learn more](/azure/storage/common/storage-auth-aad-rbac-portal) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/* | Full permissions on containers. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/* | Full permissions on blobs. 
| +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b", + "name": "b7e6dc6d-f1e8-4753-8033-0f276bb0955b", + "permissions": [ + { + "actions": [ + "Microsoft.Storage/storageAccounts/blobServices/containers/*", + "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action" + ], + "notActions": [], + "dataActions": [ + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*" + ], + "notDataActions": [] + } + ], + "roleName": "Storage Blob Data Owner", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Storage Blob Data Reader ++Read and list Azure Storage containers and blobs. To learn which actions are required for a given data operation, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authenticate-with-azure-active-directory#permissions-for-calling-blob-and-queue-data-operations). ++[Learn more](/azure/storage/common/storage-auth-aad-rbac-portal) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/read | Return a container or a list of containers. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/containers/blobs/read | Return a blob or a list of blobs. 
| +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for read access to Azure Storage blob containers and data", + "id": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", + "name": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", + "permissions": [ + { + "actions": [ + "Microsoft.Storage/storageAccounts/blobServices/containers/read", + "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action" + ], + "notActions": [], + "dataActions": [ + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read" + ], + "notDataActions": [] + } + ], + "roleName": "Storage Blob Data Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Storage Blob Delegator ++Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Azure AD credentials. For more information, see [Create a user delegation SAS](/rest/api/storageservices/create-user-delegation-sas). ++[Learn more](/rest/api/storageservices/get-user-delegation-key) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. 
| +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for generation of a user delegation key which can be used to sign SAS tokens", + "id": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a", + "name": "db58b8e5-c6ad-4a2a-8342-4190687cbf4a", + "permissions": [ + { + "actions": [ + "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Storage Blob Delegator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Storage File Data Privileged Contributor ++Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/write | Returns the result of writing a file or creating a folder | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/delete | Returns the result of deleting a file/folder | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/modifypermissions/action | Returns the result of modifying permission on a file/folder | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/readFileBackupSemantics/action | Read File Backup Sematics Privilege | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/writeFileBackupSemantics/action | Write File Backup Sematics Privilege | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Customer has read, write, delete and modify NTFS permission access on Azure Storage file shares.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/69566ab7-960f-475b-8e7c-b3118f30c6bd", + "name": "69566ab7-960f-475b-8e7c-b3118f30c6bd", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read", + "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write", + "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete", + "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action", + 
"Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action", + "Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action" + ], + "notDataActions": [] + } + ], + "roleName": "Storage File Data Privileged Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Storage File Data Privileged Reader ++Allows for read access on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/readFileBackupSemantics/action | Read File Backup Sematics Privilege | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Customer has read access on Azure Storage file shares.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/b8eda974-7b85-4f76-af95-65846b26df6d", + "name": "b8eda974-7b85-4f76-af95-65846b26df6d", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read", + "Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action" + ], + "notDataActions": [] + } + ], + "roleName": "Storage File Data Privileged Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Storage File Data SMB Share Contributor ++Allows for read, write, and delete access on files/directories in Azure file shares. This role has no built-in equivalent on Windows file servers. 
++[Learn more](/azure/storage/files/storage-files-identity-auth-active-directory-enable) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/write | Returns the result of writing a file or creating a folder. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/delete | Returns the result of deleting a file/folder. | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for read, write, and delete access in Azure Storage file shares over SMB", + "id": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", + "name": "0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read", + "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write", + "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete" + ], + "notDataActions": [] + } + ], + "roleName": "Storage File Data SMB Share Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Storage File Data SMB Share Elevated Contributor ++Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares. This role is equivalent to a file share ACL of change on Windows file servers. 
++[Learn more](/azure/storage/files/storage-files-identity-auth-active-directory-enable) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/write | Returns the result of writing a file or creating a folder. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/delete | Returns the result of deleting a file/folder. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/modifypermissions/action | Returns the result of modifying permission on a file/folder. | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB", + "id": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7", + "name": "a7264617-510b-434b-a828-9731dc254ea7", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read", + "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write", + "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete", + "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action" + ], + "notDataActions": [] + } + ], + "roleName": "Storage File Data SMB Share Elevated Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Storage File Data SMB Share Reader ++Allows for read access on 
files/directories in Azure file shares. This role is equivalent to a file share ACL of read on Windows file servers. ++[Learn more](/azure/storage/files/storage-files-identity-auth-active-directory-enable) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders. | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for read access to Azure File Share over SMB", + "id": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314", + "name": "aba4ae5f-2193-4029-9191-0cb91df5e314", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read" + ], + "notDataActions": [] + } + ], + "roleName": "Storage File Data SMB Share Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Storage Queue Data Contributor ++Read, write, and delete Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authenticate-with-azure-active-directory#permissions-for-calling-blob-and-queue-data-operations). ++[Learn more](/azure/storage/common/storage-auth-aad-rbac-portal) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/queues/delete | Delete a queue. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/queues/read | Return a queue or a list of queues. 
| +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/queues/write | Modify queue metadata or properties. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/queues/messages/delete | Delete one or more messages from a queue. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/queues/messages/read | Peek or retrieve one or more messages from a queue. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/queues/messages/write | Add a message to a queue. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/queues/messages/process/action | Returns the result of processing a message | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for read, write, and delete access to Azure Storage queues and queue messages", + "id": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88", + "name": "974c5e8b-45b9-4653-ba55-5f855dd0fb88", + "permissions": [ + { + "actions": [ + "Microsoft.Storage/storageAccounts/queueServices/queues/delete", + "Microsoft.Storage/storageAccounts/queueServices/queues/read", + "Microsoft.Storage/storageAccounts/queueServices/queues/write" + ], + "notActions": [], + "dataActions": [ + "Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete", + "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read", + "Microsoft.Storage/storageAccounts/queueServices/queues/messages/write", + "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action" + ], + "notDataActions": [] + } + ], + "roleName": "Storage Queue Data Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` 
++## Storage Queue Data Message Processor ++Peek, retrieve, and delete a message from an Azure Storage queue. To learn which actions are required for a given data operation, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authenticate-with-azure-active-directory#permissions-for-calling-blob-and-queue-data-operations). ++[Learn more](/azure/storage/common/storage-auth-aad-rbac-portal) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/queues/messages/read | Peek a message. | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/queues/messages/process/action | Retrieve and delete a message. | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for peek, receive, and delete access to Azure Storage queue messages", + "id": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed", + "name": "8a0f0c08-91a1-4084-bc3d-661d67233fed", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read", + "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action" + ], + "notDataActions": [] + } + ], + "roleName": "Storage Queue Data Message Processor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Storage Queue Data Message Sender ++Add messages to an Azure Storage queue. To learn which actions are required for a given data operation, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authenticate-with-azure-active-directory#permissions-for-calling-blob-and-queue-data-operations). 
++[Learn more](/azure/storage/common/storage-auth-aad-rbac-portal) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/queues/messages/add/action | Add a message to a queue. | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for sending of Azure Storage queue messages", + "id": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", + "name": "c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action" + ], + "notDataActions": [] + } + ], + "roleName": "Storage Queue Data Message Sender", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Storage Queue Data Reader ++Read and list Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authenticate-with-azure-active-directory#permissions-for-calling-blob-and-queue-data-operations). ++[Learn more](/azure/storage/common/storage-auth-aad-rbac-portal) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/queues/read | Returns a queue or a list of queues. | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/queueServices/queues/messages/read | Peek or retrieve one or more messages from a queue. 
| +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for read access to Azure Storage queues and queue messages", + "id": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925", + "name": "19e7f393-937e-4f77-808e-94535e297925", + "permissions": [ + { + "actions": [ + "Microsoft.Storage/storageAccounts/queueServices/queues/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read" + ], + "notDataActions": [] + } + ], + "roleName": "Storage Queue Data Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Storage Table Data Contributor ++Allows for read, write and delete access to Azure Storage tables and entities ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/tableServices/tables/read | Query tables | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/tableServices/tables/write | Create tables | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/tableServices/tables/delete | Delete tables | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/tableServices/tables/entities/read | Query table entities | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/tableServices/tables/entities/write | Insert, merge, or replace table entities | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/tableServices/tables/entities/delete | Delete table entities | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/tableServices/tables/entities/add/action | Insert table entities | +> | 
[Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/tableServices/tables/entities/update/action | Merge or update table entities | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for read, write and delete access to Azure Storage tables and entities", + "id": "/providers/Microsoft.Authorization/roleDefinitions/0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3", + "name": "0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3", + "permissions": [ + { + "actions": [ + "Microsoft.Storage/storageAccounts/tableServices/tables/read", + "Microsoft.Storage/storageAccounts/tableServices/tables/write", + "Microsoft.Storage/storageAccounts/tableServices/tables/delete" + ], + "notActions": [], + "dataActions": [ + "Microsoft.Storage/storageAccounts/tableServices/tables/entities/read", + "Microsoft.Storage/storageAccounts/tableServices/tables/entities/write", + "Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete", + "Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action", + "Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action" + ], + "notDataActions": [] + } + ], + "roleName": "Storage Table Data Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Storage Table Data Reader ++Allows for read access to Azure Storage tables and entities ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/tableServices/tables/read | Query tables | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/tableServices/tables/entities/read | Query table entities | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allows for read access to Azure Storage tables 
and entities", + "id": "/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6", + "name": "76199698-9eea-4c19-bc75-cec21354c6b6", + "permissions": [ + { + "actions": [ + "Microsoft.Storage/storageAccounts/tableServices/tables/read" + ], + "notActions": [], + "dataActions": [ + "Microsoft.Storage/storageAccounts/tableServices/tables/entities/read" + ], + "notDataActions": [] + } + ], + "roleName": "Storage Table Data Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Next steps ++- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal) |
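Review bot: the Storage Account Key Operator Service Role summary ("Permits listing and regenerating storage account access keys.") should spell out the privilege implication the way the Storage Account Contributor section does, since the listkeys/action it grants returns the same keys that the Storage Account Contributor JSON description says "provide full access to storage account data"; a reader comparing the two summaries would otherwise underestimate a role whose only two actions are key listing and regeneration. Separately, the description cells for readFileBackupSemantics/action and writeFileBackupSemantics/action read "Read File Backup Sematics Privilege" and "Write File Backup Sematics Privilege" in the Storage File Data Privileged Contributor and Privileged Reader tables; "Sematics" should be "Semantics" (if these cells are generated rather than hand-written, the fix belongs at the source). Minor consistency point: the Storage Table Data Contributor and Storage Table Data Reader sections are the only ones whose summary sentences lack a trailing period and that carry no [Learn more] link.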
role-based-access-control | Web And Mobile | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles/web-and-mobile.md | + + Title: Azure built-in roles for Web and Mobile - Azure RBAC +description: This article lists the Azure built-in roles for Azure role-based access control (Azure RBAC) in the Web and Mobile category. It lists Actions, NotActions, DataActions, and NotDataActions. ++++++ Last updated : 02/07/2024++++# Azure built-in roles for Web and Mobile ++This article lists the Azure built-in roles in the Web and Mobile category. +++## Azure Maps Data Contributor ++Grants access to read, write, and delete access to map related data from an Azure maps account. ++[Learn more](/azure/azure-maps/azure-maps-authentication) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Maps](../permissions/web-and-mobile.md#microsoftmaps)/accounts/*/read | | +> | [Microsoft.Maps](../permissions/web-and-mobile.md#microsoftmaps)/accounts/*/write | | +> | [Microsoft.Maps](../permissions/web-and-mobile.md#microsoftmaps)/accounts/*/delete | | +> | [Microsoft.Maps](../permissions/web-and-mobile.md#microsoftmaps)/accounts/*/action | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Grants access to read, write, and delete access to map related data from an Azure maps account.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204", + "name": "8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.Maps/accounts/*/read", + "Microsoft.Maps/accounts/*/write", + "Microsoft.Maps/accounts/*/delete", + "Microsoft.Maps/accounts/*/action" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Maps Data Contributor", + "roleType": "BuiltInRole", + 
"type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Maps Data Reader ++Grants access to read map related data from an Azure maps account. ++[Learn more](/azure/azure-maps/azure-maps-authentication) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Maps](../permissions/web-and-mobile.md#microsoftmaps)/accounts/*/read | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Grants access to read map related data from an Azure maps account.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa", + "name": "423170ca-a8f6-4b0f-8487-9e4eb8f49bfa", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.Maps/accounts/*/read" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Maps Data Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Spring Cloud Config Server Contributor ++Allow read, write and delete access to Azure Spring Cloud Config Server ++[Learn more](/azure/spring-apps/basic-standard/how-to-access-data-plane-azure-ad-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.AppPlatform](../permissions/web-and-mobile.md#microsoftappplatform)/Spring/configService/read | Read the configuration content(for example, application.yaml) for a specific Azure Spring Apps service instance | +> | [Microsoft.AppPlatform](../permissions/web-and-mobile.md#microsoftappplatform)/Spring/configService/write | Write config server content for a specific Azure Spring Apps service instance | +> | [Microsoft.AppPlatform](../permissions/web-and-mobile.md#microsoftappplatform)/Spring/configService/delete | Delete config server content for a 
specific Azure Spring Apps service instance | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allow read, write and delete access to Azure Spring Cloud Config Server", + "id": "/providers/Microsoft.Authorization/roleDefinitions/a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b", + "name": "a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.AppPlatform/Spring/configService/read", + "Microsoft.AppPlatform/Spring/configService/write", + "Microsoft.AppPlatform/Spring/configService/delete" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Spring Cloud Config Server Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Spring Cloud Config Server Reader ++Allow read access to Azure Spring Cloud Config Server ++[Learn more](/azure/spring-apps/basic-standard/how-to-access-data-plane-azure-ad-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.AppPlatform](../permissions/web-and-mobile.md#microsoftappplatform)/Spring/configService/read | Read the configuration content(for example, application.yaml) for a specific Azure Spring Apps service instance | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allow read access to Azure Spring Cloud Config Server", + "id": "/providers/Microsoft.Authorization/roleDefinitions/d04c6db6-4947-4782-9e91-30a88feb7be7", + "name": "d04c6db6-4947-4782-9e91-30a88feb7be7", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.AppPlatform/Spring/configService/read" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Spring Cloud Config Server Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} 
+``` ++## Azure Spring Cloud Data Reader ++Allow read access to Azure Spring Cloud Data ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.AppPlatform](../permissions/web-and-mobile.md#microsoftappplatform)/Spring/*/read | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allow read access to Azure Spring Cloud Data", + "id": "/providers/Microsoft.Authorization/roleDefinitions/b5537268-8956-4941-a8f0-646150406f0c", + "name": "b5537268-8956-4941-a8f0-646150406f0c", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.AppPlatform/Spring/*/read" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Spring Cloud Data Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Spring Cloud Service Registry Contributor ++Allow read, write and delete access to Azure Spring Cloud Service Registry ++[Learn more](/azure/spring-apps/basic-standard/how-to-access-data-plane-azure-ad-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.AppPlatform](../permissions/web-and-mobile.md#microsoftappplatform)/Spring/eurekaService/read | Read the user app(s) registration information for a specific Azure Spring Apps service instance | +> | [Microsoft.AppPlatform](../permissions/web-and-mobile.md#microsoftappplatform)/Spring/eurekaService/write | Write the user app(s) registration information for a specific Azure Spring Apps service instance | +> | [Microsoft.AppPlatform](../permissions/web-and-mobile.md#microsoftappplatform)/Spring/eurekaService/delete | Delete the user app registration information for a specific Azure Spring Apps service instance | +> | **NotDataActions** | | +> | *none* | | ++```json 
+{ + "assignableScopes": [ + "/" + ], + "description": "Allow read, write and delete access to Azure Spring Cloud Service Registry", + "id": "/providers/Microsoft.Authorization/roleDefinitions/f5880b48-c26d-48be-b172-7927bfa1c8f1", + "name": "f5880b48-c26d-48be-b172-7927bfa1c8f1", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.AppPlatform/Spring/eurekaService/read", + "Microsoft.AppPlatform/Spring/eurekaService/write", + "Microsoft.AppPlatform/Spring/eurekaService/delete" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Spring Cloud Service Registry Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Azure Spring Cloud Service Registry Reader ++Allow read access to Azure Spring Cloud Service Registry ++[Learn more](/azure/spring-apps/basic-standard/how-to-access-data-plane-azure-ad-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.AppPlatform](../permissions/web-and-mobile.md#microsoftappplatform)/Spring/eurekaService/read | Read the user app(s) registration information for a specific Azure Spring Apps service instance | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Allow read access to Azure Spring Cloud Service Registry", + "id": "/providers/Microsoft.Authorization/roleDefinitions/cff1b556-2399-4e7e-856d-a8f754be7b65", + "name": "cff1b556-2399-4e7e-856d-a8f754be7b65", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.AppPlatform/Spring/eurekaService/read" + ], + "notDataActions": [] + } + ], + "roleName": "Azure Spring Cloud Service Registry Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Media Services Account Administrator ++Create, read, modify, and delete Media Services 
accounts; read-only access to other Media Services resources. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metrics/read | Read metrics | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metricDefinitions/read | Read metric definitions | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/*/read | | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/assets/listStreamingLocators/action | List Streaming Locators for Asset | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/streamingLocators/listPaths/action | List Paths | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/write | Create or Update any Media Services Account | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/delete | Delete any Media Services Account | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/privateEndpointConnectionsApproval/action | Approve Private Endpoint Connections | +> | 
[Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/privateEndpointConnections/* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/054126f8-9a2b-4f1c-a9ad-eca461f08466", + "name": "054126f8-9a2b-4f1c-a9ad-eca461f08466", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Insights/metrics/read", + "Microsoft.Insights/metricDefinitions/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Media/mediaservices/*/read", + "Microsoft.Media/mediaservices/assets/listStreamingLocators/action", + "Microsoft.Media/mediaservices/streamingLocators/listPaths/action", + "Microsoft.Media/mediaservices/write", + "Microsoft.Media/mediaservices/delete", + "Microsoft.Media/mediaservices/privateEndpointConnectionsApproval/action", + "Microsoft.Media/mediaservices/privateEndpointConnections/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Media Services Account Administrator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Media Services Live Events Administrator ++Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metrics/read | Read metrics | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metricDefinitions/read | Read metric definitions | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/*/read | | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/assets/* | | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/assets/assetfilters/* | | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/streamingLocators/* | | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/liveEvents/* | | +> | **NotActions** | | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/assets/getEncryptionKey/action | Get Asset Encryption Key | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/streamingLocators/listContentKeys/action | List Content Keys | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + 
"assignableScopes": [ + "/" + ], + "description": "Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/532bc159-b25e-42c0-969e-a1d439f60d77", + "name": "532bc159-b25e-42c0-969e-a1d439f60d77", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Insights/metrics/read", + "Microsoft.Insights/metricDefinitions/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Media/mediaservices/*/read", + "Microsoft.Media/mediaservices/assets/*", + "Microsoft.Media/mediaservices/assets/assetfilters/*", + "Microsoft.Media/mediaservices/streamingLocators/*", + "Microsoft.Media/mediaservices/liveEvents/*" + ], + "notActions": [ + "Microsoft.Media/mediaservices/assets/getEncryptionKey/action", + "Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action" + ], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Media Services Live Events Administrator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Media Services Media Operator ++Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metrics/read | Read metrics | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metricDefinitions/read | Read metric definitions | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/*/read | | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/assets/* | | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/assets/assetfilters/* | | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/streamingLocators/* | | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/transforms/jobs/* | | +> | **NotActions** | | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/assets/getEncryptionKey/action | Get Asset Encryption Key | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/streamingLocators/listContentKeys/action | List Content Keys | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + 
"assignableScopes": [ + "/" + ], + "description": "Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/e4395492-1534-4db2-bedf-88c14621589c", + "name": "e4395492-1534-4db2-bedf-88c14621589c", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Insights/metrics/read", + "Microsoft.Insights/metricDefinitions/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Media/mediaservices/*/read", + "Microsoft.Media/mediaservices/assets/*", + "Microsoft.Media/mediaservices/assets/assetfilters/*", + "Microsoft.Media/mediaservices/streamingLocators/*", + "Microsoft.Media/mediaservices/transforms/jobs/*" + ], + "notActions": [ + "Microsoft.Media/mediaservices/assets/getEncryptionKey/action", + "Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action" + ], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Media Services Media Operator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Media Services Policy Administrator ++Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets or Streaming resources. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metrics/read | Read metrics | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metricDefinitions/read | Read metric definitions | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/*/read | | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/assets/listStreamingLocators/action | List Streaming Locators for Asset | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/streamingLocators/listPaths/action | List Paths | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/accountFilters/* | | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/streamingPolicies/* | | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/contentKeyPolicies/* | | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/transforms/* | | +> | **NotActions** | | +> | 
[Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action | Get Policy Properties With Secrets | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets or Streaming resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/c4bba371-dacd-4a26-b320-7250bca963ae", + "name": "c4bba371-dacd-4a26-b320-7250bca963ae", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Insights/metrics/read", + "Microsoft.Insights/metricDefinitions/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Media/mediaservices/*/read", + "Microsoft.Media/mediaservices/assets/listStreamingLocators/action", + "Microsoft.Media/mediaservices/streamingLocators/listPaths/action", + "Microsoft.Media/mediaservices/accountFilters/*", + "Microsoft.Media/mediaservices/streamingPolicies/*", + "Microsoft.Media/mediaservices/contentKeyPolicies/*", + "Microsoft.Media/mediaservices/transforms/*" + ], + "notActions": [ + "Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action" + ], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Media Services Policy Administrator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Media Services Streaming Endpoints Administrator ++Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metrics/read | Read metrics | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/metricDefinitions/read | Read metric definitions | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/*/read | | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/assets/listStreamingLocators/action | List Streaming Locators for Asset | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/streamingLocators/listPaths/action | List Paths | +> | [Microsoft.Media](../permissions/web-and-mobile.md#microsoftmedia)/mediaservices/streamingEndpoints/* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/99dba123-b5fe-44d5-874c-ced7199a5804", + "name": 
"99dba123-b5fe-44d5-874c-ced7199a5804", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Insights/metrics/read", + "Microsoft.Insights/metricDefinitions/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Media/mediaservices/*/read", + "Microsoft.Media/mediaservices/assets/listStreamingLocators/action", + "Microsoft.Media/mediaservices/streamingLocators/listPaths/action", + "Microsoft.Media/mediaservices/streamingEndpoints/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Media Services Streaming Endpoints Administrator", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Search Index Data Contributor ++Grants full access to Azure Cognitive Search index data. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Search](../permissions/web-and-mobile.md#microsoftsearch)/searchServices/indexes/documents/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Grants full access to Azure Cognitive Search index data.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/8ebe5a00-799e-43f5-93ac-243d3dce84a7", + "name": "8ebe5a00-799e-43f5-93ac-243d3dce84a7", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.Search/searchServices/indexes/documents/*" + ], + "notDataActions": [] + } + ], + "roleName": "Search Index Data Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Search Index Data Reader ++Grants read access to Azure Cognitive Search index data. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.Search](../permissions/web-and-mobile.md#microsoftsearch)/searchServices/indexes/documents/read | Read documents or suggested query terms from an index. | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Grants read access to Azure Cognitive Search index data.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/1407120a-92aa-4202-b7e9-c0e197c71c8f", + "name": "1407120a-92aa-4202-b7e9-c0e197c71c8f", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.Search/searchServices/indexes/documents/read" + ], + "notDataActions": [] + } + ], + "roleName": "Search Index Data Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Search Service Contributor ++Lets you manage Search services, but not access to them. ++[Learn more](/azure/search/search-security-rbac) ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Search](../permissions/web-and-mobile.md#microsoftsearch)/searchServices/* | Create and manage search services | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage Search services, but not access to them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0", + "name": "7ca78c08-252a-4471-8644-bb5ff32d4ba0", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Search/searchServices/*", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Search Service Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## SignalR AccessKey Reader ++Read SignalR Service Access Keys ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.SignalRService](../permissions/web-and-mobile.md#microsoftsignalrservice)/*/read | | +> | [Microsoft.SignalRService](../permissions/web-and-mobile.md#microsoftsignalrservice)/SignalR/listkeys/action | View the value of SignalR access keys in the management portal or through API | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. 
| +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Read SignalR Service Access Keys", + "id": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e", + "name": "04165923-9d83-45d5-8227-78b77b0a687e", + "permissions": [ + { + "actions": [ + "Microsoft.SignalRService/*/read", + "Microsoft.SignalRService/SignalR/listkeys/action", + "Microsoft.Authorization/*/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "SignalR AccessKey Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## SignalR App Server ++Lets your app server access SignalR Service with AAD auth options. 
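The Media Services roles above use NotActions to subtract the secret-returning operations (`getEncryptionKey`, `listContentKeys`, `getPolicyPropertiesWithSecrets`) from otherwise broad wildcard grants, and SignalR AccessKey Reader grants `listkeys/action`, a control-plane action whose result is a data-plane credential. The evaluator below is an added example for this page, not code from the Azure docs or any Azure SDK. It applies the Actions/NotActions and DataActions/NotDataActions rules to role definitions copied from this page and reports which credential-yielding operations a role effectively grants. Wildcard and case-insensitive matching follow Azure RBAC's documented behaviour; the `AssetKeyReader` custom role and the `CREDENTIAL_OPERATIONS` watchlist are assumptions made for the demonstration, and Azure deny assignments are not modelled.

```python
"""Effective-permission check for Azure RBAC role definitions.

Added example for this page; not code from the Azure docs or any Azure SDK.
Role definitions are copied from the page (Insights/Resources entries trimmed
where they do not affect the result). The 'AssetKeyReader' custom role and the
CREDENTIAL_OPERATIONS watchlist are assumptions for the demonstration.
"""
import re


def matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard match: '*' matches any run of characters, '/' included,
    and operation names are compared case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_allows(role: dict, operation: str, data_action: bool = False) -> bool:
    """Does one role grant `operation`?  Control-plane operations are evaluated
    against actions/notActions, data-plane operations against
    dataActions/notDataActions; a data-plane grant never covers a control-plane
    operation or vice versa.  NotActions only subtract from this role's own grants."""
    grant_key, carve_key = (("dataActions", "notDataActions") if data_action
                            else ("actions", "notActions"))
    for perm in role["permissions"]:
        granted = any(matches(p, operation) for p in perm[grant_key])
        carved_out = any(matches(p, operation) for p in perm[carve_key])
        if granted and not carved_out:
            return True
    return False


def principal_allows(roles, operation: str, data_action: bool = False) -> bool:
    """Permissions across a principal's assignments are a union, so a NotAction in
    one role does not block the same operation granted by another role.
    (Azure deny assignments are a separate mechanism, not modelled here.)"""
    return any(role_allows(r, operation, data_action) for r in roles)


# Watchlist (assumption): operations on this page whose response is a key or a
# secret, i.e. a credential that outlives the role assignment that produced it.
CREDENTIAL_OPERATIONS = [
    ("control", "Microsoft.SignalRService/SignalR/listkeys/action"),
    ("control", "Microsoft.Media/mediaservices/assets/getEncryptionKey/action"),
    ("control", "Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action"),
    ("control", "Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action"),
    ("data", "Microsoft.SignalRService/SignalR/auth/accessKey/action"),
]


def credential_exposure(role: dict) -> list:
    """Watchlist operations that `role` effectively grants, after carve-outs."""
    return [op for plane, op in CREDENTIAL_OPERATIONS
            if role_allows(role, op, data_action=(plane == "data"))]


def _role(name, actions=(), not_actions=(), data_actions=(), not_data_actions=()):
    """Build a role definition in the shape of the JSON blocks on this page."""
    return {"roleName": name, "permissions": [{
        "actions": list(actions), "notActions": list(not_actions),
        "dataActions": list(data_actions), "notDataActions": list(not_data_actions)}]}


LIVE_EVENTS_ADMIN = _role(
    "Media Services Live Events Administrator",
    actions=["Microsoft.Authorization/*/read",
             "Microsoft.Media/mediaservices/*/read",
             "Microsoft.Media/mediaservices/assets/*",
             "Microsoft.Media/mediaservices/assets/assetfilters/*",
             "Microsoft.Media/mediaservices/streamingLocators/*",
             "Microsoft.Media/mediaservices/liveEvents/*"],
    not_actions=["Microsoft.Media/mediaservices/assets/getEncryptionKey/action",
                 "Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action"])

SIGNALR_ACCESSKEY_READER = _role(
    "SignalR AccessKey Reader",
    actions=["Microsoft.SignalRService/*/read",
             "Microsoft.SignalRService/SignalR/listkeys/action",
             "Microsoft.Authorization/*/read",
             "Microsoft.Resources/subscriptions/resourceGroups/read",
             "Microsoft.Support/*"])

SIGNALR_SERVICE_OWNER = _role(
    "SignalR Service Owner", data_actions=["Microsoft.SignalRService/SignalR/*"])

# Hypothetical custom role, used only to show that a NotAction is not a deny.
ASSET_KEY_READER = _role(
    "AssetKeyReader (hypothetical custom role)",
    actions=["Microsoft.Media/mediaservices/assets/getEncryptionKey/action"])


if __name__ == "__main__":
    key_op = "Microsoft.Media/mediaservices/assets/getEncryptionKey/action"
    print("Live Events Admin writes assets:",
          role_allows(LIVE_EVENTS_ADMIN, "Microsoft.Media/mediaservices/assets/write"))
    print("Live Events Admin reads asset key:", role_allows(LIVE_EVENTS_ADMIN, key_op))
    print("... plus AssetKeyReader:", principal_allows([LIVE_EVENTS_ADMIN, ASSET_KEY_READER], key_op))
    for role in (LIVE_EVENTS_ADMIN, SIGNALR_ACCESSKEY_READER, SIGNALR_SERVICE_OWNER):
        print(role["roleName"], "exposes:", credential_exposure(role) or "nothing")
```

Two things the run makes concrete. A NotAction is a carve-out inside one role: Live Events Administrator cannot call `getEncryptionKey`, but a second assignment that grants that operation restores it, so reviewing one role in isolation says nothing about the principal's effective rights. And the planes do not mix: SignalR Service Owner holds only data actions, so it can mint access keys through `auth/accessKey/action` yet cannot call the control-plane `listkeys/action`, while SignalR AccessKey Reader lists the keys without holding a single data action. Treat both as key-holding roles when reviewing assignments.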
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.SignalRService](../permissions/web-and-mobile.md#microsoftsignalrservice)/SignalR/auth/accessKey/action | Generate an AccessKey for signing AccessTokens, the key will expire in 90 minutes by default | +> | [Microsoft.SignalRService](../permissions/web-and-mobile.md#microsoftsignalrservice)/SignalR/serverConnection/write | Start a server connection | +> | [Microsoft.SignalRService](../permissions/web-and-mobile.md#microsoftsignalrservice)/SignalR/clientConnection/write | Close client connection | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets your app server access SignalR Service with AAD auth options.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/420fcaa2-552c-430f-98ca-3264be4806c7", + "name": "420fcaa2-552c-430f-98ca-3264be4806c7", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.SignalRService/SignalR/auth/accessKey/action", + "Microsoft.SignalRService/SignalR/serverConnection/write", + "Microsoft.SignalRService/SignalR/clientConnection/write" + ], + "notDataActions": [] + } + ], + "roleName": "SignalR App Server", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## SignalR REST API Owner ++Full access to Azure SignalR Service REST APIs ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.SignalRService](../permissions/web-and-mobile.md#microsoftsignalrservice)/SignalR/auth/clientToken/action | Generate an AccessToken for client to connect to ASRS, the token will expire in 5 minutes by default | +> | [Microsoft.SignalRService](../permissions/web-and-mobile.md#microsoftsignalrservice)/SignalR/hub/* | | +> | 
[Microsoft.SignalRService](../permissions/web-and-mobile.md#microsoftsignalrservice)/SignalR/group/* | | +> | [Microsoft.SignalRService](../permissions/web-and-mobile.md#microsoftsignalrservice)/SignalR/clientConnection/* | | +> | [Microsoft.SignalRService](../permissions/web-and-mobile.md#microsoftsignalrservice)/SignalR/user/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Full access to Azure SignalR Service REST APIs", + "id": "/providers/Microsoft.Authorization/roleDefinitions/fd53cd77-2268-407a-8f46-7e7863d0f521", + "name": "fd53cd77-2268-407a-8f46-7e7863d0f521", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.SignalRService/SignalR/auth/clientToken/action", + "Microsoft.SignalRService/SignalR/hub/*", + "Microsoft.SignalRService/SignalR/group/*", + "Microsoft.SignalRService/SignalR/clientConnection/*", + "Microsoft.SignalRService/SignalR/user/*" + ], + "notDataActions": [] + } + ], + "roleName": "SignalR REST API Owner", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## SignalR REST API Reader ++Read-only access to Azure SignalR Service REST APIs ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.SignalRService](../permissions/web-and-mobile.md#microsoftsignalrservice)/SignalR/group/read | Check group existence or user existence in group | +> | [Microsoft.SignalRService](../permissions/web-and-mobile.md#microsoftsignalrservice)/SignalR/clientConnection/read | Check client connection existence | +> | [Microsoft.SignalRService](../permissions/web-and-mobile.md#microsoftsignalrservice)/SignalR/user/read | Check user existence | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Read-only access to Azure SignalR Service REST APIs", + 
"id": "/providers/Microsoft.Authorization/roleDefinitions/ddde6b66-c0df-4114-a159-3618637b3035", + "name": "ddde6b66-c0df-4114-a159-3618637b3035", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.SignalRService/SignalR/group/read", + "Microsoft.SignalRService/SignalR/clientConnection/read", + "Microsoft.SignalRService/SignalR/user/read" + ], + "notDataActions": [] + } + ], + "roleName": "SignalR REST API Reader", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## SignalR Service Owner ++Full access to Azure SignalR Service REST APIs ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | *none* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | [Microsoft.SignalRService](../permissions/web-and-mobile.md#microsoftsignalrservice)/SignalR/* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Full access to Azure SignalR Service REST APIs", + "id": "/providers/Microsoft.Authorization/roleDefinitions/7e4f1700-ea5a-4f59-8f37-079cfe29dce3", + "name": "7e4f1700-ea5a-4f59-8f37-079cfe29dce3", + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.SignalRService/SignalR/*" + ], + "notDataActions": [] + } + ], + "roleName": "SignalR Service Owner", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## SignalR/Web PubSub Contributor ++Create, Read, Update, and Delete SignalR service resources ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.SignalRService](../permissions/web-and-mobile.md#microsoftsignalrservice)/* | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric 
alert | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Create, Read, Update, and Delete SignalR service resources", + "id": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761", + "name": "8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761", + "permissions": [ + { + "actions": [ + "Microsoft.SignalRService/*", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "SignalR/Web PubSub Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Web Plan Contributor ++Manage the web plans for websites. Does not allow you to assign roles in Azure RBAC. 
++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/serverFarms/* | Create and manage server farms | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/hostingEnvironments/Join/Action | Joins an App Service Environment | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/autoscalesettings/* | | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage the web plans for websites, but not access to them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b", + "name": "2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + 
"Microsoft.Web/serverFarms/*", + "Microsoft.Web/hostingEnvironments/Join/Action", + "Microsoft.Insights/autoscalesettings/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Web Plan Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Website Contributor ++Manage websites, but not web plans. Does not allow you to assign roles in Azure RBAC. ++> [!div class="mx-tableFixed"] +> | Actions | Description | +> | | | +> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert | +> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/components/* | Create and manage Insights components | +> | [Microsoft.ResourceHealth](../permissions/general.md#microsoftresourcehealth)/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment | +> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/certificates/* | Create and manage website certificates | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/listSitesAssignedToHostName/read | Get names of sites assigned to hostname. 
| +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/serverFarms/join/action | Joins an App Service Plan | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/serverFarms/read | Get the properties on an App Service Plan | +> | [Microsoft.Web](../permissions/web-and-mobile.md#microsoftweb)/sites/* | Create and manage websites (site creation also requires write permissions to the associated App Service Plan) | +> | **NotActions** | | +> | *none* | | +> | **DataActions** | | +> | *none* | | +> | **NotDataActions** | | +> | *none* | | ++```json +{ + "assignableScopes": [ + "/" + ], + "description": "Lets you manage websites (not web plans), but not access to them.", + "id": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772", + "name": "de139f84-1756-47ae-9be6-808fbbe84772", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Insights/components/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.Web/certificates/*", + "Microsoft.Web/listSitesAssignedToHostName/read", + "Microsoft.Web/serverFarms/join/action", + "Microsoft.Web/serverFarms/read", + "Microsoft.Web/sites/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ], + "roleName": "Website Contributor", + "roleType": "BuiltInRole", + "type": "Microsoft.Authorization/roleDefinitions" +} +``` ++## Next steps ++- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal) |
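Review bot: The "SignalR Service Owner" section reuses the "SignalR REST API Owner" description verbatim ("Full access to Azure SignalR Service REST APIs") even though its DataActions differ: the Service Owner grants the wildcard `Microsoft.SignalRService/SignalR/*`, while the REST API Owner enumerates `auth/clientToken/action`, `hub/*`, `group/*`, `clientConnection/*` and `user/*`. With identical descriptions a reader picking the narrower role for least-privilege assignment cannot tell them apart; the Service Owner description should state that it covers every SignalR data-plane action, and the REST API Owner description that it covers only the REST API surface. Two smaller points in the same region: the prose under "Web Plan Contributor" and "Website Contributor" ("Manage the web plans for websites. Does not allow you to assign roles in Azure RBAC.") does not match the JSON `description` values ("Lets you manage the web plans for websites, but not access to them." and "Lets you manage websites (not web plans), but not access to them."), so either align them or say which one the service actually reports; and the Description cells for `Microsoft.SignalRService/SignalR/hub/*`, `group/*`, `clientConnection/*`, `user/*`, `Microsoft.SignalRService/SignalR/*` and `Microsoft.Insights/autoscalesettings/*` are empty while every neighbouring row is described.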
role-based-access-control | Ai Machine Learning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/ai-machine-learning.md | + + Title: Azure permissions for AI + machine learning - Azure RBAC +description: Lists the permissions for the Azure resource providers in the AI + machine learning category. +++++ Last updated : 02/07/2024++++# Azure permissions for AI + machine learning ++This article lists the permissions for the Azure resource providers in the AI + machine learning category. You can use these permissions in your own [Azure custom roles](/azure/role-based-access-control/custom-roles) to provide granular access control to resources in Azure. Permission strings have the following format: `{Company}.{ProviderName}/{resourceType}/{action}` +++## Microsoft.BotService ++Azure service: [Azure Bot Service](/azure/bot-service/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.BotService/register/action | Subscription Registration Action | +> | Microsoft.BotService/listqnamakerendpointkeys/action | List QnAMaker Keys | +> | Microsoft.BotService/checknameavailability/action | Check Name Availability of a Bot | +> | Microsoft.BotService/listauthserviceproviders/action | List Auth Service Providers | +> | Microsoft.BotService/botServices/read | Read a Bot Service | +> | Microsoft.BotService/botServices/write | Write a Bot Service | +> | Microsoft.BotService/botServices/delete | Delete a Bot Service | +> | Microsoft.BotService/botServices/createemailsigninurl/action | Create a sign in url for email channel modern auth | +> | Microsoft.BotService/botServices/privateEndpointConnectionsApproval/action | Approval for creating a Private Endpoint | +> | Microsoft.BotService/botServices/joinPerimeter/action | Description for action of Join Perimeter | +> | Microsoft.BotService/botServices/channels/read | Read a Bot Service Channel | +> | Microsoft.BotService/botServices/channels/write | 
Write a Bot Service Channel | +> | Microsoft.BotService/botServices/channels/delete | Delete a Bot Service Channel | +> | Microsoft.BotService/botServices/channels/listchannelwithkeys/action | List Botservice channels with secrets | +> | Microsoft.BotService/botServices/channels/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.BotService/botServices/channels/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.BotService/botServices/channels/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for <Name of the resource> | +> | Microsoft.BotService/botServices/channels/providers/Microsoft.Insights/metricDefinitions/read | Creates or updates the diagnostic setting for the resource | +> | Microsoft.BotService/botServices/connections/read | Read a Bot Service Connection | +> | Microsoft.BotService/botServices/connections/write | Write a Bot Service Connection | +> | Microsoft.BotService/botServices/connections/delete | Delete a Bot Service Connection | +> | Microsoft.BotService/botServices/connections/listwithsecrets/write | Write a Bot Service Connection List | +> | Microsoft.BotService/botServices/connections/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.BotService/botServices/connections/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.BotService/botServices/connections/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for <Name of the resource> | +> | Microsoft.BotService/botServices/connections/providers/Microsoft.Insights/metricDefinitions/read | Creates or updates the diagnostic setting for the resource | +> | Microsoft.BotService/botServices/networkSecurityPerimeterAssociationProxies/read | Read a Network Security 
Perimeter Association Proxies resource | +> | Microsoft.BotService/botServices/networkSecurityPerimeterAssociationProxies/write | Write a Network Security Perimeter Association Proxies resource | +> | Microsoft.BotService/botServices/networkSecurityPerimeterAssociationProxies/delete | Delete a Network Security Perimeter Association Proxies resource | +> | Microsoft.BotService/botServices/networkSecurityPerimeterConfigurations/read | Read a Network Security Perimeter Configurations resource | +> | Microsoft.BotService/botServices/networkSecurityPerimeterConfigurations/reconcile/action | Reconcile a Network Security Perimeter Configurations resource | +> | Microsoft.BotService/botServices/privateEndpointConnectionProxies/read | Read a connection proxy resource | +> | Microsoft.BotService/botServices/privateEndpointConnectionProxies/write | Write a connection proxy resource | +> | Microsoft.BotService/botServices/privateEndpointConnectionProxies/delete | Delete a connection proxy resource | +> | Microsoft.BotService/botServices/privateEndpointConnectionProxies/validate/action | Validate a connection proxy resource | +> | Microsoft.BotService/botServices/privateEndpointConnections/read | Read a Private Endpoint Connections Resource | +> | Microsoft.BotService/botServices/privateEndpointConnections/write | Write a Private Endpoint Connections Resource | +> | Microsoft.BotService/botServices/privateEndpointConnections/delete | Delete a Private Endpoint Connections Resource | +> | Microsoft.BotService/botServices/privateLinkResources/read | Read a Private Links Resource | +> | Microsoft.BotService/botServices/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.BotService/botServices/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.BotService/botServices/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs 
for <Name of the resource> | +> | Microsoft.BotService/botServices/providers/Microsoft.Insights/metricDefinitions/read | Creates or updates the diagnostic setting for the resource | +> | Microsoft.BotService/checknameavailability/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.BotService/checknameavailability/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.BotService/checknameavailability/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for <Name of the resource> | +> | Microsoft.BotService/checknameavailability/providers/Microsoft.Insights/metricDefinitions/read | Creates or updates the diagnostic setting for the resource | +> | Microsoft.BotService/hostsettings/read | Get the settings needed to host bot service | +> | Microsoft.BotService/hostsettings/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.BotService/hostsettings/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.BotService/hostsettings/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for <Name of the resource> | +> | Microsoft.BotService/hostsettings/providers/Microsoft.Insights/metricDefinitions/read | Creates or updates the diagnostic setting for the resource | +> | Microsoft.BotService/listauthserviceproviders/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.BotService/listauthserviceproviders/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.BotService/listauthserviceproviders/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for <Name of the resource> | +> | 
Microsoft.BotService/listauthserviceproviders/providers/Microsoft.Insights/metricDefinitions/read | Creates or updates the diagnostic setting for the resource | +> | Microsoft.BotService/listqnamakerendpointkeys/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.BotService/listqnamakerendpointkeys/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.BotService/listqnamakerendpointkeys/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for <Name of the resource> | +> | Microsoft.BotService/listqnamakerendpointkeys/providers/Microsoft.Insights/metricDefinitions/read | Creates or updates the diagnostic setting for the resource | +> | Microsoft.BotService/locations/notifyNetworkSecurityPerimeterUpdatesAvailable/action | Notify Network Security Perimeter Updates Available | +> | Microsoft.BotService/locations/operationresults/read | Read the status of an asynchronous operation | +> | Microsoft.BotService/operationresults/read | Read the status of an asynchronous operation | +> | Microsoft.BotService/Operations/read | Read the operations for all resource types | ++## Microsoft.CognitiveServices ++Azure service: [Cognitive Services](/azure/cognitive-services/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.CognitiveServices/register/action | Subscription Registration Action | +> | Microsoft.CognitiveServices/register/action | Registers Subscription for Cognitive Services | +> | Microsoft.CognitiveServices/checkDomainAvailability/action | Reads available SKUs for a subscription. | +> | Microsoft.CognitiveServices/accounts/read | Reads API accounts. | +> | Microsoft.CognitiveServices/accounts/write | Writes API Accounts. 
| +> | Microsoft.CognitiveServices/accounts/delete | Deletes API accounts | +> | Microsoft.CognitiveServices/accounts/joinPerimeter/action | Allow to join CognitiveServices account to an given perimeter. | +> | Microsoft.CognitiveServices/accounts/listKeys/action | List keys | +> | Microsoft.CognitiveServices/accounts/regenerateKey/action | Regenerate Key | +> | Microsoft.CognitiveServices/accounts/commitmentplans/read | Reads commitment plans. | +> | Microsoft.CognitiveServices/accounts/commitmentplans/write | Writes commitment plans. | +> | Microsoft.CognitiveServices/accounts/commitmentplans/delete | Deletes commitment plans. | +> | Microsoft.CognitiveServices/accounts/deployments/read | Reads deployments. | +> | Microsoft.CognitiveServices/accounts/deployments/write | Writes deployments. | +> | Microsoft.CognitiveServices/accounts/deployments/delete | Deletes deployments. | +> | Microsoft.CognitiveServices/accounts/encryptionScopes/read | Reads an Encryption Scope. | +> | Microsoft.CognitiveServices/accounts/encryptionScopes/write | Writes an Encryption Scope. | +> | Microsoft.CognitiveServices/accounts/encryptionScopes/delete | Deletes an Encryption Scope. | +> | Microsoft.CognitiveServices/accounts/models/read | Reads available models. | +> | Microsoft.CognitiveServices/accounts/networkSecurityPerimeterAssociationProxies/read | Reads a network security perimeter association. | +> | Microsoft.CognitiveServices/accounts/networkSecurityPerimeterAssociationProxies/write | Writes a network security perimeter association. | +> | Microsoft.CognitiveServices/accounts/networkSecurityPerimeterAssociationProxies/delete | Deletes a network security perimeter association. 
| +> | Microsoft.CognitiveServices/accounts/networkSecurityPerimeterConfigurations/read | Read effective Network Security Perimeters configuration | +> | Microsoft.CognitiveServices/accounts/networkSecurityPerimeterConfigurations/reconcile/action | Reconcile effective Network Security Perimeters configuration | +> | Microsoft.CognitiveServices/accounts/privateEndpointConnectionProxies/read | Reads private endpoint connection proxies (internal use only). | +> | Microsoft.CognitiveServices/accounts/privateEndpointConnectionProxies/write | Writes private endpoint connection proxies (internal use only). | +> | Microsoft.CognitiveServices/accounts/privateEndpointConnectionProxies/delete | Deletes a private endpoint connections. | +> | Microsoft.CognitiveServices/accounts/privateEndpointConnectionProxies/validate/action | Validates private endpoint connection proxies (internal use only). | +> | Microsoft.CognitiveServices/accounts/privateEndpointConnections/read | Reads private endpoint connections. | +> | Microsoft.CognitiveServices/accounts/privateEndpointConnections/write | Writes a private endpoint connections. | +> | Microsoft.CognitiveServices/accounts/privateEndpointConnections/delete | Deletes a private endpoint connections. | +> | Microsoft.CognitiveServices/accounts/privateLinkResources/read | Reads private link resources for an account. | +> | Microsoft.CognitiveServices/accounts/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource. | +> | Microsoft.CognitiveServices/accounts/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource. | +> | Microsoft.CognitiveServices/accounts/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for Cognitive Services account | +> | Microsoft.CognitiveServices/accounts/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Cognitive Services. 
| +> | Microsoft.CognitiveServices/accounts/raiBlocklists/read | Reads available blocklists under a resource. | +> | Microsoft.CognitiveServices/accounts/raiBlocklists/write | Modifies available blocklists under a resource. | +> | Microsoft.CognitiveServices/accounts/raiBlocklists/delete | Deletes blocklists under a resource | +> | Microsoft.CognitiveServices/accounts/raiBlocklists/raiBlocklistItems/read | Gets blocklist items under a blocklist. | +> | Microsoft.CognitiveServices/accounts/raiBlocklists/raiBlocklistItems/write | Modifies blocklist items under a blocklist. | +> | Microsoft.CognitiveServices/accounts/raiBlocklists/raiBlocklistItems/delete | Deletes blocklist items under a blocklist. | +> | Microsoft.CognitiveServices/accounts/raiPolicies/read | Gets all applicable policies under the account including default policies. | +> | Microsoft.CognitiveServices/accounts/raiPolicies/write | Create or update a custom Responsible AI policy. | +> | Microsoft.CognitiveServices/accounts/raiPolicies/delete | Deletes a custom Responsible AI policy that's not referenced by an existing deployment. | +> | Microsoft.CognitiveServices/accounts/skus/read | Reads available SKUs for an existing resource. | +> | Microsoft.CognitiveServices/accounts/usages/read | Get the quota usage for an existing resource. | +> | Microsoft.CognitiveServices/attestationdefinitions/read | Reads all subscription level attestation definitions | +> | Microsoft.CognitiveServices/attestations/read | Reads Attestations | +> | Microsoft.CognitiveServices/attestations/write | Writes Attestation | +> | Microsoft.CognitiveServices/capacityReservations/read | Reads API accounts. | +> | Microsoft.CognitiveServices/capacityReservations/write | Writes API Accounts. | +> | Microsoft.CognitiveServices/capacityReservations/delete | Deletes API accounts | +> | Microsoft.CognitiveServices/deletedAccounts/read | List deleted accounts. 
| +> | Microsoft.CognitiveServices/locations/checkSkuAvailability/action | Reads available SKUs for a subscription. | +> | Microsoft.CognitiveServices/locations/deleteVirtualNetworkOrSubnets/action | Notification from Microsoft.Network of deleting VirtualNetworks or Subnets. | +> | Microsoft.CognitiveServices/locations/notifyNetworkSecurityPerimeterUpdatesAvailable/action | Notification from Microsoft.Network of NetworkSecurityPerimeter updates. | +> | Microsoft.CognitiveServices/locations/commitmentTiers/read | Reads available commitment tiers. | +> | Microsoft.CognitiveServices/locations/models/read | Reads available models. | +> | Microsoft.CognitiveServices/locations/networkSecurityPerimeterProxies/read | Reads a network security perimeter. | +> | Microsoft.CognitiveServices/locations/networkSecurityPerimeterProxies/write | Writes a network security perimeter. | +> | Microsoft.CognitiveServices/locations/networkSecurityPerimeterProxies/delete | Deletes a network security perimeter. | +> | Microsoft.CognitiveServices/locations/networkSecurityPerimeterProxies/profileProxies/read | Reads a network security perimeter profile. | +> | Microsoft.CognitiveServices/locations/networkSecurityPerimeterProxies/profileProxies/write | Writes a network security perimeter profile. | +> | Microsoft.CognitiveServices/locations/networkSecurityPerimeterProxies/profileProxies/delete | Deletes a network security perimeter profile. | +> | Microsoft.CognitiveServices/locations/networkSecurityPerimeterProxies/profileProxies/read | Reads a network security perimeter rule. | +> | Microsoft.CognitiveServices/locations/networkSecurityPerimeterProxies/profileProxies/write | Writes a network security perimeter rule. | +> | Microsoft.CognitiveServices/locations/networkSecurityPerimeterProxies/profileProxies/delete | Deletes a network security perimeter rule. | +> | Microsoft.CognitiveServices/locations/operationresults/read | Read the status of an asynchronous operation. 
| +> | Microsoft.CognitiveServices/locations/resourceGroups/deletedAccounts/read | Get deleted account. | +> | Microsoft.CognitiveServices/locations/resourceGroups/deletedAccounts/delete | Purge deleted account. | +> | Microsoft.CognitiveServices/locations/usages/read | Read all usages data | +> | Microsoft.CognitiveServices/Operations/read | List all available operations | +> | Microsoft.CognitiveServices/skus/read | Reads available SKUs for Cognitive Services. | +> | **DataAction** | **Description** | +> | Microsoft.CognitiveServices/accounts/AnomalyDetector/multivariate/models:detect-last/action | Submit multivariate anomaly detection task with the modelId of trained model and inference data, and the inference data should be put into request body in a JSON format. The request will complete synchronously and return the detection immediately in the response body. | +> | Microsoft.CognitiveServices/accounts/AnomalyDetector/multivariate/models:detect-batch/action | Submit multivariate anomaly detection task with the modelId of trained model and inference data, the input schema should be the same with the training request. The request will complete asynchronously and return a resultId to query the detection result.The request should be a source link to indicate an externally accessible Azure storage Uri, either pointed to an Azure blob storage folder, or pointed to a CSV file in Azure blob storage. | +> | Microsoft.CognitiveServices/accounts/AnomalyDetector/multivariate/models/action | Create and train a multivariate anomaly detection model.<br>The request must include a source parameter to indicate an externally accessible Azure blob storage URI.There are two types of data input: An URI pointed to an Azure blob storage folder which contains multiple CSV files, and each CSV file contains two columns, timestamp and variable.<br>Another type of input is an URI pointed to a CSV file in Azure blob storage, which contains all the variables and a timestamp column. 
| +> | Microsoft.CognitiveServices/accounts/AnomalyDetector/multivariate/detect-batch/read | For asynchronous inference, get multivariate anomaly detection result based on resultId returned by the BatchDetectAnomaly api. | +> | Microsoft.CognitiveServices/accounts/AnomalyDetector/multivariate/models/write | Create and train a multivariate anomaly detection model.<br>The request must include a source parameter to indicate an externally accessible Azure storage Uri (preferably a Shared Access Signature Uri).<br>All time-series used in generate the model must be zipped into one single file.<br>Each time-series will be in a single CSV file in which the first column is timestamp and the second column is value. | +> | Microsoft.CognitiveServices/accounts/AnomalyDetector/multivariate/models/delete | Delete an existing multivariate model according to the modelId | +> | Microsoft.CognitiveServices/accounts/AnomalyDetector/multivariate/models/detect/action | Submit detection multivariate anomaly task with the trained model of modelId, the input schema should be the same with the training request.<br>Thus request will be complete asynchronously and will return a resultId for querying the detection result.The request should be a source link to indicate an externally accessible Azure storage Uri (preferably a Shared Access Signature Uri).<br>All time-series used in generate the model must be zipped into one single file.<br>Each time-series will be as follows: the first column is timestamp and the second column is value.<br>Synchronized API for anomaly detection. | +> | Microsoft.CognitiveServices/accounts/AnomalyDetector/multivariate/models/read | Get detailed information of multivariate model, including the training status and variables used in the model. 
List models of a subscription | +> | Microsoft.CognitiveServices/accounts/AnomalyDetector/multivariate/models/export/action | Export multivariate anomaly detection model based on modelId | +> | Microsoft.CognitiveServices/accounts/AnomalyDetector/multivariate/results/read | Get multivariate anomaly detection result based on resultId returned by the DetectAnomalyAsync api | +> | Microsoft.CognitiveServices/accounts/AnomalyDetector/timeseries/changepoint/detect/action | This operation generates a model using an entire series, each point is detected with the same model.<br>With this method, points before and after a certain point are used to determine whether it is a trend change point.<br>The entire detection can detect all trend change points of the time series. | +> | Microsoft.CognitiveServices/accounts/AnomalyDetector/timeseries/entire/detect/action | This operation generates a model using an entire series, each point is detected with the same model.<br>With this method, points before and after a certain point are used to determine whether it is an anomaly.<br>The entire detection can give the user an overall status of the time series. | +> | Microsoft.CognitiveServices/accounts/AnomalyDetector/timeseries/last/detect/action | This operation generates a model using points before the latest one. With this method, only historical points are used to determine whether the target point is an anomaly. The latest point detecting matches the scenario of real-time monitoring of business metrics. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/AudioFiles/delete | Delete audio files. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/AudioFiles/read | Query ACC exported audio files. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/CustomLexicons/write | Edit custom lexicon lexemes. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/CustomLexicons/read | Query custom lexicon lexemes. 
| +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/ExportTasks/delete | Delete voice general tasks. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/ExportTasks/read | Query metadata of voice general tasks for specific module kind. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/ExportTasks/ApplyTuneTemplateTasks/read | Query ACC apply tune template tasks. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/ExportTasks/AudioGenerationTasks/SubmitAudioGenerationTask/action | Create audio audio task. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/ExportTasks/AudioGenerationTasks/read | Query ACC export audio tasks. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/ExportTasks/CharacterPredictionTasks/SubmitPredictSsmlTagsTask/action | Create predict ssml tag task. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/ExportTasks/CharacterPredictionTasks/read | Query ACC predict ssml content type tasks. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/ExportTasks/ImportResourceFilesTasks/read | Import resource files tasks. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/Metadata/IsCurrentSubscriptionInGroup/action | Check whether current subscription is in specific group kind. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/Metadata/BlobEntitiesEndpointWithSas/read | Query blob url with SAS of artifacts. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/Metadata/CustomvoiceGlobalSettings/read | Query customvoice global settings. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/Metadata/LanguageMetadatas/read | Query language metadata. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/Metadata/Reports/read | Generic query report API for endpoint billing history, model training hours history etc. 
| +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/Metadata/TuneMetadatas/read | Query tuning metadata. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/Metadata/Versions/read | Query API version. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/Metadata/Voices/read | Query ACC voices. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/Phoneme/validate/action | Validate phoneme. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/Phoneme/PronLearnFromAudio/action | PronLearnFromAudio. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/ResourceFolders/write | Edit folder metadata like name, tags. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/ResourceFolders/ResourceFiles/CopyOrMoveResourceFolderOrFiles/action | Copy or move folder or files. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/ResourceFolders/ResourceFiles/delete | Delete folder or files recursively, with optional to delete associated audio files. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/ResourceFolders/ResourceFiles/write | Edit file's metadata like name, description, tags etc. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/ResourceFolders/ResourceFiles/read | Query files metadata like recursive file count, associated audio file count, exporting audio ssml file count. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/Synthesis/SpeakMetadata/action | Query TTS synthesis metadata like F0, duration(used for intonation tuning). | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/Synthesis/SpeakMetadataForPronunciation/action | Query TTS synthesis metadata for pronunciation. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/Synthesis/Speak/action | TTS synthesis API for all ACC voices. 
| +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/Synthesis/PredictSsmlTagsRealtime/action | Realtime API for predict ssml tag. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/TuneSsml/ConfigureSsmlFileReferenceFiles/action | Add/update/delete item(s) of SSML reference file plugin. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/TuneSsml/ApplySequenceTuneOnFiles/action | Apply several ssml tag tune on one ssml file sequentially. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/TuneSsml/SequenceTune/action | Apply several ssml tag tune on one ssml sequentially. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/TuneSsml/MultiSequenceTune/action | Process several ssml tag sequence tune into one request. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/TuneSsml/MultiTune/action | Process several ssml tag tune into one request. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/TuneSsml/SplitSsmls/action | Split ssml with specified options. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/TuneSsml/Tune/action | Tune ssml tag on ssml. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/TuneTemplates/DetectTuneTemplate/action | Detect tune template. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/TuneTemplates/read | Query tune template. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/TuneTemplates/write | Create tune template. | +> | Microsoft.CognitiveServices/accounts/AudioContentCreation/TuneTemplates/delete | Delete tune template. | +> | Microsoft.CognitiveServices/accounts/Autosuggest/search/action | This operation provides suggestions for a given query or partial query. | +> | Microsoft.CognitiveServices/accounts/Billing/submitusage/action | submit usage with meter name and quantity specified in request body. 
| +> | Microsoft.CognitiveServices/accounts/Billing/createlicense/action | create and return a license for a subscription and list of license keys specified in request body. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/analyze/action | This operation extracts a rich set of visual features based on the image content. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/describe/action | This operation generates a description of an image in human readable language with complete sentences.<br> The description is based on a collection of content tags, which are also returned by the operation.<br>More than one description can be generated for each image.<br> Descriptions are ordered by their confidence score.<br>All descriptions are in English. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/generatethumbnail/action | This operation generates a thumbnail image with the user-specified width and height.<br> By default, the service analyzes the image, identifies the region of interest (ROI), and generates smart cropping coordinates based on the ROI.<br> Smart cropping helps when you specify an aspect ratio that differs from that of the input image | +> | Microsoft.CognitiveServices/accounts/ComputerVision/ocr/action | Optical Character Recognition (OCR) detects text in an image and extracts the recognized characters into a machine-usable character stream. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/recognizetext/action | Use this interface to get the result of a Recognize Text operation. When you use the Recognize Text interface, the response contains a field called "Operation-Location". The "Operation-Location" field contains the URL that you must use for your Get Recognize Text Operation Result operation. 
| +> | Microsoft.CognitiveServices/accounts/ComputerVision/tag/action | This operation generates a list of words, or tags, that are relevant to the content of the supplied image.<br>The Computer Vision API can return tags based on objects, living beings, scenery or actions found in images.<br>Unlike categories, tags are not organized according to a hierarchical classification system, but correspond to image content.<br>Tags may contain hints to avoid ambiguity or provide context, for example the tag "cello" may be accompanied by the hint "musical instrument".<br>All tags are in English. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/areaofinterest/action | This operation returns a bounding box around the most important area of the image. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/detect/action | This operation Performs object detection on the specified image. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/imageanalysis:analyze/action | Analyze the input image. The request either contains image stream with any content type ['image/*', 'application/octet-stream'], or a JSON payload which includes an url property to be used to retrieve the image stream. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/imageanalysis:segment/action | Analyze the input image.<br>The request either contains an image stream with any content type ['image/*', 'application/octet-stream'], or a JSON payload which includes a url property to be used to retrieve the image stream.<br>An image stream of content type 'image/png' is returned, where the pixel values depend on the analysis mode.<br>The returned image has the same dimensions as the input image for modes: foregroundMatting.<br>The returned image has the same aspect ratio and same dimensions as the input image up to a limit of 16 megapixels for modes: backgroundRemoval. 
| +> | Microsoft.CognitiveServices/accounts/ComputerVision/imagecomposition:rectify/action | Run the image rectification operation against an image with 4 control points provided in the parameter. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/imagecomposition:stitch/action | Run the image stitching operation against a sequence of images. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/models:cancel/action | Cancel model training. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/planogramcompliance:match/action | Run the planogram matching operation against a planogram and a product understanding result. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/retrieval:vectorizeimage/action | Return vector from an image. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/retrieval:vectorizetext/action | Return vector from a text. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/grounding/action | Perform grounding on the input image with the generated text. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/batch/write | This internal operation creates a new batch with the specified name. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/batch/read | This internal operation returns the list of batches. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/batch/analyzestatus/read | This internal operation returns the status of the specified batch. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/batch/status/read | This internal operation returns the status of the specified batch. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/datasets/read | Get information about a specific dataset. Get a list of datasets that have been registered. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/datasets/write | Register a new dataset. Update the properties of an existing dataset. 
| +> | Microsoft.CognitiveServices/accounts/ComputerVision/datasets/delete | Unregister a dataset. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/deployments/write | Deploy an operation to be run on the target device. Update the properties of an existing deployment. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/deployments/delete | Delete a deployment, removing the operation from the target device. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/deployments/read | Get information about a specific deployment. Get a list of deployments that have been created. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/face/correction/images/delete | Face User Correction - Delete Batch Images | +> | Microsoft.CognitiveServices/accounts/ComputerVision/face/correction/users/delete | Face User Correction - Delete User | +> | Microsoft.CognitiveServices/accounts/ComputerVision/face/correction/users/groups/merge/action | Face User Correction - Merge Groups | +> | Microsoft.CognitiveServices/accounts/ComputerVision/face/correction/users/groups/faces/write | Face User Correction - Add Faces to Group | +> | Microsoft.CognitiveServices/accounts/ComputerVision/face/correction/users/groups/faces/delete | Face User Correction - Remove Faces from Group | +> | Microsoft.CognitiveServices/accounts/ComputerVision/face/correction/users/images/delete | Face User Correction - Delete Images | +> | Microsoft.CognitiveServices/accounts/ComputerVision/face/correction/users/operations/read | Face User Correction - Get Operation State | +> | Microsoft.CognitiveServices/accounts/ComputerVision/face/users/uncertainfaces/action | Face Grouping - Get Uncertain Faces | +> | Microsoft.CognitiveServices/accounts/ComputerVision/face/users/resetgroups/action | Face Grouping - Reset Groups | +> | Microsoft.CognitiveServices/accounts/ComputerVision/face/users/groupondemand/action | Face Grouping - Group on Demand | +> | 
Microsoft.CognitiveServices/accounts/ComputerVision/face/users/retrievegroups/action | Face Grouping - Retrieve Groups | +> | Microsoft.CognitiveServices/accounts/ComputerVision/models/read | This operation returns the list of domain-specific models that are supported by the Computer Vision API. Currently, the API supports following domain-specific models: celebrity recognizer, landmark recognizer. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/models/analyze/action | This operation recognizes content within an image by applying a domain-specific model.<br> The list of domain-specific models that are supported by the Computer Vision API can be retrieved using the /models GET request.<br> Currently, the API provides following domain-specific models: celebrities, landmarks. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/models/:cancel/action | Cancel model training. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/models/delete | Delete a custom model. A model can be deleted if it is in one of the 'Succeeded', 'Failed', or 'Canceled' states. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/models/write | Start training a custom model. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/models/evaluations/write | Evaluate an existing model. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/models/evaluations/delete | Delete a model evaluation. A model evaluation can be deleted if it is in the 'Succeeded' or 'Failed' states. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/models/evaluations/read | Get information about a specific model evaluation. Get a list of the available evaluations for a model.* | +> | Microsoft.CognitiveServices/accounts/ComputerVision/operations/imageanalysis:analyze/action | Analyze the input image of incoming request without deployment. 
The request either contains image stream | +> | Microsoft.CognitiveServices/accounts/ComputerVision/operations/read | Get information about a specific operation. Get a list of the available operations. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/operations/contentgeneration-backgrounds:generate/action | Generates a background from a specified query, style, and size. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/productrecognition/runs/write | Run the product recognition against a model with an image. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/productrecognition/runs/delete | Delete a product recognition run. A product recognition run can be deleted if it is in the 'Succeeded' or 'Failed' states. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/productrecognition/runs/read | Get information about a specific product recognition run. List all product recognition run of a model.* | +> | Microsoft.CognitiveServices/accounts/ComputerVision/read/analyze/action | Use this interface to perform a Read operation, employing the state-of-the-art Optical Character Recognition (OCR) algorithms optimized for text-heavy documents.<br>It can handle hand-written, printed or mixed documents.<br>When you use the Read interface, the response contains a header called 'Operation-Location'.<br>The 'Operation-Location' header contains the URL that you must use for your Get Read Result operation to access OCR results.** | +> | Microsoft.CognitiveServices/accounts/ComputerVision/read/analyzeresults/read | Use this interface to retrieve the status and OCR result of a Read operation. 
The URL containing the 'operationId' is returned in the Read operation 'Operation-Location' response header.* | +> | Microsoft.CognitiveServices/accounts/ComputerVision/read/core/asyncbatchanalyze/action | Use this interface to get the result of a Batch Read File operation, employing the state-of-the-art Optical Character | +> | Microsoft.CognitiveServices/accounts/ComputerVision/read/operations/read | This interface is used for getting OCR results of Read operation. The URL to this interface should be retrieved from <b>"Operation-Location"</b> field returned from Batch Read File interface. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/retrieval/index-statis/action | Get index statistics inforamtion for the given users. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/retrieval/suggest/action | Get search suggestions for the user, given the query text that the user has entered so far. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/retrieval/search/action | Perform a search using the specified search query and parameters. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/retrieval/indexes:query/action | Search indexes using the specified search query and parameters. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/retrieval/indexes:querybyimage/action | Performs a image-based search on the specified index. The request accepts either image Url or base64 encoded image string. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/retrieval/indexes:querybytext/action | Performs a text-based search on the specified index. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/retrieval/indexes:sample/action | Performs a sampling technique on the doucment within an index. The request contains index name and document id . | +> | Microsoft.CognitiveServices/accounts/ComputerVision/retrieval/documents/read | Get a list of all documents. 
| +> | Microsoft.CognitiveServices/accounts/ComputerVision/retrieval/facegroups/read | Get the list of available face groups for a user. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/retrieval/facegroups/write | Update the properties of a face group. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/retrieval/indexes/delete | Deletes an index and all its associated ingestion documents. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/retrieval/indexes/write | This method creates an index, which can then be used to ingest documents. Updates an index with the specified name.* | +> | Microsoft.CognitiveServices/accounts/ComputerVision/retrieval/indexes/read | Retrieves the index with the specified name. Retrieves a list of all indexes across all ingestions.* | +> | Microsoft.CognitiveServices/accounts/ComputerVision/retrieval/indexes/documents/write | Create a document in an index. If the index doesn't exist, then it will be created automatically. Update a document.* | +> | Microsoft.CognitiveServices/accounts/ComputerVision/retrieval/indexes/documents/delete | Delete a document. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/retrieval/indexes/documents/read | Get a list of documents within an index. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/retrieval/indexes/ingestions/write | Ingestion request can have either video or image payload at once, but not both. | +> | Microsoft.CognitiveServices/accounts/ComputerVision/retrieval/indexes/ingestions/read | Gets the ingestion status for the specified index and ingestion name. Retrieves all ingestions for the specific index.* | +> | Microsoft.CognitiveServices/accounts/ComputerVision/textoperations/read | This interface is used for getting recognize text operation result. The URL to this interface should be retrieved from <b>"Operation-Location"</b> field returned from Recognize Text interface. 
| +> | Microsoft.CognitiveServices/accounts/ContentModerator/imagelists/action | Create image list. | +> | Microsoft.CognitiveServices/accounts/ContentModerator/termlists/action | Create term list. | +> | Microsoft.CognitiveServices/accounts/ContentModerator/image:analyze/action | A sync API for harmful content analysis for image | +> | Microsoft.CognitiveServices/accounts/ContentModerator/image:batchanalyze/action | An API to trigger harmful content analysis for image batch | +> | Microsoft.CognitiveServices/accounts/ContentModerator/text:analyze/action | A sync API for harmful content analysis for text | +> | Microsoft.CognitiveServices/accounts/ContentModerator/text:batchanalyze/action | An API for triggering harmful content analysis of text batch | +> | Microsoft.CognitiveServices/accounts/ContentModerator/image/analyzeresults/read | An API to get harmful content analysis results for image batch | +> | Microsoft.CognitiveServices/accounts/ContentModerator/imagelists/read | Image Lists - Get Details - Image Lists - Get All | +> | Microsoft.CognitiveServices/accounts/ContentModerator/imagelists/delete | Image Lists - Delete | +> | Microsoft.CognitiveServices/accounts/ContentModerator/imagelists/refreshindex/action | Image Lists - Refresh Search Index | +> | Microsoft.CognitiveServices/accounts/ContentModerator/imagelists/write | Image Lists - Update Details | +> | Microsoft.CognitiveServices/accounts/ContentModerator/imagelists/images/write | Add an Image to your image list. The image list can be used to do fuzzy matching against other images when using Image/Match API. | +> | Microsoft.CognitiveServices/accounts/ContentModerator/imagelists/images/delete | Delete an Image from your image list. The image list can be used to do fuzzy matching against other images when using Image/Match API. Delete all images from your list. 
The image list can be used to do fuzzy matching against other images when using Image/Match API.* | +> | Microsoft.CognitiveServices/accounts/ContentModerator/imagelists/images/read | Image - Get all Image Ids | +> | Microsoft.CognitiveServices/accounts/ContentModerator/processimage/evaluate/action | Returns probabilities of the image containing racy or adult content. | +> | Microsoft.CognitiveServices/accounts/ContentModerator/processimage/findfaces/action | Find faces in images. | +> | Microsoft.CognitiveServices/accounts/ContentModerator/processimage/match/action | Fuzzily match an image against one of your custom Image Lists. You can create and manage your custom image lists using this API. | +> | Microsoft.CognitiveServices/accounts/ContentModerator/processimage/ocr/action | Returns any text found in the image for the language specified. If no language is specified in input then the detection defaults to English. | +> | Microsoft.CognitiveServices/accounts/ContentModerator/processtext/detectlanguage/action | This operation will detect the language of given input content. Returns the ISO 639-3 code for the predominant language comprising the submitted text. Over 110 languages supported. | +> | Microsoft.CognitiveServices/accounts/ContentModerator/processtext/screen/action | The operation detects profanity in more than 100 languages and match against custom and shared blocklists. | +> | Microsoft.CognitiveServices/accounts/ContentModerator/teams/jobs/action | A job Id will be returned for the Image content posted on this endpoint. | +> | Microsoft.CognitiveServices/accounts/ContentModerator/teams/reviews/action | The reviews created would show up for Reviewers on your team. As Reviewers complete reviewing, results of the Review would be POSTED (i.e. HTTP POST) on the specified CallBackEndpoint. | +> | Microsoft.CognitiveServices/accounts/ContentModerator/teams/jobs/read | Get the Job Details for a Job Id. 
| +> | Microsoft.CognitiveServices/accounts/ContentModerator/teams/reviews/read | Returns review details for the review Id passed. | +> | Microsoft.CognitiveServices/accounts/ContentModerator/teams/reviews/publish/action | Video reviews are initially created in an unpublished state - which means it is not available for reviewers on your team to review yet. | +> | Microsoft.CognitiveServices/accounts/ContentModerator/teams/reviews/transcript/action | This API adds a transcript file (text version of all the words spoken in a video) to a video review. The file should be a valid WebVTT format. | +> | Microsoft.CognitiveServices/accounts/ContentModerator/teams/reviews/transcriptmoderationresult/action | This API adds a transcript screen text result file for a video review. Transcript screen text result file is a result of Screen Text API . In order to generate transcript screen text result file , a transcript file has to be screened for profanity using Screen Text API. | +> | Microsoft.CognitiveServices/accounts/ContentModerator/teams/reviews/accesskey/read | Get the review content access key for your team. | +> | Microsoft.CognitiveServices/accounts/ContentModerator/teams/reviews/frames/write | Use this method to add frames for a video review. | +> | Microsoft.CognitiveServices/accounts/ContentModerator/teams/reviews/frames/read | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/ContentModerator/teams/settings/templates/write | Creates or updates the specified template | +> | Microsoft.CognitiveServices/accounts/ContentModerator/teams/settings/templates/delete | Delete a template in your team | +> | Microsoft.CognitiveServices/accounts/ContentModerator/teams/settings/templates/read | Returns an array of review templates provisioned on this team. | +> | Microsoft.CognitiveServices/accounts/ContentModerator/teams/workflows/write | Create a new workflow or update an existing one. 
| +> | Microsoft.CognitiveServices/accounts/ContentModerator/teams/workflows/read | Get the details of a specific Workflow on your Team Get all the Workflows available for you Team* | +> | Microsoft.CognitiveServices/accounts/ContentModerator/termlists/bulkupdate/action | Term Lists - Bulk Update | +> | Microsoft.CognitiveServices/accounts/ContentModerator/termlists/delete | Term Lists - Delete | +> | Microsoft.CognitiveServices/accounts/ContentModerator/termlists/read | Term Lists - Get All - Term Lists - Get Details | +> | Microsoft.CognitiveServices/accounts/ContentModerator/termlists/refreshindex/action | Term Lists - Refresh Search Index | +> | Microsoft.CognitiveServices/accounts/ContentModerator/termlists/write | Term Lists - Update Details | +> | Microsoft.CognitiveServices/accounts/ContentModerator/termlists/terms/write | Term - Add Term | +> | Microsoft.CognitiveServices/accounts/ContentModerator/termlists/terms/delete | Term - Delete - Term - Delete All Terms | +> | Microsoft.CognitiveServices/accounts/ContentModerator/termlists/terms/read | Term - Get All Terms | +> | Microsoft.CognitiveServices/accounts/ContentModerator/text/detect/action | A sync API for harmful content detection | +> | Microsoft.CognitiveServices/accounts/ContentModerator/text/analyzeresults/read | An API to get harmful content analysis results for text batch | +> | Microsoft.CognitiveServices/accounts/ContentModerator/text/lists/write | Updates an Text List by listId, , if listId not exists, create a new Text List | +> | Microsoft.CognitiveServices/accounts/ContentModerator/text/lists/delete | Deletes Text List with the list Id equal to list Id passed. 
| +> | Microsoft.CognitiveServices/accounts/ContentModerator/text/lists/read | Get All Text Lists Returns text list details of the Text List with list Id equal to list Id passed.* | +> | Microsoft.CognitiveServices/accounts/ContentModerator/text/lists/items/write | Create Item In Text List | +> | Microsoft.CognitiveServices/accounts/ContentModerator/text/lists/items/delete | Delete Item By itemId and listId | +> | Microsoft.CognitiveServices/accounts/ContentModerator/text/lists/items/read | Get All Items By listId Get Item By itemId and listId* | +> | Microsoft.CognitiveServices/accounts/ContentSafety/image:analyze/action | A sync API for harmful content analysis for image. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/text:analyze/action | A sync API for harmful content analysis for text. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/imagewithtext:analyze/action | A sync API for harmful content analysis for image with text | +> | Microsoft.CognitiveServices/accounts/ContentSafety/text:detectprotectedmaterial/action | A synchronous API for the analysis of protected material. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/text:detectjailbreak/action | A synchronous API for the analysis of text jailbreak. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/text:adaptiveannotate/action | A remote procedure call (RPC) operation. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/text:detectungroundedness/action | A synchronous API for the analysis of language model outputs to determine if they align with the information provided by the user or contain fictional content. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/blocklisthitcalls/read | Show blocklist hit request count at different timestamps. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/blocklisttopterms/read | List top terms hit in blocklist at different timestamps. 
| +> | Microsoft.CognitiveServices/accounts/ContentSafety/categories/severities/requestcounts/read | List API request count number of a specific category and a specific severity given a time range. Default maxpagesize is 1000. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/image/incidents/read | Get or List Image Incidents | +> | Microsoft.CognitiveServices/accounts/ContentSafety/image/incidents/write | Updates a image incident. If the image incident does not exist, a new image incident will be created. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/image/incidents/delete | Deletes a image incident. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/image/incidents/incidentsamples/read | Get incidentSamples By incidentName from a image incident. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/metrics/blocklistHitCalls/read | Show blocklist hit request count at different timestamps. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/metrics/blocklistTopTerms/read | List top terms hit in blocklist at different timestamps. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/metrics/categories/requestCounts/read | List API request count at different timestamps of a specific category given a time range. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/metrics/rejectCounts/read | List API reject counts at different timestamps given a time range. Default maxpagesize is 1000. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/metrics/requestCounts/read | List API request counts at different timestamps given a time range. Default maxpagesize is 1000. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/metrics/requestLatencies/read | List API request latencies at different timestamps given a time range. Default maxpagesize is 1000. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/requestcounts/read | List API request counts at different timestamps given a time range. 
Default maxpagesize is 1000. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/requestlatencies/read | List API request latencies at different timestamps given a time range. Default maxpagesize is 1000. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/text/blocklists/read | Get or List Text Blocklist | +> | Microsoft.CognitiveServices/accounts/ContentSafety/text/blocklists/write | Updates a text blocklist, if blocklistName does not exist, create a new blocklist. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/text/blocklists/delete | Deletes a text blocklist. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/text/blocklists/blockitems/read | Get blockItem By blockItemId from a text blocklist. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/text/categories/read | Get or List Text Categories | +> | Microsoft.CognitiveServices/accounts/ContentSafety/text/categories/write | Create or replace operation template. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/text/categories/delete | Resource delete operation template. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/text/incidents/read | Get or List Text Incidents | +> | Microsoft.CognitiveServices/accounts/ContentSafety/text/incidents/write | Updates a text incident. If the text incident does not exist, a new text incident will be created. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/text/incidents/delete | Deletes a text incident. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/text/incidents/incidentsamples/read | Get incidentSamples By incidentName from a text incident. | +> | Microsoft.CognitiveServices/accounts/ContentSafety/whitelist/features/read | Get allowlist features. | +> | Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/write | Creates a new project or replaces metadata of an existing project. 
| +> | Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/delete | Deletes a project. | +> | Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/export/action | Triggers a job to export project data in JSON format. | +> | Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/read | Returns a project. Returns the list of existing projects.* | +> | Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/import/action | Triggers a job to import a new project in JSON format. If a project with the same name already exists, the data of that project is replaced. | +> | Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/train/action | Trigger training job. | +> | Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/deployments/write | Trigger job to create new deployment or replace an existing deployment. | +> | Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/deployments/jobs/read | Gets a deployment job status and result details. | +> | Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/evaluation/read | Get the evaluation result of a certain training model name. | +> | Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/export/jobs/read | Get export job status details. | +> | Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/export/jobs/result/read | Get export job result details. | +> | Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/import/jobs/read | Get import or replace project job status and result details. | +> | Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/languages/read | Get List of Supported Cultures for conversational projects. 
| +> | Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/models/delete | Deletes a trained model. | +> | Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/models/read | Gets a specific trained model of a project. Gets the trained models of a project.* | +> | Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/train/jobs/read | Get training jobs result details for a project. Get training job status and result details.* | +> | Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/validation/read | Get the validation result of a certain training model name. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/action | Create a project. | +> | Microsoft.CognitiveServices/accounts/CustomVision/user/action | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/CustomVision/quota/action | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/action | Create a project. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/user/action | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/quota/action | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/classify/iterations/image/action | Classify an image and saves the result. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/classify/iterations/url/action | Classify an image url and saves the result. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/classify/iterations/image/nostore/action | Classify an image without saving the result. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/classify/iterations/url/nostore/action | Classify an image url without saving the result. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/detect/iterations/image/action | Detect objects in an image and saves the result. 
| +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/detect/iterations/url/action | Detect objects in an image url and saves the result. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/detect/iterations/image/nostore/action | Detect objects in an image without saving the result. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/detect/iterations/url/nostore/action | Detect objects in an image url without saving the result. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/domains/read | Get information about a specific domain. Get a list of the available domains.* | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/labelproposals/setting/action | Set pool size of Label Proposal. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/labelproposals/setting/read | Get pool size of Label Proposal for this project. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/project/migrate/action | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/images/action | This API accepts body content as multipart/form-data and application/octet-stream. When using multipart | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/tags/action | Create a tag for the project. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/delete | Delete a specific project. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/read | Get a specific project. Get your projects.* | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/train/action | Queues project for training. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/write | Update a specific project. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/import/action | Imports a project. 
| +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/export/read | Exports a project. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/images/regions/action | This API accepts a batch of image regions, and optionally tags, to update existing images with region information. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/images/files/action | This API accepts a batch of files, and optionally tags, to create images. There is a limit of 64 images and 20 tags. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/images/predictions/action | This API creates a batch of images from predicted images specified. There is a limit of 64 images and 20 tags. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/images/urls/action | This API accepts a batch of urls, and optionally tags, to create images. There is a limit of 64 images and 20 tags. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/images/tags/action | Associate a set of images with a set of tags. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/images/delete | Delete images from the set of training images. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/images/regionproposals/action | This API will get region proposals for an image along with confidences for the region. It returns an empty array if no proposals are found. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/images/suggested/action | This API will fetch untagged images filtered by suggested tags Ids. It returns an empty array if no images are found. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/images/id/read | This API will return a set of Images for the specified tags and optionally iteration. 
If no iteration is specified the | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/images/regions/delete | Delete a set of image regions. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/images/suggested/count/action | This API takes in tagIds to get count of untagged images per suggested tags for a given threshold. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/images/tagged/read | This API supports batching and range selection. By default it will only return first 50 images matching images. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/images/tagged/count/read | The filtering is on an and/or relationship. For example, if the provided tag ids are for the "Dog" and | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/images/tags/delete | Remove a set of tags from a set of images. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/images/untagged/read | This API supports batching and range selection. By default it will only return first 50 images matching images. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/images/untagged/count/read | This API returns the images which have no tags for a given project and optionally an iteration. If no iteration is specified the | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/iterations/delete | Delete a specific iteration of a project. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/iterations/export/action | Export a trained iteration. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/iterations/read | Get a specific iteration. Get iterations for the project.* | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/iterations/publish/action | Publish a specific iteration. 
| +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/iterations/write | Update a specific iteration. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/iterations/export/read | Get the list of exports for a specific iteration. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/iterations/performance/read | Get detailed performance information about an iteration. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/iterations/performance/images/read | This API supports batching and range selection. By default it will only return first 50 images matching images. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/iterations/performance/images/count/read | The filtering is on an and/or relationship. For example, if the provided tag ids are for the "Dog" and | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/iterations/publish/delete | Unpublish a specific iteration. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/predictions/delete | Delete a set of predicted images and their associated prediction results. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/predictions/query/action | Get images that were sent to your prediction endpoint. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/quicktest/image/action | Quick test an image. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/quicktest/url/action | Quick test an image url. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/tags/delete | Delete a tag from the project. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/tags/read | Get information about a specific tag. 
Get the tags for a given project and iteration.* | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/tags/write | Update a tag. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/tagsandregions/suggestions/action | This API will get suggested tags and regions for an array/batch of untagged images along with confidences for the tags. It returns an empty array if no tags are found. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/projects/train/advanced/action | Queues project for training with PipelineConfiguration and training type. | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/quota/delete | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/quota/refresh/write | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/usage/prediction/user/read | Get usage for prediction resource for Oxford user | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/usage/training/resource/tier/read | Get usage for training resource for Azure user | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/usage/training/user/read | Get usage for training resource for Oxford user | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/user/delete | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/user/state/write | Update user state | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/user/tier/write | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/users/read | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/whitelist/delete | Deletes an allowlisted user with specific capability | +> | Microsoft.CognitiveServices/accounts/CustomVision.Prediction/whitelist/read | Gets a list of allowlisted users with specific capability | +> | 
Microsoft.CognitiveServices/accounts/CustomVision.Prediction/whitelist/write | Updates or creates a user in the allowlist with specific capability | +> | Microsoft.CognitiveServices/accounts/CustomVision/classify/iterations/image/action | Classify an image and saves the result. | +> | Microsoft.CognitiveServices/accounts/CustomVision/classify/iterations/url/action | Classify an image url and saves the result. | +> | Microsoft.CognitiveServices/accounts/CustomVision/classify/iterations/image/nostore/action | Classify an image without saving the result. | +> | Microsoft.CognitiveServices/accounts/CustomVision/classify/iterations/url/nostore/action | Classify an image url without saving the result. | +> | Microsoft.CognitiveServices/accounts/CustomVision/detect/iterations/image/action | Detect objects in an image and saves the result. | +> | Microsoft.CognitiveServices/accounts/CustomVision/detect/iterations/url/action | Detect objects in an image url and saves the result. | +> | Microsoft.CognitiveServices/accounts/CustomVision/detect/iterations/image/nostore/action | Detect objects in an image without saving the result. | +> | Microsoft.CognitiveServices/accounts/CustomVision/detect/iterations/url/nostore/action | Detect objects in an image url without saving the result. | +> | Microsoft.CognitiveServices/accounts/CustomVision/domains/read | Get information about a specific domain. Get a list of the available domains.* | +> | Microsoft.CognitiveServices/accounts/CustomVision/labelproposals/setting/action | Set pool size of Label Proposal. | +> | Microsoft.CognitiveServices/accounts/CustomVision/labelproposals/setting/read | Get pool size of Label Proposal for this project. | +> | Microsoft.CognitiveServices/accounts/CustomVision/project/migrate/action | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/images/action | This API accepts body content as multipart/form-data and application/octet-stream. 
When using multipart | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/action | Create a tag for the project. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/delete | Delete a specific project. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/read | Get a specific project. Get your projects.* | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/train/action | Queues project for training. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/write | Update a specific project. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action | Imports a project. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/artifacts/read | Get artifact content from blob storage, based on artifact relative path in the blob. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | Exports a project. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/images/regions/action | This API accepts a batch of image regions, and optionally tags, to update existing images with region information. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/images/files/action | This API accepts a batch of files, and optionally tags, to create images. There is a limit of 64 images and 20 tags. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/images/predictions/action | This API creates a batch of images from predicted images specified. There is a limit of 64 images and 20 tags. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/images/urls/action | This API accepts a batch of urls, and optionally tags, to create images. There is a limit of 64 images and 20 tags. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/images/tags/action | Associate a set of images with a set of tags. 
| +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/images/delete | Delete images from the set of training images. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/images/regionproposals/action | This API will get region proposals for an image along with confidences for the region. It returns an empty array if no proposals are found. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/action | This API will fetch untagged images filtered by suggested tags Ids. It returns an empty array if no images are found. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/images/read | This API supports batching and range selection. By default it will only return first 50 images matching images. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/images/metadata/action | This API accepts a batch of image Ids, and metadata, to update images. There is a limit of 64 images. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/images/count/read | The filtering is on an and/or relationship. For example, if the provided tag ids are for the "Dog" and | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/images/id/read | This API will return a set of Images for the specified tags and optionally iteration. If no iteration is specified the | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/images/regions/delete | Delete a set of image regions. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/count/action | This API takes in tagIds to get count of untagged images per suggested tags for a given threshold. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/images/tagged/read | This API supports batching and range selection. By default it will only return first 50 images matching images. 
| +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/images/tagged/count/read | The filtering is on an and/or relationship. For example, if the provided tag ids are for the "Dog" and | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/images/tags/delete | Remove a set of tags from a set of images. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/images/untagged/read | This API supports batching and range selection. By default it will only return first 50 images matching images. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/images/untagged/count/read | This API returns the images which have no tags for a given project and optionally an iteration. If no iteration is specified the | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/delete | Delete a specific iteration of a project. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/action | Export a trained iteration. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/read | Get a specific iteration. Get iterations for the project.* | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/action | Publish a specific iteration. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/write | Update a specific iteration. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/read | Get the list of exports for a specific iteration. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/performance/read | Get detailed performance information about an iteration. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/performance/images/read | This API supports batching and range selection. By default it will only return first 50 images matching images. 
| +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/performance/images/count/read | The filtering is on an and/or relationship. For example, if the provided tag ids are for the "Dog" and | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/delete | Unpublish a specific iteration. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/delete | Delete a set of predicted images and their associated prediction results. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action | Get images that were sent to your prediction endpoint. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/image/action | Quick test an image. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/url/action | Quick test an image url. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/delete | Delete a tag from the project. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/read | Get information about a specific tag. Get the tags for a given project and iteration.* | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/write | Update a tag. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action | This API will get suggested tags and regions for an array/batch of untagged images along with confidences for the tags. It returns an empty array if no tags are found. | +> | Microsoft.CognitiveServices/accounts/CustomVision/projects/train/advanced/action | Queues project for training with PipelineConfiguration and training type. 
| +> | Microsoft.CognitiveServices/accounts/CustomVision/quota/delete | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/CustomVision/quota/refresh/write | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/CustomVision/usage/prediction/user/read | Get usage for prediction resource for Oxford user | +> | Microsoft.CognitiveServices/accounts/CustomVision/usage/training/resource/tier/read | Get usage for training resource for Azure user | +> | Microsoft.CognitiveServices/accounts/CustomVision/usage/training/user/read | Get usage for training resource for Oxford user | +> | Microsoft.CognitiveServices/accounts/CustomVision/user/delete | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/CustomVision/user/state/write | Update user state | +> | Microsoft.CognitiveServices/accounts/CustomVision/user/tier/write | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/CustomVision/users/read | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/CustomVision/whitelist/delete | Deletes an allowlisted user with specific capability | +> | Microsoft.CognitiveServices/accounts/CustomVision/whitelist/read | Gets a list of allowlisted users with specific capability | +> | Microsoft.CognitiveServices/accounts/CustomVision/whitelist/write | Updates or creates a user in the allowlist with specific capability | +> | Microsoft.CognitiveServices/accounts/CustomVoice/endpoints/action | Operations (disable/suspend/resume etc.) on an existing voice endpoint | +> | Microsoft.CognitiveServices/accounts/CustomVoice/models/action | Operations like model copy or model saveas. | +> | Microsoft.CognitiveServices/accounts/CustomVoice/evaluations/action | Creates a new evaluation. | +> | Microsoft.CognitiveServices/accounts/CustomVoice/datasets/write | Create or update a dataset. | +> | Microsoft.CognitiveServices/accounts/CustomVoice/datasets/delete | Deletes the voice dataset with the given id. 
| +> | Microsoft.CognitiveServices/accounts/CustomVoice/datasets/read | Gets one or more datasets. | +> | Microsoft.CognitiveServices/accounts/CustomVoice/datasets/blocks/read | Get one or more uploaded blocks | +> | Microsoft.CognitiveServices/accounts/CustomVoice/datasets/blocks/write | Create or update a dataset blocks | +> | Microsoft.CognitiveServices/accounts/CustomVoice/datasets/files/read | Gets the files of the dataset identified by the given ID. | +> | Microsoft.CognitiveServices/accounts/CustomVoice/datasets/utterances/read | Gets utterances of the specified training set. | +> | Microsoft.CognitiveServices/accounts/CustomVoice/discount/read | Get the discount for neural model training. | +> | Microsoft.CognitiveServices/accounts/CustomVoice/endpoints/write | Create or update an voice endpoint. | +> | Microsoft.CognitiveServices/accounts/CustomVoice/endpoints/delete | Delete the specified voice endpoint. | +> | Microsoft.CognitiveServices/accounts/CustomVoice/endpoints/read | Get one or more voice endpoints | +> | Microsoft.CognitiveServices/accounts/CustomVoice/endpoints/manifest/read | Returns an endpoint manifest which can be used in an on-premise container. | +> | Microsoft.CognitiveServices/accounts/CustomVoice/evaluations/delete | Deletes the specified evaluation. | +> | Microsoft.CognitiveServices/accounts/CustomVoice/evaluations/read | Gets details of one or more evaluations | +> | Microsoft.CognitiveServices/accounts/CustomVoice/features/read | Gets a list of allowed features. | +> | Microsoft.CognitiveServices/accounts/CustomVoice/histories/read | Generic query report API for endpoint billing history, model training hours history etc. | +> | Microsoft.CognitiveServices/accounts/CustomVoice/longaudiosynthesis/delete | Deletes the specified long audio synthesis task. | +> | Microsoft.CognitiveServices/accounts/CustomVoice/longaudiosynthesis/read | Gets one or more long audio syntheses. 
| +> | Microsoft.CognitiveServices/accounts/CustomVoice/longaudiosynthesis/write | Create or update a long audio synthesis. | +> | Microsoft.CognitiveServices/accounts/CustomVoice/models/write | Create or update a voice model. | +> | Microsoft.CognitiveServices/accounts/CustomVoice/models/delete | Deletes the voice model with the given id. | +> | Microsoft.CognitiveServices/accounts/CustomVoice/models/read | Gets one or more voice models. | +> | Microsoft.CognitiveServices/accounts/CustomVoice/operations/read | Gets status of a given operation. | +> | Microsoft.CognitiveServices/accounts/CustomVoice/projects/write | Create or update a project. | +> | Microsoft.CognitiveServices/accounts/CustomVoice/projects/delete | Deletes the project identified by the given ID. | +> | Microsoft.CognitiveServices/accounts/CustomVoice/projects/read | Gets one or more projects. | +> | Microsoft.CognitiveServices/accounts/CustomVoice/speakerauthorizations/delete | Deletes the specified speaker authorization. | +> | Microsoft.CognitiveServices/accounts/CustomVoice/speakerauthorizations/read | Get the list of speaker authorizations for specified project. | +> | Microsoft.CognitiveServices/accounts/CustomVoice/speakerauthorizations/write | Updates the mutable details of the voice speaker authorization identified by its ID. | +> | Microsoft.CognitiveServices/accounts/EntitySearch/search/action | Get entities and places results for a given query. | +> | Microsoft.CognitiveServices/accounts/Face/detect/action | Detect human faces in an image, return face rectangles, and optionally with faceIds, landmarks, and attributes. | +> | Microsoft.CognitiveServices/accounts/Face/findsimilars/action | Given query face's faceId, to search the similar-looking faces from a faceId array, a face list or a large face list. faceId | +> | Microsoft.CognitiveServices/accounts/Face/group/action | Divide candidate faces into groups based on face similarity. 
| +> | Microsoft.CognitiveServices/accounts/Face/identify/action | 1-to-many identification to find the closest matches of the specific query person face from a person group or large person group. | +> | Microsoft.CognitiveServices/accounts/Face/verify/action | Verify whether two faces belong to a same person or whether one face belongs to a person. | +> | Microsoft.CognitiveServices/accounts/Face/snapshots/action | Take a snapshot for an object. | +> | Microsoft.CognitiveServices/accounts/Face/persons/action | Creates a new person in a person directory. | +> | Microsoft.CognitiveServices/accounts/Face/compare/action | Compare two faces from source image and target image based on a their similarity. | +> | Microsoft.CognitiveServices/accounts/Face/detectliveness/multimodal/action | <p>Performs liveness detection on a target face in a sequence of infrared, color and/or depth images, and returns the liveness classification of the target face as either ‘real face’, ‘spoof face’, or ‘uncertain’ if a classification cannot be made with the given inputs.</p> | +> | Microsoft.CognitiveServices/accounts/Face/detectliveness/singlemodal/action | <p>Performs liveness detection on a target face in a sequence of images of the same modality (e.g. 
color or infrared), and returns the liveness classification of the target face as either ‘real face’, ‘spoof face’, or ‘uncertain’ if a classification cannot be made with the given inputs.</p> | +> | Microsoft.CognitiveServices/accounts/Face/detectLiveness/singleModal/sessions/action | <p>Creates a session for a client to perform liveness detection.</p> | +> | Microsoft.CognitiveServices/accounts/Face/detectLiveness/singleModal/sessions/delete | <p>Deletes a liveness detection session.</p> | +> | Microsoft.CognitiveServices/accounts/Face/detectLiveness/singleModal/sessions/read | <p>Reads the state of detectLiveness/singleModal session.</p> | +> | Microsoft.CognitiveServices/accounts/Face/detectLiveness/singleModal/sessions/audit/read | <p>List audit entries for detectLiveness/singleModal.</p> | +> | Microsoft.CognitiveServices/accounts/Face/detectlivenesswithverify/singlemodal/action | Detects liveness of a target face in a sequence of images of the same stream type (e.g. color) and then compares with VerifyImage to return confidence score for identity scenarios. 
| +> | Microsoft.CognitiveServices/accounts/Face/detectlivenessWithVerify/singleModal/sessions/action | <p>Creates a session for a client to perform liveness detection with verify.</p> | +> | Microsoft.CognitiveServices/accounts/Face/detectLivenessWithVerify/singleModal/sessions/delete | <p>Deletes a liveness detection with verify session.</p> | +> | Microsoft.CognitiveServices/accounts/Face/detectLivenessWithVerify/singleModal/sessions/read | <p>Reads the state of detectLivenessWithVerify/singleModal session.</p> | +> | Microsoft.CognitiveServices/accounts/Face/detectLivenessWithVerify/singleModal/sessions/audit/read | <p>List audit entries for detectLivenessWithVerify/singleModal.</p> | +> | Microsoft.CognitiveServices/accounts/Face/dynamicpersongroups/write | Creates a new dynamic person group with specified dynamicPersonGroupId, name, and user-provided userData.<br>Update an existing dynamic person group name, userData, add, or remove persons.<br>The properties keep unchanged if they are not in request body.* | +> | Microsoft.CognitiveServices/accounts/Face/dynamicpersongroups/delete | Deletes an existing dynamic person group with specified dynamicPersonGroupId. Deleting this dynamic person group only delete the references to persons data. To delete actual person see PersonDirectory Person - Delete. | +> | Microsoft.CognitiveServices/accounts/Face/dynamicpersongroups/read | Retrieve the information of a dynamic person group, including its name and userData. This API returns dynamic person group information List all existing dynamic person groups by dynamicPersonGroupId along with name and userData.* | +> | Microsoft.CognitiveServices/accounts/Face/dynamicpersongroups/persons/read | List all persons in the specified dynamic person group. | +> | Microsoft.CognitiveServices/accounts/Face/facelists/write | Create an empty face list with user-specified faceListId, name, an optional userData and recognitionModel. 
Up to 64 face lists are allowed Update information of a face list, including name and userData.* | +> | Microsoft.CognitiveServices/accounts/Face/facelists/delete | Delete a specified face list. | +> | Microsoft.CognitiveServices/accounts/Face/facelists/read | Retrieve a face list's faceListId, name, userData, recognitionModel and faces in the face list. List face lists' faceListId, name, userData and recognitionModel.* | +> | Microsoft.CognitiveServices/accounts/Face/facelists/persistedfaces/write | Add a face to a specified face list, up to 1,000 faces. | +> | Microsoft.CognitiveServices/accounts/Face/facelists/persistedfaces/delete | Delete a face from a face list by specified faceListId and persistedFaceId. | +> | Microsoft.CognitiveServices/accounts/Face/largefacelists/write | Create an empty large face list with user-specified largeFaceListId, name, an optional userData and recognitionModel. Update information of a large face list, including name and userData.* | +> | Microsoft.CognitiveServices/accounts/Face/largefacelists/delete | Delete a specified large face list. | +> | Microsoft.CognitiveServices/accounts/Face/largefacelists/read | Retrieve a large face list's largeFaceListId, name, userData and recognitionModel. List large face lists' information of largeFaceListId, name, userData and recognitionModel.* | +> | Microsoft.CognitiveServices/accounts/Face/largefacelists/train/action | Submit a large face list training task. Training is a crucial step that only a trained large face list can use. | +> | Microsoft.CognitiveServices/accounts/Face/largefacelists/persistedfaces/write | Add a face to a specified large face list, up to 1,000,000 faces. Update a specified face's userData field in a large face list by its persistedFaceId.* | +> | Microsoft.CognitiveServices/accounts/Face/largefacelists/persistedfaces/delete | Delete a face from a large face list by specified largeFaceListId and persistedFaceId. 
| +> | Microsoft.CognitiveServices/accounts/Face/largefacelists/persistedfaces/read | Retrieve persisted face in large face list by largeFaceListId and persistedFaceId. List faces' persistedFaceId and userData in a specified large face list.* | +> | Microsoft.CognitiveServices/accounts/Face/largefacelists/training/read | To check the large face list training status completed or still ongoing. LargeFaceList Training is an asynchronous operation | +> | Microsoft.CognitiveServices/accounts/Face/largepersongroups/write | Create a new large person group with user-specified largePersonGroupId, name, an optional userData and recognitionModel. Update an existing large person group's name and userData. The properties keep unchanged if they are not in request body.* | +> | Microsoft.CognitiveServices/accounts/Face/largepersongroups/delete | Delete an existing large person group with specified personGroupId. Persisted data in this large person group will be deleted. | +> | Microsoft.CognitiveServices/accounts/Face/largepersongroups/read | Retrieve the information of a large person group, including its name, userData and recognitionModel. This API returns large person group information List all existing large person groups's largePersonGroupId, name, userData and recognitionModel.* | +> | Microsoft.CognitiveServices/accounts/Face/largepersongroups/train/action | Submit a large person group training task. Training is a crucial step that only a trained large person group can use. | +> | Microsoft.CognitiveServices/accounts/Face/largepersongroups/persons/action | Create a new person in a specified large person group. To add face to this person, please call | +> | Microsoft.CognitiveServices/accounts/Face/largepersongroups/persons/delete | Delete an existing person from a large person group. The persistedFaceId, userData, person name and face feature(s) in the person entry will all be deleted. 
| +> | Microsoft.CognitiveServices/accounts/Face/largepersongroups/persons/read | Retrieve a person's name and userData, and the persisted faceIds representing the registered person face feature(s). List all persons' information in the specified large person group, including personId, name, userData and persistedFaceIds* | +> | Microsoft.CognitiveServices/accounts/Face/largepersongroups/persons/write | Update name or userData of a person. | +> | Microsoft.CognitiveServices/accounts/Face/largepersongroups/persons/persistedfaces/write | Add a face to a person into a large person group for face identification or verification. To deal with an image containing Update a person persisted face's userData field.* | +> | Microsoft.CognitiveServices/accounts/Face/largepersongroups/persons/persistedfaces/delete | Delete a face from a person in a large person group by specified largePersonGroupId, personId and persistedFaceId. | +> | Microsoft.CognitiveServices/accounts/Face/largepersongroups/persons/persistedfaces/read | Retrieve person face information. The persisted person face is specified by its largePersonGroupId, personId and persistedFaceId. | +> | Microsoft.CognitiveServices/accounts/Face/largepersongroups/training/read | To check large person group training status completed or still ongoing. LargePersonGroup Training is an asynchronous operation | +> | Microsoft.CognitiveServices/accounts/Face/operations/read | Get status of a snapshot operation. Get status of a long running operation.* | +> | Microsoft.CognitiveServices/accounts/Face/persongroups/write | Create a new person group with specified personGroupId, name, user-provided userData and recognitionModel. Update an existing person group's name and userData. The properties keep unchanged if they are not in request body.* | +> | Microsoft.CognitiveServices/accounts/Face/persongroups/delete | Delete an existing person group with specified personGroupId. Persisted data in this person group will be deleted. 
| +> | Microsoft.CognitiveServices/accounts/Face/persongroups/read | Retrieve person group name, userData and recognitionModel. To get person information under this personGroup, use List person groups's personGroupId, name, userData and recognitionModel.* | +> | Microsoft.CognitiveServices/accounts/Face/persongroups/train/action | Submit a person group training task. Training is a crucial step that only a trained person group can use. | +> | Microsoft.CognitiveServices/accounts/Face/persongroups/persons/action | Create a new person in a specified person group. To add face to this person, please call | +> | Microsoft.CognitiveServices/accounts/Face/persongroups/persons/delete | Delete an existing person from a person group. The persistedFaceId, userData, person name and face feature(s) in the person entry will all be deleted. | +> | Microsoft.CognitiveServices/accounts/Face/persongroups/persons/read | Retrieve a person's name and userData, and the persisted faceIds representing the registered person face feature(s). List all persons' information in the specified person group, including personId, name, userData and persistedFaceIds of registered* | +> | Microsoft.CognitiveServices/accounts/Face/persongroups/persons/write | Update name or userData of a person. | +> | Microsoft.CognitiveServices/accounts/Face/persongroups/persons/persistedfaces/write | Add a face to a person into a person group for face identification or verification. To deal with an image containing Update a person persisted face's userData field.* | +> | Microsoft.CognitiveServices/accounts/Face/persongroups/persons/persistedfaces/delete | Delete a face from a person in a person group by specified personGroupId, personId and persistedFaceId. | +> | Microsoft.CognitiveServices/accounts/Face/persongroups/persons/persistedfaces/read | Retrieve person face information. The persisted person face is specified by its personGroupId, personId and persistedFaceId. 
| +> | Microsoft.CognitiveServices/accounts/Face/persongroups/training/read | To check person group training status completed or still ongoing. PersonGroup Training is an asynchronous operation triggered | +> | Microsoft.CognitiveServices/accounts/Face/persons/delete | Delete an existing person from person directory. The persistedFaceId(s), userData, person name and face feature(s) in the person entry will all be deleted. Delete an existing person from person directory The persistedFaceId(s), userData, person name and face feature(s) in the person entry will all be deleted.* | +> | Microsoft.CognitiveServices/accounts/Face/persons/read | Retrieve a person's name and userData from person directory. List all persons' information in person directory, including personId, name, and userData.* Retrieve a person's name and userData from person directory.* List all persons' information in person directory, including personId, name, and userData.* | +> | Microsoft.CognitiveServices/accounts/Face/persons/write | Update name or userData of a person. Update name or userData of a person.* | +> | Microsoft.CognitiveServices/accounts/Face/persons/dynamicpersongroupreferences/read | List all dynamic person groups a person has been referenced by in person directory. | +> | Microsoft.CognitiveServices/accounts/Face/persons/recognitionmodels/persistedfaces/write | Add a face to a person (see PersonDirectory Person - Create) for face identification or verification.<br>To deal with an image containing Update a person persisted face's userData field.* Add a face to a person (see PersonDirectory Person - Create) for face identification or verification.<br>To deal with an image containing* Update a person persisted face's userData field.* | +> | Microsoft.CognitiveServices/accounts/Face/persons/recognitionmodels/persistedfaces/delete | Delete a face from a person in person directory by specified personId and persistedFaceId. 
Delete a face from a person in person directory by specified personId and persistedFaceId.* | +> | Microsoft.CognitiveServices/accounts/Face/persons/recognitionmodels/persistedfaces/read | Retrieve person face information.<br>The persisted person face is specified by its personId.<br>recognitionModel, and persistedFaceId.<br>Retrieve a person's persistedFaceIds representing the registered person face feature(s).<br>* Retrieve person face information.<br>The persisted person face is specified by its personId.<br>recognitionModel, and persistedFaceId.* Retrieve a person's persistedFaceIds representing the registered person face feature(s).<br>* | +> | Microsoft.CognitiveServices/accounts/Face/snapshots/apply/action | Apply a snapshot, providing a user-specified object id. | +> | Microsoft.CognitiveServices/accounts/Face/snapshots/delete | Delete a snapshot. | +> | Microsoft.CognitiveServices/accounts/Face/snapshots/read | Get information of a snapshot. List all of the user's accessible snapshots with information.* | +> | Microsoft.CognitiveServices/accounts/Face/snapshots/write | Update properties of a snapshot. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/documentmodels:analyze/action | Analyze document with prebuilt or custom models. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/read/action | Internal usage | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/documentmodels:build/action | Trains a custom document analysis model. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/documentmodels:compose/action | Creates a new model from document types of existing models. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/documentmodels:copyto/action | Copies model to the target resource, region, and modelId. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/documentmodels:authorizecopy/action | Generates authorization to copy a model to this location with specified modelId and optional description. 
| +> | Microsoft.CognitiveServices/accounts/FormRecognizer/analysis/analyze/document/action | Analyze Document. Support prebuilt models or custom trained model. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/analysis/batchanalyze/document/action | Batch Analyze Documents. Support prebuilt models or custom trained model. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/analysis/get/analyze/result/read | Gets the result of document analysis. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/analysis/get/batchanalyze/result/read | Gets the result of batch document analysis. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/classification/analyze/document/action | Classify document. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/classification/get/analyze/result/read | Gets the result of document classification. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/creation/build/action | Builds a custom document analysis model. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/creation/classify/action | Builds a custom document classifier. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/creation/compose/model/action | Creates a new model from document types of existing models. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/creation/copy/model/action | Copy a custom Form Recognizer model from one subscription to another.<br>Start the process by obtaining a `modelId` token from the target endpoint by using this API with `source=false` query string.<br>Then pass the `modelId` reference in the request body along with other target resource information. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/creation/generate/copyauthorization/action | Generate authorization payload to copy a model at the target Form Recognizer resource. 
| +> | Microsoft.CognitiveServices/accounts/FormRecognizer/custom/train/action | Create and train a custom model.<br>The train request must include a source parameter that is either an externally accessible Azure Storage blob container Uri (preferably a Shared Access Signature Uri) or valid path to a data folder in a locally mounted drive.<br>When local paths are specified, they must follow the Linux/Unix path format and be an absolute path rooted to the input mount configuration | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/custom/models/action | Create and train a custom model.<br>The request must include a source parameter that is either an externally accessible Azure storage blob container Uri (preferably a Shared Access Signature Uri) or valid path to a data folder in a locally mounted drive.<br>When local paths are specified, they must follow the Linux/Unix path format and be an absolute path rooted to the input mount configuration setting value e.g., if '{Mounts:Input}' configuration setting value is '/input' then a valid source path would be '/input/contosodataset'.<br>All data to be trained is expected to be under the source folder or sub folders under it.<br>Models are trained using documents that are of the following content type - 'application/pdf', 'image/jpeg', 'image/png', 'image/tiff'.<br>Other type of content is ignored. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/custom/models/analyze/action | Extract key-value pairs from a given document. The input document must be of one of the supported content types - 'application/pdf', 'image/jpeg' or 'image/png'. A success response is returned in JSON. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/custom/models/delete | Delete model artifacts. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/custom/models/read | Get information about a model. 
| +> | Microsoft.CognitiveServices/accounts/FormRecognizer/custom/models/copyauthorization/action | Generate authorization payload to copy a model at the target Form Recognizer resource. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/custom/models/copy/action | Copy a custom Form Recognizer model from one subscription to another.<br>Start the process by obtaining a `modelId` token from the target endpoint by using this API with `source=false` query string.<br>Then pass the `modelId` reference in the request body along with other target resource information. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/custom/models/analyze/action | Extract key-value pairs, tables, and semantic values from a given document.<br>The input document must be of one of the supported content types - 'application/pdf', 'image/jpeg', 'image/png' or 'image/tiff'.<br>Alternatively, use 'application/json' type to specify the Url location of the document to be analyzed. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/custom/models/copy/action | Copy a custom Form Recognizer model to a target Form Recognizer resource. Before invoking this operation, you must first obtain authorization to copy into | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/custom/models/delete | Mark model for deletion. Model artifacts will be permanently removed within 48 hours. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/custom/models/copyauthorization/action | Generate authorization payload for a model copy operation. This operation is called against a target Form Recognizer resource endpoint | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/custom/models/read | Get detailed information about a custom model. Get information about all custom models | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/custom/models/compose/action | Compose request would include list of models ids. 
It would validate what all models either trained with labels model or composed model. It would validate limit of models put together. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/custom/models/analyzeresults/read | Obtain current status and the result of the analyze form operation. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/custom/models/analyzeresults/read | Obtain current status and the result of the analyze form operation. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/custom/models/copyresults/read | Obtain current status and the result of the custom form model copy operation. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/custom/models/copyresults/read | Obtain current status and the result of the custom form model copy operation. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/custom/models/keys/read | Retrieve the keys for the model. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/documentmodels/delete | Mark model for deletion. Model artifacts will be permanently removed within 48 hours. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/documentmodels/read | Get detailed information about a custom model. Get information about all custom models* | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/documentmodels/analyzeresults/read | Get document analyze result from specified {modelId} and {resultId} | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/info/read | Return basic info about the current resource. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/layout/analyze/action | Extract text and layout information from a given document.<br>The input document must be of one of the supported content types - 'application/pdf', 'image/jpeg', 'image/png' or 'image/tiff'.<br>Alternatively, use 'application/json' type to specify the Url location of the document to be analyzed. 
| +> | Microsoft.CognitiveServices/accounts/FormRecognizer/layout/analyzeresults/read | Track the progress and obtain the result of the analyze layout operation | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/management/classifier/delete | Deletes document classifier. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/management/get/classifier/read | List all document classifiers. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/management/get/info/read | Return basic info about the current resource. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/management/get/model/read | Get information about a model. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/management/model/delete | Delete model artifacts. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/operation/get/operation/read | Gets operation. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/operation/list/operations/read | Lists operations. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/operations/read | Gets operation info. Lists all operations.* | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/prebuilt/businesscard/analyze/action | Extract field text and semantic values from a given business card document. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/prebuilt/businesscard/analyzeresults/read | Query the status and retrieve the result of an Analyze Business Card operation. The URL to this interface can be obtained from the 'Operation-Location' header in the Analyze Business Card response. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/prebuilt/iddocument/analyze/action | Extract field text and semantic values from a given Id document. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/prebuilt/iddocument/analyzeresults/read | Query the status and retrieve the result of an Analyze Id operation. 
The URL to this interface can be obtained from the 'Operation-Location' header in the Analyze Id response. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/prebuilt/invoice/analyze/action | Extract field text and semantic values from a given invoice document. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/prebuilt/invoice/analyzeresults/read | Query the status and retrieve the result of an Analyze Invoice operation. The URL to this interface can be obtained from the 'Operation-Location' header in the Analyze Invoice response. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/prebuilt/receipt/asyncbatchanalyze/action | Extract field text and semantic values from a given receipt document. The input document must be of one of the supported | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/prebuilt/receipt/analyzeresults/read | Query the status and retrieve the result of an Analyze Receipt operation. The URL to this interface can be obtained from the 'Operation-Location' header in the Analyze Receipt response. | +> | Microsoft.CognitiveServices/accounts/FormRecognizer/prebuilt/receipt/operations/read | Query the status and retrieve the result of an Analyze Receipt operation. The URL to this interface can be obtained from the 'Operation-Location' header in the Analyze Receipt response. | +> | Microsoft.CognitiveServices/accounts/ImageSearch/details/action | Returns insights about an image, such as webpages that include the image. | +> | Microsoft.CognitiveServices/accounts/ImageSearch/search/action | Get relevant images for a given query. | +> | Microsoft.CognitiveServices/accounts/ImageSearch/trending/action | Get currently trending images. 
| +> | Microsoft.CognitiveServices/accounts/ImmersiveReader/getcontentmodelforreader/action | Creates an Immersive Reader session | +> | Microsoft.CognitiveServices/accounts/Knowledge/entitymatch/action | Entity Match* | +> | Microsoft.CognitiveServices/accounts/Knowledge/entities:annotate/action | Search annotation* | +> | Microsoft.CognitiveServices/accounts/Knowledge/annotation/dataverse/action | Dataverse search annotation | +> | Microsoft.CognitiveServices/accounts/Knowledge/dbdata/answer/action | DBDataAnswer | +> | Microsoft.CognitiveServices/accounts/Knowledge/dbvalue/create/action | DBValueCreate* | +> | Microsoft.CognitiveServices/accounts/Knowledge/dbvalue/update/action | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/Knowledge/nl2sq/api/nl2sq/predict/action | NL2SQL Predict* | +> | Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/action | Answer Knowledgebase. | +> | Microsoft.CognitiveServices/accounts/Language/query-text/action | Answer Text. | +> | Microsoft.CognitiveServices/accounts/Language/query-dataverse/action | Query Dataverse. | +> | Microsoft.CognitiveServices/accounts/Language/generate-questionanswers/action | Submit a Generate question answers Job request. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/action | Analyzes the input conversation. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/action | Submit a collection of text documents for analysis. Specify a single unique task to be executed immediately. | +> | Microsoft.CognitiveServices/accounts/Language/:migratefromluis/action | Triggers a job to migrate one or more LUIS apps. | +> | Microsoft.CognitiveServices/accounts/Language/generate/action | Language generation. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversation/jobscancel/action | Cancel a long-running analysis job on conversation. 
| +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversation/jobs/action | Submit a long conversation for analysis. Specify one or more unique tasks to be executed as a long-running operation. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversation/jobs/read | Get the status of an analysis job. A job may consist of one or more tasks. Once all tasks are succeeded, the job will transition to the suceeded state and results will be available for each task. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/jobscancel/action | Cancel a long-running analysis job on conversation. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/jobs/action | Submit a long conversation for analysis. Specify one or more unique tasks to be executed as a long-running operation. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/internal/projects/run-gpt/action | Trigger GPT job. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/internal/projects/submit-gpt-prediction-decisions/action | Trigger job to submit decisions on accepting, rejecting, or modifying GPT predictions. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/internal/projects/export/jobs/result/read | Get export job result details. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/internal/projects/gpt-predictions/read | Get GPT predictions result. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/internal/projects/models/read | Get a trained model info. Get trained models info.* | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/internal/projects/models/modelguidance/read | Get trained model guidance. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/internal/projects/run-gpt/jobs/read | Get GPT prediction jobs. 
Get GPT predictions status and result details.* | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/internal/projects/submit-gpt-prediction-decisions/jobs/read | Get submit GPT prediction decisions job status and result details. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/jobs/read | Get the status of an analysis job. A job may consist of one or more tasks. Once all tasks are succeeded, the job will transition to the suceeded state and results will be available for each task. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/write | Creates a new or update a project. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/delete | Deletes a project. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/read | Gets a project info. Returns the list of projects.* | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/export/action | Triggers a job to export project data in JSON format. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/import/action | Triggers a job to import a project in JSON format. If a project with the same name already exists, the data of that project is replaced. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/train/action | Trigger training job. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/copy/action | Copies an existing project to another Azure resource. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/authorize-copy/action | Generates a copy project operation authorization to the current target Azure resource. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/copy/jobs/read | Gets the status of an existing copy project job. 
| +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/deletion/jobs/read | Get project deletion job status and result details. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/deployments/read | Get a deployment info. List all deployments.* | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/deployments/delete | Delete a deployment. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/deployments/write | Trigger a new deployment or replace an existing one. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/deployments/swap/action | Trigger job to swap two deployments. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/deployments/delete-from-resources/action | Deletes a project deployment from the specified assigned resources. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/deployments/delete-from-resources/jobs/read | Gets the status of an existing delete deployment from specific resources job. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/deployments/jobs/read | Get deployment job status and result details. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/deployments/swap/jobs/read | Gets a swap deployment job status and result details. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/export/jobs/read | Get export job status details. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/export/jobs/result/read | Get export job result details. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/global/deletion-jobs/read | Get project deletion job status and result details. 
| +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/global/deployments/resources/read | Lists the deployments to which an Azure resource is assigned. This doesn't return deployments belonging to projects owned by this resource. It only returns deployments belonging to projects owned by other resources. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/global/languages/read | Get List of Supported languages. Get List of Supported languages.* | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/global/prebuilt-entities/read | Get list of Supported prebuilts for conversational projects. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/global/prebuilts/read | Get list of Supported prebuilts for conversational projects. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/global/training-config-versions/read | List all training config versions. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/import/jobs/read | Get import or replace project job status and result details. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/languages/read | Get List of Supported languages. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/models/delete | Delete a trained model. Delete a trained model.* | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/models/read | Get a trained model info. List all trained models.* Get a trained model info.* | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/models/load-snapshot/action | Restores the snapshot of this trained model to be the current working directory of the project. 
| +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/models/evaluate/action | Triggers evaluation operation on a trained model. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/models/evaluate/jobs/read | Gets the status for an evaluation job. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/models/evaluation/read | Get trained model evaluation report. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/models/evaluation/result/read | Get trained model evaluation result. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/models/evaluation/summary-result/read | Get trained model evaluation summary. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/models/load-snapshot/jobs/read | Gets the status for loading a snapshot. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/models/verification/read | Get trained model verification report. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/prebuilts/read | Get list of Supported prebuilts for conversational projects. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/resources/assign/action | Assign new Azure resources to a project to allow deploying new deployments to them.<br>This API is available only via AAD authentication and not supported via subscription key authentication.<br>For more details about AAD authentication, check here: [Authenticate with Azure Active Directory](/azure/ai-services/authentication?tabs=powershell#authenticate-with-azure-active-directory) | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/resources/read | Lists the deployments resources assigned to the project. 
| +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/resources/unassign/action | Unassign resources from a project. This disallows deploying new deployments to these resources, and deletes existing deployments assigned to them. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/resources/assign/jobs/read | Gets the status of an existing assign deployment resources job. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/resources/unassign/jobs/read | Gets the status of an existing unassign deployment resources job. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/train/jobs/read | Get training jobs. Get training job status and result details.* | +> | Microsoft.CognitiveServices/accounts/Language/analyze-conversations/projects/train/jobs/cancel/action | Cancels a running training job. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/jobs/action | Submit a collection of text documents for analysis. Specify one or more unique tasks to be executed. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/jobscancel/action | Cancel a long-running Text Analysis job. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/internal/projects/autotag/action | Trigger auto tagging job. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/internal/projects/run-gpt/action | Trigger GPT job. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/internal/projects/submit-gpt-prediction-decisions/action | Trigger job to submit decisions on accepting, rejecting, or modifying GPT predictions. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/internal/projects/autotag/jobs/read | Get autotagging jobs. 
Get auto tagging job status and result details.* | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/internal/projects/export/jobs/result/read | Get export job result details. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/internal/projects/gpt-predictions/read | Get GPT predictions result. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/internal/projects/models/read | Get a trained model info. Get trained models info.* | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/internal/projects/models/modelguidance/read | Get trained model guidance. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/internal/projects/run-gpt/jobs/read | Get GPT prediction jobs. Get GPT predictions status and result details.* | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/internal/projects/submit-gpt-prediction-decisions/jobs/read | Get submit GPT prediction decisions job status and result details. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/jobs/read | Get the status of an analysis job. A job may consist of one or more tasks. Once all tasks are completed, the job will transition to the completed state and results will be available for each task. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/write | Creates a new or update a project. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/delete | Deletes a project. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/read | Gets a project info. Returns the list of projects.* | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/export/action | Triggers a job to export project data in JSON format. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/import/action | Triggers a job to import a project in JSON format. If a project with the same name already exists, the data of that project is replaced. 
| +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/train/action | Trigger training job. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/copy/action | Copies an existing project to another Azure resource. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/authorize-copy/action | Generates a copy project operation authorization to the current target Azure resource. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/copy/jobs/read | Gets the status of an existing copy project job. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/deletion/jobs/read | Get project deletion job status and result details. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/deployments/read | Get a deployment info. List all deployments.* | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/deployments/delete | Delete a deployment. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/deployments/write | Trigger a new deployment or replace an existing one. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/deployments/swap/action | Trigger job to swap two deployments. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/deployments/delete-from-resources/action | Deletes a project deployment from the specified assigned resources. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/deployments/delete-from-resources/jobs/read | Gets the status of an existing delete deployment from specific resources job. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/deployments/jobs/read | Get deployment job status and result details. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/deployments/swap/jobs/read | Gets a swap deployment job status and result details. 
| +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/export/jobs/read | Get export job status details. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/export/jobs/result/read | Get export job result details. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/exported-models/write | Creates a new exported model or replaces an existing one. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/exported-models/delete | Deletes an existing exported model. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/exported-models/read | Gets the details of an exported model. Lists the exported models belonging to a project.* | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/exported-models/jobs/read | Gets the status for an existing job to create or update an exported model. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/exported-models/manifest/read | Gets the details and URL needed to download the exported model. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/global/deletion-jobs/read | Get project deletion job status and result details. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/global/deployments/resources/read | Lists the deployments to which an Azure resource is assigned. This doesn't return deployments belonging to projects owned by this resource. It only returns deployments belonging to projects owned by other resources. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/global/languages/read | Get List of Supported languages. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/global/prebuilt-entities/read | Lists the supported prebuilt entities that can be used while creating composed entities. 
| +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/global/training-config-versions/read | List all training config versions. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/import/jobs/read | Get import or replace project job status and result details. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/languages/read | Get List of Supported languages. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/models/delete | Delete a trained model. Delete a trained model.* | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/models/read | Get a trained model info. List all trained models.* Get a trained model info.* | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/models/load-snapshot/action | Restores the snapshot of this trained model to be the current working directory of the project. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/models/evaluate/action | Triggers evaluation operation on a trained model. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/models/evaluate/jobs/read | Gets the status for an evaluation job. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/models/evaluation/read | Get trained model evaluation report. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/models/evaluation/result/read | Get trained model evaluation result. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/models/evaluation/summary-result/read | Get trained model evaluation summary. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/models/load-snapshot/jobs/read | Gets the status for loading a snapshot. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/models/verification/read | Get trained model verification report. 
| +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/resources/assign/action | Assign new Azure resources to a project to allow deploying new deployments to them.<br>This API is available only via AAD authentication and not supported via subscription key authentication.<br>For more details about AAD authentication, check here: [Authenticate with Azure Active Directory](/azure/ai-services/authentication?tabs=powershell#authenticate-with-azure-active-directory) | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/resources/read | Lists the deployments resources assigned to the project. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/resources/unassign/action | Unassign resources from a project. This disallows deploying new deployments to these resources, and deletes existing deployments assigned to them. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/resources/assign/jobs/read | Gets the status of an existing assign deployment resources job. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/resources/unassign/jobs/read | Gets the status of an existing unassign deployment resources job. | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/train/jobs/read | Get training jobs. Get training job status and result details.* | +> | Microsoft.CognitiveServices/accounts/Language/analyze-text/projects/train/jobs/cancel/action | Cancels a running training job. | +> | Microsoft.CognitiveServices/accounts/Language/generate-questionanswers/jobs/read | Get QA generation Job Status. | +> | Microsoft.CognitiveServices/accounts/Language/migratefromluis/jobs/read | Gets the status of a migration job of a batch of LUIS apps. | +> | Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/projects/read | List Projects. 
Get Project Details.* | +> | Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/projects/write | Create Project. | +> | Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/projects/delete | Delete Project. | +> | Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/projects/export/action | Export Project. | +> | Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/projects/import/action | Import Project. | +> | Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/projects/feedback/action | Train Active Learning. | +> | Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/projects/deletion-jobs/read | Get Import Job Status. | +> | Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/projects/deployments/read | Get Project Deployment. List Deployments.* | +> | Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/projects/deployments/write | Deploy Project. | +> | Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/projects/deployments/jobs/read | Get Deploy Job Status. | +> | Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/projects/export/jobs/read | Get Export Job Status. | +> | Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/projects/export/jobs/result/read | Get Export Job Status. | +> | Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/projects/import/jobs/read | Get Import Job Status. | +> | Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/projects/qnas/read | Get QnAs. | +> | Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/projects/qnas/write | Update QnAs. | +> | Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/projects/qnas/jobs/read | Get Update QnAs Job Status. | +> | Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/projects/sources/read | Get Sources. 
| +> | Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/projects/sources/write | Update QnAs. | +> | Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/projects/sources/jobs/read | Get Update Sources Job Status. | +> | Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/projects/synonyms/read | Get Synonyms. | +> | Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/projects/synonyms/write | Update Synonyms. | +> | Microsoft.CognitiveServices/accounts/LanguageAuthoring/projects/action | Creates a new project. | +> | Microsoft.CognitiveServices/accounts/LanguageAuthoring/projects/delete | Deletes a project. | +> | Microsoft.CognitiveServices/accounts/LanguageAuthoring/projects/read | Returns a project. Returns the list of projects.* | +> | Microsoft.CognitiveServices/accounts/LanguageAuthoring/projects/write | Updates the project info. | +> | Microsoft.CognitiveServices/accounts/LanguageAuthoring/projects/publish/action | Trigger publishing job. | +> | Microsoft.CognitiveServices/accounts/LanguageAuthoring/projects/train/action | Trigger training job. | +> | Microsoft.CognitiveServices/accounts/LanguageAuthoring/projects/cultures/read | Get List of Supported Cultures. | +> | Microsoft.CognitiveServices/accounts/LanguageAuthoring/projects/evaluation/read | Get the evaluation result of a certain training model name. | +> | Microsoft.CognitiveServices/accounts/LanguageAuthoring/projects/publish/jobs/read | Get publishing job status and result details. | +> | Microsoft.CognitiveServices/accounts/LanguageAuthoring/projects/train/jobs/read | Get training job status and result details. | +> | Microsoft.CognitiveServices/accounts/LanguageAuthoring/projects/trainedmodels/read | Get List of Trained Model Info. | +> | Microsoft.CognitiveServices/accounts/LanguageAuthoring/projects/validation/read | Get the validation result of a certain training model name. 
| +> | Microsoft.CognitiveServices/accounts/LUIS/unlabeled/action | Appends unlabeled data to the corresponding applications | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/write | Creates a new LUIS app. Updates the name or description of the application. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/azureaccounts/action | Assigns an Azure account to the application. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/delete | Deletes an application. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/read | Gets the application info. Lists all of the user applications. Returns the list of applications* | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/import/action | Imports an application to LUIS, the application's JSON should be included in the request body. Returns new app ID. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/publish/action | Publishes a specific version of the application. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/move/action | Moves the app to a different LUIS authoring Azure resource. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/subscriptions/action | Assigns the subscription information to the specified application. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/unlabeled/action | Uploads unlabeled data from csv file to the application | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/activeversion/write | Updates the currently active version of the specified app | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/assistants/read | **THIS API IS DEPRECATED.** | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/azureaccounts/read | Gets the LUIS Azure accounts assigned to the application for the user using his Azure Resource Manager token. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/azureaccounts/delete | Gets the LUIS Azure accounts for the user using his Azure Resource Manager token. 
| +> | Microsoft.CognitiveServices/accounts/LUIS/apps/cultures/read | Gets the supported LUIS application cultures. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/cultures/tokenizerversions/read | Gets the LUIS application culture and supported tokenizer versions for culture. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/customprebuiltdomains/write | Adds a prebuilt domain along with its models as a new application. Returns new app ID. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/customprebuiltdomains/read | Gets all the available custom prebuilt domains for a specific culture Gets all the available custom prebuilt domains for all cultures | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/domains/read | Gets the available application domains. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/endpoints/read | Returns the available endpoint deployment regions and urls | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/metadata/read | Get the application metadata | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/metadata/write | Updates the application metadata | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/permissions/write | Adds a user to the allowed list of users to access this LUIS application. Replaces the current users access list with the one sent in the body.* | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/permissions/read | Gets the list of user emails that have permissions to access your application. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/permissions/delete | Removed a user to the allowed list of users to access this LUIS application. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/publishsettings/read | Get the publish settings for the application. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/publishsettings/write | Updates the application publish settings. 
| +> | Microsoft.CognitiveServices/accounts/LUIS/apps/querylogs/read | Gets the query logs of the past month for the application. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/querylogsasync/read | Get the status of the download request for query logs. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/runtimepermissions/bot/action | Adds a bot runtime permission to the application | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/runtimepermissions/bot/delete | Deleted a bot runtime application permission | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/runtimepermissions/bot/read | Gets the bot runtime permissions for the application. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/settings/read | Get the application settings | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/settings/write | Updates the application settings | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/slots/evaluations/action | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/slots/evaluations/result/read | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/slots/evaluations/status/read | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/slots/predict/read | Gets the published predictions for the specified slot using the given query. The current maximum query size is 500 characters. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/stats/detailedendpointhitshistory/read | Gets the endpoint hits history for each day for a given timeframe with slot and region details. 
| +> | Microsoft.CognitiveServices/accounts/LUIS/apps/subscriptions/read | Return the information of the assigned subscriptions for the application | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/subscriptions/delete | Removes the subscription with the specified id from the assigned subscriptions for the application | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/testdatasets/delete | Deletes a given dataset from a given application. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/testdatasets/read | Gets the given batch test meta data. Returns a list of all the batch test datasets of a given application.* | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/testdatasets/write | Updates last test results of an exisiting batch test data set for a given application. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/testdatasets/download/read | Downloads the dataset with the given id. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/testdatasets/rename/write | Updates the name of an exisiting batch test data set for a given application. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/usagescenarios/read | Gets the application available usage scenarios. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/train/action | Sends a training request for a version of a specified LUIS application. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/clone/action | Creates a new application version equivalent to the current snapshot of the selected application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/delete | Deletes an application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/read | Gets the application version info. Gets the info for the list of application versions. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/import/action | Imports a new version into a LUIS application, the version's JSON should be included in the request body. 
| +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/write | Updates the name or description of the application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/evaluations/action | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/releasedispatch/action | Releases a new snapshot of the selected application version to be used by Dispatch applications | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/assignedkey/write | **THIS IS DEPRECATED** | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/assignedkey/read | **THIS IS DEPRECATED** | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/closedlists/write | Adds a list entity to the LUIS app. Adds a batch of sublists to an existing closedlist.* Updates the closed list model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/closedlists/delete | Deletes a closed list entity from the application. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/closedlists/read | Gets information of a closed list model. Gets information about the closedlist models. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/closedlists/suggest/action | suggest new entries for existing or newly created closed lists | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/closedlists/presuggestion/read | Loads previous suggestion result for closed list entity. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/closedlists/roles/write | Adds a role for a closed list entity model Updates a role for a closed list entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/closedlists/roles/delete | Deletes the role for a closed list entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/closedlists/roles/read | Gets the role for a closed list entity model. Gets the roles for a closed list entity model. 
| +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/closedlists/sublists/write | Adds a list to an existing closed list Updates one of the closed list's sublists | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/closedlists/sublists/delete | Deletes a sublist of a specified list entity. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/compositeentities/write | Adds a composite entity extractor to the application. Updates the composite entity extractor. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/compositeentities/delete | Deletes a composite entity extractor from the application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/compositeentities/read | Gets information about the composite entity model. Gets information about the composite entity models of the application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/compositeentities/children/write | Adds a single child in an existing composite entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/compositeentities/children/delete | Deletes a composite entity extractor child from the application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/compositeentities/roles/write | Adds a role for a composite entity model. Updates a role for a composite entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/compositeentities/roles/delete | Deletes the role for a composite entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/compositeentities/roles/read | Gets the role for a composite entity model. Gets the roles for a composite entity model. 
| +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/connectedservices/write | Creates the mapping between an intent and a service Updates the mapping between an intent and a service* | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/connectedservices/delete | Deletes the mapping between an intent and a service | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/connectedservices/read | Gets the mapping between an intent and a service | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/customprebuiltdomains/write | Adds a customizable prebuilt domain along with all of its models to this application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/customprebuiltdomains/delete | Deletes a prebuilt domain's models from the application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/customprebuiltentities/write | Adds a custom prebuilt domain entity model to the application version. Use [delete entity](https://westus.dev.cognitive.microsoft.com/docs/services/5890b47c39e2bb17b84a55ff/operations/5890b47c39e2bb052c5b9c1f) with the entity id to remove this entity. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/customprebuiltentities/read | Gets all custom prebuilt domain entities info for this application version | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/customprebuiltentities/roles/write | Adds a role for a custom prebuilt domain entity model Updates a role for a custom prebuilt domain entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/customprebuiltentities/roles/delete | Deletes the role for a custom prebuilt entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/customprebuiltentities/roles/read | Gets the role for a custom prebuilt domain entity model. Gets the roles for a custom prebuilt domain entity model. 
| +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/customprebuiltintents/write | Adds a custom prebuilt domain intent model to the application. Use [delete intent](https://westus.dev.cognitive.microsoft.com/docs/services/5890b47c39e2bb17b84a55ff/operations/5890b47c39e2bb052c5b9c1c) with the intent id to remove this intent. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/customprebuiltintents/read | Gets custom prebuilt intents info for this application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/customprebuiltintentsbatch/write | Adds custom prebuilt domain intents to application in batch | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/customprebuiltmodels/read | Gets all custom prebuilt domain models info for this application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/detailedmodels/read | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/entities/write | Adds a simple entity extractor to the application version. Updates the name of an entity extractor. Updates the entity extractor.* | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/entities/delete | Deletes a simple entity extractor from the application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/entities/read | Gets info about the simple entity model. Gets info about the simple entity models in the application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/entities/children/write | Creates a single child in an existing entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/entities/features/write | Adds a feature relation for an entity model Updates the list of feature relations for the entity* | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/entities/features/delete | Deletes the feature relation for an entity model. 
| +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/entities/features/read | Gets the feature relations for an entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/entities/roles/write | Adds a role for a simple entity model Updates a role of a simple entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/entities/roles/delete | Deletes the role for a simple entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/entities/roles/read | Gets the role for a simple entity model. Gets the roles for a simple entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/entities/roles/suggest/read | Suggests examples that would improve the accuracy of the entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/entities/stats/endpointscores/read | Gets the number of times the entity model scored as the top intent | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/entities/suggest/read | Suggests examples that would improve the accuracy of the entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/evaluations/result/read | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/evaluations/status/read | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/example/write | Adds a labeled example to the application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/examples/write | Adds a batch of non-duplicate labeled examples to the specified application. Batch can't include hierarchical child entities. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/examples/delete | Deletes the label with the specified ID. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/examples/read | Returns a subset of endpoint examples to be reviewed. 
| +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/export/read | Exports a LUIS application version to JSON format. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/externalkeys/delete | THIS API IS DEPRECATED. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/externalkeys/read | **THIS IS DEPRECATED** | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/externalkeys/write | **THIS IS DEPRECATED** | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/features/read | Gets all application version features. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/featuresuggestion/status/read | Get application version feature suggestion status | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/featuresuggestion/suggestions/read | Get application version feature suggestions | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/hierarchicalentities/write | Adds a hierarchical entity extractor to the application version. Updates the name and children of a hierarchical entity extractor model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/hierarchicalentities/delete | Deletes a hierarchical entity extractor from the application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/hierarchicalentities/read | Gets info about the hierarchical entity model. Gets information about the hierarchical entity models in the application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/hierarchicalentities/children/write | Creates a single child in an existing hierarchical entity model. Renames a single child in an existing hierarchical entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/hierarchicalentities/children/delete | Deletes a hierarchical entity extractor child from the application version. 
| +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/hierarchicalentities/children/read | Gets info about the hierarchical entity child model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/hierarchicalentities/roles/write | Adds a role for a hierarchical entity model Updates a role for a hierarchical entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/hierarchicalentities/roles/delete | Deletes the role for a hierarchical entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/hierarchicalentities/roles/read | Gets the role for a hierarchical entity model. Gets the roles for a hierarchical entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/intents/write | Adds an intent classifier to the application version. Updates the name of an intent classifier. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/intents/delete | Deletes an intent classifier from the application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/intents/read | Gets info about the intent model. Gets info about the intent models in the application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/intents/entitiescount/read | Gets the entities count of the labeled utterances for the given intent in the given task in the given app. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/intents/features/write | Adds a feature relation for an intent model Updates the list of feature relations for the intent* | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/intents/features/delete | Deletes the feature relation for an intent model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/intents/features/read | Gets the feature relations for an intent model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/intents/patternrules/read | Gets the patterns for a specific intent. 
| +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/intents/stats/read | Get application version training stats per intent | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/intents/stats/endpointscores/read | Gets the number of times the intent model scored as the top intent | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/intents/suggest/read | Suggests examples that would improve the accuracy of the intent model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/labeleddata/read | Gets the labeled data for the specified application | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/listprebuilts/read | Gets all the available prebuilt entities for the application based on the application's culture. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/models/read | Gets info about the application version models. Gets information about a model.* | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/models/endpointscoreshistory/read | Gets the number of times the intent model scored as the top intent history given timeframe | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/models/examples/read | Gets list of model examples. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/models/review/read | Gets the labeled utterances for the given model in the given task in the given app. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/models/reviewlabels/read | Gets the labeled utterances for the given model in the given task in the given app. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/models/reviewpredictions/read | Gets the labeled utterances for the given model in the given task in the given app. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/patternanyentities/write | Adds a Pattern.any entity extractor to the application version. Updates the Pattern.any entity extractor. 
| +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/patternanyentities/delete | Deletes a Pattern.any entity extractor from the application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/patternanyentities/read | Gets info about the Pattern.any entity model. Gets info about the Pattern.any entity models in the application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/patternanyentities/explicitlist/write | Adds an item to a Pattern.any explicit list. Updates the explicit list item for a Pattern.any entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/patternanyentities/explicitlist/delete | Deletes an item from a Pattern.any explicit list. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/patternanyentities/explicitlist/read | Gets the explicit list of a Pattern.any entity model. Gets the explicit list item for a Pattern.Any entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/patternanyentities/roles/write | Adds a role for a Pattern.any entity model Updates a role for a Pattern.any entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/patternanyentities/roles/delete | Deletes the role for a Pattern.any entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/patternanyentities/roles/read | Gets the role for a Pattern.any entity model. Gets the roles for a Pattern.any entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/patternrule/write | Adds a pattern to the specified application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/patternrules/write | Adds a list of patterns to the application version. Updates a pattern in the application version. Updates a list of patterns in the application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/patternrules/delete | Deletes a list of patterns from the application version. 
Deletes a pattern from the application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/patternrules/read | Gets the patterns in the application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/patterns/write | **THIS API IS DEPRECATED.** | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/patterns/delete | **THIS API IS DEPRECATED.** | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/patterns/read | **THIS API IS DEPRECATED.** | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/phraselists/write | Creates a new phraselist feature. Updates the phrases, the state and the name of the phraselist feature. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/phraselists/delete | Deletes a phraselist feature from an application. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/phraselists/read | Gets phraselist feature info. Gets all phraselist features for the application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/phraselists/suggest/action | suggest new entries for existing or newly created phrase lists | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/phraselists/presuggestion/read | Loads previous suggestion result for phraselist feature. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/prebuilts/write | Adds a list of prebuilt entity extractors to the application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/prebuilts/delete | Deletes a prebuilt entity extractor from the application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/prebuilts/read | Gets info about the prebuilt entity model. Gets info about the prebuilt entity models in the application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/prebuilts/roles/write | Adds a role for a prebuilt entity model Updates a role for a prebuilt entity model. 
| +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/prebuilts/roles/delete | Deletes the role for a prebuilt entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/prebuilts/roles/read | Gets the role for a prebuilt entity model. Gets the roles for a prebuilt entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/predict/read | Gets the published predictions for the specified application version using the given query. The current maximum query size is 500 characters. Gets the prediction (intents/entities) for the utterance given.* | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/regexentities/write | Adds a regular expression entity extractor to the application version. Updates the regular expression entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/regexentities/delete | Deletes a regular expression entity model from the application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/regexentities/read | Gets info about a regular expression entity model. Gets info about the regular expression entity models in the application version. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/regexentities/roles/write | Adds a role for a regular expression entity model Updates a role for a regular expression entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/regexentities/roles/delete | Deletes the role for a regular expression entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/regexentities/roles/read | Gets the roles for a regular expression entity model. Gets the role for a regular expression entity model. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/settings/read | Gets the application version settings. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/settings/write | Updates the application version settings. 
| +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/state/read | Gets a flag indicating if the app version has been previously trained | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/stats/read | Get application version training stats | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/stats/endpointhitshistory/read | Gets the endpoint hits history for each day for a given timeframe. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/stats/examplesperentity/read | Gets the number of examples per entity of a given application | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/stats/labelsperentity/read | Gets the number of labels per entity of a given application | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/stats/labelsperintent/read | Gets the number of labels per intent for a given application | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/stats/operations/read | Get application version training stats unexpired operation info Get application version training stats unexpired operations* | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/statsmetadata/read | Get application version training stats metadata | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/suggest/delete | Deleted an endpoint utterance. This utterance is in the "Review endpoint utterances" list. | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/testdatasets/run/read | Runs the batch test given by the application id and dataset id on the given | +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/train/read | Gets the training status of all models (intents and entities) for the specified application version. You must call the train API to train the LUIS app before you call this API to get training status. 
| +> | Microsoft.CognitiveServices/accounts/LUIS/apps/versions/trainingstatus/read | Gets a flag indicating if the app version has been previously trained | +> | Microsoft.CognitiveServices/accounts/LUIS/azureaccounts/read | Gets the LUIS Azure accounts for the user using his Azure Resource Manager token. | +> | Microsoft.CognitiveServices/accounts/LUIS/compositesmigration/apps/versions/migrate/action | Migrate composites for application version | +> | Microsoft.CognitiveServices/accounts/LUIS/compositesmigration/apps/versions/operations/migrate/read | Get composite migration result | +> | Microsoft.CognitiveServices/accounts/LUIS/compositesmigration/apps/versions/operations/migrate/status/read | Get composite migration operation status | +> | Microsoft.CognitiveServices/accounts/LUIS/compositesmigration/needmigrationapps/read | Get applications needing composite migrations | +> | Microsoft.CognitiveServices/accounts/LUIS/externalkeys/write | **THIS API IS DEPRECATED.** | +> | Microsoft.CognitiveServices/accounts/LUIS/externalkeys/delete | **THIS API IS DEPRECATED.** | +> | Microsoft.CognitiveServices/accounts/LUIS/externalkeys/read | **THIS API IS DEPRECATED.** | +> | Microsoft.CognitiveServices/accounts/LUIS/package/slot/gzip/read | Packages published LUIS application as GZip | +> | Microsoft.CognitiveServices/accounts/LUIS/package/versions/gzip/read | Packages trained LUIS application as GZip | +> | Microsoft.CognitiveServices/accounts/LUIS/ping/read | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/LUIS/predict/read | Gets the published endpoint prediction for the given query. | +> | Microsoft.CognitiveServices/accounts/LUIS/previewfeatures/read | Gets eligibility status of preview features for current owner. | +> | Microsoft.CognitiveServices/accounts/LUIS/programmatickey/write | **THIS API IS DEPRECATED.** | +> | Microsoft.CognitiveServices/accounts/LUIS/resources/apps/count/read | Gets the number of applications owned by the user. 
| +> | Microsoft.CognitiveServices/accounts/LUIS/resources/apps/versions/count/read | Gets the number of versions of a given application. | +> | Microsoft.CognitiveServices/accounts/LUIS/subscriptions/write | **THIS API IS DEPRECATED.** | +> | Microsoft.CognitiveServices/accounts/LUIS/subscriptions/delete | **THIS API IS DEPRECATED.** | +> | Microsoft.CognitiveServices/accounts/LUIS/subscriptions/read | **THIS API IS DEPRECATED.** | +> | Microsoft.CognitiveServices/accounts/LUIS/user/termsofuse/action | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/LUIS/user/read | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/LUIS/user/delete | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/LUIS/user/write | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/LUIS/user/authoringazureaccount/write | Migrates the user's APIM authoring key to be an Azure resource. | +> | Microsoft.CognitiveServices/accounts/LUIS/user/collaborators/read | Gets users per app for all apps the user has collaborators on. | +> | Microsoft.CognitiveServices/accounts/LUIS/user/detailedinfo/read | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/LUIS/user/programmatickey/read | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/LUIS/user/programmatickeywithendpointurl/read | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/LUIS/user/unownedappsowners/read | Gets owners of the apps that user collaborates on. 
| +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/alert/anomaly/configurations/write | Create or update anomaly alerting configuration | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/alert/anomaly/configurations/delete | Delete anomaly alerting configuration | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/alert/anomaly/configurations/read | Query a single anomaly alerting configuration | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/alert/anomaly/configurations/alerts/query/action | Query alerts under anomaly alerting configuration | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/alert/anomaly/configurations/alerts/anomalies/read | Query anomalies under a specific alert | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/alert/anomaly/configurations/alerts/incidents/read | Query incidents under a specific alert | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/credentials/write | Create or update a new data source credential | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/credentials/delete | Delete a data source credential | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/credentials/read | Get a data source credential or list all credentials | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/datafeeds/write | Create or update a data feed. 
| +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/datafeeds/delete | Delete a data feed | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/datafeeds/read | Get a data feed by its id or list all data feeds | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/datafeeds/ingestionprogress/read | Get data last success ingestion job timestamp by data feed | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/datafeeds/ingestionprogress/reset/action | Reset data ingestion status by data feed to backfill data | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/datafeeds/ingestionstatus/query/action | Get data ingestion status by data feed | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/enrichment/anomalydetection/configurations/write | Create or update anomaly detection configuration | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/enrichment/anomalydetection/configurations/delete | Delete anomaly detection configuration | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/enrichment/anomalydetection/configurations/read | Query a single anomaly detection configuration | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/enrichment/anomalydetection/configurations/alert/anomaly/configurations/read | Query all anomaly alerting configurations for specific anomaly detection configuration | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/enrichment/anomalydetection/configurations/anomalies/query/action | Query anomalies under anomaly detection configuration | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/enrichment/anomalydetection/configurations/anomalies/dimension/query/action | Query dimension values of anomalies | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/enrichment/anomalydetection/configurations/incidents/query/action | Query incidents under anomaly detection configuration | +> | 
Microsoft.CognitiveServices/accounts/MetricsAdvisor/enrichment/anomalydetection/configurations/incidents/rootcause/read | Query root cause for incident | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/enrichment/anomalydetection/configurations/series/query/action | Query series enriched by anomaly detection | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/feedback/metric/write | Create a new metric feedback | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/feedback/metric/read | Get a metric feedback by its id | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/feedback/metric/query/action | List feedback on the given metric | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/hooks/write | Create or update a hook | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/hooks/delete | Delete a hook | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/hooks/read | Get a hook by its id or list all hooks | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/metrics/data/query/action | Get time series data from metric | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/metrics/dimension/query/action | List dimension from certain metric | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/metrics/enrichment/anomalydetection/configurations/read | Query all anomaly detection configurations for specific metric | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/metrics/series/query/action | List series (dimension combinations) from metric | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/metrics/status/enrichment/anomalydetection/query/action | Query anomaly detection status | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/stats/latest/read | Get latest usage stats | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/timeseriesgroups/write | Create or update a time series group | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/timeseriesgroups/delete | Delete a time 
series group | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/timeseriesgroups/read | Get a time series group | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/timeseriesgroups/appinstances/write | Create or update an application instance to a time series group | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/timeseriesgroups/appinstances/delete | Delete an application instance from a time series group | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/timeseriesgroups/appinstances/read | Get a time series group's application instance | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/timeseriesgroups/appinstances/inference/action | Inference time series group application instance model | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/timeseriesgroups/appinstances/train/action | Train time series group application instance model | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/timeseriesgroups/appinstances/history/read | Get the running result history from a time series group application instance by its id | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/timeseriesgroups/appinstances/inferencescore/read | Get the inference score values from a time series group application instance | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/timeseriesgroups/appinstances/inferenceseverity/read | Get the inference severity values from a time series group application instance | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/timeseriesgroups/appinstances/latestresult/read | Get the latest running result from a time series group application instance by its id | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/timeseriesgroups/appinstances/modelstate/read | Get time series group application instance model state | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/timeseriesgroups/appinstances/ops/read | Get time series group application instance operation records | +> | 
Microsoft.CognitiveServices/accounts/MetricsAdvisor/timeseriesgroups/appinstances/ops/inferencestatus/read | Get time series group application instance inference status | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/timeseriesgroups/seriessets/write | Add or update a time series set to a time series group | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/timeseriesgroups/seriessets/delete | Delete a time series set from a time series group | +> | Microsoft.CognitiveServices/accounts/MetricsAdvisor/timeseriesgroups/seriessets/read | Get a time series set | +> | Microsoft.CognitiveServices/accounts/ModelDistribution/models/read | Get model manifest for given conditions | +> | Microsoft.CognitiveServices/accounts/ModelDistribution/models/latest/read | Get latest available and compatible model for a specific service. | +> | Microsoft.CognitiveServices/accounts/NewsSearch/categorysearch/action | Returns news for a provided category. | +> | Microsoft.CognitiveServices/accounts/NewsSearch/search/action | Get news articles relevant for a given query. | +> | Microsoft.CognitiveServices/accounts/NewsSearch/trendingtopics/action | Get trending topics identified by Bing. These are the same topics shown in the banner at the bottom of the Bing home page. | +> | Microsoft.CognitiveServices/accounts/OpenAI/assistants/write | Create or update assistants. | +> | Microsoft.CognitiveServices/accounts/OpenAI/assistants/read | Get assistants. | +> | Microsoft.CognitiveServices/accounts/OpenAI/assistants/delete | Delete assistants. | +> | Microsoft.CognitiveServices/accounts/OpenAI/assistants/files/write | Create assistant file. | +> | Microsoft.CognitiveServices/accounts/OpenAI/assistants/files/read | Retrieve assistant file. | +> | Microsoft.CognitiveServices/accounts/OpenAI/assistants/files/delete | Delete assistant file. | +> | Microsoft.CognitiveServices/accounts/OpenAI/assistants/threads/write | Create assistant thread. 
| +> | Microsoft.CognitiveServices/accounts/OpenAI/assistants/threads/read | Retrieve assistant thread. | +> | Microsoft.CognitiveServices/accounts/OpenAI/assistants/threads/delete | Delete assistant thread. | +> | Microsoft.CognitiveServices/accounts/OpenAI/assistants/threads/messages/write | Create assistant thread message. | +> | Microsoft.CognitiveServices/accounts/OpenAI/assistants/threads/messages/read | Retrieve assistant thread message. | +> | Microsoft.CognitiveServices/accounts/OpenAI/assistants/threads/messages/files/read | Retrieve assistant thread message file. | +> | Microsoft.CognitiveServices/accounts/OpenAI/assistants/threads/runs/write | Create or update assistant thread run. | +> | Microsoft.CognitiveServices/accounts/OpenAI/assistants/threads/runs/read | Retrieve assistant thread run. | +> | Microsoft.CognitiveServices/accounts/OpenAI/assistants/threads/runs/steps/read | Retrieve assistant thread run step. | +> | Microsoft.CognitiveServices/accounts/OpenAI/deployments/search/action | Search for the most relevant documents using the current engine. | +> | Microsoft.CognitiveServices/accounts/OpenAI/deployments/completions/action | Create a completion from a chosen model. | +> | Microsoft.CognitiveServices/accounts/OpenAI/deployments/read | Gets information about deployments. | +> | Microsoft.CognitiveServices/accounts/OpenAI/deployments/write | Create or update deployments. | +> | Microsoft.CognitiveServices/accounts/OpenAI/deployments/delete | Delete deployment. | +> | Microsoft.CognitiveServices/accounts/OpenAI/deployments/embeddings/action | Return the embeddings for a given prompt. | +> | Microsoft.CognitiveServices/accounts/OpenAI/deployments/audio/action | Return the transcript or translation for a given audio file. 
| +> | Microsoft.CognitiveServices/accounts/OpenAI/deployments/rainbow/action | Creates a completion for the provided prompt, consisting of text and images | +> | Microsoft.CognitiveServices/accounts/OpenAI/deployments/chat/completions/action | Creates a completion for the chat message | +> | Microsoft.CognitiveServices/accounts/OpenAI/deployments/extensions/chat/completions/action | Creates a completion for the chat message with extensions | +> | Microsoft.CognitiveServices/accounts/OpenAI/engines/read | Read engine information. | +> | Microsoft.CognitiveServices/accounts/OpenAI/engines/completions/action | Create a completion from a chosen model | +> | Microsoft.CognitiveServices/accounts/OpenAI/engines/search/action | Search for the most relevant documents using the current engine. | +> | Microsoft.CognitiveServices/accounts/OpenAI/engines/generate/action | Sample from the model via POST request. | +> | Microsoft.CognitiveServices/accounts/OpenAI/engines/generate/action | (Intended for browsers only.) Stream generated text from the model via GET request.<br>This method is provided because the browser-native EventSource method can only send GET requests.<br>It supports a more limited set of configuration options than the POST variant. | +> | Microsoft.CognitiveServices/accounts/OpenAI/engines/completions/action | Create a completion from a chosen model | +> | Microsoft.CognitiveServices/accounts/OpenAI/engines/completions/browser_stream/action | (Intended for browsers only.) Stream generated text from the model via GET request.<br>This method is provided because the browser-native EventSource method can only send GET requests.<br>It supports a more limited set of configuration options than the POST variant. 
| +> | Microsoft.CognitiveServices/accounts/OpenAI/extensions/on-your-data/ingestion/read | Read Operations related to on-your-data feature | +> | Microsoft.CognitiveServices/accounts/OpenAI/extensions/on-your-data/ingestion/write | Write Operations related to on-your-data feature | +> | Microsoft.CognitiveServices/accounts/OpenAI/files/write | Upload or import files. | +> | Microsoft.CognitiveServices/accounts/OpenAI/files/delete | Delete files. | +> | Microsoft.CognitiveServices/accounts/OpenAI/files/read | Gets information about files. | +> | Microsoft.CognitiveServices/accounts/OpenAI/fine-tunes/write | Creates or cancels adaptation of a model. | +> | Microsoft.CognitiveServices/accounts/OpenAI/fine-tunes/delete | Delete the adaptation of a model. | +> | Microsoft.CognitiveServices/accounts/OpenAI/fine-tunes/read | Gets information about fine-tuned models. | +> | Microsoft.CognitiveServices/accounts/OpenAI/gptv-registrations/read | Gets a registered Azure Resource corresponding to a deployment. | +> | Microsoft.CognitiveServices/accounts/OpenAI/gptv-registrations/delete | Unregisters a registered Azure Resource corresponding to a deployment. | +> | Microsoft.CognitiveServices/accounts/OpenAI/gptv-registrations/write | Registers or updates an existing Azure Resource corresponding to a deployment. | +> | Microsoft.CognitiveServices/accounts/OpenAI/images/generations/action | Create image generations. | +> | Microsoft.CognitiveServices/accounts/OpenAI/management/modelscaleset/deployment/read | Get Modelscale set deployment status and info. | +> | Microsoft.CognitiveServices/accounts/OpenAI/management/modelscaleset/deployment/write | Modify Modelscale set deployment status and info. | +> | Microsoft.CognitiveServices/accounts/OpenAI/models/read | Gets information about models | +> | Microsoft.CognitiveServices/accounts/OpenAI/openapi/read | Get OpenAI Info | +> | Microsoft.CognitiveServices/accounts/Personalizer/rank/action | A personalization rank request. 
| +> | Microsoft.CognitiveServices/accounts/Personalizer/evaluations/action | Submit a new evaluation. | +> | Microsoft.CognitiveServices/accounts/Personalizer/configurations/client/action | Get the client configuration. | +> | Microsoft.CognitiveServices/accounts/Personalizer/configurations/applyfromevaluation/action | Apply Learning Settings and model from a pre-existing Offline Evaluation, making them the current online Learning Settings and model and replacing the previous ones. | +> | Microsoft.CognitiveServices/accounts/Personalizer/configurations/client/action | Get configuration settings used in distributed Personalizer deployments. | +> | Microsoft.CognitiveServices/accounts/Personalizer/configurations/policy/delete | Delete the current policy. | +> | Microsoft.CognitiveServices/accounts/Personalizer/configurations/policy/read | Get the policy configuration. | +> | Microsoft.CognitiveServices/accounts/Personalizer/configurations/policy/write | Update the policy configuration. | +> | Microsoft.CognitiveServices/accounts/Personalizer/configurations/policy/read | Get the Learning Settings currently used by the Personalizer service. | +> | Microsoft.CognitiveServices/accounts/Personalizer/configurations/policy/delete | Resets the learning settings of the Personalizer service to default. | +> | Microsoft.CognitiveServices/accounts/Personalizer/configurations/policy/write | Update the Learning Settings that the Personalizer service will use to train models. | +> | Microsoft.CognitiveServices/accounts/Personalizer/configurations/service/read | Get the service configuration. | +> | Microsoft.CognitiveServices/accounts/Personalizer/configurations/service/write | Update the service configuration. | +> | Microsoft.CognitiveServices/accounts/Personalizer/configurations/service/read | Get the Personalizer service configuration. | +> | Microsoft.CognitiveServices/accounts/Personalizer/configurations/service/write | Update the Personalizer service configuration. 
| +> | Microsoft.CognitiveServices/accounts/Personalizer/evaluations/delete | Delete the evaluation associated with the ID. | +> | Microsoft.CognitiveServices/accounts/Personalizer/evaluations/read | Get the evaluation associated with the ID. List all submitted evaluations.* | +> | Microsoft.CognitiveServices/accounts/Personalizer/evaluations/write | Submit a new Offline Evaluation job. | +> | Microsoft.CognitiveServices/accounts/Personalizer/evaluations/delete | Delete the Offline Evaluation associated with the Id. | +> | Microsoft.CognitiveServices/accounts/Personalizer/evaluations/read | Get the Offline Evaluation associated with the Id. List of all Offline Evaluations.* | +> | Microsoft.CognitiveServices/accounts/Personalizer/events/reward/action | Report reward to allocate to the top ranked action for the specified event. | +> | Microsoft.CognitiveServices/accounts/Personalizer/events/activate/action | Report that the specified event was actually displayed to the user and a reward should be expected for it. | +> | Microsoft.CognitiveServices/accounts/Personalizer/events/activate/action | Report that the specified event was actually used (e.g. by being displayed to the user) and a reward should be expected for it. | +> | Microsoft.CognitiveServices/accounts/Personalizer/events/reward/action | Report reward between 0 and 1 that resulted from using the action specified in rewardActionId, for the specified event. | +> | Microsoft.CognitiveServices/accounts/Personalizer/featureimportances/read | List of all Feature Importances. Get the Feature Importance associated with the Id. | +> | Microsoft.CognitiveServices/accounts/Personalizer/featureimportances/write | Submit a new Feature Importance job. | +> | Microsoft.CognitiveServices/accounts/Personalizer/featureimportances/delete | Delete the Feature Importance associated with the Id. | +> | Microsoft.CognitiveServices/accounts/Personalizer/logs/delete | Deletes all the logs. 
| +> | Microsoft.CognitiveServices/accounts/Personalizer/logs/delete | Delete all logs of Rank and Reward calls stored by Personalizer. | +> | Microsoft.CognitiveServices/accounts/Personalizer/logs/interactions/action | The endpoint is intended to be used from within a SDK for logging interactions and accepts specific format defined in https://github.com/VowpalWabbit/reinforcement_learning. This endpoint should not be used by the customer. | +> | Microsoft.CognitiveServices/accounts/Personalizer/logs/observations/action | The endpoint is intended to be used from within a SDK for logging observations and accepts specific format defined in https://github.com/VowpalWabbit/reinforcement_learning. This endpoint should not be used by the customer. | +> | Microsoft.CognitiveServices/accounts/Personalizer/logs/properties/read | Gets logs properties. | +> | Microsoft.CognitiveServices/accounts/Personalizer/logs/properties/read | Get properties of the Personalizer logs. | +> | Microsoft.CognitiveServices/accounts/Personalizer/model/read | Get current model. | +> | Microsoft.CognitiveServices/accounts/Personalizer/model/delete | Resets the model. | +> | Microsoft.CognitiveServices/accounts/Personalizer/model/read | Get the model file generated by Personalizer service. | +> | Microsoft.CognitiveServices/accounts/Personalizer/model/delete | Resets the model file generated by Personalizer service. | +> | Microsoft.CognitiveServices/accounts/Personalizer/model/write | Replace the existing model file for the Personalizer service. | +> | Microsoft.CognitiveServices/accounts/Personalizer/model/properties/read | Get model properties. | +> | Microsoft.CognitiveServices/accounts/Personalizer/model/properties/read | Get properties of the model file generated by Personalizer service. | +> | Microsoft.CognitiveServices/accounts/Personalizer/multislot/rank/action | Submit a Personalizer multi-slot rank request. Receives a context, a list of actions, and a list of slots. 
Returns which of the provided actions should be used in each slot, in each rewardActionId. | +> | Microsoft.CognitiveServices/accounts/Personalizer/multislot/events/activate/action | Report that the specified event was actually used or displayed to the user and a rewards should be expected for it. | +> | Microsoft.CognitiveServices/accounts/Personalizer/multislot/events/reward/action | Report reward that resulted from using the action specified in rewardActionId for the slot. | +> | Microsoft.CognitiveServices/accounts/Personalizer/status/read | Gets the status of the operation. | +> | Microsoft.CognitiveServices/accounts/Personalizer/status/read | *NotDefined* | +> | Microsoft.CognitiveServices/accounts/QnAMaker/root/action | QnA Maker | +> | Microsoft.CognitiveServices/accounts/QnAMaker.v2/root/action | QnA Maker | +> | Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read | Download alterations from runtime. | +> | Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write | Replace alterations data. | +> | Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read | Gets endpoint keys for an endpoint | +> | Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action | Re-generates an endpoint key. | +> | Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read | Gets endpoint settings for an endpoint | +> | Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write | Update endpoint seettings for an endpoint. | +> | Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/publish/action | Publishes all changes in test index of a knowledgebase to its prod index. | +> | Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/delete | Deletes the knowledgebase and all its data. | +> | Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. 
| +> | Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write | Asynchronous operation to modify a knowledgebase or Replace knowledgebase contents. | +> | Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. | +> | Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action | Train call to add suggestions to the knowledgebase. | +> | Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write | Asynchronous operation to create a new knowledgebase. | +> | Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read | Download the knowledgebase. | +> | Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read | Gets details of a specific long running operation. | +> | Microsoft.CognitiveServices/accounts/QnAMaker.v2/QnaMaker/generateanswer/action | GenerateAnswer call to query over the given passage or documents | +> | Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read | Download alterations from runtime. | +> | Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write | Replace alterations data. | +> | Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read | Gets endpoint keys for an endpoint | +> | Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action | Re-generates an endpoint key. | +> | Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read | Gets endpoint settings for an endpoint | +> | Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write | Update endpoint seettings for an endpoint. | +> | Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/publish/action | Publishes all changes in test index of a knowledgebase to its prod index. | +> | Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/delete | Deletes the knowledgebase and all its data. 
| +> | Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. | +> | Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write | Asynchronous operation to modify a knowledgebase or Replace knowledgebase contents. | +> | Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. | +> | Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action | Train call to add suggestions to the knowledgebase. | +> | Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write | Asynchronous operation to create a new knowledgebase. | +> | Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read | Download the knowledgebase. | +> | Microsoft.CognitiveServices/accounts/QnAMaker/operations/read | Gets details of a specific long running operation. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/issuetoken/action | Issue Cognitive Services jwt token for authentication. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/models:authorizecopy/action | This method can be used to allow copying a model from another speech resource. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/models:copyto/action | This method is obsolete and will be removed in future API version. Please use models/{id}:copy instead. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/models:copy/action | This method can be used to copy a model from this speech resource to a target one. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/evaluations/action | Creates a new evaluation. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/models/action | Creates a new model. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/projects/action | Creates a new project. 
| +> | Microsoft.CognitiveServices/accounts/SpeechServices/webhooks:ping/action | The request body of the POST request sent to the registered web hook URL is of the same shape as in the GET request for a specific hook. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/webhooks:test/action | The payload will be generated from the last entity that would have invoked the web hook. If no entity is present for none of the registered event types, | +> | Microsoft.CognitiveServices/accounts/SpeechServices/datasets/blocks:commit/action | Commit block list to complete the upload of the dataset. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/datasets/delete | Deletes the specified dataset. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/datasets/read | Gets a list of datasets for the authenticated subscription. Gets the dataset identified by the given ID.* | +> | Microsoft.CognitiveServices/accounts/SpeechServices/datasets/write | Updates the mutable details of the dataset identified by its ID. Uploads and creates a new dataset by getting the data from a specified URL or starts waiting for data blocks to be uploaded.* | +> | Microsoft.CognitiveServices/accounts/SpeechServices/datasets/upload/action | Uploads data and creates a new dataset. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/datasets/blocks/read | Gets the list of uploaded blocks for this dataset. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/datasets/blocks/write | Upload a block of data for the dataset. The maximum size of the block is 8MiB. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/datasets/files/read | Gets one specific file (identified with fileId) from a dataset (identified with id). Gets the files of the dataset identified by the given ID.* | +> | Microsoft.CognitiveServices/accounts/SpeechServices/datasets/locales/read | Gets a list of supported locales for datasets. 
| +> | Microsoft.CognitiveServices/accounts/SpeechServices/endpoints/write | Creates a new endpoint. Updates the metadata of the endpoint identified by the given ID.* | +> | Microsoft.CognitiveServices/accounts/SpeechServices/endpoints/delete | Deletes the endpoint identified by the given ID. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/endpoints/read | Gets the endpoint identified by the given ID. Gets the list of endpoints for the authenticated subscription.* | +> | Microsoft.CognitiveServices/accounts/SpeechServices/endpoints/base/files/logs/delete | Deletes one audio or transcription log that have been stored when using the default base model of a given language. Deletion process is done asynchronously and can take up to one day depending on the amount of log files.* | +> | Microsoft.CognitiveServices/accounts/SpeechServices/endpoints/base/files/logs/read | Gets a specific audio or transcription log for the default base model in a given language. Gets the list of audio and transcription logs that have been stored when using the default base model of a given language.* | +> | Microsoft.CognitiveServices/accounts/SpeechServices/endpoints/files/logs/delete | Deletes one audio or transcription log that have been stored for a given endpoint. The deletion process is done asynchronously and can take up to one day depending on the amount of log files.* | +> | Microsoft.CognitiveServices/accounts/SpeechServices/endpoints/files/logs/read | Gets a specific audio or transcription log for a given endpoint. Gets the list of audio and transcription logs that have been stored for a given endpoint.* | +> | Microsoft.CognitiveServices/accounts/SpeechServices/endpoints/locales/read | Gets a list of supported locales for endpoint creations. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/evaluations/delete | Deletes the evaluation identified by the given ID. 
| +> | Microsoft.CognitiveServices/accounts/SpeechServices/evaluations/read | Gets the evaluation identified by the given ID. Gets the list of evaluations for the authenticated subscription.* | +> | Microsoft.CognitiveServices/accounts/SpeechServices/evaluations/write | Updates the mutable details of the evaluation identified by its id. Creates a new evaluation.* | +> | Microsoft.CognitiveServices/accounts/SpeechServices/evaluations/files/read | Gets one specific file (identified with fileId) from an evaluation (identified with id). Gets the files of the evaluation identified by the given ID.* | +> | Microsoft.CognitiveServices/accounts/SpeechServices/evaluations/locales/read | Gets a list of supported locales for evaluations. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/healthstatus/read | Returns the overall health of the service and optionally of the different subcomponents. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/models/delete | Deletes the model identified by the given ID. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/models/read | Gets the list of custom models for the authenticated subscription. Gets the model identified by the given ID.* | +> | Microsoft.CognitiveServices/accounts/SpeechServices/models/write | Updates the metadata of the model identified by the given ID. Creates a new model.* | +> | Microsoft.CognitiveServices/accounts/SpeechServices/models/base/read | Gets the base model identified by the given ID. Gets the list of base models for the authenticated subscription.* | +> | Microsoft.CognitiveServices/accounts/SpeechServices/models/base/manifest/read | Returns an manifest for this base model which can be used in an on-premise container. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/models/files/read | Gets one specific file (identified with fileId) from a model (identified with id). 
Gets the files of the model identified by the given ID.* | +> | Microsoft.CognitiveServices/accounts/SpeechServices/models/locales/read | Gets a list of supported locales for model adaptation. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/models/manifest/read | Returns an manifest for this model which can be used in an on-premise container. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/operations/models/copy/read | Gets the operation identified by the given ID. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/projects/delete | Deletes the project identified by the given ID. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/projects/read | Gets the list of projects for the authenticated subscription. Gets the project identified by the given ID.* | +> | Microsoft.CognitiveServices/accounts/SpeechServices/projects/write | Updates the project identified by the given ID. Creates a new project.* | +> | Microsoft.CognitiveServices/accounts/SpeechServices/projects/datasets/read | Gets the list of datasets for specified project. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/projects/endpoints/read | Gets the list of endpoints for specified project. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/projects/evaluations/read | Gets the list of evaluations for specified project. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/projects/locales/read | Gets the list of supported locales. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/projects/models/read | Gets the list of models for specified project. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/projects/transcriptions/read | Gets the list of transcriptions for specified project. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/models/action | This method can be used to copy a model from one location to another. 
If the target subscription | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/webhooks/action | Web hooks operations | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/datasets/write | Create or update a dataset | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/datasets/delete | Delete a dataset | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/datasets/read | Get one or more datasets | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/datasets/blocks/read | Get one or more uploaded blocks | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/datasets/blocks/write | Create or update a dataset blocks | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/datasets/files/read | Get one or more dataset files | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/endpoints/write | Create or update an endpoint | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/endpoints/delete | Delete an endpoint | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/endpoints/read | Get one or more endpoints | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/endpoints/files/logs/write | Create a endpoint data export | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/endpoints/files/logs/delete | Delete some or all custom model endpoint logs | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/endpoints/files/logs/read | Get one or more custom model endpoint logs | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/evaluations/write | Create or update an evaluation | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/evaluations/delete | Delete an evaluation | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/evaluations/read | Get one or more evaluations | +> | 
Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/evaluations/files/read | Get one or more evaluation files | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/healthstatus/read | Get health status | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/models/write | Create or update a model. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/models/delete | Delete a model | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/models/read | Get one or more models | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/models/base/manifest/read | Returns an manifest for this base model which can be used in an on-premise container. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/models/files/read | Returns files for this model. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/models/manifest/read | Returns an manifest for this model which can be used in an on-premise container. 
| +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/projects/write | Create or update a project | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/projects/delete | Delete a project | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/projects/read | Get one or more projects | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/transcriptions/write | Create or update a transcription | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/transcriptions/delete | Delete a transcription | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/transcriptions/read | Get one or more transcriptions | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/transcriptions/files/read | Get one or more transcription files | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/webhooks/write | Create or update a web hook | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/webhooks/delete | Delete a web hook | +> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/webhooks/read | Get one or more web hooks | +> | Microsoft.CognitiveServices/accounts/SpeechServices/synctranscriptions/write | create file based sync transcriptions | +> | Microsoft.CognitiveServices/accounts/SpeechServices/text-dependent/profiles:verify/action | Verifies existing profiles against input audio. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/text-dependent/phrases/read | Retrieves list of supported passphrases for a specific locale. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/text-dependent/profiles/write | Create a new speaker profile with specified locale. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/text-dependent/profiles/delete | Deletes an existing profile. 
| +> | Microsoft.CognitiveServices/accounts/SpeechServices/text-dependent/profiles/read | Retrieves a set of profiles or retrieves a single profile by ID. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/text-dependent/profiles/verify/action | Verifies existing profiles against input audio. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/text-dependent/profiles/enrollments/write | Adds an enrollment to existing profile. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/text-dependent/profiles/enrollments/write | Adds an enrollment to existing profile. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/text-dependent/profiles/reset/write | Resets existing profile to its original creation state. The reset operation does the following: | +> | Microsoft.CognitiveServices/accounts/SpeechServices/text-dependent/profiles:reset/write | Resets existing profile to its original creation state. The reset operation does the following: | +> | Microsoft.CognitiveServices/accounts/SpeechServices/text-independent/profiles:identifysinglespeaker/action | Identifies who is speaking in input audio among a list of candidate profiles. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/text-independent/profiles:verify/action | Verifies existing profiles against input audio. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/text-independent/phrases/read | Retrieves list of supported passphrases for a specific locale. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/text-independent/profiles/write | Creates a new speaker profile with specified locale. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/text-independent/profiles/delete | Deletes an existing profile. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/text-independent/profiles/identifysinglespeaker/action | Identifies who is speaking in input audio among a list of candidate profiles. 
| +> | Microsoft.CognitiveServices/accounts/SpeechServices/text-independent/profiles/read | Retrieves a set of profiles or retrieves a single profile by ID. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/text-independent/profiles/verify/action | Verifies existing profiles against input audio. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/text-independent/profiles/enrollments/write | Adds an enrollment to existing profile. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/text-independent/profiles/enrollments/write | Adds an enrollment to existing profile. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/text-independent/profiles/reset/write | Resets existing profile to its original creation state. The reset operation does the following: | +> | Microsoft.CognitiveServices/accounts/SpeechServices/text-independent/profiles:reset/write | Resets existing profile to its original creation state. The reset operation does the following: | +> | Microsoft.CognitiveServices/accounts/SpeechServices/transcriptions/write | Creates a new transcription. Updates the mutable details of the transcription identified by its ID.* | +> | Microsoft.CognitiveServices/accounts/SpeechServices/transcriptions/delete | Deletes the specified transcription task. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/transcriptions/read | Gets a list of transcriptions for the authenticated subscription. Gets the transcription identified by the given ID.* | +> | Microsoft.CognitiveServices/accounts/SpeechServices/transcriptions/files/read | Gets one specific file (identified with fileId) from a transcription (identified with id). Gets the files of the transcription identified by the given ID.* | +> | Microsoft.CognitiveServices/accounts/SpeechServices/transcriptions/locales/read | Gets a list of supported locales for offline transcriptions. 
| +> | Microsoft.CognitiveServices/accounts/SpeechServices/unified-speech/frontend/action | This endpoint manages the Speech Frontend | +> | Microsoft.CognitiveServices/accounts/SpeechServices/unified-speech/management/action | This endpoint manages the Speech Frontend | +> | Microsoft.CognitiveServices/accounts/SpeechServices/unified-speech/probes/action | This endpoint monitors the Speech Frontend health | +> | Microsoft.CognitiveServices/accounts/SpeechServices/unified-speech/languages/action | This endpoint provides the REST language api. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/unified-speech/legacy/query/action | The Speech Service legacy REST api. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/webhooks/write | If the property secret in the configuration is present and contains a non-empty string, it will be used to create a SHA256 hash of the payload with If the property secret in the configuration is omitted or contains an empty string, future callbacks won't contain X-MicrosoftSpeechServices-Signature* | +> | Microsoft.CognitiveServices/accounts/SpeechServices/webhooks/delete | Deletes the web hook identified by the given ID. | +> | Microsoft.CognitiveServices/accounts/SpeechServices/webhooks/read | Gets the list of web hooks for the authenticated subscription. Gets the web hook identified by the given ID.* | +> | Microsoft.CognitiveServices/accounts/SpellCheck/spellcheck/action | Get result of a spell check query through GET or POST. | +> | Microsoft.CognitiveServices/accounts/TextAnalytics/languages/action | The API returns the detected language and a numeric score between 0 and 1. Scores close to 1 indicate 100% certainty that the identified language is true. A total of 120 languages are supported. | +> | Microsoft.CognitiveServices/accounts/TextAnalytics/entities/action | The API returns a list of known entities and general named entities (\"Person\", \"Location\", \"Organization\" etc) in a given document. 
| +> | Microsoft.CognitiveServices/accounts/TextAnalytics/keyphrases/action | The API returns a list of strings denoting the key talking points in the input text. | +> | Microsoft.CognitiveServices/accounts/TextAnalytics/sentiment/action | The API returns a numeric score between 0 and 1.<br>Scores close to 1 indicate positive sentiment, while scores close to 0 indicate negative sentiment.<br>A score of 0.5 indicates the lack of sentiment (e.g.<br>a factoid statement). | +> | Microsoft.CognitiveServices/accounts/TextAnalytics/analyze/action | Submit a collection of text documents for analysis. Specify one or more unique tasks to be executed. | +> | Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/action | QnA Maker | +> | Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/generateanswer/action | GenerateAnswer call to query over the given passage or documents | +> | Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/alterations/read | Download alterations from runtime. | +> | Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/alterations/write | Replace alterations data. | +> | Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/endpointkeys/read | Gets endpoint keys for an endpoint | +> | Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/endpointkeys/refreshkeys/action | Re-generates an endpoint key. | +> | Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/endpointsettings/read | Gets endpoint settings for an endpoint | +> | Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/endpointsettings/write | Update endpoint seettings for an endpoint. | +> | Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/knowledgebases/publish/action | Publishes all changes in test index of a knowledgebase to its prod index. | +> | Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/knowledgebases/delete | Deletes the knowledgebase and all its data. 
| +> | Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. | +> | Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/knowledgebases/write | Asynchronous operation to modify a knowledgebase or Replace knowledgebase contents. | +> | Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. | +> | Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/knowledgebases/train/action | Train call to add suggestions to the knowledgebase. | +> | Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/knowledgebases/create/write | Asynchronous operation to create a new knowledgebase. | +> | Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/knowledgebases/download/read | Download the knowledgebase. | +> | Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/operations/read | Gets details of a specific long running operation. | +> | Microsoft.CognitiveServices/accounts/TextTranslation/document:translate/action | API to translate a document. | +> | Microsoft.CognitiveServices/accounts/TextTranslation/detect/action | Identifies the language of a piece of text. | +> | Microsoft.CognitiveServices/accounts/TextTranslation/breaksentence/action | Identifies the positioning of sentence boundaries in a piece of text. | +> | Microsoft.CognitiveServices/accounts/TextTranslation/translate/action | Translates text. | +> | Microsoft.CognitiveServices/accounts/TextTranslation/transliterate/action | Converts text in one language from one script to another script. | +> | Microsoft.CognitiveServices/accounts/TextTranslation/batches/delete | Cancel a currently processing or queued document translation request. 
| +> | Microsoft.CognitiveServices/accounts/TextTranslation/batches/read | Get the status of a specific document translation request based on its Id or get the status of all the document translation requests submitted | +> | Microsoft.CognitiveServices/accounts/TextTranslation/batches/write | Submit a bulk (batch) translation request to the Document Translation service. | +> | Microsoft.CognitiveServices/accounts/TextTranslation/batches/documents/read | Get the translation status for a specific document based on the request Id and document Id or get the status for all documents in a document translation request. | +> | Microsoft.CognitiveServices/accounts/TextTranslation/dictionary/examples/action | Provides examples that show how terms in the dictionary are used in context. This operation is used in tandem with Dictionary lookup. | +> | Microsoft.CognitiveServices/accounts/TextTranslation/dictionary/lookup/action | Provides alternative translations for a word and a small number of idiomatic phrases.<br>Each translation has a part-of-speech and a list of back-translations.<br>The back-translations enable a user to understand the translation in context.<br>The Dictionary Example operation allows further drill down to see example uses of each translation pair. | +> | Microsoft.CognitiveServices/accounts/TextTranslation/documents/formats/read | List document formats supported by the Document Translation service. | +> | Microsoft.CognitiveServices/accounts/TextTranslation/glossaries/formats/read | List glossary formats supported by the Document Translation service. | +> | Microsoft.CognitiveServices/accounts/TextTranslation/languages/read | Gets the set of languages currently supported by other operations of the Translator Text API. | +> | Microsoft.CognitiveServices/accounts/TextTranslation/storagesources/read | List storage sources/options supported by the Document Translation service. 
| +> | Microsoft.CognitiveServices/accounts/VideoSearch/trending/action | Get currently trending videos. | +> | Microsoft.CognitiveServices/accounts/VideoSearch/details/action | Get insights about a video, such as related videos. | +> | Microsoft.CognitiveServices/accounts/VideoSearch/search/action | Get videos relevant for a given query. | +> | Microsoft.CognitiveServices/accounts/VideoTranslation/Metadata/read | Query video translation metadata. | +> | Microsoft.CognitiveServices/accounts/VideoTranslation/Translations/write | Create or update video files. | +> | Microsoft.CognitiveServices/accounts/VideoTranslation/Translations/read | Read video files. | +> | Microsoft.CognitiveServices/accounts/VideoTranslation/Translations/write | Create or update video files. | +> | Microsoft.CognitiveServices/accounts/VideoTranslation/VideoFiles/write | Create or update video files. | +> | Microsoft.CognitiveServices/accounts/VideoTranslation/VideoFiles/read | Read video files. | +> | Microsoft.CognitiveServices/accounts/VideoTranslation/VideoFiles/delete | Delete video files. | +> | Microsoft.CognitiveServices/accounts/VideoTranslation/VideoFileTargetLocale/delete | Delete target locale. | +> | Microsoft.CognitiveServices/accounts/VideoTranslation/WebVttFiles/read | Read webvtt files. | +> | Microsoft.CognitiveServices/accounts/VideoTranslation/WebVttFiles/write | Create or update webvtt files. | +> | Microsoft.CognitiveServices/accounts/VisualSearch/search/action | Returns a list of tags relevant to the provided image | +> | Microsoft.CognitiveServices/accounts/WebSearch/search/action | Get web, image, news, & videos results for a given query. 
| ++## Microsoft.MachineLearning ++Azure service: [Machine Learning Studio (classic)](/azure/machine-learning/classic/) +++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.MachineLearning/register/action | Registers the subscription for the machine learning web service resource provider and enables the creation of web services. | +> | Microsoft.MachineLearning/webServices/action | Create regional Web Service Properties for supported regions | +> | Microsoft.MachineLearning/commitmentPlans/read | Read any Machine Learning Commitment Plan | +> | Microsoft.MachineLearning/commitmentPlans/write | Create or Update any Machine Learning Commitment Plan | +> | Microsoft.MachineLearning/commitmentPlans/delete | Delete any Machine Learning Commitment Plan | +> | Microsoft.MachineLearning/commitmentPlans/join/action | Join any Machine Learning Commitment Plan | +> | Microsoft.MachineLearning/commitmentPlans/commitmentAssociations/read | Read any Machine Learning Commitment Plan Association | +> | Microsoft.MachineLearning/commitmentPlans/commitmentAssociations/move/action | Move any Machine Learning Commitment Plan Association | +> | Microsoft.MachineLearning/locations/operationresults/read | Get result of a Machine Learning Operation | +> | Microsoft.MachineLearning/locations/operationsstatus/read | Get status of an ongoing Machine Learning Operation | +> | Microsoft.MachineLearning/operations/read | Get Machine Learning Operations | +> | Microsoft.MachineLearning/skus/read | Get Machine Learning Commitment Plan SKUs | +> | Microsoft.MachineLearning/webServices/read | Read any Machine Learning Web Service | +> | Microsoft.MachineLearning/webServices/write | Create or Update any Machine Learning Web Service | +> | Microsoft.MachineLearning/webServices/delete | Delete any Machine Learning Web Service | +> | Microsoft.MachineLearning/webServices/listkeys/read | Get keys to a Machine Learning Web Service | +> | 
Microsoft.MachineLearning/Workspaces/read | Read any Machine Learning Workspace | +> | Microsoft.MachineLearning/Workspaces/write | Create or Update any Machine Learning Workspace | +> | Microsoft.MachineLearning/Workspaces/delete | Delete any Machine Learning Workspace | +> | Microsoft.MachineLearning/Workspaces/listworkspacekeys/action | List keys for a Machine Learning Workspace | +> | Microsoft.MachineLearning/Workspaces/resyncstoragekeys/action | Resync keys of storage account configured for a Machine Learning Workspace | ++## Microsoft.MachineLearningServices ++Azure service: [Machine Learning](/azure/machine-learning/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.MachineLearningServices/register/action | Registers the subscription for the Machine Learning Services Resource Provider | +> | Microsoft.MachineLearningServices/locations/deleteVirtualNetworkOrSubnets/action | Deleted the references to virtual networks/subnets associated with Machine Learning Service Workspaces. | +> | Microsoft.MachineLearningServices/locations/updateQuotas/action | Update quota for each VM family at a subscription or a workspace level. | +> | Microsoft.MachineLearningServices/locations/computeoperationsstatus/read | Gets the status of a particular compute operation | +> | Microsoft.MachineLearningServices/locations/mfeOperationResults/read | Gets the result of a particular MFE operation | +> | Microsoft.MachineLearningServices/locations/mfeOperationsStatus/read | Gets the status of a particular MFE operation | +> | Microsoft.MachineLearningServices/locations/quotas/read | Gets the currently assigned Workspace Quotas based on VMFamily. 
| +> | Microsoft.MachineLearningServices/locations/usages/read | Usage report for aml compute resources in a subscription | +> | Microsoft.MachineLearningServices/locations/vmsizes/read | Get supported vm sizes | +> | Microsoft.MachineLearningServices/locations/workspaceOperationsStatus/read | Gets the status of a particular workspace operation | +> | Microsoft.MachineLearningServices/operations/read | Get all the operations for the Machine Learning Services Resource Provider | +> | Microsoft.MachineLearningServices/registries/read | Gets the Machine Learning Services registry(ies) | +> | Microsoft.MachineLearningServices/registries/write | Creates or updates the Machine Learning Services registry(ies) | +> | Microsoft.MachineLearningServices/registries/delete | Deletes the Machine Learning Services registry(ies) | +> | Microsoft.MachineLearningServices/registries/privateEndpointConnectionsApproval/action | Approve or reject a connection to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.MachineLearningServices/registries/assets/read | Reads assets in Machine Learning Services registry(ies) | +> | Microsoft.MachineLearningServices/registries/assets/write | Creates or updates assets in Machine Learning Services registry(ies) | +> | Microsoft.MachineLearningServices/registries/assets/delete | Deletes assets in Machine Learning Services registry(ies) | +> | Microsoft.MachineLearningServices/registries/assets/stage/write | Updates the stage on a Machine Learning Services registry asset | +> | Microsoft.MachineLearningServices/registries/checkNameAvailability/read | Checks name for Machine Learning Services registry(ies) | +> | Microsoft.MachineLearningServices/registries/connections/read | Gets the Machine Learning Services registry(ies) connection(s) | +> | Microsoft.MachineLearningServices/registries/connections/write | Creates or updates the Machine Learning Services registry(ies) connection(s) | +> | 
Microsoft.MachineLearningServices/registries/connections/delete | Deletes the Machine Learning Services registry(ies) registry(ies) connection(s) | +> | Microsoft.MachineLearningServices/registries/privateEndpointConnectionProxies/read | View the state of a connection proxy to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.MachineLearningServices/registries/privateEndpointConnectionProxies/write | Change the state of a connection proxy to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.MachineLearningServices/registries/privateEndpointConnectionProxies/delete | Delete a connection proxy to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.MachineLearningServices/registries/privateEndpointConnectionProxies/validate/action | Validate a connection proxy to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.MachineLearningServices/registries/privateEndpointConnections/read | View the state of a connection to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.MachineLearningServices/registries/privateEndpointConnections/write | Change the state of a connection to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.MachineLearningServices/registries/privateEndpointConnections/delete | Delete a connection to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.MachineLearningServices/registries/privateLinkResources/read | Gets the available private link resources for the specified instance of the Machine Learning Services registry(ies) | +> | Microsoft.MachineLearningServices/virtualclusters/read | Gets the Machine Learning Services Virtual Cluster(s) | +> | Microsoft.MachineLearningServices/virtualclusters/write | Creates or updates a Machine Learning Services Virtual Cluster(s) | +> | Microsoft.MachineLearningServices/virtualclusters/delete | Deletes the Machine Learning Services Virtual Cluster(s) | 
+> | Microsoft.MachineLearningServices/virtualclusters/jobs/submit/action | Submit job to a Machine Learning Services Virtual Cluster | +> | Microsoft.MachineLearningServices/workspaces/checkComputeNameAvailability/action | Checks name for compute in batch endpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/read | Gets the Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/write | Creates or updates a Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/delete | Deletes the Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/listKeys/action | List secrets for a Machine Learning Services Workspace | +> | Microsoft.MachineLearningServices/workspaces/resynckeys/action | Resync secrets for a Machine Learning Services Workspace | +> | Microsoft.MachineLearningServices/workspaces/listStorageAccountKeys/action | List Storage Account keys for a Machine Learning Services Workspace | +> | Microsoft.MachineLearningServices/workspaces/provisionManagedNetwork/action | Provision the managed network of Machine Learning Services Workspace | +> | Microsoft.MachineLearningServices/workspaces/privateEndpointConnectionsApproval/action | Approve or reject a connection to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.MachineLearningServices/workspaces/featuresets/action | Allows action on the Machine Learning Services FeatureSet(s) | +> | Microsoft.MachineLearningServices/workspaces/featurestoreentities/action | Allows action on the Machine Learning Services FeatureEntity(s) | +> | Microsoft.MachineLearningServices/workspaces/assets/stage/write | Updates the stage on a Machine Learning Services workspace asset | +> | Microsoft.MachineLearningServices/workspaces/batchEndpoints/read | Gets batch inference endpoints in Machine Learning Services Workspace(s) | +> | 
Microsoft.MachineLearningServices/workspaces/batchEndpoints/write | Creates or updates batch inference endpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/batchEndpoints/delete | Deletes batch inference endpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/batchEndpoints/listKeys/action | Lists keys for batch inference endpoints in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/batchEndpoints/checkNameAvailability/read | Checks name for batch inference endpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/batchEndpoints/deployments/read | Gets deployments in batch inference endpoints in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/batchEndpoints/deployments/write | Creates or updates deployments in batch inference endpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/batchEndpoints/deployments/delete | Deletes deployments in batch inference endpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/batchEndpoints/deployments/checkNameAvailability/read | Checks name for deployment in batch inference endpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/batchEndpoints/deployments/jobs/read | Reads job in batch inference deployment in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/batchEndpoints/deployments/jobs/write | Creates or updates job in batch inference deployment in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/batchEndpoints/deployments/jobs/delete | Deletes job in batch inference deployment in Machine Learning Services Workspace(s) | +> | 
Microsoft.MachineLearningServices/workspaces/batchEndpoints/jobs/read | Reads job in batch inference endpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/batchEndpoints/jobs/write | Creates or updates job in batch inference endpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/batchEndpoints/jobs/delete | Deletes job in batch inference endpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/codes/read | Reads Code in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/codes/write | Create or Update Code in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/codes/delete | Deletes Code in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/codes/versions/read | Reads Code Versions in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/codes/versions/write | Create or Update Code Versions in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/codes/versions/delete | Deletes Code Versions in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/components/read | Gets component in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/components/write | Creates or updates component in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/components/delete | Deletes component in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/components/versions/read | Gets component version in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/components/versions/write | Creates or updates component version in Machine Learning Services Workspace(s) | +> | 
Microsoft.MachineLearningServices/workspaces/components/versions/delete | Deletes component version in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/computes/read | Gets the compute resources in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/computes/write | Creates or updates the compute resources in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/computes/delete | Deletes the compute resources in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/computes/listKeys/action | List secrets for compute resources in Machine Learning Services Workspace | +> | Microsoft.MachineLearningServices/workspaces/computes/listNodes/action | List nodes for compute resource in Machine Learning Services Workspace | +> | Microsoft.MachineLearningServices/workspaces/computes/start/action | Start compute resource in Machine Learning Services Workspace | +> | Microsoft.MachineLearningServices/workspaces/computes/stop/action | Stop compute resource in Machine Learning Services Workspace | +> | Microsoft.MachineLearningServices/workspaces/computes/restart/action | Restart compute resource in Machine Learning Services Workspace | +> | Microsoft.MachineLearningServices/workspaces/computes/updateDataMounts/action | Update compute data mounts in Machine Learning Services Workspace | +> | Microsoft.MachineLearningServices/workspaces/computes/updateIdleShutdownSetting/action | Update compute idle shutdown settings in Machine Learning Services Workspace | +> | Microsoft.MachineLearningServices/workspaces/computes/applicationaccess/action | Access compute resource in Machine Learning Services Workspace | +> | Microsoft.MachineLearningServices/workspaces/computes/updateSchedules/action | Edit compute start/stop schedules | +> | Microsoft.MachineLearningServices/workspaces/computes/applicationaccessuilinks/action | Enable compute 
instance UI links | +> | Microsoft.MachineLearningServices/workspaces/computes/reimage/action | Reimages compute resource in Machine Learning Services Workspace | +> | Microsoft.MachineLearningServices/workspaces/connections/read | Gets the Machine Learning Services Workspace connection(s) | +> | Microsoft.MachineLearningServices/workspaces/connections/write | Creates or updates a Machine Learning Services connection(s) | +> | Microsoft.MachineLearningServices/workspaces/connections/delete | Deletes the Machine Learning Services connection(s) | +> | Microsoft.MachineLearningServices/workspaces/connections/listsecrets/action | Gets the Machine Learning Services connection with secret values | +> | Microsoft.MachineLearningServices/workspaces/data/read | Reads Data container in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/data/write | Writes Data container in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/data/delete | Deletes Data container in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/data/versions/read | Reads Data Versions in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/data/versions/write | Create or Update Data Versions in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/data/versions/delete | Deletes Data Versions in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datadriftdetectors/read | Gets data drift detectors in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datadriftdetectors/write | Creates or updates data drift detectors in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datadriftdetectors/delete | Deletes data drift detectors in Machine Learning Services Workspace(s) | +> | 
Microsoft.MachineLearningServices/workspaces/datasets/read | Gets dataset in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datasets/write | Creates or updates dataset in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datasets/delete | Deletes dataset in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datasets/registered/read | Gets registered datasets in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datasets/registered/write | Creates or updates registered datasets in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datasets/registered/delete | Deletes registered datasets in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datasets/registered/preview/read | Gets dataset preview for registered datasets in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datasets/registered/profile/read | Gets dataset profiles for registered datasets in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datasets/registered/profile/write | Creates or updates dataset profiles for registered datasets in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datasets/registered/schema/read | Gets dataset schema for registered datasets in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datasets/unregistered/read | Gets unregistered datasets in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datasets/unregistered/write | Creates or updates unregistered datasets in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datasets/unregistered/delete | Deletes unregistered datasets in Machine Learning 
Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datasets/unregistered/preview/read | Gets dataset preview for unregistered datasets in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datasets/unregistered/profile/read | Gets dataset profiles for unregistered datasets in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datasets/unregistered/profile/write | Creates or updates dataset profiles for unregistered datasets in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datasets/unregistered/schema/read | Gets dataset schema for unregistered datasets in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datasets/versions/read | Gets dataset version in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datasets/versions/write | Creates or updates dataset version in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datasets/versions/delete | Deletes dataset version in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datastores/read | Gets datastores in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datastores/write | Creates or updates datastores in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datastores/delete | Deletes datastores in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/datastores/listsecrets/action | Lists datastore secrets in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/diagnose/read | Diagnose setup problems of Machine Learning Services Workspace | +> | Microsoft.MachineLearningServices/workspaces/endpoints/read | Gets the Machine Learning Services endpoint | +> | 
Microsoft.MachineLearningServices/workspaces/endpoints/write | Creates or Updates the Machine Learning Services endpoint | +> | Microsoft.MachineLearningServices/workspaces/endpoints/delete | Deletes the Machine Learning Services endpoint | +> | Microsoft.MachineLearningServices/workspaces/endpoints/listkeys/action | Lists keys for the Machine Learning Services endpoint | +> | Microsoft.MachineLearningServices/workspaces/endpoints/deployments/read | Gets the Machine Learning Services Endpoint deployment | +> | Microsoft.MachineLearningServices/workspaces/endpoints/deployments/write | Creates or Updates the Machine Learning Services Endpoint deployment | +> | Microsoft.MachineLearningServices/workspaces/endpoints/deployments/delete | Deletes the Machine Learning Services Endpoint deployment | +> | Microsoft.MachineLearningServices/workspaces/endpoints/deployments/modelmonitorings/read | Gets model monitor for specific deployment on an online enpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/endpoints/deployments/modelmonitorings/write | Creates or updates model monitor detectors for specific deployment on an online enpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/endpoints/deployments/modelmonitorings/delete | Deletes data model monitor for specific deployment on an online enpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/endpoints/models/read | Gets the Machine Learning Services Endpoint model | +> | Microsoft.MachineLearningServices/workspaces/endpoints/pipelines/read | Gets published pipelines and pipeline endpoints in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/endpoints/pipelines/write | Creates or updates published pipelines and pipeline endpoints in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/environments/read | 
Gets environments in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/environments/readSecrets/action | Gets environments with secrets in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/environments/write | Creates or updates environments in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/environments/build/action | Builds environments in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/environments/versions/read | Gets environment version in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/environments/versions/write | Creates or updates environment versions in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/environments/versions/delete | Delete environment version in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/eventGridFilters/read | Get an Event Grid filter for a particular workspace | +> | Microsoft.MachineLearningServices/workspaces/eventGridFilters/write | Create or update an Event Grid filter for a particular workspace | +> | Microsoft.MachineLearningServices/workspaces/eventGridFilters/delete | Delete an Event Grid filter for a particular workspace | +> | Microsoft.MachineLearningServices/workspaces/experiments/read | Gets experiments in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/experiments/write | Creates or updates experiments in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/experiments/delete | Deletes experiments in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/experiments/runs/submit/action | Creates or updates script runs in Machine Learning Services Workspace(s) | +> | 
Microsoft.MachineLearningServices/workspaces/experiments/runs/read | Gets runs in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/experiments/runs/write | Creates or updates runs in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/experiments/runs/delete | Deletes runs in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/features/read | Gets all enabled features for a Machine Learning Services Workspace | +> | Microsoft.MachineLearningServices/workspaces/featuresets/read | Gets the Machine Learning Services FeatureSet(s) | +> | Microsoft.MachineLearningServices/workspaces/featuresets/write | Creates or Updates the Machine Learning Services FeatureSet(s) | +> | Microsoft.MachineLearningServices/workspaces/featuresets/delete | Delete the Machine Learning Services FeatureSet(s) | +> | Microsoft.MachineLearningServices/workspaces/featurestoreentities/read | Gets the Machine Learning Services FeatureEntity(s) | +> | Microsoft.MachineLearningServices/workspaces/featurestoreentities/write | Creates or Updates the Machine Learning Services FeatureEntity(s) | +> | Microsoft.MachineLearningServices/workspaces/featurestoreentities/delete | Delete the Machine Learning Services FeatureEntity(s) | +> | Microsoft.MachineLearningServices/workspaces/featurestores/read | Gets the Machine Learning Services FeatureStore(s) | +> | Microsoft.MachineLearningServices/workspaces/featurestores/write | Creates or Updates the Machine Learning Services FeatureStore(s) | +> | Microsoft.MachineLearningServices/workspaces/featurestores/delete | Deletes the Machine Learning Services FeatureStore(s) | +> | Microsoft.MachineLearningServices/workspaces/hubs/read | Gets the Machine Learning Services Hub Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/hubs/write | Creates or updates a Machine Learning Services Hub Workspace(s) | +> | 
Microsoft.MachineLearningServices/workspaces/hubs/delete | Deletes the Machine Learning Services Hub Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/hubs/join/action | Join the Machine Learning Services Hub Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/hubs/policies/read | Gets the Machine Learning Services Hub policies | +> | Microsoft.MachineLearningServices/workspaces/hubs/policies/delete | Deletes the Machine Learning Services Hub policies | +> | Microsoft.MachineLearningServices/workspaces/hubs/policies/write | Creates or Updates the Machine Learning Services Hub policies | +> | Microsoft.MachineLearningServices/workspaces/jobs/read | Reads Jobs in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/jobs/write | Create or Update Jobs in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/jobs/delete | Deletes Jobs in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/jobs/cancel/action | Cancel Jobs in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/jobs/operationresults/read | Reads Jobs in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/labeling/export/action | Export labels of labeling projects in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/labeling/labelimport/action | Import labels into labeling projects in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/labeling/labels/read | Gets labels of labeling projects in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/labeling/labels/write | Creates labels of labeling projects in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/labeling/labels/reject/action | Reject labels of labeling projects in Machine 
Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/labeling/labels/delete | Deletes labels of labeling project in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/labeling/labels/update/action | Updates labels of labeling project in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/labeling/labels/approve_unapprove/action | Approve or unapprove labels of labeling project in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/labeling/projects/read | Gets labeling project in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/labeling/projects/write | Creates or updates labeling project in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/labeling/projects/delete | Deletes labeling project in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/labeling/projects/summary/read | Gets labeling project summary in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/linkedServices/read | Gets all linked services for a Machine Learning Services Workspace | +> | Microsoft.MachineLearningServices/workspaces/linkedServices/write | Create or Update Machine Learning Services Workspace Linked Service(s) | +> | Microsoft.MachineLearningServices/workspaces/linkedServices/delete | Delete Machine Learning Services Workspace Linked Service(s) | +> | Microsoft.MachineLearningServices/workspaces/listNotebookAccessToken/read | List Azure Notebook Access Token for a Machine Learning Services Workspace | +> | Microsoft.MachineLearningServices/workspaces/listNotebookKeys/read | List Azure Notebook keys for a Machine Learning Services Workspace | +> | Microsoft.MachineLearningServices/workspaces/managedstorages/claim/read | Get my claims on data | +> | 
Microsoft.MachineLearningServices/workspaces/managedstorages/claim/write | Update my claims on data | +> | Microsoft.MachineLearningServices/workspaces/managedstorages/quota/read | Get my data quota usage | +> | Microsoft.MachineLearningServices/workspaces/metadata/artifacts/read | Gets artifacts in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/metadata/artifacts/write | Creates or updates artifacts in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/metadata/artifacts/delete | Deletes artifacts in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/metadata/secrets/read | Gets secrets in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/metadata/secrets/write | Creates or updates secrets in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/metadata/secrets/delete | Deletes secrets in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/metadata/snapshots/read | Gets snapshots in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/metadata/snapshots/write | Creates or updates snapshots in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/metadata/snapshots/delete | Deletes snapshots in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/metrics/resource/write | Creates resource metrics in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/models/read | Gets models in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/models/write | Creates or updates models in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/models/delete | Deletes models in Machine Learning Services Workspace(s) | +> | 
Microsoft.MachineLearningServices/workspaces/models/package/action | Packages models in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/models/versions/read | Reads Model Versions in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/models/versions/write | Create or Update Model Versions in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/models/versions/delete | Deletes Model Versions in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/modules/read | Gets modules in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/modules/write | Creates or updates module in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/notebooks/samples/read | Gets the sample notebooks | +> | Microsoft.MachineLearningServices/workspaces/notebooks/storage/read | Gets the notebook files for a workspace | +> | Microsoft.MachineLearningServices/workspaces/notebooks/storage/write | Writes files to the workspace storage | +> | Microsoft.MachineLearningServices/workspaces/notebooks/storage/delete | Deletes files from workspace storage | +> | Microsoft.MachineLearningServices/workspaces/notebooks/storage/upload/action | Upload files to workspace storage | +> | Microsoft.MachineLearningServices/workspaces/notebooks/storage/download/action | Download files from workspace storage | +> | Microsoft.MachineLearningServices/workspaces/notebooks/vm/read | Gets the Notebook VMs for a particular workspace | +> | Microsoft.MachineLearningServices/workspaces/notebooks/vm/write | Change the state of a Notebook VM | +> | Microsoft.MachineLearningServices/workspaces/notebooks/vm/delete | Deletes a Notebook VM | +> | Microsoft.MachineLearningServices/workspaces/onlineEndpoints/read | Gets online inference endpoints in Machine Learning Services Workspace(s) | +> | 
Microsoft.MachineLearningServices/workspaces/onlineEndpoints/write | Creates or updates an online inference endpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/onlineEndpoints/delete | Deletes an online inference endpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/onlineendpoints/regeneratekeys/action | Regenerate Keys action for Online Endpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/onlineEndpoints/score/action | Score Online Endpoints in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/onlineendpoints/token/action | Retrieve auth token to score Online Endpoints in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/onlineendpoints/listkeys/action | Retrieve auth keys to score Online Endpoints in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/onlineEndpoints/checkNameAvailability/read | Checks name for an online inference endpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/onlineEndpoints/deployments/read | Gets deployments in an online inference endpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/onlineendpoints/deployments/getlogs/action | Gets deployments Logs in an online inference endpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/onlineEndpoints/deployments/write | Creates or updates deployment in an online inference endpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/onlineEndpoints/deployments/delete | Deletes a deployment in an online inference endpoint in Machine Learning Services Workspace(s) | +> | 
Microsoft.MachineLearningServices/workspaces/onlineEndpoints/deployments/checkNameAvailability/read | Checks name for deployment in online inference endpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/onlineendpoints/deployments/operationresults/read | Gets deployments operation Result in an online inference endpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/onlineendpoints/deployments/operationsstatus/read | Gets deployments Operations Status in an online inference endpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/onlineEndpoints/deployments/skus/read | Gets scale sku settings for a deployment in an online inference endpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/onlineendpoints/operationresults/read | Checks Online Endpoint Operation Result for an online inference endpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/onlineendpoints/operationsstatus/read | Checks Online Endpoint Operation Status for an online inference endpoint in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/outboundNetworkDependenciesEndpoints/read | Read all external outbound dependencies (FQDNs) programmatically | +> | Microsoft.MachineLearningServices/workspaces/pipelinedrafts/read | Gets pipeline drafts in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/pipelinedrafts/write | Creates or updates pipeline drafts in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/pipelinedrafts/delete | Deletes pipeline drafts in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/privateEndpointConnectionProxies/read | View the state of a connection proxy to a Private Endpoint resource 
of Microsoft.Network provider | +> | Microsoft.MachineLearningServices/workspaces/privateEndpointConnectionProxies/write | Change the state of a connection proxy to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.MachineLearningServices/workspaces/privateEndpointConnectionProxies/delete | Delete a connection proxy to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.MachineLearningServices/workspaces/privateEndpointConnectionProxies/validate/action | Validate a connection proxy to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/read | View the state of a connection to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/write | Change the state of a connection to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/delete | Delete a connection to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.MachineLearningServices/workspaces/privateLinkResources/read | Gets the available private link resources for the specified instance of the Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.MachineLearningServices/workspaces/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.MachineLearningServices/workspaces/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for Azure machine learning workspaces | +> | Microsoft.MachineLearningServices/workspaces/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Azure machine learning workspaces | +> | 
Microsoft.MachineLearningServices/workspaces/reports/read | Gets custom reports in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/reports/write | Creates or updates custom reports in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/reports/delete | Deletes custom reports in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/schedules/read | Gets schedule in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/schedules/write | Creates or updates schedule in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/schedules/delete | Deletes schedule in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/serverlessEndpoints/read | Gets the Machine Learning Service Workspaces Serverless Endpoint(s) | +> | Microsoft.MachineLearningServices/workspaces/serverlessEndpoints/write | Creates or Updates the Machine Learning Service Workspaces Serverless Endpoint(s) | +> | Microsoft.MachineLearningServices/workspaces/serverlessEndpoints/delete | Deletes the Machine Learning Service Workspaces Serverless Endpoint(s) | +> | Microsoft.MachineLearningServices/workspaces/serverlessEndpoints/listKeys/action | Lists the keys for the Machine Learning Service Workspaces Serverless Endpoint(s) | +> | Microsoft.MachineLearningServices/workspaces/serverlessEndpoints/regenerateKeys/action | Regenerates the keys for the Machine Learning Service Workspaces Serverless Endpoint(s) | +> | Microsoft.MachineLearningServices/workspaces/services/read | Gets services in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/services/aci/write | Creates or updates ACI services in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/services/aci/listkeys/action | Lists keys for ACI services in 
Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/services/aci/delete | Deletes ACI services in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/services/aks/write | Creates or updates AKS services in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/services/aks/listkeys/action | Lists keys for AKS services in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/services/aks/delete | Deletes AKS services in Machine Learning Services Workspace(s) | +> | Microsoft.MachineLearningServices/workspaces/services/aks/score/action | Retrieve auth token or keys to score AKS services in Machine Learning Services Workspace(s) | ++## Next steps ++- [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types) |
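Review bot: several entries in the Microsoft.MachineLearningServices table return credentials even though their names end in `/read`, and the page should say so where it describes using these permissions in custom roles. `workspaces/listNotebookKeys/read` ("List Azure Notebook keys"), `workspaces/listNotebookAccessToken/read` ("List Azure Notebook Access Token") and `workspaces/metadata/secrets/read` ("Gets secrets") are all matched by a `Microsoft.MachineLearningServices/workspaces/*/read` wildcard, so a reader-style custom role built from that wildcard silently includes secret retrieval. Consider a short note above the table recommending an explicit `Actions` list (or `NotActions` entries for these three) when the intent is read-only monitoring, and listing the other key-returning operations in this table that a least-privilege role should omit: `environments/readSecrets/action`, `onlineendpoints/listkeys/action`, `onlineendpoints/token/action`, `serverlessEndpoints/listKeys/action`, and the `services/aci/listkeys/action` and `services/aks/listkeys/action` entries.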
role-based-access-control | Analytics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/analytics.md | + + Title: Azure permissions for Analytics - Azure RBAC +description: Lists the permissions for the Azure resource providers in the Analytics category. +++++ Last updated : 02/07/2024++++# Azure permissions for Analytics ++This article lists the permissions for the Azure resource providers in the Analytics category. You can use these permissions in your own [Azure custom roles](/azure/role-based-access-control/custom-roles) to provide granular access control to resources in Azure. Permission strings have the following format: `{Company}.{ProviderName}/{resourceType}/{action}` +++## Microsoft.AnalysisServices ++Azure service: [Azure Analysis Services](/azure/analysis-services/index) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.AnalysisServices/register/action | Registers Analysis Services resource provider. | +> | Microsoft.AnalysisServices/locations/checkNameAvailability/action | Checks that given Analysis Server name is valid and not in use. | +> | Microsoft.AnalysisServices/locations/operationresults/read | Retrieves the information of the specified operation result. | +> | Microsoft.AnalysisServices/locations/operationstatuses/read | Retrieves the information of the specified operation status. | +> | Microsoft.AnalysisServices/operations/read | Retrieves the information of operations | +> | Microsoft.AnalysisServices/servers/read | Retrieves the information of the specified Analysis Server. | +> | Microsoft.AnalysisServices/servers/write | Creates or updates the specified Analysis Server. | +> | Microsoft.AnalysisServices/servers/delete | Deletes the Analysis Server. | +> | Microsoft.AnalysisServices/servers/suspend/action | Suspends the Analysis Server. | +> | Microsoft.AnalysisServices/servers/resume/action | Resumes the Analysis Server. 
| +> | Microsoft.AnalysisServices/servers/listGatewayStatus/action | List the status of the gateway associated with the server. | +> | Microsoft.AnalysisServices/servers/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for Analysis Server | +> | Microsoft.AnalysisServices/servers/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for Analysis Server | +> | Microsoft.AnalysisServices/servers/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for servers | +> | Microsoft.AnalysisServices/servers/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Analysis Server | +> | Microsoft.AnalysisServices/servers/skus/read | Retrieve available SKU information for the server | +> | Microsoft.AnalysisServices/skus/read | Retrieves the information of Skus | ++## Microsoft.Databricks ++Azure service: [Azure Databricks](/azure/databricks/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Databricks/register/action | Register to Databricks. | +> | Microsoft.Databricks/accessConnectors/read | Retrieves a list of Azure Databricks Access Connectors | +> | Microsoft.Databricks/accessConnectors/write | Creates an Azure Databricks Access Connector | +> | Microsoft.Databricks/accessConnectors/delete | Removes Azure Databricks Access Connector | +> | Microsoft.Databricks/locations/getNetworkPolicies/action | Get Network Intent Polices for a subnet based on the location used by NRP | +> | Microsoft.Databricks/locations/operationstatuses/read | Reads the operation status for the resource. | +> | Microsoft.Databricks/operations/read | Gets the list of operations. | +> | Microsoft.Databricks/workspaces/read | Retrieves a list of Databricks workspaces. | +> | Microsoft.Databricks/workspaces/write | Creates a Databricks workspace. | +> | Microsoft.Databricks/workspaces/delete | Removes a Databricks workspace. 
| +> | Microsoft.Databricks/workspaces/refreshPermissions/action | Refresh permissions for a workspace | +> | Microsoft.Databricks/workspaces/migratePrivateLinkWorkspaces/action | Applies new Network Intent Policy templates based on 'requiredNsgRules' and 'enablePublicAccess' | +> | Microsoft.Databricks/workspaces/updateDenyAssignment/action | Update deny assignment not actions for a managed resource group of a workspace | +> | Microsoft.Databricks/workspaces/refreshWorkspaces/action | Refresh a workspace with new details like URL | +> | Microsoft.Databricks/workspaces/privateEndpointConnectionsApproval/action | Approve or reject a connection to a Private Endpoint resource. | +> | Microsoft.Databricks/workspaces/dbWorkspaces/write | Initializes the Databricks workspace (internal only) | +> | Microsoft.Databricks/workspaces/outboundNetworkDependenciesEndpoints/read | Gets a list of egress endpoints (network endpoints of all outbound dependencies) for an Azure Databricks Workspace. The operation returns properties of each egress endpoint | +> | Microsoft.Databricks/workspaces/privateEndpointConnectionProxies/read | Get Private Endpoint Connection Proxy | +> | Microsoft.Databricks/workspaces/privateEndpointConnectionProxies/validate/action | Validate Private Endpoint Connection Proxies | +> | Microsoft.Databricks/workspaces/privateEndpointConnectionProxies/write | Put Private Endpoint Connection Proxies | +> | Microsoft.Databricks/workspaces/privateEndpointConnectionProxies/delete | Delete Private Endpoint Connection Proxies | +> | Microsoft.Databricks/workspaces/privateEndpointConnections/read | List Private Endpoint Connections | +> | Microsoft.Databricks/workspaces/privateEndpointConnections/write | Approve Private Endpoint Connections | +> | Microsoft.Databricks/workspaces/privateEndpointConnections/delete | Remove Private Endpoint Connection | +> | Microsoft.Databricks/workspaces/privateLinkResources/read | List Private Link Resources | +> | 
Microsoft.Databricks/workspaces/providers/Microsoft.Insights/diagnosticSettings/read | Sets the available diagnostic settings for the Databricks workspace | +> | Microsoft.Databricks/workspaces/providers/Microsoft.Insights/diagnosticSettings/write | Add or modify diagnostics settings. | +> | Microsoft.Databricks/workspaces/providers/Microsoft.Insights/logDefinitions/read | Gets the available log definitions for the Databricks workspace | +> | Microsoft.Databricks/workspaces/virtualNetworkPeerings/read | Gets the virtual network peering. | +> | Microsoft.Databricks/workspaces/virtualNetworkPeerings/write | Add or modify virtual network peering | +> | Microsoft.Databricks/workspaces/virtualNetworkPeerings/delete | Deletes a virtual network peering | ++## Microsoft.DataLakeAnalytics ++Azure service: [Data Lake Analytics](/azure/data-lake-analytics/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.DataLakeAnalytics/register/action | Register subscription to DataLakeAnalytics. | +> | Microsoft.DataLakeAnalytics/accounts/read | Get information about an existing DataLakeAnalytics account. | +> | Microsoft.DataLakeAnalytics/accounts/write | Create or update a DataLakeAnalytics account. | +> | Microsoft.DataLakeAnalytics/accounts/delete | Delete a DataLakeAnalytics account. | +> | Microsoft.DataLakeAnalytics/accounts/transferAnalyticsUnits/action | Transfer SystemMaxAnalyticsUnits among DataLakeAnalytics accounts. | +> | Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action | Grant permissions to cancel jobs submitted by other users. | +> | Microsoft.DataLakeAnalytics/accounts/computePolicies/read | Get information about a compute policy. | +> | Microsoft.DataLakeAnalytics/accounts/computePolicies/write | Create or update a compute policy. | +> | Microsoft.DataLakeAnalytics/accounts/computePolicies/delete | Delete a compute policy. 
| +> | Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/read | Get information about a linked DataLakeStore account of a DataLakeAnalytics account. | +> | Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/write | Create or update a linked DataLakeStore account of a DataLakeAnalytics account. | +> | Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/delete | Unlink a DataLakeStore account from a DataLakeAnalytics account. | +> | Microsoft.DataLakeAnalytics/accounts/dataLakeStoreGen2Accounts/read | Get information about a linked DataLakeStoreGen2 account of a DataLakeAnalytics account. | +> | Microsoft.DataLakeAnalytics/accounts/dataLakeStoreGen2Accounts/write | Create or update a linked DataLakeStoreGen2 account of a DataLakeAnalytics account. | +> | Microsoft.DataLakeAnalytics/accounts/dataLakeStoreGen2Accounts/delete | Unlink a DataLakeStoreGen2 account from a DataLakeAnalytics account. | +> | Microsoft.DataLakeAnalytics/accounts/firewallRules/read | Get information about a firewall rule. | +> | Microsoft.DataLakeAnalytics/accounts/firewallRules/write | Create or update a firewall rule. | +> | Microsoft.DataLakeAnalytics/accounts/firewallRules/delete | Delete a firewall rule. | +> | Microsoft.DataLakeAnalytics/accounts/operationResults/read | Get result of a DataLakeAnalytics account operation. | +> | Microsoft.DataLakeAnalytics/accounts/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostic settings for the DataLakeAnalytics account. | +> | Microsoft.DataLakeAnalytics/accounts/providers/Microsoft.Insights/diagnosticSettings/write | Create or update the diagnostic settings for the DataLakeAnalytics account. | +> | Microsoft.DataLakeAnalytics/accounts/providers/Microsoft.Insights/logDefinitions/read | Get the available logs for the DataLakeAnalytics account. | +> | Microsoft.DataLakeAnalytics/accounts/providers/Microsoft.Insights/metricDefinitions/read | Get the available metrics for the DataLakeAnalytics account. 
| +> | Microsoft.DataLakeAnalytics/accounts/storageAccounts/read | Get information about a linked Storage account of a DataLakeAnalytics account. | +> | Microsoft.DataLakeAnalytics/accounts/storageAccounts/write | Create or update a linked Storage account of a DataLakeAnalytics account. | +> | Microsoft.DataLakeAnalytics/accounts/storageAccounts/delete | Unlink a Storage account from a DataLakeAnalytics account. | +> | Microsoft.DataLakeAnalytics/accounts/storageAccounts/Containers/read | Get containers of a linked Storage account of a DataLakeAnalytics account. | +> | Microsoft.DataLakeAnalytics/accounts/storageAccounts/Containers/listSasTokens/action | List SAS tokens for storage containers of a linked Storage account of a DataLakeAnalytics account. | +> | Microsoft.DataLakeAnalytics/accounts/virtualNetworkRules/read | Get information about a virtual network rule. | +> | Microsoft.DataLakeAnalytics/accounts/virtualNetworkRules/write | Create or update a virtual network rule. | +> | Microsoft.DataLakeAnalytics/accounts/virtualNetworkRules/delete | Delete a virtual network rule. | +> | Microsoft.DataLakeAnalytics/locations/checkNameAvailability/action | Check availability of a DataLakeAnalytics account name. | +> | Microsoft.DataLakeAnalytics/locations/capability/read | Get capability information of a subscription regarding using DataLakeAnalytics. | +> | Microsoft.DataLakeAnalytics/locations/operationResults/read | Get result of a DataLakeAnalytics account operation. | +> | Microsoft.DataLakeAnalytics/locations/usages/read | Get quota usages information of a subscription regarding using DataLakeAnalytics. | +> | Microsoft.DataLakeAnalytics/operations/read | Get available operations of DataLakeAnalytics. 
| ++## Microsoft.DataLakeStore ++Azure service: [Azure Data Lake Store](/azure/storage/blobs/data-lake-storage-introduction) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.DataLakeStore/register/action | Register subscription to DataLakeStore. | +> | Microsoft.DataLakeStore/accounts/read | Get information about an existing DataLakeStore account. | +> | Microsoft.DataLakeStore/accounts/write | Create or update a DataLakeStore account. | +> | Microsoft.DataLakeStore/accounts/delete | Delete a DataLakeStore account. | +> | Microsoft.DataLakeStore/accounts/enableKeyVault/action | Enable KeyVault for a DataLakeStore account. | +> | Microsoft.DataLakeStore/accounts/Superuser/action | Grant Superuser on Data Lake Store when granted with Microsoft.Authorization/roleAssignments/write. | +> | Microsoft.DataLakeStore/accounts/cosmosCertMappings/read | Get information about a Cosmos Cert Mapping. | +> | Microsoft.DataLakeStore/accounts/cosmosCertMappings/write | Create or update a Cosmos Cert Mapping. | +> | Microsoft.DataLakeStore/accounts/cosmosCertMappings/delete | Delete a Cosmos Cert Mapping. | +> | Microsoft.DataLakeStore/accounts/eventGridFilters/read | Get an EventGrid Filter. | +> | Microsoft.DataLakeStore/accounts/eventGridFilters/write | Create or update an EventGrid Filter. | +> | Microsoft.DataLakeStore/accounts/eventGridFilters/delete | Delete an EventGrid Filter. | +> | Microsoft.DataLakeStore/accounts/firewallRules/read | Get information about a firewall rule. | +> | Microsoft.DataLakeStore/accounts/firewallRules/write | Create or update a firewall rule. | +> | Microsoft.DataLakeStore/accounts/firewallRules/delete | Delete a firewall rule. | +> | Microsoft.DataLakeStore/accounts/mountpoints/read | Get information about a mount point. | +> | Microsoft.DataLakeStore/accounts/operationResults/read | Get result of a DataLakeStore account operation. 
| +> | Microsoft.DataLakeStore/accounts/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostic settings for the DataLakeStore account. | +> | Microsoft.DataLakeStore/accounts/providers/Microsoft.Insights/diagnosticSettings/write | Create or update the diagnostic settings for the DataLakeStore account. | +> | Microsoft.DataLakeStore/accounts/providers/Microsoft.Insights/logDefinitions/read | Get the available logs for the DataLakeStore account. | +> | Microsoft.DataLakeStore/accounts/providers/Microsoft.Insights/metricDefinitions/read | Get the available metrics for the DataLakeStore account. | +> | Microsoft.DataLakeStore/accounts/shares/read | Get information about a share. | +> | Microsoft.DataLakeStore/accounts/shares/write | Create or update a share. | +> | Microsoft.DataLakeStore/accounts/shares/delete | Delete a share. | +> | Microsoft.DataLakeStore/accounts/trustedIdProviders/read | Get information about a trusted identity provider. | +> | Microsoft.DataLakeStore/accounts/trustedIdProviders/write | Create or update a trusted identity provider. | +> | Microsoft.DataLakeStore/accounts/trustedIdProviders/delete | Delete a trusted identity provider. | +> | Microsoft.DataLakeStore/accounts/virtualNetworkRules/read | Get information about a virtual network rule. | +> | Microsoft.DataLakeStore/accounts/virtualNetworkRules/write | Create or update a virtual network rule. | +> | Microsoft.DataLakeStore/accounts/virtualNetworkRules/delete | Delete a virtual network rule. | +> | Microsoft.DataLakeStore/locations/checkNameAvailability/action | Check availability of a DataLakeStore account name. | +> | Microsoft.DataLakeStore/locations/deleteVirtualNetworkOrSubnets/action | Delete Virtual Network or Subnets across DataLakeStore Accounts. | +> | Microsoft.DataLakeStore/locations/capability/read | Get capability information of a subscription regarding using DataLakeStore. 
| +> | Microsoft.DataLakeStore/locations/operationResults/read | Get result of a DataLakeStore account operation. | +> | Microsoft.DataLakeStore/locations/usages/read | Get quota usages information of a subscription regarding using DataLakeStore. | +> | Microsoft.DataLakeStore/operations/read | Get available operations of DataLakeStore. | ++## Microsoft.EventHub ++Azure service: [Event Hubs](/azure/event-hubs/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.EventHub/checkNamespaceAvailability/action | Checks availability of namespace under given subscription. This API is deprecated please use CheckNameAvailability instead. | +> | Microsoft.EventHub/checkNameAvailability/action | Checks availability of namespace under given subscription. | +> | Microsoft.EventHub/register/action | Registers the subscription for the EventHub resource provider and enables the creation of EventHub resources | +> | Microsoft.EventHub/unregister/action | Registers the EventHub Resource Provider | +> | Microsoft.EventHub/availableClusterRegions/read | Read operation to list available pre-provisioned clusters by Azure region. | +> | Microsoft.EventHub/clusters/read | Gets the Cluster Resource Description | +> | Microsoft.EventHub/clusters/write | Creates or modifies an existing Cluster resource. | +> | Microsoft.EventHub/clusters/delete | Deletes an existing Cluster resource. | +> | Microsoft.EventHub/clusters/namespaces/read | List namespace Azure Resource Manager IDs for namespaces within a cluster. | +> | Microsoft.EventHub/clusters/operationresults/read | Get the status of an asynchronous cluster operation. 
| +> | Microsoft.EventHub/clusters/providers/Microsoft.Insights/metricDefinitions/read | Get list of Cluster metrics Resource Descriptions | +> | Microsoft.EventHub/locations/deleteVirtualNetworkOrSubnets/action | Deletes the VNet rules in EventHub Resource Provider for the specified VNet | +> | Microsoft.EventHub/namespaces/write | Create a Namespace Resource and Update its properties. Tags and Capacity of the Namespace are the properties which can be updated. | +> | Microsoft.EventHub/namespaces/read | Get the list of Namespace Resource Description | +> | Microsoft.EventHub/namespaces/Delete | Delete Namespace Resource | +> | Microsoft.EventHub/namespaces/authorizationRules/action | Updates Namespace Authorization Rule. This API is deprecated. Please use a PUT call to update the Namespace Authorization Rule instead.. This operation is not supported on API version 2017-04-01. | +> | Microsoft.EventHub/namespaces/removeAcsNamepsace/action | Remove ACS namespace | +> | Microsoft.EventHub/namespaces/updateState/action | UpdateNamespaceState | +> | Microsoft.EventHub/namespaces/privateEndpointConnectionsApproval/action | Approve Private Endpoint Connection | +> | Microsoft.EventHub/namespaces/joinPerimeter/action | Action to Join the Network Security Perimeter. This action is used to perform linked access by NSP RP. | +> | Microsoft.EventHub/namespaces/authorizationRules/read | Get the list of Namespaces Authorization Rules description. | +> | Microsoft.EventHub/namespaces/authorizationRules/write | Create a Namespace level Authorization Rules and update its properties. The Authorization Rules Access Rights, the Primary and Secondary Keys can be updated. | +> | Microsoft.EventHub/namespaces/authorizationRules/delete | Delete Namespace Authorization Rule. The Default Namespace Authorization Rule cannot be deleted. 
| +> | Microsoft.EventHub/namespaces/authorizationRules/listkeys/action | Get the Connection String to the Namespace | +> | Microsoft.EventHub/namespaces/authorizationRules/regenerateKeys/action | Regenerate the Primary or Secondary key to the Resource | +> | Microsoft.EventHub/namespaces/disasterrecoveryconfigs/checkNameAvailability/action | Checks availability of namespace alias under given subscription. | +> | Microsoft.EventHub/namespaces/disasterRecoveryConfigs/write | Creates or Updates the Disaster Recovery configuration associated with the namespace. | +> | Microsoft.EventHub/namespaces/disasterRecoveryConfigs/read | Gets the Disaster Recovery configuration associated with the namespace. | +> | Microsoft.EventHub/namespaces/disasterRecoveryConfigs/delete | Deletes the Disaster Recovery configuration associated with the namespace. This operation can only be invoked via the primary namespace. | +> | Microsoft.EventHub/namespaces/disasterRecoveryConfigs/breakPairing/action | Disables Disaster Recovery and stops replicating changes from primary to secondary namespaces. | +> | Microsoft.EventHub/namespaces/disasterRecoveryConfigs/failover/action | Invokes a GEO DR failover and reconfigures the namespace alias to point to the secondary namespace. | +> | Microsoft.EventHub/namespaces/disasterRecoveryConfigs/authorizationRules/read | Get Disaster Recovery Primary Namespace's Authorization Rules | +> | Microsoft.EventHub/namespaces/disasterRecoveryConfigs/authorizationRules/listkeys/action | Gets the authorization rules keys for the Disaster Recovery primary namespace | +> | Microsoft.EventHub/namespaces/eventhubs/write | Create or Update EventHub properties. | +> | Microsoft.EventHub/namespaces/eventhubs/read | Get list of EventHub Resource Descriptions | +> | Microsoft.EventHub/namespaces/eventhubs/Delete | Operation to delete EventHub Resource | +> | Microsoft.EventHub/namespaces/eventhubs/authorizationRules/action | Operation to update EventHub. 
This operation is not supported on API version 2017-04-01. Authorization Rules. Please use a PUT call to update Authorization Rule. | +> | Microsoft.EventHub/namespaces/eventhubs/authorizationRules/read | Get the list of EventHub Authorization Rules | +> | Microsoft.EventHub/namespaces/eventhubs/authorizationRules/write | Create EventHub Authorization Rules and Update its properties. The Authorization Rules Access Rights can be updated. | +> | Microsoft.EventHub/namespaces/eventhubs/authorizationRules/delete | Operation to delete EventHub Authorization Rules | +> | Microsoft.EventHub/namespaces/eventhubs/authorizationRules/listkeys/action | Get the Connection String to EventHub | +> | Microsoft.EventHub/namespaces/eventhubs/authorizationRules/regenerateKeys/action | Regenerate the Primary or Secondary key to the Resource | +> | Microsoft.EventHub/namespaces/eventHubs/consumergroups/write | Create or Update ConsumerGroup properties. | +> | Microsoft.EventHub/namespaces/eventHubs/consumergroups/read | Get list of ConsumerGroup Resource Descriptions | +> | Microsoft.EventHub/namespaces/eventHubs/consumergroups/Delete | Operation to delete ConsumerGroup Resource | +> | Microsoft.EventHub/namespaces/ipFilterRules/read | Get IP Filter Resource | +> | Microsoft.EventHub/namespaces/ipFilterRules/write | Create IP Filter Resource | +> | Microsoft.EventHub/namespaces/ipFilterRules/delete | Delete IP Filter Resource | +> | Microsoft.EventHub/namespaces/messagingPlan/read | Gets the Messaging Plan for a namespace.<br>This API is deprecated.<br>Properties exposed via the MessagingPlan resource are moved to the (parent) Namespace resource in later API versions..<br>This operation is not supported on API version 2017-04-01. 
| +> | Microsoft.EventHub/namespaces/messagingPlan/write | Updates the Messaging Plan for a namespace.<br>This API is deprecated.<br>Properties exposed via the MessagingPlan resource are moved to the (parent) Namespace resource in later API versions..<br>This operation is not supported on API version 2017-04-01. | +> | Microsoft.EventHub/namespaces/networkruleset/read | Gets NetworkRuleSet Resource | +> | Microsoft.EventHub/namespaces/networkruleset/write | Create VNET Rule Resource | +> | Microsoft.EventHub/namespaces/networkruleset/delete | Delete VNET Rule Resource | +> | Microsoft.EventHub/namespaces/networkrulesets/read | Gets NetworkRuleSet Resource | +> | Microsoft.EventHub/namespaces/networkrulesets/write | Create VNET Rule Resource | +> | Microsoft.EventHub/namespaces/networkrulesets/delete | Delete VNET Rule Resource | +> | Microsoft.EventHub/namespaces/networkSecurityPerimeterAssociationProxies/write | Create NetworkSecurityPerimeterAssociationProxies | +> | Microsoft.EventHub/namespaces/networkSecurityPerimeterAssociationProxies/read | Get NetworkSecurityPerimeterAssociationProxies | +> | Microsoft.EventHub/namespaces/networkSecurityPerimeterAssociationProxies/delete | Delete NetworkSecurityPerimeterAssociationProxies | +> | Microsoft.EventHub/namespaces/networkSecurityPerimeterAssociationProxies/reconcile/action | Reconcile NetworkSecurityPerimeterAssociationProxies | +> | Microsoft.EventHub/namespaces/networkSecurityPerimeterConfigurations/read | Get Network Security Perimeter Configurations | +> | Microsoft.EventHub/namespaces/networkSecurityPerimeterConfigurations/reconcile/action | Reconcile Network Security Perimeter Configurations | +> | Microsoft.EventHub/namespaces/operationresults/read | Get the status of Namespace operation | +> | Microsoft.EventHub/namespaces/privateEndpointConnectionProxies/validate/action | Validate Private Endpoint Connection Proxy | +> | Microsoft.EventHub/namespaces/privateEndpointConnectionProxies/read | Get Private 
Endpoint Connection Proxy | +> | Microsoft.EventHub/namespaces/privateEndpointConnectionProxies/write | Create Private Endpoint Connection Proxy | +> | Microsoft.EventHub/namespaces/privateEndpointConnectionProxies/delete | Delete Private Endpoint Connection Proxy | +> | Microsoft.EventHub/namespaces/privateEndpointConnectionProxies/operationstatus/read | Get the status of an asynchronous private endpoint operation | +> | Microsoft.EventHub/namespaces/privateEndpointConnections/read | Get Private Endpoint Connection | +> | Microsoft.EventHub/namespaces/privateEndpointConnections/write | Create or Update Private Endpoint Connection | +> | Microsoft.EventHub/namespaces/privateEndpointConnections/delete | Removes Private Endpoint Connection | +> | Microsoft.EventHub/namespaces/privateEndpointConnections/operationstatus/read | Get the status of an asynchronous private endpoint operation | +> | Microsoft.EventHub/namespaces/privateLinkResources/read | Gets the resource types that support private endpoint connections | +> | Microsoft.EventHub/namespaces/providers/Microsoft.Insights/diagnosticSettings/read | Get list of Namespace diagnostic settings Resource Descriptions | +> | Microsoft.EventHub/namespaces/providers/Microsoft.Insights/diagnosticSettings/write | Get list of Namespace diagnostic settings Resource Descriptions | +> | Microsoft.EventHub/namespaces/providers/Microsoft.Insights/logDefinitions/read | Get list of Namespace logs Resource Descriptions | +> | Microsoft.EventHub/namespaces/providers/Microsoft.Insights/metricDefinitions/read | Get list of Namespace metrics Resource Descriptions | +> | Microsoft.EventHub/namespaces/schemagroups/write | Create or Update SchemaGroup properties. 
| +> | Microsoft.EventHub/namespaces/schemagroups/read | Get list of SchemaGroup Resource Descriptions | +> | Microsoft.EventHub/namespaces/schemagroups/delete | Operation to delete SchemaGroup Resource | +> | Microsoft.EventHub/namespaces/virtualNetworkRules/read | Gets VNET Rule Resource | +> | Microsoft.EventHub/namespaces/virtualNetworkRules/write | Create VNET Rule Resource | +> | Microsoft.EventHub/namespaces/virtualNetworkRules/delete | Delete VNET Rule Resource | +> | Microsoft.EventHub/operations/read | Get Operations | +> | Microsoft.EventHub/sku/read | Get list of Sku Resource Descriptions | +> | Microsoft.EventHub/sku/regions/read | Get list of SkuRegions Resource Descriptions | +> | **DataAction** | **Description** | +> | Microsoft.EventHub/namespaces/messages/send/action | Send messages | +> | Microsoft.EventHub/namespaces/messages/receive/action | Receive messages | +> | Microsoft.EventHub/namespaces/schemas/read | Retrieve schemas | +> | Microsoft.EventHub/namespaces/schemas/write | Write schemas | +> | Microsoft.EventHub/namespaces/schemas/delete | Delete schemas | ++## Microsoft.HDInsight ++Azure service: [HDInsight](/azure/hdinsight/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.HDInsight/register/action | Register HDInsight resource provider for the subscription | +> | Microsoft.HDInsight/unregister/action | Unregister HDInsight resource provider for the subscription | +> | Microsoft.HDInsight/clusterPools/read | Get details about HDInsight on AKS Cluster Pool | +> | Microsoft.HDInsight/clusterPools/write | Create or Update HDInsight on AKS Cluster Pool | +> | Microsoft.HDInsight/clusterPools/delete | Delete a HDInsight on AKS Cluster Pool | +> | Microsoft.HDInsight/clusterPools/clusters/read | Get details about HDInsight on AKS Cluster | +> | Microsoft.HDInsight/clusterPools/clusters/write | Create or Update HDInsight on AKS Cluster | +> | Microsoft.HDInsight/clusterPools/clusters/delete | Delete a 
HDInsight on AKS cluster | +> | Microsoft.HDInsight/clusterPools/clusters/resize/action | Resize a HDInsight on AKS Cluster | +> | Microsoft.HDInsight/clusterPools/clusters/runjob/action | Run HDInsight on AKS Cluster Job | +> | Microsoft.HDInsight/clusterPools/clusters/instanceviews/read | Get details about HDInsight on AKS Cluster Instance View | +> | Microsoft.HDInsight/clusterPools/clusters/jobs/read | List HDInsight on AKS Cluster Jobs | +> | Microsoft.HDInsight/clusterPools/clusters/serviceconfigs/read | Get details about HDInsight on AKS Cluster Service Configurations | +> | Microsoft.HDInsight/clusters/write | Create or Update HDInsight Cluster | +> | Microsoft.HDInsight/clusters/read | Get details about HDInsight Cluster | +> | Microsoft.HDInsight/clusters/delete | Delete a HDInsight Cluster | +> | Microsoft.HDInsight/clusters/getGatewaySettings/action | Get gateway settings for HDInsight Cluster | +> | Microsoft.HDInsight/clusters/updateGatewaySettings/action | Update gateway settings for HDInsight Cluster | +> | Microsoft.HDInsight/clusters/configurations/action | Get HDInsight Cluster Configurations | +> | Microsoft.HDInsight/clusters/executeScriptActions/action | Execute Script Actions for HDInsight Cluster | +> | Microsoft.HDInsight/clusters/resolvePrivateLinkServiceId/action | Resolve Private Link Service ID for HDInsight Cluster | +> | Microsoft.HDInsight/clusters/privateEndpointConnectionsApproval/action | Auto Approve Private Endpoint Connections for HDInsight Cluster | +> | Microsoft.HDInsight/clusters/applications/read | Get Application for HDInsight Cluster | +> | Microsoft.HDInsight/clusters/applications/write | Create or Update Application for HDInsight Cluster | +> | Microsoft.HDInsight/clusters/applications/delete | Delete Application for HDInsight Cluster | +> | Microsoft.HDInsight/clusters/configurations/read | Get HDInsight Cluster Configurations | +> | Microsoft.HDInsight/clusters/executeScriptActions/azureasyncoperations/read | Get 
Script Action status for HDInsight Cluster | +> | Microsoft.HDInsight/clusters/executeScriptActions/operationresults/read | Get Script Action status for HDInsight Cluster | +> | Microsoft.HDInsight/clusters/extensions/write | Create Cluster Extension for HDInsight Cluster | +> | Microsoft.HDInsight/clusters/extensions/read | Get Cluster Extension for HDInsight Cluster | +> | Microsoft.HDInsight/clusters/extensions/delete | Delete Cluster Extension for HDInsight Cluster | +> | Microsoft.HDInsight/clusters/outboundNetworkDependenciesEndpoints/read | List Outbound Network Dependencies Endpoints for HDInsight Cluster | +> | Microsoft.HDInsight/clusters/privateEndpointConnections/read | Get Private Endpoint Connections for HDInsight Cluster | +> | Microsoft.HDInsight/clusters/privateEndpointConnections/write | Update Private Endpoint Connections for HDInsight Cluster | +> | Microsoft.HDInsight/clusters/privateEndpointConnections/delete | Delete Private Endpoint Connections for HDInsight Cluster | +> | Microsoft.HDInsight/clusters/privateLinkResources/read | Get Private Link Resources for HDInsight Cluster | +> | Microsoft.HDInsight/clusters/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource HDInsight Cluster | +> | Microsoft.HDInsight/clusters/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource HDInsight Cluster | +> | Microsoft.HDInsight/clusters/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for HDInsight Cluster | +> | Microsoft.HDInsight/clusters/roles/resize/action | Resize a HDInsight Cluster | +> | Microsoft.HDInsight/clusters/scriptActions/read | Get persisted Script Actions for HDInsight Cluster | +> | Microsoft.HDInsight/clusters/scriptActions/delete | Delete persisted Script Actions for HDInsight Cluster | +> | Microsoft.HDInsight/clusters/scriptExecutionHistory/read | Get Script Actions history for HDInsight 
Cluster | +> | Microsoft.HDInsight/clusters/scriptExecutionHistory/promote/action | Promote Script Action for HDInsight Cluster | +> | Microsoft.HDInsight/locations/capabilities/read | Get Subscription Capabilities | +> | Microsoft.HDInsight/locations/checkNameAvailability/read | Check Name Availability | ++## Microsoft.Kusto ++Azure service: [Azure Data Explorer](/azure/data-explorer/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Kusto/register/action | Subscription Registration Action | +> | Microsoft.Kusto/Register/action | Registers the subscription to the Kusto Resource Provider. | +> | Microsoft.Kusto/Unregister/action | Unregisters the subscription to the Kusto Resource Provider. | +> | Microsoft.Kusto/Clusters/read | Reads a cluster resource. | +> | Microsoft.Kusto/Clusters/write | Writes a cluster resource. | +> | Microsoft.Kusto/Clusters/delete | Deletes a cluster resource. | +> | Microsoft.Kusto/Clusters/Start/action | Starts the cluster. | +> | Microsoft.Kusto/Clusters/Stop/action | Stops the cluster. | +> | Microsoft.Kusto/Clusters/Activate/action | Starts the cluster. | +> | Microsoft.Kusto/Clusters/Deactivate/action | Stops the cluster. | +> | Microsoft.Kusto/Clusters/CheckNameAvailability/action | Checks the cluster name availability. | +> | Microsoft.Kusto/Clusters/Migrate/action | Migrates the cluster data to another cluster. | +> | Microsoft.Kusto/Clusters/DetachFollowerDatabases/action | Detaches follower's databases. | +> | Microsoft.Kusto/Clusters/ListFollowerDatabases/action | Lists the follower's databases. | +> | Microsoft.Kusto/Clusters/DiagnoseVirtualNetwork/action | Diagnoses network connectivity status for external resources on which the service is dependent. | +> | Microsoft.Kusto/Clusters/ListLanguageExtensions/action | Lists language extensions. | +> | Microsoft.Kusto/Clusters/AddLanguageExtensions/action | Add language extensions. 
| +> | Microsoft.Kusto/Clusters/RemoveLanguageExtensions/action | Remove language extensions. | +> | Microsoft.Kusto/Clusters/AttachedDatabaseConfigurations/read | Reads an attached database configuration resource. | +> | Microsoft.Kusto/Clusters/AttachedDatabaseConfigurations/write | Writes an attached database configuration resource. | +> | Microsoft.Kusto/Clusters/AttachedDatabaseConfigurations/delete | Deletes an attached database configuration resource. | +> | Microsoft.Kusto/Clusters/AttachedDatabaseConfigurations/write | Write a script resource. | +> | Microsoft.Kusto/Clusters/AttachedDatabaseConfigurations/delete | Delete a script resource. | +> | Microsoft.Kusto/Clusters/Databases/read | Reads a database resource. | +> | Microsoft.Kusto/Clusters/Databases/write | Writes a database resource. | +> | Microsoft.Kusto/Clusters/Databases/delete | Deletes a database resource. | +> | Microsoft.Kusto/Clusters/Databases/ListPrincipals/action | Lists database principals. | +> | Microsoft.Kusto/Clusters/Databases/AddPrincipals/action | Adds database principals. | +> | Microsoft.Kusto/Clusters/Databases/RemovePrincipals/action | Removes database principals. | +> | Microsoft.Kusto/Clusters/Databases/DataConnectionValidation/action | Validates database data connection. | +> | Microsoft.Kusto/Clusters/Databases/CheckNameAvailability/action | Checks name availability for a given type. | +> | Microsoft.Kusto/Clusters/Databases/EventHubConnectionValidation/action | Validates database Event Hub connection. | +> | Microsoft.Kusto/Clusters/Databases/InviteFollower/action | | +> | Microsoft.Kusto/Clusters/Databases/DataConnections/read | Reads a data connections resource. | +> | Microsoft.Kusto/Clusters/Databases/DataConnections/write | Writes a data connections resource. | +> | Microsoft.Kusto/Clusters/Databases/DataConnections/delete | Deletes a data connections resource. 
| +> | Microsoft.Kusto/Clusters/Databases/EventHubConnections/read | Reads an Event Hub connections resource. | +> | Microsoft.Kusto/Clusters/Databases/EventHubConnections/write | Writes an Event Hub connections resource. | +> | Microsoft.Kusto/Clusters/Databases/EventHubConnections/delete | Deletes an Event Hub connections resource. | +> | Microsoft.Kusto/Clusters/Databases/PrincipalAssignments/read | Reads a database principal assignments resource. | +> | Microsoft.Kusto/Clusters/Databases/PrincipalAssignments/write | Writes a database principal assignments resource. | +> | Microsoft.Kusto/Clusters/Databases/PrincipalAssignments/delete | Deletes a database principal assignments resource. | +> | Microsoft.Kusto/Clusters/Databases/Scripts/read | Reads a script resource. | +> | Microsoft.Kusto/Clusters/DataConnections/read | Reads a cluster's data connections resource. | +> | Microsoft.Kusto/Clusters/DataConnections/write | Writes a cluster's data connections resource. | +> | Microsoft.Kusto/Clusters/DataConnections/delete | Deletes a cluster's data connections resource. | +> | Microsoft.Kusto/Clusters/ManagedPrivateEndpoints/read | Reads a managed private endpoint | +> | Microsoft.Kusto/Clusters/ManagedPrivateEndpoints/write | Writes a managed private endpoint | +> | Microsoft.Kusto/Clusters/ManagedPrivateEndpoints/delete | Deletes a managed private endpoint | +> | Microsoft.Kusto/Clusters/OutboundNetworkDependenciesEndpoints/read | Reads outbound network dependencies endpoints for a resource | +> | Microsoft.Kusto/Clusters/PrincipalAssignments/read | Reads a Cluster principal assignments resource. | +> | Microsoft.Kusto/Clusters/PrincipalAssignments/write | Writes a Cluster principal assignments resource. | +> | Microsoft.Kusto/Clusters/PrincipalAssignments/delete | Deletes a Cluster principal assignments resource. 
| +> | Microsoft.Kusto/Clusters/PrivateEndpointConnectionProxies/read | Reads a private endpoint connection proxy | +> | Microsoft.Kusto/Clusters/PrivateEndpointConnectionProxies/write | Writes a private endpoint connection proxy | +> | Microsoft.Kusto/Clusters/PrivateEndpointConnectionProxies/delete | Deletes a private endpoint connection proxy | +> | Microsoft.Kusto/Clusters/PrivateEndpointConnections/read | Reads a private endpoint connection | +> | Microsoft.Kusto/Clusters/PrivateEndpointConnections/write | Writes a private endpoint connection | +> | Microsoft.Kusto/Clusters/PrivateEndpointConnections/delete | Deletes a private endpoint connection | +> | Microsoft.Kusto/Clusters/PrivateLinkResources/read | Reads private link resources | +> | Microsoft.Kusto/Clusters/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic settings for the resource | +> | Microsoft.Kusto/Clusters/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.Kusto/Clusters/providers/Microsoft.Insights/logDefinitions/read | Gets the diagnostic logs settings for the resource | +> | Microsoft.Kusto/Clusters/providers/Microsoft.Insights/metricDefinitions/read | Gets the metric definitions of the resource | +> | Microsoft.Kusto/Clusters/SandboxCustomImages/read | Reads a sandbox custom image | +> | Microsoft.Kusto/Clusters/SandboxCustomImages/write | Writes a sandbox custom image | +> | Microsoft.Kusto/Clusters/SandboxCustomImages/delete | Deletes a sandbox custom image | +> | Microsoft.Kusto/Clusters/SKUs/read | Reads a cluster SKU resource. | +> | Microsoft.Kusto/Clusters/SKUs/PrivateEndpointConnectionProxyValidation/action | Validates a private endpoint connection proxy | +> | Microsoft.Kusto/Locations/CheckNameAvailability/action | Checks resource name availability. 
| +> | Microsoft.Kusto/Locations/Skus/action | | +> | Microsoft.Kusto/locations/operationresults/read | Reads operations resources | +> | Microsoft.Kusto/Operations/read | Reads operations resources | +> | Microsoft.Kusto/SKUs/read | Reads a SKU resource. | ++## Microsoft.PowerBIDedicated ++Azure service: [Power BI Embedded](/azure/power-bi-embedded/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.PowerBIDedicated/register/action | Registers Power BI Dedicated resource provider. | +> | Microsoft.PowerBIDedicated/register/action | Registers Power BI Dedicated resource provider. | +> | Microsoft.PowerBIDedicated/autoScaleVCores/read | Retrieves the information of the specificed Power BI Auto Scale V-Core. | +> | Microsoft.PowerBIDedicated/autoScaleVCores/write | Creates or updates the specified Power BI Auto Scale V-Core. | +> | Microsoft.PowerBIDedicated/autoScaleVCores/delete | Deletes the Power BI Auto Scale V-Core. | +> | Microsoft.PowerBIDedicated/capacities/read | Retrieves the information of the specified Power BI capacity. | +> | Microsoft.PowerBIDedicated/capacities/write | Creates or updates the specified Power BI capacity. | +> | Microsoft.PowerBIDedicated/capacities/delete | Deletes the Power BI capacity. | +> | Microsoft.PowerBIDedicated/capacities/suspend/action | Suspends the Capacity. | +> | Microsoft.PowerBIDedicated/capacities/resume/action | Resumes the Capacity. 
| +> | Microsoft.PowerBIDedicated/capacities/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.PowerBIDedicated/capacities/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.PowerBIDedicated/capacities/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for Power BI Dedicated Capacities | +> | Microsoft.PowerBIDedicated/capacities/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Power BI capacity. | +> | Microsoft.PowerBIDedicated/capacities/skus/read | Retrieve available SKU information for the capacity | +> | Microsoft.PowerBIDedicated/locations/checkNameAvailability/action | Checks that given Power BI Dedicated resource name is valid and not in use. | +> | Microsoft.PowerBIDedicated/locations/checkNameAvailability/action | Checks that given Power BI Dedicated resource name is valid and not in use. | +> | Microsoft.PowerBIDedicated/locations/operationresults/read | Retrieves the information of the specified operation result. | +> | Microsoft.PowerBIDedicated/locations/operationresults/read | Retrieves the information of the specified operation result. | +> | Microsoft.PowerBIDedicated/locations/operationstatuses/read | Retrieves the information of the specified operation status. | +> | Microsoft.PowerBIDedicated/locations/operationstatuses/read | Retrieves the information of the specified operation status. | +> | Microsoft.PowerBIDedicated/operations/read | Retrieves the information of operations | +> | Microsoft.PowerBIDedicated/operations/read | Retrieves the information of operations | +> | Microsoft.PowerBIDedicated/servers/read | Retrieves the information of the specified Power BI Dedicated Server. 
| +> | Microsoft.PowerBIDedicated/servers/write | Creates or updates the specified Power BI Dedicated Server | +> | Microsoft.PowerBIDedicated/servers/delete | Deletes the Power BI Dedicated Server | +> | Microsoft.PowerBIDedicated/servers/suspend/action | Suspends the Server. | +> | Microsoft.PowerBIDedicated/servers/resume/action | Resumes the Server. | +> | Microsoft.PowerBIDedicated/servers/skus/read | Retrieve available SKU information for the Server. | +> | Microsoft.PowerBIDedicated/skus/read | Retrieves the information of Skus | +> | Microsoft.PowerBIDedicated/skus/read | Retrieves the information of Skus | ++## Microsoft.StreamAnalytics ++Azure service: [Stream Analytics](/azure/stream-analytics/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.StreamAnalytics/Register/action | Register subscription with Stream Analytics Resource Provider | +> | Microsoft.StreamAnalytics/clusters/Delete | Delete Stream Analytics Cluster | +> | Microsoft.StreamAnalytics/clusters/ListStreamingJobs/action | List streaming jobs for Stream Analytics Cluster | +> | Microsoft.StreamAnalytics/clusters/Read | Read Stream Analytics Cluster | +> | Microsoft.StreamAnalytics/clusters/Write | Write Stream Analytics Cluster | +> | Microsoft.StreamAnalytics/clusters/operationresults/Read | Read operation results for Stream Analytics Cluster | +> | Microsoft.StreamAnalytics/clusters/privateEndpoints/Delete | Delete Stream Analytics Cluster Private Endpoint | +> | Microsoft.StreamAnalytics/clusters/privateEndpoints/Read | Read Stream Analytics Cluster Private Endpoint | +> | Microsoft.StreamAnalytics/clusters/privateEndpoints/Write | Write Stream Analytics Cluster Private Endpoint | +> | Microsoft.StreamAnalytics/clusters/privateEndpoints/operationresults/Read | Read operation results for Stream Analytics Cluster Private Endpoint | +> | Microsoft.StreamAnalytics/locations/CompileQuery/action | Compile Query for Stream Analytics Resource Provider | +> | 
Microsoft.StreamAnalytics/locations/SampleInput/action | Sample Input for Stream Analytics Resource Provider | +> | Microsoft.StreamAnalytics/locations/TestInput/action | Test Input for Stream Analytics Resource Provider | +> | Microsoft.StreamAnalytics/locations/TestOutput/action | Test Output for Stream Analytics Resource Provider | +> | Microsoft.StreamAnalytics/locations/TestQuery/action | Test Query for Stream Analytics Resource Provider | +> | Microsoft.StreamAnalytics/locations/operationresults/Read | Read Stream Analytics Operation Result | +> | Microsoft.StreamAnalytics/locations/quotas/Read | Read Stream Analytics Subscription Quota | +> | Microsoft.StreamAnalytics/operations/Read | Read Stream Analytics Operations | +> | Microsoft.StreamAnalytics/streamingjobs/CompileQuery/action | Compile Query for Stream Analytics Job | +> | Microsoft.StreamAnalytics/streamingjobs/Delete | Delete Stream Analytics Job | +> | Microsoft.StreamAnalytics/streamingjobs/DownloadDiagram/action | Download job diagrams for Stream Analytics Job | +> | Microsoft.StreamAnalytics/streamingjobs/GenerateTopologies/action | Generate topologies for Stream Analytics Job | +> | Microsoft.StreamAnalytics/streamingjobs/PublishEdgePackage/action | Publish edge package for Stream Analytics Job | +> | Microsoft.StreamAnalytics/streamingjobs/Read | Read Stream Analytics Job | +> | Microsoft.StreamAnalytics/streamingjobs/Scale/action | Scale Stream Analytics Job | +> | Microsoft.StreamAnalytics/streamingjobs/Start/action | Start Stream Analytics Job | +> | Microsoft.StreamAnalytics/streamingjobs/Stop/action | Stop Stream Analytics Job | +> | Microsoft.StreamAnalytics/streamingjobs/TestQuery/action | Test Query for Stream Analytics Job | +> | Microsoft.StreamAnalytics/streamingjobs/Write | Write Stream Analytics Job | +> | Microsoft.StreamAnalytics/streamingjobs/functions/Delete | Delete Stream Analytics Job Function | +> | Microsoft.StreamAnalytics/streamingjobs/functions/Read | Read Stream 
Analytics Job Function | +> | Microsoft.StreamAnalytics/streamingjobs/functions/RetrieveDefaultDefinition/action | Retrieve Default Definition of a Stream Analytics Job Function | +> | Microsoft.StreamAnalytics/streamingjobs/functions/Test/action | Test Stream Analytics Job Function | +> | Microsoft.StreamAnalytics/streamingjobs/functions/Write | Write Stream Analytics Job Function | +> | Microsoft.StreamAnalytics/streamingjobs/functions/operationresults/Read | Read operation results for Stream Analytics Job Function | +> | Microsoft.StreamAnalytics/streamingjobs/inputs/Delete | Delete Stream Analytics Job Input | +> | Microsoft.StreamAnalytics/streamingjobs/inputs/Read | Read Stream Analytics Job Input | +> | Microsoft.StreamAnalytics/streamingjobs/inputs/Sample/action | Sample Stream Analytics Job Input | +> | Microsoft.StreamAnalytics/streamingjobs/inputs/Test/action | Test Stream Analytics Job Input | +> | Microsoft.StreamAnalytics/streamingjobs/inputs/Write | Write Stream Analytics Job Input | +> | Microsoft.StreamAnalytics/streamingjobs/inputs/operationresults/Read | Read operation results for Stream Analytics Job Input | +> | Microsoft.StreamAnalytics/streamingjobs/metricdefinitions/Read | Read Metric Definitions | +> | Microsoft.StreamAnalytics/streamingjobs/operationresults/Read | Read operation results for Stream Analytics Job | +> | Microsoft.StreamAnalytics/streamingjobs/outputs/Delete | Delete Stream Analytics Job Output | +> | Microsoft.StreamAnalytics/streamingjobs/outputs/Read | Read Stream Analytics Job Output | +> | Microsoft.StreamAnalytics/streamingjobs/outputs/Test/action | Test Stream Analytics Job Output | +> | Microsoft.StreamAnalytics/streamingjobs/outputs/Write | Write Stream Analytics Job Output | +> | Microsoft.StreamAnalytics/streamingjobs/outputs/operationresults/Read | Read operation results for Stream Analytics Job Output | +> | Microsoft.StreamAnalytics/streamingjobs/providers/Microsoft.Insights/diagnosticSettings/read | Read 
diagnostic setting. | +> | Microsoft.StreamAnalytics/streamingjobs/providers/Microsoft.Insights/diagnosticSettings/write | Write diagnostic setting. | +> | Microsoft.StreamAnalytics/streamingjobs/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for streamingjobs | +> | Microsoft.StreamAnalytics/streamingjobs/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for streamingjobs | +> | Microsoft.StreamAnalytics/streamingjobs/Skus/Read | Read Stream Analytics Job SKUs | +> | Microsoft.StreamAnalytics/streamingjobs/transformations/Delete | Delete Stream Analytics Job Transformation | +> | Microsoft.StreamAnalytics/streamingjobs/transformations/Read | Read Stream Analytics Job Transformation | +> | Microsoft.StreamAnalytics/streamingjobs/transformations/Write | Write Stream Analytics Job Transformation | ++## Microsoft.Synapse ++Azure service: [Azure Synapse Analytics](/azure/synapse-analytics/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Synapse/checkNameAvailability/action | Checks Workspace name availability. | +> | Microsoft.Synapse/register/action | Registers the Azure Synapse Analytics (workspaces) Resource Provider and enables the creation of Workspaces. | +> | Microsoft.Synapse/unregister/action | Unregisters the Azure Synapse Analytics (workspaces) Resource Provider and disables the creation of Workspaces. | +> | Microsoft.Synapse/Locations/KustoPoolCheckNameAvailability/action | Checks resource name availability. | +> | Microsoft.Synapse/locations/kustoPoolOperationResults/read | Reads operations resources | +> | Microsoft.Synapse/locations/operationResults/read | Read any Async Operation Result. | +> | Microsoft.Synapse/locations/operationStatuses/read | Read any Async Operation Status. 
| +> | Microsoft.Synapse/locations/usages/read | Get all usage and quota information | +> | Microsoft.Synapse/operations/read | Read Available Operations from the Azure Synapse Analytics Resource Provider. | +> | Microsoft.Synapse/privateEndpoints/notify/action | Notify Private Endpoint movement | +> | Microsoft.Synapse/privateLinkHubs/write | Create any PrivateLinkHubs. | +> | Microsoft.Synapse/privateLinkHubs/read | Read any PrivateLinkHubs. | +> | Microsoft.Synapse/privateLinkHubs/delete | Delete PrivateLinkHubs. | +> | Microsoft.Synapse/privateLinkHubs/privateEndpointConnectionsApproval/action | Determines if user is allowed to auto approve a private endpoint connection to a privateLinkHub | +> | Microsoft.Synapse/privateLinkHubs/privateEndpointConnectionProxies/validate/action | Validates Private Endpoint Connection for PrivateLinkHub Proxy | +> | Microsoft.Synapse/privateLinkHubs/privateEndpointConnectionProxies/write | Create or Update Private Endpoint Connection for PrivateLinkHub Proxy | +> | Microsoft.Synapse/privateLinkHubs/privateEndpointConnectionProxies/read | Read any Private Endpoint Connection Proxy | +> | Microsoft.Synapse/privateLinkHubs/privateEndpointConnectionProxies/delete | Delete Private Endpoint Connection for PrivateLinkHub Proxy | +> | Microsoft.Synapse/privateLinkHubs/privateEndpointConnectionProxies/updatePrivateEndpointProperties/action | Updates the Private Endpoint Connection Proxy properties for Private Link Hub | +> | Microsoft.Synapse/privateLinkHubs/privateEndpointConnections/write | Create or Update Private Endpoint Connection for PrivateLinkHub | +> | Microsoft.Synapse/privateLinkHubs/privateEndpointConnections/read | Read any Private Endpoint Connection for PrivateLinkHub | +> | Microsoft.Synapse/privateLinkHubs/privateEndpointConnections/delete | Delete Private Endpoint Connection for PrivateLinkHub | +> | Microsoft.Synapse/privateLinkHubs/privateLinkResources/read | Get a list of Private Link Resources | +> | 
Microsoft.Synapse/resourceGroups/operationStatuses/read | Read any Async Operation Status. | +> | Microsoft.Synapse/SKUs/read | Reads a SKU resource. | +> | Microsoft.Synapse/userAssignedIdentities/notify/action | Notify user assigned identity deletion | +> | Microsoft.Synapse/workspaces/replaceAllIpFirewallRules/action | Replaces all Ip Firewall Rules for the Workspace. | +> | Microsoft.Synapse/workspaces/write | Create or Update any Workspaces. | +> | Microsoft.Synapse/workspaces/read | Read any Workspaces. | +> | Microsoft.Synapse/workspaces/delete | Delete any Workspaces. | +> | Microsoft.Synapse/workspaces/checkDefaultStorageAccountStatus/action | Checks Default Storage Account Status. | +> | Microsoft.Synapse/workspaces/privateEndpointConnectionsApproval/action | Determines if user is allowed to auto approve a private endpoint connection to a workspace | +> | Microsoft.Synapse/workspaces/administrators/write | Set Active Directory Administrator on the Workspace | +> | Microsoft.Synapse/workspaces/administrators/read | Get Workspace Active Directory Administrator | +> | Microsoft.Synapse/workspaces/administrators/delete | Delete Workspace Active Directory Administrator | +> | Microsoft.Synapse/workspaces/auditingSettings/write | Create or Update SQL server auditing settings. | +> | Microsoft.Synapse/workspaces/auditingSettings/read | Read default SQL server auditing settings. | +> | Microsoft.Synapse/workspaces/azureADOnlyAuthentications/write | Create Or Update Azure AD only authentication for workspace and its sub resources. | +> | Microsoft.Synapse/workspaces/azureADOnlyAuthentications/read | Status of Azure AD only authentication for workspace and its sub resources. | +> | Microsoft.Synapse/workspaces/bigDataPools/write | Create or Update any Spark pools. | +> | Microsoft.Synapse/workspaces/bigDataPools/read | Read any Spark pools. | +> | Microsoft.Synapse/workspaces/bigDataPools/delete | Delete any Spark pools. 
| +> | Microsoft.Synapse/workspaces/bigDataPools/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic settings for a Big Data Pool | +> | Microsoft.Synapse/workspaces/bigDataPools/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic settings for a Big Data Pool | +> | Microsoft.Synapse/workspaces/bigDataPools/providers/Microsoft.Insights/logdefinitions/read | Gets the log definitions for a Big Data Pool | +> | Microsoft.Synapse/workspaces/bigDataPools/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Big Data Pools | +> | Microsoft.Synapse/workspaces/dedicatedSQLminimalTlsSettings/write | Updates workspace SQL server TLS Version setting | +> | Microsoft.Synapse/workspaces/dedicatedSQLminimalTlsSettings/read | Reads workspace SQL server TLS Version setting | +> | Microsoft.Synapse/workspaces/extendedAuditingSettings/write | Create or Update SQL server extended auditing settings. | +> | Microsoft.Synapse/workspaces/extendedAuditingSettings/read | Read default SQL server extended auditing settings. | +> | Microsoft.Synapse/workspaces/firewallRules/write | Create or update any IP Firewall Rule. | +> | Microsoft.Synapse/workspaces/firewallRules/read | Read IP Firewall Rule | +> | Microsoft.Synapse/workspaces/firewallRules/delete | Delete any IP Firewall Rule. | +> | Microsoft.Synapse/workspaces/integrationRuntimes/read | Get any Integration Runtime. | +> | Microsoft.Synapse/workspaces/integrationruntimes/write | Create or Update any Integration Runtimes. 
| +> | Microsoft.Synapse/workspaces/integrationRuntimes/delete | Delete any Integration Runtime | +> | Microsoft.Synapse/workspaces/integrationRuntimes/getStatus/action | Get any Integration Runtime's Status | +> | Microsoft.Synapse/workspaces/integrationRuntimes/createExpressSHIRInstallLink/action | Create an Integration Runtime Install Link | +> | Microsoft.Synapse/workspaces/integrationRuntimes/start/action | Start any Integration Runtime | +> | Microsoft.Synapse/workspaces/integrationRuntimes/stop/action | Stop any Integration Runtime | +> | Microsoft.Synapse/workspaces/integrationRuntimes/getConnectionInfo/action | Get Connection Info of any Integration Runtime | +> | Microsoft.Synapse/workspaces/integrationRuntimes/regenerateAuthKey/action | Regenerate auth key of any Integration Runtime | +> | Microsoft.Synapse/workspaces/integrationRuntimes/listAuthKeys/action | List Auth Keys of any Integration Runtime | +> | Microsoft.Synapse/workspaces/integrationRuntimes/removeNode/action | Remove any Integration Runtime node | +> | Microsoft.Synapse/workspaces/integrationRuntimes/monitoringData/action | Get any Integration Runtime's monitoring data | +> | Microsoft.Synapse/workspaces/integrationRuntimes/syncCredentials/action | Sync credential on any Integration Runtime | +> | Microsoft.Synapse/workspaces/integrationRuntimes/upgrade/action | Upgrade any Integration Runtime | +> | Microsoft.Synapse/workspaces/integrationRuntimes/removeLinks/action | Remove any Integration Runtime link | +> | Microsoft.Synapse/workspaces/integrationRuntimes/enableInteractiveQuery/action | Enable Interactive query on any Integration Runtime | +> | Microsoft.Synapse/workspaces/integrationRuntimes/disableInteractiveQuery/action | Disable Interactive query on any Integration Runtime | +> | Microsoft.Synapse/workspaces/integrationRuntimes/refreshObjectMetadata/action | Refresh Object metadata on any Integration Runtime | +> | 
Microsoft.Synapse/workspaces/integrationRuntimes/getObjectMetadata/action | Get Object metadata on any Integration Runtime | +> | Microsoft.Synapse/workspaces/integrationRuntimes/nodes/read | Get any Integration Runtime Node. | +> | Microsoft.Synapse/workspaces/integrationRuntimes/nodes/delete | Delete any Integration Runtime Node. | +> | Microsoft.Synapse/workspaces/integrationRuntimes/nodes/write | Patch any Integration Runtime Node. | +> | Microsoft.Synapse/workspaces/integrationRuntimes/nodes/ipAddress/action | Get Integration Runtime Ip Address | +> | Microsoft.Synapse/workspaces/keys/write | Create or Update Workspace Keys | +> | Microsoft.Synapse/workspaces/keys/read | Read any Workspace Key Definition. | +> | Microsoft.Synapse/workspaces/keys/delete | Delete any Workspace Key. | +> | Microsoft.Synapse/workspaces/kustoPools/read | Reads a cluster resource. | +> | Microsoft.Synapse/workspaces/kustoPools/write | Writes a cluster resource. | +> | Microsoft.Synapse/workspaces/kustoPools/delete | Deletes a cluster resource. | +> | Microsoft.Synapse/workspaces/kustoPools/Start/action | Starts the cluster. | +> | Microsoft.Synapse/workspaces/kustoPools/Stop/action | Stops the cluster. | +> | Microsoft.Synapse/workspaces/kustoPools/CheckNameAvailability/action | Checks the cluster name availability. | +> | Microsoft.Synapse/workspaces/kustoPools/Migrate/action | Migrates the cluster data to another cluster. | +> | Microsoft.Synapse/workspaces/kustoPools/ListLanguageExtensions/action | Lists language extensions. | +> | Microsoft.Synapse/workspaces/kustoPools/AddLanguageExtensions/action | Add language extensions. | +> | Microsoft.Synapse/workspaces/kustoPools/RemoveLanguageExtensions/action | Remove language extensions. | +> | Microsoft.Synapse/workspaces/kustoPools/DetachFollowerDatabases/action | Detaches follower's databases. | +> | Microsoft.Synapse/workspaces/kustoPools/ListFollowerDatabases/action | Lists the follower's databases. 
| +> | Microsoft.Synapse/workspaces/kustoPools/AttachedDatabaseConfigurations/read | Reads an attached database configuration resource. | +> | Microsoft.Synapse/workspaces/kustoPools/AttachedDatabaseConfigurations/write | Writes an attached database configuration resource. | +> | Microsoft.Synapse/workspaces/kustoPools/AttachedDatabaseConfigurations/delete | Deletes an attached database configuration resource. | +> | Microsoft.Synapse/workspaces/kustoPools/Databases/read | Reads a database resource. | +> | Microsoft.Synapse/workspaces/kustoPools/Databases/write | Writes a database resource. | +> | Microsoft.Synapse/workspaces/kustoPools/Databases/delete | Deletes a database resource. | +> | Microsoft.Synapse/workspaces/kustoPools/Databases/DataConnectionValidation/action | Validates database data connection. | +> | Microsoft.Synapse/workspaces/kustoPools/Databases/CheckNameAvailability/action | Checks name availability for a given type. | +> | Microsoft.Synapse/workspaces/kustoPools/Databases/InviteFollower/action | | +> | Microsoft.Synapse/workspaces/kustoPools/Databases/DataConnections/read | Reads a data connections resource. | +> | Microsoft.Synapse/workspaces/kustoPools/Databases/DataConnections/write | Writes a data connections resource. | +> | Microsoft.Synapse/workspaces/kustoPools/Databases/DataConnections/delete | Deletes a data connections resource. | +> | Microsoft.Synapse/workspaces/kustoPools/Databases/PrincipalAssignments/read | Reads a database principal assignments resource. | +> | Microsoft.Synapse/workspaces/kustoPools/Databases/PrincipalAssignments/write | Writes a database principal assignments resource. | +> | Microsoft.Synapse/workspaces/kustoPools/Databases/PrincipalAssignments/delete | Deletes a database principal assignments resource. | +> | Microsoft.Synapse/workspaces/kustoPools/PrincipalAssignments/read | Reads a Cluster principal assignments resource. 
| +> | Microsoft.Synapse/workspaces/kustoPools/PrincipalAssignments/write | Writes a Cluster principal assignments resource. | +> | Microsoft.Synapse/workspaces/kustoPools/PrincipalAssignments/delete | Deletes a Cluster principal assignments resource. | +> | Microsoft.Synapse/workspaces/kustoPools/PrivateEndpointConnectionProxies/read | Reads a private endpoint connection proxy | +> | Microsoft.Synapse/workspaces/kustoPools/PrivateEndpointConnectionProxies/write | Writes a private endpoint connection proxy | +> | Microsoft.Synapse/workspaces/kustoPools/PrivateEndpointConnectionProxies/delete | Deletes a private endpoint connection proxy | +> | Microsoft.Synapse/workspaces/kustoPools/PrivateEndpointConnectionProxies/Validate/action | Validates a private endpoint connection proxy | +> | Microsoft.Synapse/workspaces/kustoPools/PrivateEndpointConnections/read | Reads a private endpoint connection | +> | Microsoft.Synapse/workspaces/kustoPools/PrivateEndpointConnections/write | Writes a private endpoint connection | +> | Microsoft.Synapse/workspaces/kustoPools/PrivateEndpointConnections/delete | Deletes a private endpoint connection | +> | Microsoft.Synapse/workspaces/kustoPools/PrivateLinkResources/read | Reads private link resources | +> | Microsoft.Synapse/workspaces/kustoPools/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic settings for the resource | +> | Microsoft.Synapse/workspaces/kustoPools/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.Synapse/workspaces/kustoPools/providers/Microsoft.Insights/logDefinitions/read | Gets the diagnostic logs settings for the resource | +> | Microsoft.Synapse/workspaces/kustoPools/providers/Microsoft.Insights/metricDefinitions/read | Gets the metric definitions of the resource | +> | Microsoft.Synapse/workspaces/kustoPools/SKUs/read | Reads a cluster SKU resource. 
| +> | Microsoft.Synapse/workspaces/libraries/read | Read Library Artifacts | +> | Microsoft.Synapse/workspaces/managedIdentitySqlControlSettings/write | Update Managed Identity SQL Control Settings on the workspace | +> | Microsoft.Synapse/workspaces/managedIdentitySqlControlSettings/read | Get Managed Identity SQL Control Settings | +> | Microsoft.Synapse/workspaces/operationResults/read | Read any Async Operation Result. | +> | Microsoft.Synapse/workspaces/operationStatuses/read | Read any Async Operation Status. | +> | Microsoft.Synapse/workspaces/privateEndpointConnectionProxies/validate/action | Validates Private Endpoint Connection Proxy | +> | Microsoft.Synapse/workspaces/privateEndpointConnectionProxies/write | Create or Update Private Endpoint Connection Proxy | +> | Microsoft.Synapse/workspaces/privateEndpointConnectionProxies/read | Read any Private Endpoint Connection Proxy | +> | Microsoft.Synapse/workspaces/privateEndpointConnectionProxies/delete | Delete Private Endpoint Connection Proxy | +> | Microsoft.Synapse/workspaces/privateEndpointConnectionProxies/updatePrivateEndpointProperties/action | Updates the Private Endpoint Connection Proxy properties. 
| +> | Microsoft.Synapse/workspaces/privateEndpointConnections/write | Create or Update Private Endpoint Connection | +> | Microsoft.Synapse/workspaces/privateEndpointConnections/read | Read any Private Endpoint Connection | +> | Microsoft.Synapse/workspaces/privateEndpointConnections/delete | Delete Private Endpoint Connection | +> | Microsoft.Synapse/workspaces/privateLinkResources/read | Get a list of Private Link Resources | +> | Microsoft.Synapse/workspaces/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic settings for a Workspace | +> | Microsoft.Synapse/workspaces/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic settings for a Workspace | +> | Microsoft.Synapse/workspaces/providers/Microsoft.Insights/logDefinitions/read | Gets the log definitions for Synapse Workspaces | +> | Microsoft.Synapse/workspaces/providers/Microsoft.Insights/metricDefinitions/read | Gets the metric definitions for Workspaces | +> | Microsoft.Synapse/workspaces/recoverableSqlpools/read | Gets recoverable SQL Analytics Pools, which are the resources representing geo backups of SQL Analytics Pools | +> | Microsoft.Synapse/workspaces/restorableDroppedSqlPools/read | Gets a deleted Sql pool that can be restored | +> | Microsoft.Synapse/workspaces/scopePools/write | Create or Update any Scope pools. | +> | Microsoft.Synapse/workspaces/scopePools/read | Read any Scope pools. | +> | Microsoft.Synapse/workspaces/scopePools/delete | Delete any Scope pools. | +> | Microsoft.Synapse/workspaces/securityAlertPolicies/write | Create or Update SQL server security alert policies. | +> | Microsoft.Synapse/workspaces/securityAlertPolicies/read | Read default SQL server security alert policies. 
| +> | Microsoft.Synapse/workspaces/sparkConfigurations/read | Read SparkConfiguration Artifacts | +> | Microsoft.Synapse/workspaces/sqlAdministrators/write | Set Active Directory Administrator on the Workspace | +> | Microsoft.Synapse/workspaces/sqlAdministrators/read | Get Workspace Active Directory Administrator | +> | Microsoft.Synapse/workspaces/sqlAdministrators/delete | Delete Workspace Active Directory Administrator | +> | Microsoft.Synapse/workspaces/sqlDatabases/write | Create or Update any SQL Analytics Databases. | +> | Microsoft.Synapse/workspaces/sqlDatabases/read | Read any SQL Analytics Databases. | +> | Microsoft.Synapse/workspaces/sqlPools/write | Create or Update any SQL Analytics pools. | +> | Microsoft.Synapse/workspaces/sqlPools/read | Read any SQL Analytics pools. | +> | Microsoft.Synapse/workspaces/sqlPools/delete | Delete any SQL Analytics pools. | +> | Microsoft.Synapse/workspaces/sqlPools/pause/action | Pause any SQL Analytics pools. | +> | Microsoft.Synapse/workspaces/sqlPools/resume/action | Resume any SQL Analytics pools. | +> | Microsoft.Synapse/workspaces/sqlPools/restorePoints/action | Create a SQL Analytics pool Restore Point. | +> | Microsoft.Synapse/workspaces/sqlPools/move/action | Rename any SQL Analytics pools. | +> | Microsoft.Synapse/workspaces/sqlPools/auditingSettings/read | Read any SQL Analytics pool Auditing Settings. | +> | Microsoft.Synapse/workspaces/sqlPools/auditingSettings/write | Create or Update any SQL Analytics pool Auditing Settings. | +> | Microsoft.Synapse/workspaces/sqlPools/auditRecords/read | Get Sql pool blob audit records | +> | Microsoft.Synapse/workspaces/sqlPools/columns/read | Return a list of columns for a SQL Analytics pool | +> | Microsoft.Synapse/workspaces/sqlPools/connectionPolicies/read | Read any SQL Analytics pool Connection Policies. | +> | Microsoft.Synapse/workspaces/sqlPools/currentSensitivityLabels/read | Read any SQL Analytics pool Current Sensitivity Labels. 
| +> | Microsoft.Synapse/workspaces/sqlPools/currentSensitivityLabels/write | Batch update current sensitivity labels | +> | Microsoft.Synapse/workspaces/sqlPools/dataMaskingPolicies/read | Return the list of SQL Analytics pool data masking policies. | +> | Microsoft.Synapse/workspaces/sqlPools/dataMaskingPolicies/write | Creates or updates a SQL Analytics pool data masking policy | +> | Microsoft.Synapse/workspaces/sqlPools/dataMaskingPolicies/rules/read | Gets a list of SQL Analytics pool data masking rules. | +> | Microsoft.Synapse/workspaces/sqlPools/dataMaskingPolicies/rules/write | Creates or updates a SQL Analytics pool data masking rule. | +> | Microsoft.Synapse/workspaces/sqlPools/dataWarehouseQueries/read | Read any SQL Analytics pool Queries. | +> | Microsoft.Synapse/workspaces/sqlPools/dataWarehouseQueries/dataWarehouseQuerySteps/read | Read any SQL Analytics pool Query Steps. | +> | Microsoft.Synapse/workspaces/sqlPools/dataWarehouseQueries/Steps/read | Read any SQL Analytics pool Query Steps. | +> | Microsoft.Synapse/workspaces/sqlPools/dataWarehouseUserActivities/read | Read any SQL Analytics pool User Activities. | +> | Microsoft.Synapse/workspaces/sqlPools/extendedAuditingSettings/read | Read any SQL Analytics pool Extended Auditing Settings. | +> | Microsoft.Synapse/workspaces/sqlPools/extendedAuditingSettings/write | Create or Update any SQL Analytics pool Extended Auditing Settings. | +> | Microsoft.Synapse/workspaces/sqlPools/extensions/read | Get SQL Analytics Pool extension | +> | Microsoft.Synapse/workspaces/sqlPools/extensions/write | Change the extension for a given SQL Analytics Pool | +> | Microsoft.Synapse/workspaces/sqlPools/geoBackupPolicies/read | Read any SQL Analytics pool Geo Backup Policies. | +> | Microsoft.Synapse/workspaces/sqlPools/maintenanceWindowOptions/read | Read any SQL Analytics pool Maintenance Window Options. 
| +> | Microsoft.Synapse/workspaces/sqlPools/maintenanceWindows/read | Read any SQL Analytics pool Maintenance Windows. | +> | Microsoft.Synapse/workspaces/sqlPools/maintenanceWindows/write | Create or Update any SQL Analytics pool Maintenance Windows. | +> | Microsoft.Synapse/workspaces/sqlPools/metadataSync/write | Create or Update SQL Analytics pool Metadata Sync Config | +> | Microsoft.Synapse/workspaces/sqlPools/metadataSync/read | Read SQL Analytics pool Metadata Sync Config | +> | Microsoft.Synapse/workspaces/sqlPools/operationResults/read | Read any Async Operation Result. | +> | Microsoft.Synapse/workspaces/sqlPools/operations/read | Read any SQL Analytics pool Operations. | +> | Microsoft.Synapse/workspaces/sqlPools/operationStatuses/read | Read any Async Operation Status. | +> | Microsoft.Synapse/workspaces/sqlPools/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic settings for a SQL Pool | +> | Microsoft.Synapse/workspaces/sqlPools/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic settings for a SQL Pool | +> | Microsoft.Synapse/workspaces/sqlPools/providers/Microsoft.Insights/logdefinitions/read | Gets the log definitions for a SQL Pool | +> | Microsoft.Synapse/workspaces/sqlPools/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for SQL Pools | +> | Microsoft.Synapse/workspaces/sqlPools/recommendedSensitivityLabels/read | Read any SQL Analytics pool Recommended Sensitivity Labels. | +> | Microsoft.Synapse/workspaces/sqlPools/recommendedSensitivityLabels/write | Batch update recommended sensitivity labels | +> | Microsoft.Synapse/workspaces/sqlPools/replicationLinks/read | Read any SQL Analytics pool Replication Links. | +> | Microsoft.Synapse/workspaces/sqlPools/restorePoints/read | Read any SQL Analytics pool Restore Points. | +> | Microsoft.Synapse/workspaces/sqlPools/restorePoints/delete | Deletes a restore point. 
| +> | Microsoft.Synapse/workspaces/sqlPools/schemas/read | Read any SQL Analytics pool Schemas. | +> | Microsoft.Synapse/workspaces/sqlPools/schemas/tables/read | Read any SQL Analytics pool Schema Tables. | +> | Microsoft.Synapse/workspaces/sqlPools/schemas/tables/columns/read | Read any SQL Analytics pool Schema Table Columns. | +> | Microsoft.Synapse/workspaces/sqlPools/schemas/tables/columns/sensitivityLabels/read | Gets the sensitivity label of a given column. | +> | Microsoft.Synapse/workspaces/sqlPools/schemas/tables/columns/sensitivityLabels/enable/action | Enable any SQL Analytics pool Sensitivity Labels. | +> | Microsoft.Synapse/workspaces/sqlPools/schemas/tables/columns/sensitivityLabels/disable/action | Disable any SQL Analytics pool Sensitivity Labels. | +> | Microsoft.Synapse/workspaces/sqlPools/schemas/tables/columns/sensitivityLabels/write | Create or Update any SQL Analytics pool Sensitivity Labels. | +> | Microsoft.Synapse/workspaces/sqlPools/schemas/tables/columns/sensitivityLabels/delete | Delete any SQL Analytics pool Sensitivity Labels. | +> | Microsoft.Synapse/workspaces/sqlPools/securityAlertPolicies/read | Read any Sql Analytics pool Threat Detection Policies. | +> | Microsoft.Synapse/workspaces/sqlPools/securityAlertPolicies/write | Create or Update any SQL Analytics pool Threat Detection Policies. | +> | Microsoft.Synapse/workspaces/sqlPools/sensitivityLabels/read | Gets the sensitivity label of a given column. | +> | Microsoft.Synapse/workspaces/sqlPools/transparentDataEncryption/read | Read any SQL Analytics pool Transparent Data Encryption Configuration. | +> | Microsoft.Synapse/workspaces/sqlPools/transparentDataEncryption/write | Create or Update any SQL Analytics pool Transparent Data Encryption Configuration. | +> | Microsoft.Synapse/workspaces/sqlPools/transparentDataEncryption/operationResults/read | Read any SQL Analytics pool Transparent Data Encryption Configuration Operation Results. 
| +> | Microsoft.Synapse/workspaces/sqlPools/usages/read | Read any SQL Analytics pool Usages. | +> | Microsoft.Synapse/workspaces/sqlPools/vulnerabilityAssessments/read | Read any SQL Analytics pool Vulnerability Assessment. | +> | Microsoft.Synapse/workspaces/sqlPools/vulnerabilityAssessments/write | Creates or updates the Sql pool vulnerability assessment | +> | Microsoft.Synapse/workspaces/sqlPools/vulnerabilityAssessments/delete | Delete any SQL Analytics pool Vulnerability Assessment. | +> | Microsoft.Synapse/workspaces/sqlPools/vulnerabilityAssessments/rules/baselines/read | Get a SQL Analytics pool Vulnerability Assessment Rule Baseline. | +> | Microsoft.Synapse/workspaces/sqlPools/vulnerabilityAssessments/rules/baselines/write | Create or Update any SQL Analytics pool Vulnerability Assessment Rule Baseline. | +> | Microsoft.Synapse/workspaces/sqlPools/vulnerabilityAssessments/rules/baselines/delete | Delete any SQL Analytics pool Vulnerability Assessment Rule Baseline. | +> | Microsoft.Synapse/workspaces/sqlPools/vulnerabilityAssessments/scans/read | Read any SQL Analytics pool Vulnerability Assessment Scan Records. | +> | Microsoft.Synapse/workspaces/sqlPools/vulnerabilityAssessments/scans/initiateScan/action | Initiate any SQL Analytics pool Vulnerability Assessment Scan Records. | +> | Microsoft.Synapse/workspaces/sqlPools/vulnerabilityAssessments/scans/export/action | Export any SQL Analytics pool Vulnerability Assessment Scan Records. | +> | Microsoft.Synapse/workspaces/sqlPools/workloadGroups/read | Lists the workload groups for a selected SQL pool. | +> | Microsoft.Synapse/workspaces/sqlPools/workloadGroups/write | Sets the properties for a specific workload group. | +> | Microsoft.Synapse/workspaces/sqlPools/workloadGroups/delete | Drops a specific workload group. 
| +> | Microsoft.Synapse/workspaces/sqlPools/workloadGroups/operationStatuses/read | SQL Analytics Pool workload group operation status | +> | Microsoft.Synapse/workspaces/sqlPools/workloadGroups/workloadClassifiers/read | Lists the workload classifiers for a selected SQL Analytics Pool. | +> | Microsoft.Synapse/workspaces/sqlPools/workloadGroups/workloadClassifiers/write | Sets the properties for a specific workload classifier. | +> | Microsoft.Synapse/workspaces/sqlPools/workloadGroups/workloadClassifiers/delete | Drops a specific workload classifier. | +> | Microsoft.Synapse/workspaces/sqlPools/workloadGroups/workloadClassifiers/operationResults/read | SQL Analytics Pool workload classifier operation result | +> | Microsoft.Synapse/workspaces/sqlPools/workloadGroups/workloadClassifiers/operationStatuses/read | SQL Analytics Pool workload classifier operation status | +> | Microsoft.Synapse/workspaces/sqlUsages/read | Gets usage limits available for SQL Analytics Pools | +> | Microsoft.Synapse/workspaces/trustedServiceBypassConfiguration/write | Update Trusted Service Bypass configuration for workspace. | +> | Microsoft.Synapse/workspaces/usages/read | Get all usage and quota information | +> | Microsoft.Synapse/workspaces/vulnerabilityAssessments/write | Create or Update SQL server vulnerability assessment report. | +> | Microsoft.Synapse/workspaces/vulnerabilityAssessments/read | Read default SQL server vulnerability assessment report. | +> | Microsoft.Synapse/workspaces/vulnerabilityAssessments/delete | Delete SQL server vulnerability assessment report. | ++## Next steps ++- [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types) |
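Permission tables such as the Microsoft.Synapse one above (and the Compute-category tables that follow) are the raw material for custom roles, but a role built from them is only least-privilege if you can predict what it actually grants once wildcards and NotActions are applied. The Python below is an added example, not code from the Microsoft docs: it evaluates a hypothetical custom role definition against a handful of rows copied from the Microsoft.Synapse table and flags any granted operation whose name suggests it returns or rotates a credential (`listAuthKeys`, `regenerateAuthKey`, and the like). The matching rules it implements (wildcard `*` spans any characters, NotActions subtract from Actions rather than deny, names compare case-insensitively) are the documented Azure RBAC semantics; the two role definitions, the placeholder subscription ID and the credential keyword list are this example's own assumptions.

```python
"""Added example: predict what a custom role grants from a resource-provider
permission table, and flag credential-bearing operations.

Assumed Azure RBAC semantics (from the public RBAC documentation):
  * an operation is allowed if it matches an Actions entry and no NotActions
    entry; NotActions narrow Actions, they are not a deny assignment;
  * '*' matches any run of characters, including '/';
  * operation names are compared case-insensitively.
CATALOG rows are copied from the Microsoft.Synapse table; the roles and the
CREDENTIAL_HINTS list are this example's own assumptions, not Azure data.
"""
import json
import re

# Constructed subset of the Microsoft.Synapse permission table.
CATALOG = [
    ("Microsoft.Synapse/workspaces/read", "Read any Workspaces."),
    ("Microsoft.Synapse/workspaces/write", "Create or Update any Workspaces."),
    ("Microsoft.Synapse/workspaces/delete", "Delete any Workspaces."),
    ("Microsoft.Synapse/workspaces/firewallRules/read", "Read IP Firewall Rule"),
    ("Microsoft.Synapse/workspaces/firewallRules/write", "Create or update any IP Firewall Rule."),
    ("Microsoft.Synapse/workspaces/replaceAllIpFirewallRules/action", "Replaces all Ip Firewall Rules for the Workspace."),
    ("Microsoft.Synapse/workspaces/integrationRuntimes/read", "Get any Integration Runtime."),
    ("Microsoft.Synapse/workspaces/integrationRuntimes/start/action", "Start any Integration Runtime"),
    ("Microsoft.Synapse/workspaces/integrationRuntimes/listAuthKeys/action", "List Auth Keys of any Integration Runtime"),
    ("Microsoft.Synapse/workspaces/integrationRuntimes/regenerateAuthKey/action", "Regenerate auth key of any Integration Runtime"),
    ("Microsoft.Synapse/workspaces/integrationRuntimes/nodes/read", "Get any Integration Runtime Node."),
    ("Microsoft.Synapse/workspaces/sqlPools/read", "Read any SQL Analytics pools."),
    ("Microsoft.Synapse/workspaces/sqlPools/auditingSettings/read", "Read any SQL Analytics pool Auditing Settings."),
    ("Microsoft.Synapse/workspaces/trustedServiceBypassConfiguration/write", "Update Trusted Service Bypass configuration for workspace."),
]

# Hypothetical least-privilege role: read everything under a workspace, start
# integration runtimes, but never obtain or rotate runtime auth keys.
OPERATOR_ROLE = {
    "Name": "Synapse Runtime Operator (example)",
    "IsCustom": True,
    "Description": "Read workspaces and start integration runtimes; no credentials.",
    "Actions": [
        "Microsoft.Synapse/workspaces/read",
        "Microsoft.Synapse/workspaces/*/read",
        "Microsoft.Synapse/workspaces/integrationRuntimes/*/action",
    ],
    "NotActions": [
        "Microsoft.Synapse/workspaces/integrationRuntimes/listAuthKeys/action",
        "Microsoft.Synapse/workspaces/integrationRuntimes/regenerateAuthKey/action",
    ],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],  # placeholder
}

# Hypothetical over-broad role that a reviewer should push back on.
BROAD_ROLE = dict(OPERATOR_ROLE, Name="Synapse Runtime Admin (example)",
                  Actions=["Microsoft.Synapse/workspaces/integrationRuntimes/*"],
                  NotActions=[])

# {Company}.{ProviderName}/{resourceType}/{action}; a bare '*' (Owner) is also legal.
PERMISSION_RE = re.compile(r"^[A-Za-z0-9]+\.[A-Za-z0-9]+(/[A-Za-z0-9*_.-]+)+$")

# Heuristic name fragments for operations that hand out or rotate secrets.
CREDENTIAL_HINTS = ("listauthkeys", "regenerateauthkey", "listkeys", "listsecrets", "authtoken")


def is_well_formed(permission: str) -> bool:
    """True if the string has the documented permission-string shape."""
    return permission == "*" or PERMISSION_RE.match(permission) is not None


def _matches(pattern: str, operation: str) -> bool:
    """Azure-style wildcard match: each '*' may span any characters, '/' included."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def is_permitted(role: dict, operation: str) -> bool:
    """Allowed iff some Actions entry matches and no NotActions entry matches."""
    allowed = any(_matches(p, operation) for p in role.get("Actions", []))
    excluded = any(_matches(p, operation) for p in role.get("NotActions", []))
    return allowed and not excluded


def effective_permissions(role: dict, catalog=CATALOG) -> list:
    """Catalog operations the role really grants, in catalog order."""
    return [op for op, _ in catalog if is_permitted(role, op)]


def credential_exposing(operations) -> list:
    """Granted operations whose name suggests a secret is returned or rotated."""
    return [op for op in operations if any(h in op.lower() for h in CREDENTIAL_HINTS)]


def review(role: dict, catalog=CATALOG) -> dict:
    """Summary a role reviewer would want: grants, risky grants, malformed entries."""
    granted = effective_permissions(role, catalog)
    malformed = [p for p in role["Actions"] + role["NotActions"] if not is_well_formed(p)]
    return {"granted": granted, "credential_exposing": credential_exposing(granted),
            "malformed": malformed}


if __name__ == "__main__":
    for role in (OPERATOR_ROLE, BROAD_ROLE):
        print(role["Name"])
        print(json.dumps(review(role), indent=2))
```

Running the script shows the operator role granting seven read/start operations and nothing credential-bearing, while the broad `integrationRuntimes/*` role silently picks up `listAuthKeys` and `regenerateAuthKey`; that difference is exactly what a NotActions entry (or a narrower wildcard) is for, and the same check applies unchanged to the `listsecrets`, `listauthtoken` and `getauthtoken` rows in the microsoft.app table.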
role-based-access-control | Compute | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/compute.md | + + Title: Azure permissions for Compute - Azure RBAC +description: Lists the permissions for the Azure resource providers in the Compute category. +++++ Last updated : 02/07/2024++++# Azure permissions for Compute ++This article lists the permissions for the Azure resource providers in the Compute category. You can use these permissions in your own [Azure custom roles](/azure/role-based-access-control/custom-roles) to provide granular access control to resources in Azure. Permission strings have the following format: `{Company}.{ProviderName}/{resourceType}/{action}` +++## microsoft.app ++Azure service: [Azure Container Apps](/azure/container-apps/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | microsoft.app/register/action | Register microsoft.app resource provider for the subscription | +> | microsoft.app/unregister/action | Unregister microsoft.app resource provider for the subscription | +> | microsoft.app/getcustomdomainverificationid/action | Get Subscription Verification Id used for verifying custom domains | +> | microsoft.app/builders/write | Create or update a Builder | +> | microsoft.app/builders/read | Get a Builder | +> | microsoft.app/builders/delete | Delete a Builder | +> | microsoft.app/builders/patches/read | Get a Builder's Patch | +> | microsoft.app/builders/patches/delete | Delete a Builder's Patch | +> | microsoft.app/builders/patches/skip/action | Skip a Builder's Patch | +> | microsoft.app/builders/patches/apply/action | Apply a Builder's Patch | +> | microsoft.app/builds/write | Create or update a Build's build | +> | microsoft.app/builds/read | Get a Builder's Build | +> | microsoft.app/builds/delete | Delete a Managed Environment's Build | +> | microsoft.app/builds/listauthtoken/action | Gets the token used to connect to the build endpoints, such as source 
code upload or build log streaming. | +> | microsoft.app/connectedenvironments/join/action | Allows creating a Container App or Container Apps Job in a Connected Environment | +> | microsoft.app/connectedenvironments/checknameavailability/action | Check resource name availability for a Connected Environment | +> | microsoft.app/connectedenvironments/write | Create or update a Connected Environment | +> | microsoft.app/connectedenvironments/delete | Delete a Connected Environment | +> | microsoft.app/connectedenvironments/read | Get a Connected Environment | +> | microsoft.app/connectedenvironments/certificates/write | Create or update a Connected Environment Certificate | +> | microsoft.app/connectedenvironments/certificates/read | Get a Connected Environment's Certificate | +> | microsoft.app/connectedenvironments/certificates/delete | Delete a Connected Environment's Certificate | +> | microsoft.app/connectedenvironments/daprcomponents/write | Create or Update Connected Environment Dapr Component | +> | microsoft.app/connectedenvironments/daprcomponents/read | Read Connected Environment Dapr Component | +> | microsoft.app/connectedenvironments/daprcomponents/delete | Delete Connected Environment Dapr Component | +> | microsoft.app/connectedenvironments/daprcomponents/listsecrets/action | List Secrets of a Dapr Component | +> | microsoft.app/connectedenvironments/storages/read | Get storage for a Connected Environment. | +> | microsoft.app/connectedenvironments/storages/write | Create or Update a storage of Connected Environment. | +> | microsoft.app/connectedenvironments/storages/delete | Delete a storage of Connected Environment. 
| +> | microsoft.app/containerapp/resiliencypolicies/read | Get App Resiliency Policy | +> | microsoft.app/containerapps/write | Create or update a Container App | +> | microsoft.app/containerapps/delete | Delete a Container App | +> | microsoft.app/containerapps/read | Get a Container App | +> | microsoft.app/containerapps/listsecrets/action | List secrets of a container app | +> | microsoft.app/containerapps/listcustomhostnameanalysis/action | List custom host name analysis result | +> | microsoft.app/containerapps/stop/action | Stop a Container App | +> | microsoft.app/containerapps/start/action | Start a Container App | +> | microsoft.app/containerapps/authtoken/action | Get Auth Token for Container App Dev APIs to get log stream, exec or port forward from a container. This operation will be deprecated. | +> | microsoft.app/containerapps/getauthtoken/action | Get Auth Token for Container App Dev APIs to get log stream, exec or port forward from a container. | +> | microsoft.app/containerapps/authconfigs/read | Get auth config of a container app | +> | microsoft.app/containerapps/authconfigs/write | Create or update auth config of a container app | +> | microsoft.app/containerapps/authconfigs/delete | Delete auth config of a container app | +> | microsoft.app/containerapps/detectors/read | Get detector of a container app | +> | microsoft.app/containerapps/resiliencypolicies/write | Create or Update App Resiliency Policy | +> | microsoft.app/containerapps/resiliencypolicies/delete | Delete App Resiliency Policy | +> | microsoft.app/containerapps/revisions/read | Get revision of a container app | +> | microsoft.app/containerapps/revisions/restart/action | Restart a container app revision | +> | microsoft.app/containerapps/revisions/activate/action | Activate a container app revision | +> | microsoft.app/containerapps/revisions/deactivate/action | Deactivate a container app revision | +> | microsoft.app/containerapps/revisions/replicas/read | Get replica of a 
container app revision | +> | microsoft.app/containerapps/sourcecontrols/write | Create or Update Container App Source Control Configuration | +> | microsoft.app/containerapps/sourcecontrols/read | Get Container App Source Control Configuration | +> | microsoft.app/containerapps/sourcecontrols/delete | Delete Container App Source Control Configuration | +> | microsoft.app/jobs/write | Create or update a Container Apps Job | +> | microsoft.app/jobs/delete | Delete a Container Apps Job | +> | microsoft.app/jobs/start/action | Start a Container Apps Job | +> | microsoft.app/jobs/stop/action | Stop multiple Container Apps Job executions | +> | microsoft.app/jobs/read | Get a Container Apps Job | +> | microsoft.app/jobs/listsecrets/action | List secrets of a container apps job | +> | microsoft.app/jobs/detectors/read | Get detector of a container apps job | +> | microsoft.app/jobs/execution/read | Get a single execution from a Container Apps Job | +> | microsoft.app/jobs/executions/read | Get a Container Apps Job's execution history | +> | microsoft.app/jobs/stop/execution/action | Stop a Container Apps Job's specific execution | +> | microsoft.app/jobs/stop/execution/backport/action | Stop a Container Apps Job's specific execution | +> | microsoft.app/locations/availablemanagedenvironmentsworkloadprofiletypes/read | Get Available Workload Profile Types in a Region | +> | microsoft.app/locations/billingmeters/read | Get Billing Meters in a Region | +> | microsoft.app/locations/connectedenvironmentoperationresults/read | Get a Connected Environment Long Running Operation Result | +> | microsoft.app/locations/connectedenvironmentoperationstatuses/read | Get a Connected Environment Long Running Operation Status | +> | microsoft.app/locations/containerappoperationresults/read | Get a Container App Long Running Operation Result | +> | microsoft.app/locations/containerappoperationstatuses/read | Get a Container App Long Running Operation Status | +> | 
microsoft.app/locations/containerappsjoboperationresults/read | Get a Container Apps Job Long Running Operation Result | +> | microsoft.app/locations/containerappsjoboperationstatuses/read | Get a Container Apps Job Long Running Operation Status | +> | microsoft.app/locations/managedcertificateoperationstatuses/read | Get a Managed Certificate Long Running Operation Result | +> | microsoft.app/locations/managedcertificateoperationstatuses/delete | Delete a Managed Certificate Long Running Operation Result | +> | microsoft.app/locations/managedenvironmentoperationresults/read | Get a Managed Environment Long Running Operation Result | +> | microsoft.app/locations/managedenvironmentoperationstatuses/read | Get a Managed Environment Long Running Operation Status | +> | microsoft.app/locations/operationresults/read | Get a Long Running Operation Result | +> | microsoft.app/locations/operationstatuses/read | Get a Long Running Operation Status | +> | microsoft.app/locations/sourcecontroloperationresults/read | Get Container App Source Control Long Running Operation Result | +> | microsoft.app/locations/sourcecontroloperationstatuses/read | Get a Container App Source Control Long Running Operation Status | +> | microsoft.app/locations/usages/read | Get Quota Usages in a Region | +> | microsoft.app/managedenvironments/join/action | Allows to create a Container App in a Managed Environment | +> | microsoft.app/managedenvironments/read | Get a Managed Environment | +> | microsoft.app/managedenvironments/write | Create or update a Managed Environment | +> | microsoft.app/managedenvironments/delete | Delete a Managed Environment | +> | microsoft.app/managedenvironments/getauthtoken/action | Get Auth Token for Managed Environment Dev APIs to get log stream, exec or port forward from a container | +> | microsoft.app/managedenvironments/checknameavailability/action | Check reource name availability for a Managed Environment | +> | 
microsoft.app/managedenvironments/certificates/write | Create or update a Managed Environment Certificate | +> | microsoft.app/managedenvironments/certificates/read | Get a Managed Environment's Certificate | +> | microsoft.app/managedenvironments/certificates/delete | Delete a Managed Environment's Certificate | +> | microsoft.app/managedenvironments/daprcomponents/write | Create or Update Managed Environment Dapr Component | +> | microsoft.app/managedenvironments/daprcomponents/read | Read Managed Environment Dapr Component | +> | microsoft.app/managedenvironments/daprcomponents/delete | Delete Managed Environment Dapr Component | +> | microsoft.app/managedenvironments/daprcomponents/listsecrets/action | List Secrets of a Dapr Component | +> | microsoft.app/managedenvironments/daprcomponents/daprsubscriptions/write | Create or Update Managed Environment Dapr PubSub Subscription | +> | microsoft.app/managedenvironments/daprcomponents/daprsubscriptions/read | Read Managed Environment Dapr PubSub Subscription | +> | microsoft.app/managedenvironments/daprcomponents/daprsubscriptions/delete | Delete Managed Environment Dapr PubSub Subscription | +> | microsoft.app/managedenvironments/daprcomponents/resiliencypolicies/write | Create or Update Managed Environment Dapr Component Resiliency Policy | +> | microsoft.app/managedenvironments/daprcomponents/resiliencypolicies/read | Read Managed Environment Dapr Component Resiliency Policy | +> | microsoft.app/managedenvironments/daprcomponents/resiliencypolicies/delete | Delete Managed Environment Dapr Component Resiliency Policy | +> | microsoft.app/managedenvironments/detectors/read | Get detector of a managed environment | +> | microsoft.app/managedenvironments/dotnetcomponents/read | Read Managed Environment .NET Component | +> | microsoft.app/managedenvironments/dotnetcomponents/write | Create or update Managed Environment .NET Component | +> | microsoft.app/managedenvironments/dotnetcomponents/delete | Delete Managed 
Environment .NET Component | +> | microsoft.app/managedenvironments/javacomponents/read | Read Managed Environment Java Component | +> | microsoft.app/managedenvironments/javacomponents/write | Create or update Managed Environment Java Component | +> | microsoft.app/managedenvironments/javacomponents/delete | Delete Managed Environment Java Component | +> | microsoft.app/managedenvironments/managedcertificates/write | Create or update a Managed Certificate in Managed Environment | +> | microsoft.app/managedenvironments/managedcertificates/read | Get a Managed Certificate in Managed Environment | +> | microsoft.app/managedenvironments/managedcertificates/delete | Delete a Managed Certificate in Managed Environment | +> | microsoft.app/managedenvironments/storages/read | Get storage for a Managed Environment. | +> | microsoft.app/managedenvironments/storages/write | Create or Update a storage of Managed Environment. | +> | microsoft.app/managedenvironments/storages/delete | Delete a storage of Managed Environment. 
| +> | microsoft.app/managedenvironments/usages/read | Get Quota Usages in a Managed Environment | +> | microsoft.app/managedenvironments/workloadprofilestates/read | Get Current Workload Profile States | +> | microsoft.app/operations/read | Get a list of supported container app operations | +> | microsoft.app/sessionpools/write | Create or Update a Session Pool | +> | microsoft.app/sessionpools/read | Get a Session Pool | +> | microsoft.app/sessionpools/delete | Delete a Session Pool | +> | microsoft.app/sessionpools/sessions/generatesessions/action | Generate sessions | +> | microsoft.app/sessionpools/sessions/read | Get a Session | +> | **DataAction** | **Description** | +> | microsoft.app/sessionpools/interpreters/execute/action | Execute Code | +> | microsoft.app/sessionpools/interpreters/read | Read interpreter resources | ++## Microsoft.ClassicCompute ++Azure service: Classic deployment model virtual machine ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.ClassicCompute/register/action | Register to Classic Compute | +> | Microsoft.ClassicCompute/checkDomainNameAvailability/action | Checks the availability of a given domain name. | +> | Microsoft.ClassicCompute/moveSubscriptionResources/action | Move all classic resources to a different subscription. | +> | Microsoft.ClassicCompute/validateSubscriptionMoveAvailability/action | Validate the subscription's availability for classic move operation. | +> | Microsoft.ClassicCompute/capabilities/read | Shows the capabilities | +> | Microsoft.ClassicCompute/checkDomainNameAvailability/read | Gets the availability of a given domain name. | +> | Microsoft.ClassicCompute/domainNames/read | Return the domain names for resources. | +> | Microsoft.ClassicCompute/domainNames/write | Add or modify the domain names for resources. | +> | Microsoft.ClassicCompute/domainNames/delete | Remove the domain names for resources. 
| +> | Microsoft.ClassicCompute/domainNames/swap/action | Swaps the staging slot to the production slot. | +> | Microsoft.ClassicCompute/domainNames/active/write | Sets the active domain name. | +> | Microsoft.ClassicCompute/domainNames/availabilitySets/read | Show the availability set for the resource. | +> | Microsoft.ClassicCompute/domainNames/capabilities/read | Shows the domain name capabilities | +> | Microsoft.ClassicCompute/domainNames/deploymentslots/read | Shows the deployment slots. | +> | Microsoft.ClassicCompute/domainNames/deploymentslots/write | Creates or update the deployment. | +> | Microsoft.ClassicCompute/domainNames/deploymentslots/roles/read | Get role on deployment slot of domain name | +> | Microsoft.ClassicCompute/domainNames/deploymentslots/roles/roleinstances/read | Get role instance for role on deployment slot of domain name | +> | Microsoft.ClassicCompute/domainNames/deploymentslots/state/read | Get the deployment slot state. | +> | Microsoft.ClassicCompute/domainNames/deploymentslots/state/write | Add the deployment slot state. | +> | Microsoft.ClassicCompute/domainNames/deploymentslots/upgradedomain/read | Get upgrade domain for deployment slot on domain name | +> | Microsoft.ClassicCompute/domainNames/deploymentslots/upgradedomain/write | Update upgrade domain for deployment slot on domain name | +> | Microsoft.ClassicCompute/domainNames/extensions/read | Returns the domain name extensions. | +> | Microsoft.ClassicCompute/domainNames/extensions/write | Add the domain name extensions. | +> | Microsoft.ClassicCompute/domainNames/extensions/delete | Remove the domain name extensions. | +> | Microsoft.ClassicCompute/domainNames/extensions/operationStatuses/read | Reads the operation status for the domain names extensions. | +> | Microsoft.ClassicCompute/domainNames/internalLoadBalancers/read | Gets the internal load balancers. | +> | Microsoft.ClassicCompute/domainNames/internalLoadBalancers/write | Creates a new internal load balance. 
| +> | Microsoft.ClassicCompute/domainNames/internalLoadBalancers/delete | Remove a new internal load balance. | +> | Microsoft.ClassicCompute/domainNames/internalLoadBalancers/operationStatuses/read | Reads the operation status for the domain names internal load balancers. | +> | Microsoft.ClassicCompute/domainNames/loadBalancedEndpointSets/read | Get the load balanced endpoint sets. | +> | Microsoft.ClassicCompute/domainNames/loadBalancedEndpointSets/write | Add the load balanced endpoint set. | +> | Microsoft.ClassicCompute/domainNames/loadBalancedEndpointSets/operationStatuses/read | Reads the operation status for the domain names load balanced endpoint sets. | +> | Microsoft.ClassicCompute/domainNames/operationstatuses/read | Get operation status of the domain name. | +> | Microsoft.ClassicCompute/domainNames/operationStatuses/read | Reads the operation status for the domain names extensions. | +> | Microsoft.ClassicCompute/domainNames/serviceCertificates/read | Returns the service certificates used. | +> | Microsoft.ClassicCompute/domainNames/serviceCertificates/write | Add or modify the service certificates used. | +> | Microsoft.ClassicCompute/domainNames/serviceCertificates/delete | Delete the service certificates used. | +> | Microsoft.ClassicCompute/domainNames/serviceCertificates/operationStatuses/read | Reads the operation status for the domain names service certificates. | +> | Microsoft.ClassicCompute/domainNames/slots/read | Shows the deployment slots. | +> | Microsoft.ClassicCompute/domainNames/slots/write | Creates or update the deployment. | +> | Microsoft.ClassicCompute/domainNames/slots/delete | Deletes a given deployment slot. | +> | Microsoft.ClassicCompute/domainNames/slots/start/action | Starts a deployment slot. | +> | Microsoft.ClassicCompute/domainNames/slots/stop/action | Suspends the deployment slot. | +> | Microsoft.ClassicCompute/domainNames/slots/validateMigration/action | Validates migration of a deployment slot. 
| +> | Microsoft.ClassicCompute/domainNames/slots/prepareMigration/action | Prepares migration of a deployment slot. | +> | Microsoft.ClassicCompute/domainNames/slots/commitMigration/action | Commits migration of a deployment slot. | +> | Microsoft.ClassicCompute/domainNames/slots/abortMigration/action | Aborts migration of a deployment slot. | +> | Microsoft.ClassicCompute/domainNames/slots/operationStatuses/read | Reads the operation status for the domain names slots. | +> | Microsoft.ClassicCompute/domainNames/slots/roles/read | Get the role for the deployment slot. | +> | Microsoft.ClassicCompute/domainNames/slots/roles/write | Add role for the deployment slot. | +> | Microsoft.ClassicCompute/domainNames/slots/roles/extensionReferences/read | Returns the extension reference for the deployment slot role. | +> | Microsoft.ClassicCompute/domainNames/slots/roles/extensionReferences/write | Add or modify the extension reference for the deployment slot role. | +> | Microsoft.ClassicCompute/domainNames/slots/roles/extensionReferences/delete | Remove the extension reference for the deployment slot role. | +> | Microsoft.ClassicCompute/domainNames/slots/roles/extensionReferences/operationStatuses/read | Reads the operation status for the domain names slots roles extension references. | +> | Microsoft.ClassicCompute/domainNames/slots/roles/metricdefinitions/read | Get the role metric definition for the domain name. | +> | Microsoft.ClassicCompute/domainNames/slots/roles/metrics/read | Get role metric for the domain name. | +> | Microsoft.ClassicCompute/domainNames/slots/roles/operationstatuses/read | Get the operation status for the domain names slot role. | +> | Microsoft.ClassicCompute/domainNames/slots/roles/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostics settings. | +> | Microsoft.ClassicCompute/domainNames/slots/roles/providers/Microsoft.Insights/diagnosticSettings/write | Add or modify diagnostics settings. 
| +> | Microsoft.ClassicCompute/domainNames/slots/roles/providers/Microsoft.Insights/metricDefinitions/read | Gets the metrics definitions. | +> | Microsoft.ClassicCompute/domainNames/slots/roles/roleInstances/downloadremotedesktopconnectionfile/action | Downloads remote desktop connection file for the role instance on the domain name slot role. | +> | Microsoft.ClassicCompute/domainNames/slots/roles/roleInstances/read | Get the role instance. | +> | Microsoft.ClassicCompute/domainNames/slots/roles/roleInstances/restart/action | Restarts role instances. | +> | Microsoft.ClassicCompute/domainNames/slots/roles/roleInstances/reimage/action | Reimages the role instance. | +> | Microsoft.ClassicCompute/domainNames/slots/roles/roleInstances/rebuild/action | Rebuilds the role instance. | +> | Microsoft.ClassicCompute/domainNames/slots/roles/roleInstances/operationStatuses/read | Gets the operation status for the role instance on domain names slot role. | +> | Microsoft.ClassicCompute/domainNames/slots/roles/skus/read | Get role sku for the deployment slot. | +> | Microsoft.ClassicCompute/domainNames/slots/state/start/write | Changes the deployment slot state to stopped. | +> | Microsoft.ClassicCompute/domainNames/slots/state/stop/write | Changes the deployment slot state to started. | +> | Microsoft.ClassicCompute/domainNames/slots/upgradeDomain/write | Walk upgrade the domain. | +> | Microsoft.ClassicCompute/operatingSystemFamilies/read | Lists the guest operating system families available in Microsoft Azure, and also lists the operating system versions available for each family. | +> | Microsoft.ClassicCompute/operatingSystems/read | Lists the versions of the guest operating system that are currently available in Microsoft Azure. | +> | Microsoft.ClassicCompute/operations/read | Gets the list of operations. | +> | Microsoft.ClassicCompute/operationStatuses/read | Reads the operation status for the resource. 
| +> | Microsoft.ClassicCompute/quotas/read | Get the quota for the subscription. | +> | Microsoft.ClassicCompute/resourceTypes/skus/read | Gets the Sku list for supported resource types. | +> | Microsoft.ClassicCompute/virtualMachines/read | Retrieves list of virtual machines. | +> | Microsoft.ClassicCompute/virtualMachines/write | Add or modify virtual machines. | +> | Microsoft.ClassicCompute/virtualMachines/delete | Removes virtual machines. | +> | Microsoft.ClassicCompute/virtualMachines/capture/action | Capture a virtual machine. | +> | Microsoft.ClassicCompute/virtualMachines/start/action | Start the virtual machine. | +> | Microsoft.ClassicCompute/virtualMachines/redeploy/action | Redeploys the virtual machine. | +> | Microsoft.ClassicCompute/virtualMachines/performMaintenance/action | Performs maintenance on the virtual machine. | +> | Microsoft.ClassicCompute/virtualMachines/restart/action | Restarts virtual machines. | +> | Microsoft.ClassicCompute/virtualMachines/stop/action | Stops the virtual machine. | +> | Microsoft.ClassicCompute/virtualMachines/shutdown/action | Shutdown the virtual machine. | +> | Microsoft.ClassicCompute/virtualMachines/attachDisk/action | Attaches a data disk to a virtual machine. | +> | Microsoft.ClassicCompute/virtualMachines/detachDisk/action | Detaches a data disk from virtual machine. | +> | Microsoft.ClassicCompute/virtualMachines/downloadRemoteDesktopConnectionFile/action | Downloads the RDP file for virtual machine. | +> | Microsoft.ClassicCompute/virtualMachines/associatedNetworkSecurityGroups/read | Gets the network security group associated with the virtual machine. | +> | Microsoft.ClassicCompute/virtualMachines/associatedNetworkSecurityGroups/write | Adds a network security group associated with the virtual machine. | +> | Microsoft.ClassicCompute/virtualMachines/associatedNetworkSecurityGroups/delete | Deletes the network security group associated with the virtual machine. 
| +> | Microsoft.ClassicCompute/virtualMachines/associatedNetworkSecurityGroups/operationStatuses/read | Reads the operation status for the virtual machines associated network security groups. | +> | Microsoft.ClassicCompute/virtualMachines/asyncOperations/read | Gets the possible async operations | +> | Microsoft.ClassicCompute/virtualMachines/diagnosticsettings/read | Get virtual machine diagnostics settings. | +> | Microsoft.ClassicCompute/virtualMachines/disks/read | Retrieves list of data disks | +> | Microsoft.ClassicCompute/virtualMachines/extensions/read | Gets the virtual machine extension. | +> | Microsoft.ClassicCompute/virtualMachines/extensions/write | Puts the virtual machine extension. | +> | Microsoft.ClassicCompute/virtualMachines/extensions/operationStatuses/read | Reads the operation status for the virtual machines extensions. | +> | Microsoft.ClassicCompute/virtualMachines/metricdefinitions/read | Get the virtual machine metric definition. | +> | Microsoft.ClassicCompute/virtualMachines/metrics/read | Gets the metrics. | +> | Microsoft.ClassicCompute/virtualMachines/networkInterfaces/associatedNetworkSecurityGroups/read | Gets the network security group associated with the network interface. | +> | Microsoft.ClassicCompute/virtualMachines/networkInterfaces/associatedNetworkSecurityGroups/write | Adds a network security group associated with the network interface. | +> | Microsoft.ClassicCompute/virtualMachines/networkInterfaces/associatedNetworkSecurityGroups/delete | Deletes the network security group associated with the network interface. | +> | Microsoft.ClassicCompute/virtualMachines/networkInterfaces/associatedNetworkSecurityGroups/operationStatuses/read | Reads the operation status for the virtual machines associated network security groups. | +> | Microsoft.ClassicCompute/virtualMachines/operationStatuses/read | Reads the operation status for the virtual machines. 
| +> | Microsoft.ClassicCompute/virtualMachines/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostics settings. | +> | Microsoft.ClassicCompute/virtualMachines/providers/Microsoft.Insights/diagnosticSettings/write | Add or modify diagnostics settings. | +> | Microsoft.ClassicCompute/virtualMachines/providers/Microsoft.Insights/metricDefinitions/read | Gets the metrics definitions. | ++## Microsoft.Compute ++Azure service: [Virtual Machines](/azure/virtual-machines/), [Virtual Machine Scale Sets](/azure/virtual-machine-scale-sets/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Compute/register/action | Registers Subscription with Microsoft.Compute resource provider | +> | Microsoft.Compute/unregister/action | Unregisters Subscription with Microsoft.Compute resource provider | +> | Microsoft.Compute/availabilitySets/read | Get the properties of an availability set | +> | Microsoft.Compute/availabilitySets/write | Creates a new availability set or updates an existing one | +> | Microsoft.Compute/availabilitySets/delete | Deletes the availability set | +> | Microsoft.Compute/availabilitySets/vmSizes/read | List available sizes for creating or updating a virtual machine in the availability set | +> | Microsoft.Compute/capacityReservationGroups/read | Get the properties of a capacity reservation group | +> | Microsoft.Compute/capacityReservationGroups/write | Creates a new capacity reservation group or updates an existing capacity reservation group | +> | Microsoft.Compute/capacityReservationGroups/delete | Deletes the capacity reservation group | +> | Microsoft.Compute/capacityReservationGroups/deploy/action | Deploy a new VM/VMSS using Capacity Reservation Group | +> | Microsoft.Compute/capacityReservationGroups/share/action | Share the Capacity Reservation Group with one or more Subscriptionss | +> | Microsoft.Compute/capacityReservationGroups/capacityReservations/read | Get the properties of a capacity 
reservation | +> | Microsoft.Compute/capacityReservationGroups/capacityReservations/write | Creates a new capacity reservation or updates an existing capacity reservation | +> | Microsoft.Compute/capacityReservationGroups/capacityReservations/delete | Deletes the capacity reservation | +> | Microsoft.Compute/cloudServices/read | Get the properties of a CloudService. | +> | Microsoft.Compute/cloudServices/write | Created a new CloudService or Update an existing one. | +> | Microsoft.Compute/cloudServices/delete | Deletes the CloudService. | +> | Microsoft.Compute/cloudServices/poweroff/action | Power off the CloudService. | +> | Microsoft.Compute/cloudServices/start/action | Starts the CloudService. | +> | Microsoft.Compute/cloudServices/restart/action | Restarts one or more role instances in a CloudService. | +> | Microsoft.Compute/cloudServices/reimage/action | Rebuilds all the disks in the role instances in a CloudService. | +> | Microsoft.Compute/cloudServices/rebuild/action | Reimage all the role instances in a CloudService. | +> | Microsoft.Compute/cloudServices/delete/action | Deletes role instances in a CloudService. | +> | Microsoft.Compute/cloudServices/instanceView/read | Gets the status of a CloudService. | +> | Microsoft.Compute/cloudServices/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the CloudService. | +> | Microsoft.Compute/cloudServices/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the CloudService. | +> | Microsoft.Compute/cloudServices/providers/Microsoft.Insights/metricDefinitions/read | Gets the CloudService metrics definition | +> | Microsoft.Compute/cloudServices/roleInstances/delete | Deletes a RoleInstance from CloudService. | +> | Microsoft.Compute/cloudServices/roleInstances/read | Gets a RoleInstance from CloudService. 
| +> | Microsoft.Compute/cloudServices/roleInstances/restart/action | Restart a role instance of a CloudService | +> | Microsoft.Compute/cloudServices/roleInstances/reimage/action | Reimage a role instance of a CloudService. | +> | Microsoft.Compute/cloudServices/roleInstances/rebuild/action | Rebuild all the disks in a CloudService. | +> | Microsoft.Compute/cloudServices/roleInstances/instanceView/read | Gets the status of a role instance from a CloudService. | +> | Microsoft.Compute/cloudServices/roles/read | Gets a role from a CloudService. | +> | Microsoft.Compute/cloudServices/roles/write | Scale instances in a Role | +> | Microsoft.Compute/cloudServices/roles/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the CloudService Roles. | +> | Microsoft.Compute/cloudServices/roles/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the CloudService Roles | +> | Microsoft.Compute/cloudServices/roles/providers/Microsoft.Insights/metricDefinitions/read | Gets the CloudService Roles Metric Definitions | +> | Microsoft.Compute/cloudServices/updateDomains/read | Gets a list of all update domains in a CloudService. 
| +> | Microsoft.Compute/diskAccesses/read | Get the properties of DiskAccess resource | +> | Microsoft.Compute/diskAccesses/write | Create a new DiskAccess resource or update an existing one | +> | Microsoft.Compute/diskAccesses/delete | Delete a DiskAccess resource | +> | Microsoft.Compute/diskAccesses/privateEndpointConnectionsApproval/action | Auto Approve a Private Endpoint Connection | +> | Microsoft.Compute/diskAccesses/privateEndpointConnectionProxies/read | Get the properties of a private endpoint connection proxy | +> | Microsoft.Compute/diskAccesses/privateEndpointConnectionProxies/write | Create a new Private Endpoint Connection Proxy | +> | Microsoft.Compute/diskAccesses/privateEndpointConnectionProxies/delete | Delete a Private Endpoint Connection Proxy | +> | Microsoft.Compute/diskAccesses/privateEndpointConnectionProxies/validate/action | Validate a Private Endpoint Connection Proxy object | +> | Microsoft.Compute/diskAccesses/privateEndpointConnections/delete | Delete a Private Endpoint Connection | +> | Microsoft.Compute/diskAccesses/privateEndpointConnections/read | Get a Private Endpoint Connection | +> | Microsoft.Compute/diskAccesses/privateEndpointConnections/write | Approve or Reject a Private Endpoint Connection | +> | Microsoft.Compute/diskEncryptionSets/read | Get the properties of a disk encryption set | +> | Microsoft.Compute/diskEncryptionSets/write | Create a new disk encryption set or update an existing one | +> | Microsoft.Compute/diskEncryptionSets/delete | Delete a disk encryption set | +> | Microsoft.Compute/disks/read | Get the properties of a Disk | +> | Microsoft.Compute/disks/write | Creates a new Disk or updates an existing one | +> | Microsoft.Compute/disks/delete | Deletes the Disk | +> | Microsoft.Compute/disks/beginGetAccess/action | Get the SAS URI of the Disk for blob access | +> | Microsoft.Compute/disks/endGetAccess/action | Revoke the SAS URI of the Disk | +> | Microsoft.Compute/galleries/read | Gets the properties 
of Gallery | +> | Microsoft.Compute/galleries/write | Creates a new Gallery or updates an existing one | +> | Microsoft.Compute/galleries/delete | Deletes the Gallery | +> | Microsoft.Compute/galleries/share/action | Shares a Gallery to different scopes | +> | Microsoft.Compute/galleries/applications/read | Gets the properties of Gallery Application | +> | Microsoft.Compute/galleries/applications/write | Creates a new Gallery Application or updates an existing one | +> | Microsoft.Compute/galleries/applications/delete | Deletes the Gallery Application | +> | Microsoft.Compute/galleries/applications/versions/read | Gets the properties of Gallery Application Version | +> | Microsoft.Compute/galleries/applications/versions/write | Creates a new Gallery Application Version or updates an existing one | +> | Microsoft.Compute/galleries/applications/versions/delete | Deletes the Gallery Application Version | +> | Microsoft.Compute/galleries/images/read | Gets the properties of Gallery Image | +> | Microsoft.Compute/galleries/images/write | Creates a new Gallery Image or updates an existing one | +> | Microsoft.Compute/galleries/images/delete | Deletes the Gallery Image | +> | Microsoft.Compute/galleries/images/versions/read | Gets the properties of Gallery Image Version | +> | Microsoft.Compute/galleries/images/versions/write | Creates a new Gallery Image Version or updates an existing one | +> | Microsoft.Compute/galleries/images/versions/delete | Deletes the Gallery Image Version | +> | Microsoft.Compute/galleries/serviceArtifacts/read | Gets the properties of Gallery Service Artifact | +> | Microsoft.Compute/galleries/serviceArtifacts/write | Creates a new Gallery Service Artifact or updates an existing one | +> | Microsoft.Compute/galleries/serviceArtifacts/delete | Deletes the Gallery Service Artifact | +> | Microsoft.Compute/hostGroups/read | Get the properties of a host group | +> | Microsoft.Compute/hostGroups/write | Creates a new host group or updates an 
existing host group | +> | Microsoft.Compute/hostGroups/delete | Deletes the host group | +> | Microsoft.Compute/hostGroups/hosts/read | Get the properties of a host | +> | Microsoft.Compute/hostGroups/hosts/write | Creates a new host or updates an existing host | +> | Microsoft.Compute/hostGroups/hosts/delete | Deletes the host | +> | Microsoft.Compute/hostGroups/hosts/hostSizes/read | Lists available sizes the host can be updated to. NOTE: The dedicated host sizes provided can be used to only scale up the existing dedicated host. | +> | Microsoft.Compute/images/read | Get the properties of the Image | +> | Microsoft.Compute/images/write | Creates a new Image or updates an existing one | +> | Microsoft.Compute/images/delete | Deletes the image | +> | Microsoft.Compute/locations/capsOperations/read | Gets the status of an asynchronous Caps operation | +> | Microsoft.Compute/locations/cloudServiceOsFamilies/read | Read any guest OS Family that can be specified in the XML service configuration (.cscfg) for a Cloud Service. | +> | Microsoft.Compute/locations/cloudServiceOsVersions/read | Read any guest OS Version that can be specified in the XML service configuration (.cscfg) for a Cloud Service. 
| +> | Microsoft.Compute/locations/communityGalleries/read | Get the properties of a Community Gallery | +> | Microsoft.Compute/locations/communityGalleries/images/read | Get the properties of a Community Gallery Image | +> | Microsoft.Compute/locations/communityGalleries/images/versions/read | Get the properties of a Community Gallery Image Version | +> | Microsoft.Compute/locations/diagnosticOperations/read | Gets status of a Compute Diagnostic operation | +> | Microsoft.Compute/locations/diagnostics/diskInspection/action | Create a request for executing DiskInspection Diagnostic | +> | Microsoft.Compute/locations/diagnostics/read | Gets the properties of all available Compute Disgnostics | +> | Microsoft.Compute/locations/diagnostics/diskInspection/read | Gets the properties of DiskInspection Diagnostic | +> | Microsoft.Compute/locations/diskOperations/read | Gets the status of an asynchronous Disk operation | +> | Microsoft.Compute/locations/edgeZones/publishers/read | Get the properties of a Publisher in an edge zone | +> | Microsoft.Compute/locations/edgeZones/publishers/artifacttypes/offers/read | Get the properties of a Platform Image Offer in an edge zone | +> | Microsoft.Compute/locations/edgeZones/publishers/artifacttypes/offers/skus/read | Get the properties of a Platform Image Sku in an edge zone | +> | Microsoft.Compute/locations/edgeZones/publishers/artifacttypes/offers/skus/versions/read | Get the properties of a Platform Image Version in an edge zone | +> | Microsoft.Compute/locations/logAnalytics/getRequestRateByInterval/action | Create logs to show total requests by time interval to aid throttling diagnostics. | +> | Microsoft.Compute/locations/logAnalytics/getThrottledRequests/action | Create logs to show aggregates of throttled requests grouped by ResourceName, OperationName, or the applied Throttle Policy. 
| +> | Microsoft.Compute/locations/operations/read | Gets the status of an asynchronous operation | +> | Microsoft.Compute/locations/privateEndpointConnectionProxyAzureAsyncOperation/read | Get the status of asynchronous Private Endpoint Connection Proxy operation | +> | Microsoft.Compute/locations/privateEndpointConnectionProxyOperationResults/read | Get the results of Private Endpoint Connection Proxy operation | +> | Microsoft.Compute/locations/publishers/read | Get the properties of a Publisher | +> | Microsoft.Compute/locations/publishers/artifacttypes/offers/read | Get the properties of a Platform Image Offer | +> | Microsoft.Compute/locations/publishers/artifacttypes/offers/skus/read | Get the properties of a Platform Image Sku | +> | Microsoft.Compute/locations/publishers/artifacttypes/offers/skus/versions/read | Get the properties of a Platform Image Version | +> | Microsoft.Compute/locations/publishers/artifacttypes/types/read | Get the properties of a VMExtension Type | +> | Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read | Get the properties of a VMExtension Version | +> | Microsoft.Compute/locations/runCommands/read | Lists available run commands in location | +> | Microsoft.Compute/locations/sharedGalleries/read | Get the properties of a Shared Gallery | +> | Microsoft.Compute/locations/sharedGalleries/images/read | Get the properties of a Shared Gallery Image | +> | Microsoft.Compute/locations/sharedGalleries/images/versions/read | Get the properties of a Shared Gallery Image Version | +> | Microsoft.Compute/locations/usages/read | Gets service limits and current usage quantities for the subscription's compute resources in a location | +> | Microsoft.Compute/locations/vmSizes/read | Lists available virtual machine sizes in a location | +> | Microsoft.Compute/locations/vsmOperations/read | Gets the status of an asynchronous operation for Virtual Machine Scale Set with the Virtual Machine Runtime Service Extension | +> | 
Microsoft.Compute/operations/read | Lists operations available on Microsoft.Compute resource provider | +> | Microsoft.Compute/proximityPlacementGroups/read | Get the Properties of a Proximity Placement Group | +> | Microsoft.Compute/proximityPlacementGroups/write | Creates a new Proximity Placement Group or updates an existing one | +> | Microsoft.Compute/proximityPlacementGroups/delete | Deletes the Proximity Placement Group | +> | Microsoft.Compute/restorePointCollections/read | Get the properties of a restore point collection | +> | Microsoft.Compute/restorePointCollections/write | Creates a new restore point collection or updates an existing one | +> | Microsoft.Compute/restorePointCollections/delete | Deletes the restore point collection and contained restore points | +> | Microsoft.Compute/restorePointCollections/restorePoints/read | Get the properties of a restore point | +> | Microsoft.Compute/restorePointCollections/restorePoints/write | Creates a new restore point | +> | Microsoft.Compute/restorePointCollections/restorePoints/delete | Deletes the restore point | +> | Microsoft.Compute/restorePointCollections/restorePoints/retrieveSasUris/action | Get the properties of a restore point along with blob SAS URIs | +> | Microsoft.Compute/restorePointCollections/restorePoints/diskRestorePoints/read | Get the properties of an incremental DiskRestorePoint | +> | Microsoft.Compute/restorePointCollections/restorePoints/diskRestorePoints/beginGetAccess/action | Get the SAS URI of the incremental DiskRestorePoint | +> | Microsoft.Compute/restorePointCollections/restorePoints/diskRestorePoints/endGetAccess/action | Revoke the SAS URI of the incremental DiskRestorePoint | +> | Microsoft.Compute/sharedVMExtensions/read | Gets the properties of Shared VM Extension | +> | Microsoft.Compute/sharedVMExtensions/write | Creates a new Shared VM Extension or updates an existing one | +> | Microsoft.Compute/sharedVMExtensions/delete | Deletes the Shared VM Extension | +> | 
Microsoft.Compute/sharedVMExtensions/versions/read | Gets the properties of Shared VM Extension Version | +> | Microsoft.Compute/sharedVMExtensions/versions/write | Creates a new Shared VM Extension Version or updates an existing one | +> | Microsoft.Compute/sharedVMExtensions/versions/delete | Deletes the Shared VM Extension Version | +> | Microsoft.Compute/sharedVMImages/read | Get the properties of a SharedVMImage | +> | Microsoft.Compute/sharedVMImages/write | Creates a new SharedVMImage or updates an existing one | +> | Microsoft.Compute/sharedVMImages/delete | Deletes the SharedVMImage | +> | Microsoft.Compute/sharedVMImages/versions/read | Get the properties of a SharedVMImageVersion | +> | Microsoft.Compute/sharedVMImages/versions/write | Create a new SharedVMImageVersion or update an existing one | +> | Microsoft.Compute/sharedVMImages/versions/delete | Delete a SharedVMImageVersion | +> | Microsoft.Compute/sharedVMImages/versions/replicate/action | Replicate a SharedVMImageVersion to target regions | +> | Microsoft.Compute/skus/read | Gets the list of Microsoft.Compute SKUs available for your Subscription | +> | Microsoft.Compute/snapshots/read | Get the properties of a Snapshot | +> | Microsoft.Compute/snapshots/write | Create a new Snapshot or update an existing one | +> | Microsoft.Compute/snapshots/delete | Delete a Snapshot | +> | Microsoft.Compute/snapshots/beginGetAccess/action | Get the SAS URI of the Snapshot for blob access | +> | Microsoft.Compute/snapshots/endGetAccess/action | Revoke the SAS URI of the Snapshot | +> | Microsoft.Compute/sshPublicKeys/read | Get the properties of an SSH public key | +> | Microsoft.Compute/sshPublicKeys/write | Creates a new SSH public key or updates an existing SSH public key | +> | Microsoft.Compute/sshPublicKeys/delete | Deletes the SSH public key | +> | Microsoft.Compute/sshPublicKeys/generateKeyPair/action | Generates a new SSH public/private key pair | +> | Microsoft.Compute/virtualMachines/read | Get the 
properties of a virtual machine | +> | Microsoft.Compute/virtualMachines/write | Creates a new virtual machine or updates an existing virtual machine | +> | Microsoft.Compute/virtualMachines/delete | Deletes the virtual machine | +> | Microsoft.Compute/virtualMachines/start/action | Starts the virtual machine | +> | Microsoft.Compute/virtualMachines/powerOff/action | Powers off the virtual machine. Note that the virtual machine will continue to be billed. | +> | Microsoft.Compute/virtualMachines/reapply/action | Reapplies a virtual machine's current model | +> | Microsoft.Compute/virtualMachines/redeploy/action | Redeploys virtual machine | +> | Microsoft.Compute/virtualMachines/restart/action | Restarts the virtual machine | +> | Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action | Retrieves boot diagnostic logs blob URIs | +> | Microsoft.Compute/virtualMachines/deallocate/action | Powers off the virtual machine and releases the compute resources | +> | Microsoft.Compute/virtualMachines/generalize/action | Sets the virtual machine state to Generalized and prepares the virtual machine for capture | +> | Microsoft.Compute/virtualMachines/capture/action | Captures the virtual machine by copying virtual hard disks and generates a template that can be used to create similar virtual machines | +> | Microsoft.Compute/virtualMachines/runCommand/action | Executes a predefined script on the virtual machine | +> | Microsoft.Compute/virtualMachines/convertToManagedDisks/action | Converts the blob based disks of the virtual machine to managed disks | +> | Microsoft.Compute/virtualMachines/performMaintenance/action | Performs Maintenance Operation on the VM. | +> | Microsoft.Compute/virtualMachines/reimage/action | Reimages virtual machine which is using differencing disk. | +> | Microsoft.Compute/virtualMachines/installPatches/action | Installs available OS update patches on the virtual machine based on parameters provided by user. 
Assessment results containing list of available patches will also get refreshed as part of this. | +> | Microsoft.Compute/virtualMachines/assessPatches/action | Assesses the virtual machine and finds list of available OS update patches for it. | +> | Microsoft.Compute/virtualMachines/cancelPatchInstallation/action | Cancels the ongoing install OS update patch operation on the virtual machine. | +> | Microsoft.Compute/virtualMachines/simulateEviction/action | Simulates the eviction of spot Virtual Machine | +> | Microsoft.Compute/virtualMachines/osUpgradeInternal/action | Perform OS Upgrade on Virtual Machine belonging to Virtual Machine Scale Set with Flexible Orchestration Mode. | +> | Microsoft.Compute/virtualMachines/rollbackOSDisk/action | Rollback OSDisk on Virtual Machine after failed OS Upgrade invoked by Virtual Machine Scale Set with Flexible Orchestration Mode. | +> | Microsoft.Compute/virtualMachines/deletePreservedOSDisk/action | Deletes PreservedOSDisk on the Virtual Machine which belongs to Virtual Machine Scale Set with Flexible Orchestration Mode. 
| +> | Microsoft.Compute/virtualMachines/extensions/read | Get the properties of a virtual machine extension | +> | Microsoft.Compute/virtualMachines/extensions/write | Creates a new virtual machine extension or updates an existing one | +> | Microsoft.Compute/virtualMachines/extensions/delete | Deletes the virtual machine extension | +> | Microsoft.Compute/virtualMachines/instanceView/read | Gets the detailed runtime status of the virtual machine and its resources | +> | Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/read | Retrieves the summary of the latest patch assessment operation | +> | Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/softwarePatches/read | Retrieves list of patches assessed during the last patch assessment operation | +> | Microsoft.Compute/virtualMachines/patchInstallationResults/read | Retrieves the summary of the latest patch installation operation | +> | Microsoft.Compute/virtualMachines/patchInstallationResults/softwarePatches/read | Retrieves list of patches attempted to be installed during the last patch installation operation | +> | Microsoft.Compute/virtualMachines/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the Virtual Machine. | +> | Microsoft.Compute/virtualMachines/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the Virtual Machine. | +> | Microsoft.Compute/virtualMachines/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for Virtual Machine. 
| +> | Microsoft.Compute/virtualMachines/providers/Microsoft.Insights/metricDefinitions/read | Reads Virtual Machine Metric Definitions | +> | Microsoft.Compute/virtualMachines/runCommands/read | Get the properties of a virtual machine run command | +> | Microsoft.Compute/virtualMachines/runCommands/write | Creates a new virtual machine run command or updates an existing one | +> | Microsoft.Compute/virtualMachines/runCommands/delete | Deletes the virtual machine run command | +> | Microsoft.Compute/virtualMachines/vmSizes/read | Lists available sizes the virtual machine can be updated to | +> | Microsoft.Compute/virtualMachineScaleSets/read | Get the properties of a Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/write | Creates a new Virtual Machine Scale Set or updates an existing one | +> | Microsoft.Compute/virtualMachineScaleSets/delete | Deletes the Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/delete/action | Deletes the instances of the Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/start/action | Starts the instances of the Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/powerOff/action | Powers off the instances of the Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/reapply/action | Reapply the Virtual Machine Scale Set Virtual Machine Profile to the Virtual Machine Instances | +> | Microsoft.Compute/virtualMachineScaleSets/restart/action | Restarts the instances of the Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/deallocate/action | Powers off and releases the compute resources for the instances of the Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/manualUpgrade/action | Manually updates instances to latest model of the Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/reimage/action | Reimages the instances of the Virtual Machine Scale 
Set | +> | Microsoft.Compute/virtualMachineScaleSets/reimageAll/action | Reimages all disks (OS Disk and Data Disks) for the instances of a Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/approveRollingUpgrade/action | Approves deferred rolling upgrades for the instances of a Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/redeploy/action | Redeploy the instances of the Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/performMaintenance/action | Performs planned maintenance on the instances of the Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/scale/action | Verify if an existing Virtual Machine Scale Set can Scale In/Scale Out to specified instance count | +> | Microsoft.Compute/virtualMachineScaleSets/forceRecoveryServiceFabricPlatformUpdateDomainWalk/action | Manually walk the platform update domains of a service fabric Virtual Machine Scale Set to finish a pending update that is stuck | +> | Microsoft.Compute/virtualMachineScaleSets/osRollingUpgrade/action | Starts a rolling upgrade to move all Virtual Machine Scale Set instances to the latest available Platform Image OS version. | +> | Microsoft.Compute/virtualMachineScaleSets/setOrchestrationServiceState/action | Sets the state of an orchestration service based on the action provided in operation input. 
| +> | Microsoft.Compute/virtualMachineScaleSets/rollingUpgrades/action | Cancels the rolling upgrade of a Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/disks/beginGetAccess/action | Get the SAS URI of VirtualMachineScaleSets Disk | +> | Microsoft.Compute/virtualMachineScaleSets/extensions/read | Gets the properties of a Virtual Machine Scale Set Extension | +> | Microsoft.Compute/virtualMachineScaleSets/extensions/write | Creates a new Virtual Machine Scale Set Extension or updates an existing one | +> | Microsoft.Compute/virtualMachineScaleSets/extensions/delete | Deletes the Virtual Machine Scale Set Extension | +> | Microsoft.Compute/virtualMachineScaleSets/extensions/roles/read | Gets the properties of a Role in a Virtual Machine Scale Set with the Virtual Machine Runtime Service Extension | +> | Microsoft.Compute/virtualMachineScaleSets/extensions/roles/write | Updates the properties of an existing Role in a Virtual Machine Scale Set with the Virtual Machine Runtime Service Extension | +> | Microsoft.Compute/virtualMachineScaleSets/instanceView/read | Gets the instance view of the Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read | Get properties of all network interfaces of a Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/osUpgradeHistory/read | Gets the history of OS upgrades for a Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the Virtual Machine Scale Set. | +> | Microsoft.Compute/virtualMachineScaleSets/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the Virtual Machine Scale set. | +> | Microsoft.Compute/virtualMachineScaleSets/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for Virtual Machine Scale Sets. 
| +> | Microsoft.Compute/virtualMachineScaleSets/providers/Microsoft.Insights/metricDefinitions/read | Reads Virtual Machine Scale Set Metric Definitions | +> | Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses/read | Get properties of all public IP addresses of a Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/rollingUpgrades/read | Get latest Rolling Upgrade status for a Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/skus/read | Lists the valid SKUs for an existing Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read | Retrieves the properties of a Virtual Machine in a VM Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write | Updates the properties of a Virtual Machine in a VM Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/delete | Delete a specific Virtual Machine in a VM Scale Set. | +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/start/action | Starts a Virtual Machine instance in a VM Scale Set. | +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/powerOff/action | Powers Off a Virtual Machine instance in a VM Scale Set. | +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/restart/action | Restarts a Virtual Machine instance in a VM Scale Set. | +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/deallocate/action | Powers off and releases the compute resources for a Virtual Machine in a VM Scale Set. | +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/reimage/action | Reimages a Virtual Machine instance in a Virtual Machine Scale Set. | +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/reimageAll/action | Reimages all disks (OS Disk and Data Disks) for Virtual Machine instance in a Virtual Machine Scale Set. 
| +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/approveRollingUpgrade/action | Approves deferred rolling upgrade for Virtual Machine instance in a Virtual Machine Scale Set. | +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/redeploy/action | Redeploys a Virtual Machine instance in a Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/retrieveBootDiagnosticsData/action | Retrieves boot diagnostic logs blob URIs of Virtual Machine instance in a Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/performMaintenance/action | Performs planned maintenance on a Virtual Machine instance in a Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action | Executes a predefined script on a Virtual Machine instance in a Virtual Machine Scale Set. | +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/simulateEviction/action | Simulates the eviction of spot Virtual Machine in Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/extensions/read | Get the properties of an extension for Virtual Machine in Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/extensions/write | Creates a new extension for Virtual Machine in Virtual Machine Scale Set or updates an existing one | +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/extensions/delete | Deletes the extension for Virtual Machine in Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read | Retrieves the instance view of a Virtual Machine in a VM Scale Set. 
| +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read | Get properties of one or all network interfaces of a virtual machine created using Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/read | Get properties of one or all IP configurations of a network interface created using Virtual Machine Scale Set. IP configurations represent private IPs | +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/publicIPAddresses/read | Get properties of public IP address created using Virtual Machine Scale Set. Virtual Machine Scale Set can create at most one public IP per ipconfiguration (private IP) | +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/providers/Microsoft.Insights/metricDefinitions/read | Reads Virtual Machine in Scale Set Metric Definitions | +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommands/read | Get the properties of a run command for Virtual Machine in Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommands/write | Creates a new run command for Virtual Machine in Virtual Machine Scale Set or updates an existing one | +> | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommands/delete | Deletes the run command for Virtual Machine in Virtual Machine Scale Set | +> | Microsoft.Compute/virtualMachineScaleSets/vmSizes/read | List available sizes for creating or updating a virtual machine in the Virtual Machine Scale Set | +> | **DataAction** | **Description** | +> | Microsoft.Compute/disks/download/action | Perform read data operations on Disk SAS Uri | +> | Microsoft.Compute/disks/upload/action | Perform write data operations on Disk SAS Uri | +> | Microsoft.Compute/snapshots/download/action | Perform read data operations on Snapshot SAS Uri | +> | Microsoft.Compute/snapshots/upload/action | Perform write data 
operations on Snapshot SAS Uri | +> | Microsoft.Compute/virtualMachines/login/action | Log in to a virtual machine as a regular user | +> | Microsoft.Compute/virtualMachines/loginAsAdmin/action | Log in to a virtual machine with Windows administrator or Linux root user privileges | +> | Microsoft.Compute/virtualMachines/WACloginAsAdmin/action | Lets you manage the OS of your resource via Windows Admin Center as an administrator | ++## Microsoft.DesktopVirtualization ++Azure service: [Azure Virtual Desktop](/azure/virtual-desktop/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.DesktopVirtualization/unregister/action | Action on unregister | +> | Microsoft.DesktopVirtualization/register/action | Register subscription | +> | Microsoft.DesktopVirtualization/appattachpackages/read | Read the appattachpackages to see packages present. | +> | Microsoft.DesktopVirtualization/appattachpackages/write | Update the appattachpackages to save changes. | +> | Microsoft.DesktopVirtualization/applicationgroups/read | Read applicationgroups | +> | Microsoft.DesktopVirtualization/applicationgroups/write | Write applicationgroups | +> | Microsoft.DesktopVirtualization/applicationgroups/delete | Delete applicationgroups | +> | Microsoft.DesktopVirtualization/applicationgroups/move/action | Move a applicationgroups to another resource group | +> | Microsoft.DesktopVirtualization/applicationgroups/applications/read | Read applicationgroups/applications | +> | Microsoft.DesktopVirtualization/applicationgroups/applications/write | Write applicationgroups/applications | +> | Microsoft.DesktopVirtualization/applicationgroups/applications/delete | Delete applicationgroups/applications | +> | Microsoft.DesktopVirtualization/applicationgroups/desktops/read | Read applicationgroups/desktops | +> | Microsoft.DesktopVirtualization/applicationgroups/desktops/write | Write applicationgroups/desktops | +> | 
Microsoft.DesktopVirtualization/applicationgroups/desktops/delete | Delete applicationgroups/desktops | +> | Microsoft.DesktopVirtualization/applicationgroups/externaluserassignments/read | | +> | Microsoft.DesktopVirtualization/applicationgroups/externaluserassignments/write | | +> | Microsoft.DesktopVirtualization/applicationgroups/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting | +> | Microsoft.DesktopVirtualization/applicationgroups/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting | +> | Microsoft.DesktopVirtualization/applicationgroups/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs | +> | Microsoft.DesktopVirtualization/applicationgroups/startmenuitems/read | Read start menu items | +> | Microsoft.DesktopVirtualization/connectionPolicies/read | Read the connectionPolicies to see packages present. | +> | Microsoft.DesktopVirtualization/connectionPolicies/write | Update the connectionPolicies to save changes. | +> | Microsoft.DesktopVirtualization/hostpools/read | Read hostpools | +> | Microsoft.DesktopVirtualization/hostpools/write | Write hostpools | +> | Microsoft.DesktopVirtualization/hostpools/delete | Delete hostpools | +> | Microsoft.DesktopVirtualization/hostpools/controlUpdate/action | | +> | Microsoft.DesktopVirtualization/hostpools/update/action | Action on update | +> | Microsoft.DesktopVirtualization/hostpools/retrieveRegistrationToken/action | Retrieve registration token for host pool | +> | Microsoft.DesktopVirtualization/hostpools/move/action | Move a hostpools to another resource group | +> | Microsoft.DesktopVirtualization/hostpools/expandmsiximage/action | Expand an expandmsiximage to see MSIX Packages present | +> | Microsoft.DesktopVirtualization/hostpools/doNotUseInternalAPI/action | Internal operation that is not meant to be called by customers. This will be removed in a future version. Do not use it. 
| +> | Microsoft.DesktopVirtualization/hostpools/activeSessionhostconfigurations/read | Read the appattachpackages to see configurations present. | +> | Microsoft.DesktopVirtualization/hostpools/msixpackages/read | Read hostpools/msixpackages | +> | Microsoft.DesktopVirtualization/hostpools/msixpackages/write | Write hostpools/msixpackages | +> | Microsoft.DesktopVirtualization/hostpools/msixpackages/delete | Delete hostpools/msixpackages | +> | Microsoft.DesktopVirtualization/hostpools/privateendpointconnectionproxies/read | Read hostpools/privateendpointconnectionproxies | +> | Microsoft.DesktopVirtualization/hostpools/privateendpointconnectionproxies/write | Write hostpools/privateendpointconnectionproxies | +> | Microsoft.DesktopVirtualization/hostpools/privateendpointconnectionproxies/delete | Delete hostpools/privateendpointconnectionproxies | +> | Microsoft.DesktopVirtualization/hostpools/privateendpointconnectionproxies/validate/action | Validates the private endpoint connection proxy | +> | Microsoft.DesktopVirtualization/hostpools/privateendpointconnectionproxies/operationresults/read | Gets operation result on private endpoint connection proxy | +> | Microsoft.DesktopVirtualization/hostpools/privateendpointconnections/read | Read hostpools/privateendpointconnections | +> | Microsoft.DesktopVirtualization/hostpools/privateendpointconnections/write | Write hostpools/privateendpointconnections | +> | Microsoft.DesktopVirtualization/hostpools/privateendpointconnections/delete | Delete hostpools/privateendpointconnections | +> | Microsoft.DesktopVirtualization/hostpools/privatelinkresources/read | Read privatelinkresources | +> | Microsoft.DesktopVirtualization/hostpools/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting | +> | Microsoft.DesktopVirtualization/hostpools/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting | +> | 
Microsoft.DesktopVirtualization/hostpools/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs | +> | Microsoft.DesktopVirtualization/hostpools/scalingplans/read | Read scalingplans | +> | Microsoft.DesktopVirtualization/hostpools/sessionhostconfigurations/read | Read hostpools/sessionhostconfigurations | +> | Microsoft.DesktopVirtualization/hostpools/sessionhostconfigurations/write | Write hostpools/sessionhostconfigurations | +> | Microsoft.DesktopVirtualization/hostpools/sessionhostconfigurations/delete | Delete hostpools/sessionhostconfigurations | +> | Microsoft.DesktopVirtualization/hostpools/sessionhostconfigurations/operationresults/read | Read the operationresults to see results present. | +> | Microsoft.DesktopVirtualization/hostpools/sessionhostconfigurations/operationstatuses/read | Read the operationstatuses to see statuses present. | +> | Microsoft.DesktopVirtualization/hostpools/sessionhostmanagements/controlSessionHostUpdate/action | Action on controlSessionHostUpdate. | +> | Microsoft.DesktopVirtualization/hostpools/sessionhostmanagements/initiateSessionHostUpdate/action | Action on initiateSessionHostUpdate. | +> | Microsoft.DesktopVirtualization/hostpools/sessionhostmanagements/read | Read sessionhostmanagements. | +> | Microsoft.DesktopVirtualization/hostpools/sessionhostmanagements/write | Write to sessionhostmanagements to update. | +> | Microsoft.DesktopVirtualization/hostpools/sessionhostmanagements/operationstatuses/read | Read operationstatuses to get statuses. | +> | Microsoft.DesktopVirtualization/hostpools/sessionhosts/read | Read hostpools/sessionhosts | +> | Microsoft.DesktopVirtualization/hostpools/sessionhosts/write | Write hostpools/sessionhosts | +> | Microsoft.DesktopVirtualization/hostpools/sessionhosts/delete | Delete hostpools/sessionhosts | +> | Microsoft.DesktopVirtualization/hostpools/sessionhosts/retryprovisioning/action | Action on retryprovisioning. 
| +> | Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read | Read hostpools/sessionhosts/usersessions | +> | Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/write | Write hostpools/sessionhosts/usersessions | +> | Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/delete | Delete hostpools/sessionhosts/usersessions | +> | Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/disconnect/action | Disconnects the user session form session host | +> | Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action | Send message to user session | +> | Microsoft.DesktopVirtualization/hostpools/updateDetails/read | Read updateDetails | +> | Microsoft.DesktopVirtualization/hostpools/updateOperationResults/read | Read updateOperationResults | +> | Microsoft.DesktopVirtualization/hostpools/usersessions/read | Read usersessions | +> | Microsoft.DesktopVirtualization/operations/read | Read operations | +> | Microsoft.DesktopVirtualization/resourceTypes/read | Read resourceTypes | +> | Microsoft.DesktopVirtualization/scalingplans/read | Read scalingplans | +> | Microsoft.DesktopVirtualization/scalingplans/write | Write scalingplans | +> | Microsoft.DesktopVirtualization/scalingplans/delete | Delete scalingplans | +> | Microsoft.DesktopVirtualization/scalingplans/move/action | Move scalingplans to another ResourceGroup or Subscription | +> | Microsoft.DesktopVirtualization/scalingplans/personalSchedules/read | Read scalingplans/personalSchedules | +> | Microsoft.DesktopVirtualization/scalingplans/personalSchedules/write | Write scalingplans/personalSchedules | +> | Microsoft.DesktopVirtualization/scalingplans/personalSchedules/delete | Delete scalingplans/personalSchedules | +> | Microsoft.DesktopVirtualization/scalingplans/pooledSchedules/read | Read scalingplans/pooledSchedules | +> | Microsoft.DesktopVirtualization/scalingplans/pooledSchedules/write | Write 
scalingplans/pooledSchedules | +> | Microsoft.DesktopVirtualization/scalingplans/pooledSchedules/delete | Delete scalingplans/pooledSchedules | +> | Microsoft.DesktopVirtualization/skus/read | Read skus. | +> | Microsoft.DesktopVirtualization/workspaces/read | Read workspaces | +> | Microsoft.DesktopVirtualization/workspaces/write | Write workspaces | +> | Microsoft.DesktopVirtualization/workspaces/delete | Delete workspaces | +> | Microsoft.DesktopVirtualization/workspaces/move/action | Move a workspaces to another resource group | +> | Microsoft.DesktopVirtualization/workspaces/privateendpointconnectionproxies/read | Read workspaces/privateendpointconnectionproxies | +> | Microsoft.DesktopVirtualization/workspaces/privateendpointconnectionproxies/write | Write workspaces/privateendpointconnectionproxies | +> | Microsoft.DesktopVirtualization/workspaces/privateendpointconnectionproxies/delete | Delete workspaces/privateendpointconnectionproxies | +> | Microsoft.DesktopVirtualization/workspaces/privateendpointconnectionproxies/validate/action | Validates the private endpoint connection proxy | +> | Microsoft.DesktopVirtualization/workspaces/privateendpointconnectionproxies/operationresults/read | Gets operation result on private endpoint connection proxy | +> | Microsoft.DesktopVirtualization/workspaces/privateendpointconnections/read | Read workspaces/privateendpointconnections | +> | Microsoft.DesktopVirtualization/workspaces/privateendpointconnections/write | Write workspaces/privateendpointconnections | +> | Microsoft.DesktopVirtualization/workspaces/privateendpointconnections/delete | Delete workspaces/privateendpointconnections | +> | Microsoft.DesktopVirtualization/workspaces/privatelinkresources/read | Read privatelinkresources | +> | Microsoft.DesktopVirtualization/workspaces/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting | +> | 
Microsoft.DesktopVirtualization/workspaces/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting | +> | Microsoft.DesktopVirtualization/workspaces/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs | +> | **DataAction** | **Description** | +> | Microsoft.DesktopVirtualization/appattachpackages/useapplications/action | Allow user permissioning on app attach packages in an application group | +> | Microsoft.DesktopVirtualization/applicationgroups/useapplications/action | Use ApplicationGroup | ++## Microsoft.ServiceFabric ++Azure service: [Service Fabric](/azure/service-fabric/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.ServiceFabric/register/action | Register any Action | +> | Microsoft.ServiceFabric/clusters/read | Read any Cluster | +> | Microsoft.ServiceFabric/clusters/write | Create or Update any Cluster | +> | Microsoft.ServiceFabric/clusters/delete | Delete any Cluster | +> | Microsoft.ServiceFabric/clusters/applications/read | Read any Application | +> | Microsoft.ServiceFabric/clusters/applications/write | Create or Update any Application | +> | Microsoft.ServiceFabric/clusters/applications/delete | Delete any Application | +> | Microsoft.ServiceFabric/clusters/applications/services/read | Read any Service | +> | Microsoft.ServiceFabric/clusters/applications/services/write | Create or Update any Service | +> | Microsoft.ServiceFabric/clusters/applications/services/delete | Delete any Service | +> | Microsoft.ServiceFabric/clusters/applications/services/partitions/read | Read any Partition | +> | Microsoft.ServiceFabric/clusters/applications/services/partitions/replicas/read | Read any Replica | +> | Microsoft.ServiceFabric/clusters/applications/services/statuses/read | Read any Service Status | +> | Microsoft.ServiceFabric/clusters/applicationTypes/read | Read any Application Type | +> | Microsoft.ServiceFabric/clusters/applicationTypes/write | 
Create or Update any Application Type | +> | Microsoft.ServiceFabric/clusters/applicationTypes/delete | Delete any Application Type | +> | Microsoft.ServiceFabric/clusters/applicationTypes/versions/read | Read any Application Type Version | +> | Microsoft.ServiceFabric/clusters/applicationTypes/versions/write | Create or Update any Application Type Version | +> | Microsoft.ServiceFabric/clusters/applicationTypes/versions/delete | Delete any Application Type Version | +> | Microsoft.ServiceFabric/clusters/nodes/read | Read any Node | +> | Microsoft.ServiceFabric/clusters/statuses/read | Read any Cluster Status | +> | Microsoft.ServiceFabric/locations/clusterVersions/read | Read any Cluster Version | +> | Microsoft.ServiceFabric/locations/environments/clusterVersions/read | Read any Cluster Version for a specific environment | +> | Microsoft.ServiceFabric/locations/operationresults/read | Read any Operation Results | +> | Microsoft.ServiceFabric/locations/operations/read | Read any Operations by location | +> | Microsoft.ServiceFabric/managedclusters/read | Read any Managed Clusters | +> | Microsoft.ServiceFabric/managedclusters/write | Create or Update any Managed Clusters | +> | Microsoft.ServiceFabric/managedclusters/delete | Delete any Managed Clusters | +> | Microsoft.ServiceFabric/managedclusters/applications/read | Read any Application | +> | Microsoft.ServiceFabric/managedclusters/applications/write | Create or Update any Application | +> | Microsoft.ServiceFabric/managedclusters/applications/delete | Delete any Application | +> | Microsoft.ServiceFabric/managedclusters/applications/services/read | Read any Service | +> | Microsoft.ServiceFabric/managedclusters/applications/services/write | Create or Update any Service | +> | Microsoft.ServiceFabric/managedclusters/applications/services/delete | Delete any Service | +> | Microsoft.ServiceFabric/managedclusters/applicationTypes/read | Read any Application Type | +> | 
Microsoft.ServiceFabric/managedclusters/applicationTypes/write | Create or Update any Application Type | +> | Microsoft.ServiceFabric/managedclusters/applicationTypes/delete | Delete any Application Type | +> | Microsoft.ServiceFabric/managedclusters/applicationTypes/versions/read | Read any Application Type Version | +> | Microsoft.ServiceFabric/managedclusters/applicationTypes/versions/write | Create or Update any Application Type Version | +> | Microsoft.ServiceFabric/managedclusters/applicationTypes/versions/delete | Delete any Application Type Version | +> | Microsoft.ServiceFabric/managedclusters/nodetypes/read | Read any Node Type | +> | Microsoft.ServiceFabric/managedclusters/nodetypes/write | Create or Update any Node Type | +> | Microsoft.ServiceFabric/managedclusters/nodetypes/delete | Delete Node Type | +> | Microsoft.ServiceFabric/managedclusters/nodetypes/skus/read | Read Node Type supported SKUs | +> | Microsoft.ServiceFabric/operations/read | Read any Available Operations | ++## Next steps ++- [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types) |
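Review bot: two description strings in the Microsoft.DesktopVirtualization table need wording fixes before this merges. `Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/disconnect/action | Disconnects the user session form session host` should read "from the session host", and `Microsoft.DesktopVirtualization/workspaces/move/action | Move a workspaces to another resource group` should read "Move a workspace". Both are plain typos in the generated descriptions, but since readers copy these rows into custom-role definitions, the action strings and their meanings should be unambiguous.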
role-based-access-control | Containers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/containers.md | + + Title: Azure permissions for Containers - Azure RBAC +description: Lists the permissions for the Azure resource providers in the Containers category. +++++ Last updated : 02/07/2024++++# Azure permissions for Containers ++This article lists the permissions for the Azure resource providers in the Containers category. You can use these permissions in your own [Azure custom roles](/azure/role-based-access-control/custom-roles) to provide granular access control to resources in Azure. Permission strings have the following format: `{Company}.{ProviderName}/{resourceType}/{action}` +++## Microsoft.ContainerInstance ++Azure service: [Container Instances](/azure/container-instances/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.ContainerInstance/register/action | Registers the subscription for the container instance resource provider and enables the creation of container groups. | +> | Microsoft.ContainerInstance/containerGroupProfiles/read | Get all container goup profiles. | +> | Microsoft.ContainerInstance/containerGroupProfiles/write | Create or update a specific container group profile. | +> | Microsoft.ContainerInstance/containerGroupProfiles/delete | Delete the specific container group profile. | +> | Microsoft.ContainerInstance/containerGroupProfiles/revisions/read | Get container group profile revisions | +> | Microsoft.ContainerInstance/containerGroupProfiles/revisions/deregister/action | Deregister container group profile revision. | +> | Microsoft.ContainerInstance/containerGroups/read | Get all container groups. | +> | Microsoft.ContainerInstance/containerGroups/write | Create or update a specific container group. | +> | Microsoft.ContainerInstance/containerGroups/delete | Delete the specific container group. 
| +> | Microsoft.ContainerInstance/containerGroups/restart/action | Restarts a specific container group. | +> | Microsoft.ContainerInstance/containerGroups/stop/action | Stops a specific container group. Compute resources will be deallocated and billing will stop. | +> | Microsoft.ContainerInstance/containerGroups/refreshDelegatedResourceIdentity/action | Refresh delegated resource identity for a specific container group. | +> | Microsoft.ContainerInstance/containerGroups/start/action | Starts a specific container group. | +> | Microsoft.ContainerInstance/containerGroups/containers/exec/action | Exec into a specific container. | +> | Microsoft.ContainerInstance/containerGroups/containers/attach/action | Attach to the output stream of a container. | +> | Microsoft.ContainerInstance/containerGroups/containers/buildlogs/read | Get build logs for a specific container. | +> | Microsoft.ContainerInstance/containerGroups/containers/logs/read | Get logs for a specific container. | +> | Microsoft.ContainerInstance/containerGroups/detectors/read | List Container Group Detectors | +> | Microsoft.ContainerInstance/containerGroups/operationResults/read | Get async operation result | +> | Microsoft.ContainerInstance/containerGroups/outboundNetworkDependenciesEndpoints/read | List Container Group Detectors | +> | Microsoft.ContainerInstance/containerGroups/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the container group. | +> | Microsoft.ContainerInstance/containerGroups/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the container group. | +> | Microsoft.ContainerInstance/containerGroups/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for container group. | +> | Microsoft.ContainerInstance/containerScaleSets/read | Get details of a container scale set. 
| +> | Microsoft.ContainerInstance/containerScaleSets/write | Create or update a specific container scale set. | +> | Microsoft.ContainerInstance/containerScaleSets/delete | Delete Container Scale Set | +> | Microsoft.ContainerInstance/containerScaleSets/containerGroups/restart/action | Restart specific container groups in a container scale set. | +> | Microsoft.ContainerInstance/containerScaleSets/containerGroups/start/action | Start specific container groups in a container scale set. | +> | Microsoft.ContainerInstance/containerScaleSets/containerGroups/stop/action | Stop specific container groups in a container scale set. | +> | Microsoft.ContainerInstance/containerScaleSets/containerGroups/delete/action | Delete specific container groups in a container scale set. | +> | Microsoft.ContainerInstance/locations/validateDeleteVirtualNetworkOrSubnets/action | Notifies Microsoft.ContainerInstance that virtual network or subnet is being deleted. | +> | Microsoft.ContainerInstance/locations/deleteVirtualNetworkOrSubnets/action | Notifies Microsoft.ContainerInstance that virtual network or subnet is being deleted. | +> | Microsoft.ContainerInstance/locations/cachedImages/read | Gets the cached images for the subscription in a region. | +> | Microsoft.ContainerInstance/locations/capabilities/read | Get the capabilities for a region. | +> | Microsoft.ContainerInstance/locations/operationResults/read | Get async operation result | +> | Microsoft.ContainerInstance/locations/operations/read | List the operations for Azure Container Instance service. | +> | Microsoft.ContainerInstance/locations/usages/read | Get the usage for a specific region. | +> | Microsoft.ContainerInstance/operations/read | List the operations for Azure Container Instance service. | +> | Microsoft.ContainerInstance/serviceassociationlinks/delete | Delete the service association link created by azure container instance resource provider on a subnet. 
| ++## Microsoft.ContainerRegistry ++Azure service: [Container Registry](/azure/container-registry/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.ContainerRegistry/register/action | Registers the subscription for the container registry resource provider and enables the creation of container registries. | +> | Microsoft.ContainerRegistry/unregister/action | Unregisters the subscription for the container registry resource provider. | +> | Microsoft.ContainerRegistry/checkNameAvailability/read | Checks whether the container registry name is available for use. | +> | Microsoft.ContainerRegistry/locations/deleteVirtualNetworkOrSubnets/action | Notifies Microsoft.ContainerRegistry that virtual network or subnet is being deleted | +> | Microsoft.ContainerRegistry/locations/operationResults/read | Gets an async operation result | +> | Microsoft.ContainerRegistry/operations/read | Lists all of the available Azure Container Registry REST API operations | +> | Microsoft.ContainerRegistry/registries/read | Gets the properties of the specified container registry or lists all the container registries under the specified resource group or subscription. | +> | Microsoft.ContainerRegistry/registries/write | Creates or updates a container registry with the specified parameters. | +> | Microsoft.ContainerRegistry/registries/delete | Deletes a container registry. | +> | Microsoft.ContainerRegistry/registries/listCredentials/action | Lists the login credentials for the specified container registry. | +> | Microsoft.ContainerRegistry/registries/regenerateCredential/action | Regenerates one of the login credentials for the specified container registry. | +> | Microsoft.ContainerRegistry/registries/generateCredentials/action | Generate keys for a token of a specified container registry. | +> | Microsoft.ContainerRegistry/registries/importImage/action | Import Image to container registry with the specified parameters. 
| +> | Microsoft.ContainerRegistry/registries/getBuildSourceUploadUrl/action | Gets the upload location for the user to be able to upload the source. | +> | Microsoft.ContainerRegistry/registries/queueBuild/action | Creates a new build based on the request parameters and add it to the build queue. | +> | Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action | Get source upload url location for a container registry. | +> | Microsoft.ContainerRegistry/registries/scheduleRun/action | Schedule a run against a container registry. | +> | Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action | Auto Approves a Private Endpoint Connection | +> | Microsoft.ContainerRegistry/registries/agentpools/read | Get a agentpool for a container registry or list all agentpools. | +> | Microsoft.ContainerRegistry/registries/agentpools/write | Create or Update an agentpool for a container registry. | +> | Microsoft.ContainerRegistry/registries/agentpools/delete | Delete an agentpool for a container registry. | +> | Microsoft.ContainerRegistry/registries/agentpools/listQueueStatus/action | List all queue status of an agentpool for a container registry. | +> | Microsoft.ContainerRegistry/registries/agentpools/operationResults/status/read | Gets an agentpool async operation result status | +> | Microsoft.ContainerRegistry/registries/agentpools/operationStatuses/read | Gets an agentpool async operation status | +> | Microsoft.ContainerRegistry/registries/artifacts/delete | Delete artifact in a container registry. | +> | Microsoft.ContainerRegistry/registries/builds/read | Gets the properties of the specified build or lists all the builds for the specified container registry. | +> | Microsoft.ContainerRegistry/registries/builds/write | Updates a build for a container registry with the specified parameters. | +> | Microsoft.ContainerRegistry/registries/builds/getLogLink/action | Gets a link to download the build logs. 
| +> | Microsoft.ContainerRegistry/registries/builds/cancel/action | Cancels an existing build. | +> | Microsoft.ContainerRegistry/registries/buildTasks/read | Gets the properties of the specified build task or lists all the build tasks for the specified container registry. | +> | Microsoft.ContainerRegistry/registries/buildTasks/write | Creates or updates a build task for a container registry with the specified parameters. | +> | Microsoft.ContainerRegistry/registries/buildTasks/delete | Deletes a build task from a container registry. | +> | Microsoft.ContainerRegistry/registries/buildTasks/listSourceRepositoryProperties/action | Lists the source control properties for a build task. | +> | Microsoft.ContainerRegistry/registries/buildTasks/steps/read | Gets the properties of the specified build step or lists all the build steps for the specified build task. | +> | Microsoft.ContainerRegistry/registries/buildTasks/steps/write | Creates or updates a build step for a build task with the specified parameters. | +> | Microsoft.ContainerRegistry/registries/buildTasks/steps/delete | Deletes a build step from a build task. | +> | Microsoft.ContainerRegistry/registries/buildTasks/steps/listBuildArguments/action | Lists the build arguments for a build step including the secret arguments. 
| +> | Microsoft.ContainerRegistry/registries/cacheRules/read | Gets the properties of the specified cache rule or lists all the cache rules for the specified container registry | +> | Microsoft.ContainerRegistry/registries/cacheRules/write | Creates or updates a cache rule for a container registry with the specified parameters | +> | Microsoft.ContainerRegistry/registries/cacheRules/delete | Deletes a cache rule from a container registry | +> | Microsoft.ContainerRegistry/registries/cacheRules/operationStatuses/read | Gets a cache rule async operation status | +> | Microsoft.ContainerRegistry/registries/connectedRegistries/read | Gets the properties of the specified connected registry or lists all the connected registries for the specified container registry. | +> | Microsoft.ContainerRegistry/registries/connectedRegistries/write | Creates or updates a connected registry for a container registry with the specified parameters. | +> | Microsoft.ContainerRegistry/registries/connectedRegistries/delete | Deletes a connected registry from a container registry. 
| +> | Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate/action | Deactivates a connected registry for a container registry | +> | Microsoft.ContainerRegistry/registries/credentialSets/read | Gets the properties of the specified credential set or lists all the credential sets for the specified container registry | +> | Microsoft.ContainerRegistry/registries/credentialSets/write | Creates or updates a credential set for a container registry with the specified parameters | +> | Microsoft.ContainerRegistry/registries/credentialSets/delete | Deletes a credential set from a container registry | +> | Microsoft.ContainerRegistry/registries/credentialSets/operationStatuses/read | Gets a credential set async operation status | +> | Microsoft.ContainerRegistry/registries/deleted/read | Gets the deleted artifacts in a container registry | +> | Microsoft.ContainerRegistry/registries/deleted/restore/action | Restores deleted artifacts in a container registry | +> | Microsoft.ContainerRegistry/registries/eventGridFilters/read | Gets the properties of the specified event grid filter or lists all the event grid filters for the specified container registry. | +> | Microsoft.ContainerRegistry/registries/eventGridFilters/write | Creates or updates an event grid filter for a container registry with the specified parameters. | +> | Microsoft.ContainerRegistry/registries/eventGridFilters/delete | Deletes an event grid filter from a container registry. | +> | Microsoft.ContainerRegistry/registries/exportPipelines/read | Gets the properties of the specified export pipeline or lists all the export pipelines for the specified container registry. | +> | Microsoft.ContainerRegistry/registries/exportPipelines/write | Creates or updates an export pipeline for a container registry with the specified parameters. | +> | Microsoft.ContainerRegistry/registries/exportPipelines/delete | Deletes an export pipeline from a container registry. 
| +> | Microsoft.ContainerRegistry/registries/importPipelines/read | Gets the properties of the specified import pipeline or lists all the import pipelines for the specified container registry. | +> | Microsoft.ContainerRegistry/registries/importPipelines/write | Creates or updates an import pipeline for a container registry with the specified parameters. | +> | Microsoft.ContainerRegistry/registries/importPipelines/delete | Deletes an import pipeline from a container registry. | +> | Microsoft.ContainerRegistry/registries/listPolicies/read | Lists the policies for the specified container registry | +> | Microsoft.ContainerRegistry/registries/listUsages/read | Lists the quota usages for the specified container registry. | +> | Microsoft.ContainerRegistry/registries/metadata/read | Gets the metadata of a specific repository for a container registry | +> | Microsoft.ContainerRegistry/registries/metadata/write | Updates the metadata of a repository for a container registry | +> | Microsoft.ContainerRegistry/registries/operationStatuses/read | Gets a registry async operation status | +> | Microsoft.ContainerRegistry/registries/packages/archives/read | Get all the properties of Archive | +> | Microsoft.ContainerRegistry/registries/packages/archives/write | Creates or updates a Archive for a container registry with the specified parameters | +> | Microsoft.ContainerRegistry/registries/packages/archives/delete | Delete an Archive from a container registry | +> | Microsoft.ContainerRegistry/registries/packages/archives/versions/read | Get all the properties of Archive version | +> | Microsoft.ContainerRegistry/registries/packages/archives/versions/write | Creates or updates a Archive version for an Archive with the specified parameter | +> | Microsoft.ContainerRegistry/registries/packages/archives/versions/delete | Delete an Archive version from an Archive | +> | Microsoft.ContainerRegistry/registries/packages/archives/versions/operationStatuses/read | Get Archive version 
async Operation Status | +> | Microsoft.ContainerRegistry/registries/pipelineRuns/read | Gets the properties of the specified pipeline run or lists all the pipeline runs for the specified container registry. | +> | Microsoft.ContainerRegistry/registries/pipelineRuns/write | Creates or updates a pipeline run for a container registry with the specified parameters. | +> | Microsoft.ContainerRegistry/registries/pipelineRuns/delete | Deletes a pipeline run from a container registry. | +> | Microsoft.ContainerRegistry/registries/pipelineRuns/operationStatuses/read | Gets a pipeline run async operation status. | +> | Microsoft.ContainerRegistry/registries/privateEndpointConnectionProxies/validate/action | Validate the Private Endpoint Connection Proxy (NRP only) | +> | Microsoft.ContainerRegistry/registries/privateEndpointConnectionProxies/read | Get the Private Endpoint Connection Proxy (NRP only) | +> | Microsoft.ContainerRegistry/registries/privateEndpointConnectionProxies/write | Create the Private Endpoint Connection Proxy (NRP only) | +> | Microsoft.ContainerRegistry/registries/privateEndpointConnectionProxies/delete | Delete the Private Endpoint Connection Proxy (NRP only) | +> | Microsoft.ContainerRegistry/registries/privateEndpointConnectionProxies/operationStatuses/read | Get Private Endpoint Connection Proxy Async Operation Status | +> | Microsoft.ContainerRegistry/registries/privateEndpointConnections/read | Gets the properties of private endpoint connection or list all the private endpoint connections for the specified container registry | +> | Microsoft.ContainerRegistry/registries/privateEndpointConnections/write | Approves/Rejects the private endpoint connection | +> | Microsoft.ContainerRegistry/registries/privateEndpointConnections/delete | Deletes the private endpoint connection | +> | Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read | Get Private Endpoint Connection Async Operation Status | +> | 
Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for Microsoft ContainerRegistry | +> | Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Microsoft ContainerRegistry | +> | Microsoft.ContainerRegistry/registries/pull/read | Pull or Get images from a container registry. | +> | Microsoft.ContainerRegistry/registries/push/write | Push or Write images to a container registry. | +> | Microsoft.ContainerRegistry/registries/quarantine/read | Pull or Get quarantined images from container registry | +> | Microsoft.ContainerRegistry/registries/quarantine/write | Write/Modify quarantine state of quarantined images | +> | Microsoft.ContainerRegistry/registries/replications/read | Gets the properties of the specified replication or lists all the replications for the specified container registry. | +> | Microsoft.ContainerRegistry/registries/replications/write | Creates or updates a replication for a container registry with the specified parameters. | +> | Microsoft.ContainerRegistry/registries/replications/delete | Deletes a replication from a container registry. | +> | Microsoft.ContainerRegistry/registries/replications/operationStatuses/read | Gets a replication async operation status | +> | Microsoft.ContainerRegistry/registries/runs/read | Gets the properties of a run against a container registry or list runs. | +> | Microsoft.ContainerRegistry/registries/runs/write | Updates a run. | +> | Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action | Gets the log SAS URL for a run. 
| +> | Microsoft.ContainerRegistry/registries/runs/cancel/action | Cancel an existing run. | +> | Microsoft.ContainerRegistry/registries/scopeMaps/read | Gets the properties of the specified scope map or lists all the scope maps for the specified container registry. | +> | Microsoft.ContainerRegistry/registries/scopeMaps/write | Creates or updates a scope map for a container registry with the specified parameters. | +> | Microsoft.ContainerRegistry/registries/scopeMaps/delete | Deletes a scope map from a container registry. | +> | Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read | Gets a scope map async operation status. | +> | Microsoft.ContainerRegistry/registries/sign/write | Push/Pull content trust metadata for a container registry. | +> | Microsoft.ContainerRegistry/registries/taskruns/read | Get a taskrun for a container registry or list all taskruns. | +> | Microsoft.ContainerRegistry/registries/taskruns/write | Create or Update a taskrun for a container registry. | +> | Microsoft.ContainerRegistry/registries/taskruns/delete | Delete a taskrun for a container registry. | +> | Microsoft.ContainerRegistry/registries/taskruns/listDetails/action | List all details of a taskrun for a container registry. | +> | Microsoft.ContainerRegistry/registries/taskruns/operationStatuses/read | Gets a taskrun async operation status | +> | Microsoft.ContainerRegistry/registries/tasks/read | Gets a task for a container registry or list all tasks. | +> | Microsoft.ContainerRegistry/registries/tasks/write | Creates or Updates a task for a container registry. | +> | Microsoft.ContainerRegistry/registries/tasks/delete | Deletes a task for a container registry. | +> | Microsoft.ContainerRegistry/registries/tasks/listDetails/action | List all details of a task for a container registry. | +> | Microsoft.ContainerRegistry/registries/tokens/read | Gets the properties of the specified token or lists all the tokens for the specified container registry. 
| +> | Microsoft.ContainerRegistry/registries/tokens/write | Creates or updates a token for a container registry with the specified parameters. | +> | Microsoft.ContainerRegistry/registries/tokens/delete | Deletes a token from a container registry. | +> | Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read | Gets a token async operation status. | +> | Microsoft.ContainerRegistry/registries/updatePolicies/write | Updates the policies for the specified container registry | +> | Microsoft.ContainerRegistry/registries/webhooks/read | Gets the properties of the specified webhook or lists all the webhooks for the specified container registry. | +> | Microsoft.ContainerRegistry/registries/webhooks/write | Creates or updates a webhook for a container registry with the specified parameters. | +> | Microsoft.ContainerRegistry/registries/webhooks/delete | Deletes a webhook from a container registry. | +> | Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action | Gets the configuration of service URI and custom headers for the webhook. | +> | Microsoft.ContainerRegistry/registries/webhooks/ping/action | Triggers a ping event to be sent to the webhook. | +> | Microsoft.ContainerRegistry/registries/webhooks/listEvents/action | Lists recent events for the specified webhook. | +> | Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read | Gets a webhook async operation status | +> | **DataAction** | **Description** | +> | Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Allows pull or get of the quarantined artifacts from container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read except that it is a data action | +> | Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write | Allows write or update of the quarantine state of quarantined artifacts. 
This is similar to Microsoft.ContainerRegistry/registries/quarantine/write action except that it is a data action | +> | Microsoft.ContainerRegistry/registries/repositories/content/read | Pull or Get images from a container registry. | +> | Microsoft.ContainerRegistry/registries/repositories/content/write | Push or Write images to a container registry. | +> | Microsoft.ContainerRegistry/registries/repositories/content/delete | Delete artifact in a container registry. | +> | Microsoft.ContainerRegistry/registries/repositories/metadata/read | Gets the metadata of a specific repository for a container registry | +> | Microsoft.ContainerRegistry/registries/repositories/metadata/write | Updates the metadata of a repository for a container registry | +> | Microsoft.ContainerRegistry/registries/repositories/metadata/delete | Delete the metadata of a repository for a container registry | +> | Microsoft.ContainerRegistry/registries/trustedCollections/write | Allows push or publish of trusted collections of container registry content. 
This is similar to Microsoft.ContainerRegistry/registries/sign/write action except that this is a data action | ++## Microsoft.ContainerService ++Azure service: [Azure Kubernetes Service (AKS)](/azure/aks/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.ContainerService/register/action | Registers Subscription with Microsoft.ContainerService resource provider | +> | Microsoft.ContainerService/unregister/action | Unregisters Subscription with Microsoft.ContainerService resource provider | +> | Microsoft.ContainerService/containerServices/read | Get a container service | +> | Microsoft.ContainerService/containerServices/write | Creates a new container service or updates an existing one | +> | Microsoft.ContainerService/containerServices/delete | Deletes a container service | +> | Microsoft.ContainerService/fleetMemberships/read | Get a fleet membership extension | +> | Microsoft.ContainerService/fleetMemberships/write | Create or Update a fleet membership extension | +> | Microsoft.ContainerService/fleetMemberships/delete | Delete a fleet membership extension | +> | Microsoft.ContainerService/fleetMemberships/forward/action | Forwards a call to the underlying cluster | +> | Microsoft.ContainerService/fleets/read | Get fleet | +> | Microsoft.ContainerService/fleets/write | Create or Update a fleet | +> | Microsoft.ContainerService/fleets/delete | Delete a fleet | +> | Microsoft.ContainerService/fleets/listCredentials/action | List fleet credentials | +> | Microsoft.ContainerService/fleets/members/read | Get a fleet member | +> | Microsoft.ContainerService/fleets/members/write | Create or Update a fleet member | +> | Microsoft.ContainerService/fleets/members/delete | Delete a fleet member | +> | Microsoft.ContainerService/fleets/updateRuns/read | Get a fleet update run | +> | Microsoft.ContainerService/fleets/updateRuns/write | Create or Update a fleet update run | +> | Microsoft.ContainerService/fleets/updateRuns/delete | Delete a 
fleet update run | +> | Microsoft.ContainerService/fleets/updateRuns/start/action | Starts a fleet update run | +> | Microsoft.ContainerService/fleets/updateRuns/stop/action | Stops a fleet update run | +> | Microsoft.ContainerService/fleets/updateStrategies/read | Get a fleet update strategy | +> | Microsoft.ContainerService/fleets/updateStrategies/write | Create or Update a fleet update strategy | +> | Microsoft.ContainerService/fleets/updateStrategies/delete | Delete a fleet update strategy | +> | Microsoft.ContainerService/locations/guardrailsVersions/read | Get Guardrails Versions | +> | Microsoft.ContainerService/locations/kubernetesversions/read | List available Kubernetes versions in the region. | +> | Microsoft.ContainerService/locations/meshRevisionProfiles/read | Read service mesh revision profiles in a location | +> | Microsoft.ContainerService/locations/operationresults/read | Gets the status of an asynchronous operation result | +> | Microsoft.ContainerService/locations/operations/read | Gets the status of an asynchronous operation | +> | Microsoft.ContainerService/locations/orchestrators/read | Lists the supported orchestrators | +> | Microsoft.ContainerService/locations/osOptions/read | Gets OS options | +> | Microsoft.ContainerService/locations/safeguardsVersions/read | Get Safeguards Versions | +> | Microsoft.ContainerService/locations/usages/read | List resource usage on Microsoft.ContainerService resource provider. 
| +> | Microsoft.ContainerService/managedClusters/read | Get a managed cluster | +> | Microsoft.ContainerService/managedClusters/write | Creates a new managed cluster or updates an existing one | +> | Microsoft.ContainerService/managedClusters/delete | Deletes a managed cluster | +> | Microsoft.ContainerService/managedClusters/start/action | Starts a managed cluster | +> | Microsoft.ContainerService/managedClusters/stop/action | Stops a managed cluster | +> | Microsoft.ContainerService/managedClusters/abort/action | Latest ongoing operation on managed cluster gets aborted | +> | Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action | List the clusterAdmin credential of a managed cluster | +> | Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster | +> | Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action | List the clusterMonitoringUser credential of a managed cluster | +> | Microsoft.ContainerService/managedClusters/resetServicePrincipalProfile/action | Reset the service principal profile of a managed cluster | +> | Microsoft.ContainerService/managedClusters/unpinManagedCluster/action | Unpin a managed cluster | +> | Microsoft.ContainerService/managedClusters/resolvePrivateLinkServiceId/action | Resolve the private link service id of a managed cluster | +> | Microsoft.ContainerService/managedClusters/resetAADProfile/action | Reset the AAD profile of a managed cluster | +> | Microsoft.ContainerService/managedClusters/rotateClusterCertificates/action | Rotate certificates of a managed cluster | +> | Microsoft.ContainerService/managedClusters/runCommand/action | Run user issued command against managed kubernetes server. 
| +> | Microsoft.ContainerService/managedClusters/privateEndpointConnectionsApproval/action | Determines if user is allowed to approve a private endpoint connection | +> | Microsoft.ContainerService/managedClusters/accessProfiles/read | Get a managed cluster access profile by role name | +> | Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action | Get a managed cluster access profile by role name using list credential | +> | Microsoft.ContainerService/managedClusters/agentPools/read | Gets an agent pool | +> | Microsoft.ContainerService/managedClusters/agentPools/write | Creates a new agent pool or updates an existing one | +> | Microsoft.ContainerService/managedClusters/agentPools/delete | Deletes an agent pool | +> | Microsoft.ContainerService/managedClusters/agentPools/upgradeNodeImageVersion/action | Upgrade the node image version of agent pool | +> | Microsoft.ContainerService/managedClusters/agentPools/abort/action | Latest ongoing operation on agent pool gets aborted | +> | Microsoft.ContainerService/managedClusters/agentPools/upgradeNodeImageVersion/write | Upgrade the node image version of agent pool | +> | Microsoft.ContainerService/managedClusters/agentPools/upgradeProfiles/read | Gets the upgrade profile of the Agent Pool | +> | Microsoft.ContainerService/managedClusters/availableAgentPoolVersions/read | Gets the available agent pool versions of the cluster | +> | Microsoft.ContainerService/managedClusters/commandResults/read | Retrieve result from previous issued command. 
| +> | Microsoft.ContainerService/managedClusters/detectors/read | Get Managed Cluster Detector | +> | Microsoft.ContainerService/managedClusters/diagnosticsState/read | Gets the diagnostics state of the cluster | +> | Microsoft.ContainerService/managedClusters/eventGridFilters/read | Get eventgrid filter | +> | Microsoft.ContainerService/managedClusters/eventGridFilters/write | Create or Update eventgrid filter | +> | Microsoft.ContainerService/managedClusters/eventGridFilters/delete | Delete an eventgrid filter | +> | Microsoft.ContainerService/managedClusters/extensionaddons/read | Gets an extension addon | +> | Microsoft.ContainerService/managedClusters/extensionaddons/write | Creates a new extension addon or updates an existing one | +> | Microsoft.ContainerService/managedClusters/extensionaddons/delete | Deletes an extension addon | +> | Microsoft.ContainerService/managedClusters/maintenanceConfigurations/read | Gets a maintenance configuration | +> | Microsoft.ContainerService/managedClusters/maintenanceConfigurations/write | Creates a new MaintenanceConfiguration or updates an existing one | +> | Microsoft.ContainerService/managedClusters/maintenanceConfigurations/delete | Deletes a maintenance configuration | +> | Microsoft.ContainerService/managedClusters/meshUpgradeProfiles/read | Read service mesh upgrade profiles for a managed cluster | +> | Microsoft.ContainerService/managedClusters/networkSecurityPerimeterAssociationProxies/read | Get ManagedCluster NetworkSecurityPerimeter Association | +> | Microsoft.ContainerService/managedClusters/networkSecurityPerimeterAssociationProxies/write | Create or update ManagedCluster NetworkSecurityPerimeter Association | +> | Microsoft.ContainerService/managedClusters/networkSecurityPerimeterAssociationProxies/delete | Delete ManagedCluster NetworkSecurityPerimeter Association | +> | Microsoft.ContainerService/managedClusters/networkSecurityPerimeterConfigurations/read | Get ManagedCluster NetworkSecurityPerimeter 
Association | +> | Microsoft.ContainerService/managedClusters/privateEndpointConnections/read | Get private endpoint connection | +> | Microsoft.ContainerService/managedClusters/privateEndpointConnections/write | Approve or Reject a private endpoint connection | +> | Microsoft.ContainerService/managedClusters/privateEndpointConnections/delete | Delete private endpoint connection | +> | Microsoft.ContainerService/managedClusters/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostic setting for a managed cluster resource | +> | Microsoft.ContainerService/managedClusters/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for a managed cluster resource | +> | Microsoft.ContainerService/managedClusters/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for Managed Cluster | +> | Microsoft.ContainerService/managedClusters/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Managed Cluster | +> | Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read | Get trusted access role bindings for managed cluster | +> | Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write | Create or update trusted access role bindings for managed cluster | +> | Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete | Delete trusted access role bindings for managed cluster | +> | Microsoft.ContainerService/managedClusters/upgradeProfiles/read | Gets the upgrade profile of the cluster | +> | Microsoft.ContainerService/managedclustersnapshots/read | Get a managed cluster snapshot | +> | Microsoft.ContainerService/managedclustersnapshots/write | Creates a new managed cluster snapshot | +> | Microsoft.ContainerService/managedclustersnapshots/delete | Deletes a managed cluster snapshot | +> | Microsoft.ContainerService/openShiftClusters/read | Get an Open Shift Cluster | +> | 
Microsoft.ContainerService/openShiftClusters/write | Creates a new Open Shift Cluster or updates an existing one | +> | Microsoft.ContainerService/openShiftClusters/delete | Delete an Open Shift Cluster | +> | Microsoft.ContainerService/openShiftManagedClusters/read | Get an Open Shift Managed Cluster | +> | Microsoft.ContainerService/openShiftManagedClusters/write | Creates a new Open Shift Managed Cluster or updates an existing one | +> | Microsoft.ContainerService/openShiftManagedClusters/delete | Delete an Open Shift Managed Cluster | +> | Microsoft.ContainerService/operations/read | Lists operations available on Microsoft.ContainerService resource provider | +> | Microsoft.ContainerService/snapshots/read | Get a snapshot | +> | Microsoft.ContainerService/snapshots/write | Creates a new snapshot | +> | Microsoft.ContainerService/snapshots/delete | Deletes a snapshot | +> | **DataAction** | **Description** | +> | Microsoft.ContainerService/fleets/admissionregistration.k8s.io/initializerconfigurations/read | Reads initializerconfigurations | +> | Microsoft.ContainerService/fleets/admissionregistration.k8s.io/initializerconfigurations/write | Writes initializerconfigurations | +> | Microsoft.ContainerService/fleets/admissionregistration.k8s.io/initializerconfigurations/delete | Deletes/DeletesCollection initializerconfigurations resource | +> | Microsoft.ContainerService/fleets/admissionregistration.k8s.io/mutatingwebhookconfigurations/read | Reads mutatingwebhookconfigurations | +> | Microsoft.ContainerService/fleets/admissionregistration.k8s.io/mutatingwebhookconfigurations/write | Writes mutatingwebhookconfigurations | +> | Microsoft.ContainerService/fleets/admissionregistration.k8s.io/mutatingwebhookconfigurations/delete | Deletes mutatingwebhookconfigurations | +> | Microsoft.ContainerService/fleets/admissionregistration.k8s.io/validatingwebhookconfigurations/read | Reads validatingwebhookconfigurations | +> | 
Microsoft.ContainerService/fleets/admissionregistration.k8s.io/validatingwebhookconfigurations/write | Writes validatingwebhookconfigurations | +> | Microsoft.ContainerService/fleets/admissionregistration.k8s.io/validatingwebhookconfigurations/delete | Deletes validatingwebhookconfigurations | +> | Microsoft.ContainerService/fleets/api/read | Reads api | +> | Microsoft.ContainerService/fleets/api/v1/read | Reads api/v1 | +> | Microsoft.ContainerService/fleets/apiextensions.k8s.io/customresourcedefinitions/read | Reads customresourcedefinitions | +> | Microsoft.ContainerService/fleets/apiextensions.k8s.io/customresourcedefinitions/write | Writes customresourcedefinitions | +> | Microsoft.ContainerService/fleets/apiextensions.k8s.io/customresourcedefinitions/delete | Deletes customresourcedefinitions | +> | Microsoft.ContainerService/fleets/apiregistration.k8s.io/apiservices/read | Reads apiservices | +> | Microsoft.ContainerService/fleets/apiregistration.k8s.io/apiservices/write | Writes apiservices | +> | Microsoft.ContainerService/fleets/apiregistration.k8s.io/apiservices/delete | Deletes apiservices | +> | Microsoft.ContainerService/fleets/apis/read | Reads apis | +> | Microsoft.ContainerService/fleets/apis/admissionregistration.k8s.io/read | Reads admissionregistration.k8s.io | +> | Microsoft.ContainerService/fleets/apis/admissionregistration.k8s.io/v1/read | Reads admissionregistration.k8s.io/v1 | +> | Microsoft.ContainerService/fleets/apis/admissionregistration.k8s.io/v1beta1/read | Reads admissionregistration.k8s.io/v1beta1 | +> | Microsoft.ContainerService/fleets/apis/apiextensions.k8s.io/read | Reads apiextensions.k8s.io | +> | Microsoft.ContainerService/fleets/apis/apiextensions.k8s.io/v1/read | Reads apiextensions.k8s.io/v1 | +> | Microsoft.ContainerService/fleets/apis/apiextensions.k8s.io/v1beta1/read | Reads apiextensions.k8s.io/v1beta1 | +> | Microsoft.ContainerService/fleets/apis/apiregistration.k8s.io/read | Reads apiregistration.k8s.io | +> | 
Microsoft.ContainerService/fleets/apis/apiregistration.k8s.io/v1/read | Reads apiregistration.k8s.io/v1 | +> | Microsoft.ContainerService/fleets/apis/apiregistration.k8s.io/v1beta1/read | Reads apiregistration.k8s.io/v1beta1 | +> | Microsoft.ContainerService/fleets/apis/apps/read | Reads apps | +> | Microsoft.ContainerService/fleets/apis/apps/v1/read | Reads apps/v1 | +> | Microsoft.ContainerService/fleets/apis/apps/v1beta1/read | Reads apps/v1beta1 | +> | Microsoft.ContainerService/fleets/apis/apps/v1beta2/read | Reads apps/v1beta2 | +> | Microsoft.ContainerService/fleets/apis/authentication.k8s.io/read | Reads authentication.k8s.io | +> | Microsoft.ContainerService/fleets/apis/authentication.k8s.io/v1/read | Reads authentication.k8s.io/v1 | +> | Microsoft.ContainerService/fleets/apis/authentication.k8s.io/v1beta1/read | Reads authentication.k8s.io/v1beta1 | +> | Microsoft.ContainerService/fleets/apis/authorization.k8s.io/read | Reads authorization.k8s.io | +> | Microsoft.ContainerService/fleets/apis/authorization.k8s.io/v1/read | Reads authorization.k8s.io/v1 | +> | Microsoft.ContainerService/fleets/apis/authorization.k8s.io/v1beta1/read | Reads authorization.k8s.io/v1beta1 | +> | Microsoft.ContainerService/fleets/apis/autoscaling/read | Reads autoscaling | +> | Microsoft.ContainerService/fleets/apis/autoscaling/v1/read | Reads autoscaling/v1 | +> | Microsoft.ContainerService/fleets/apis/autoscaling/v2beta1/read | Reads autoscaling/v2beta1 | +> | Microsoft.ContainerService/fleets/apis/autoscaling/v2beta2/read | Reads autoscaling/v2beta2 | +> | Microsoft.ContainerService/fleets/apis/batch/read | Reads batch | +> | Microsoft.ContainerService/fleets/apis/batch/v1/read | Reads batch/v1 | +> | Microsoft.ContainerService/fleets/apis/batch/v1beta1/read | Reads batch/v1beta1 | +> | Microsoft.ContainerService/fleets/apis/certificates.k8s.io/read | Reads certificates.k8s.io | +> | Microsoft.ContainerService/fleets/apis/certificates.k8s.io/v1beta1/read | Reads 
certificates.k8s.io/v1beta1 | +> | Microsoft.ContainerService/fleets/apis/coordination.k8s.io/read | Reads coordination.k8s.io | +> | Microsoft.ContainerService/fleets/apis/coordination.k8s.io/v1/read | Reads coordination/v1 | +> | Microsoft.ContainerService/fleets/apis/coordination.k8s.io/v1beta1/read | Reads coordination.k8s.io/v1beta1 | +> | Microsoft.ContainerService/fleets/apis/events.k8s.io/read | Reads events.k8s.io | +> | Microsoft.ContainerService/fleets/apis/events.k8s.io/v1beta1/read | Reads events.k8s.io/v1beta1 | +> | Microsoft.ContainerService/fleets/apis/extensions/read | Reads extensions | +> | Microsoft.ContainerService/fleets/apis/extensions/v1beta1/read | Reads extensions/v1beta1 | +> | Microsoft.ContainerService/fleets/apis/metrics.k8s.io/read | Reads metrics.k8s.io | +> | Microsoft.ContainerService/fleets/apis/metrics.k8s.io/v1beta1/read | Reads metrics.k8s.io/v1beta1 | +> | Microsoft.ContainerService/fleets/apis/networking.k8s.io/read | Reads networking.k8s.io | +> | Microsoft.ContainerService/fleets/apis/networking.k8s.io/v1/read | Reads networking/v1 | +> | Microsoft.ContainerService/fleets/apis/networking.k8s.io/v1beta1/read | Reads networking.k8s.io/v1beta1 | +> | Microsoft.ContainerService/fleets/apis/node.k8s.io/read | Reads node.k8s.io | +> | Microsoft.ContainerService/fleets/apis/node.k8s.io/v1beta1/read | Reads node.k8s.io/v1beta1 | +> | Microsoft.ContainerService/fleets/apis/policy/read | Reads policy | +> | Microsoft.ContainerService/fleets/apis/policy/v1beta1/read | Reads policy/v1beta1 | +> | Microsoft.ContainerService/fleets/apis/rbac.authorization.k8s.io/read | Reads rbac.authorization.k8s.io | +> | Microsoft.ContainerService/fleets/apis/rbac.authorization.k8s.io/v1/read | Reads rbac.authorization/v1 | +> | Microsoft.ContainerService/fleets/apis/rbac.authorization.k8s.io/v1beta1/read | Reads rbac.authorization.k8s.io/v1beta1 | +> | Microsoft.ContainerService/fleets/apis/scheduling.k8s.io/read | Reads scheduling.k8s.io | +> | 
Microsoft.ContainerService/fleets/apis/scheduling.k8s.io/v1/read | Reads scheduling/v1 | +> | Microsoft.ContainerService/fleets/apis/scheduling.k8s.io/v1beta1/read | Reads scheduling.k8s.io/v1beta1 | +> | Microsoft.ContainerService/fleets/apis/storage.k8s.io/read | Reads storage.k8s.io | +> | Microsoft.ContainerService/fleets/apis/storage.k8s.io/v1/read | Reads storage/v1 | +> | Microsoft.ContainerService/fleets/apis/storage.k8s.io/v1beta1/read | Reads storage.k8s.io/v1beta1 | +> | Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions | +> | Microsoft.ContainerService/fleets/apps/controllerrevisions/write | Writes controllerrevisions | +> | Microsoft.ContainerService/fleets/apps/controllerrevisions/delete | Deletes controllerrevisions | +> | Microsoft.ContainerService/fleets/apps/daemonsets/read | Reads daemonsets | +> | Microsoft.ContainerService/fleets/apps/daemonsets/write | Writes daemonsets | +> | Microsoft.ContainerService/fleets/apps/daemonsets/delete | Deletes daemonsets | +> | Microsoft.ContainerService/fleets/apps/deployments/read | Reads deployments | +> | Microsoft.ContainerService/fleets/apps/deployments/write | Writes deployments | +> | Microsoft.ContainerService/fleets/apps/deployments/delete | Deletes deployments | +> | Microsoft.ContainerService/fleets/apps/statefulsets/read | Reads statefulsets | +> | Microsoft.ContainerService/fleets/apps/statefulsets/write | Writes statefulsets | +> | Microsoft.ContainerService/fleets/apps/statefulsets/delete | Deletes statefulsets | +> | Microsoft.ContainerService/fleets/authentication.k8s.io/tokenreviews/write | Writes tokenreviews | +> | Microsoft.ContainerService/fleets/authentication.k8s.io/userextras/impersonate/action | Impersonate userextras | +> | Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write | Writes localsubjectaccessreviews | +> | Microsoft.ContainerService/fleets/authorization.k8s.io/selfsubjectaccessreviews/write | 
Writes selfsubjectaccessreviews | +> | Microsoft.ContainerService/fleets/authorization.k8s.io/selfsubjectrulesreviews/write | Writes selfsubjectrulesreviews | +> | Microsoft.ContainerService/fleets/authorization.k8s.io/subjectaccessreviews/write | Writes subjectaccessreviews | +> | Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers | +> | Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write | Writes horizontalpodautoscalers | +> | Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/delete | Deletes horizontalpodautoscalers | +> | Microsoft.ContainerService/fleets/batch/cronjobs/read | Reads cronjobs | +> | Microsoft.ContainerService/fleets/batch/cronjobs/write | Writes cronjobs | +> | Microsoft.ContainerService/fleets/batch/cronjobs/delete | Deletes cronjobs | +> | Microsoft.ContainerService/fleets/batch/jobs/read | Reads jobs | +> | Microsoft.ContainerService/fleets/batch/jobs/write | Writes jobs | +> | Microsoft.ContainerService/fleets/batch/jobs/delete | Deletes jobs | +> | Microsoft.ContainerService/fleets/bindings/write | Writes bindings | +> | Microsoft.ContainerService/fleets/certificates.k8s.io/certificatesigningrequests/read | Reads certificatesigningrequests | +> | Microsoft.ContainerService/fleets/certificates.k8s.io/certificatesigningrequests/write | Writes certificatesigningrequests | +> | Microsoft.ContainerService/fleets/certificates.k8s.io/certificatesigningrequests/delete | Deletes certificatesigningrequests | +> | Microsoft.ContainerService/fleets/componentstatuses/read | Reads componentstatuses | +> | Microsoft.ContainerService/fleets/componentstatuses/write | Writes componentstatuses | +> | Microsoft.ContainerService/fleets/componentstatuses/delete | Deletes componentstatuses | +> | Microsoft.ContainerService/fleets/configmaps/read | Reads configmaps | +> | Microsoft.ContainerService/fleets/configmaps/write | Writes configmaps | +> | 
Microsoft.ContainerService/fleets/configmaps/delete | Deletes configmaps | +> | Microsoft.ContainerService/fleets/coordination.k8s.io/leases/read | Reads leases | +> | Microsoft.ContainerService/fleets/coordination.k8s.io/leases/write | Writes leases | +> | Microsoft.ContainerService/fleets/coordination.k8s.io/leases/delete | Deletes leases | +> | Microsoft.ContainerService/fleets/endpoints/read | Reads endpoints | +> | Microsoft.ContainerService/fleets/endpoints/write | Writes endpoints | +> | Microsoft.ContainerService/fleets/endpoints/delete | Deletes endpoints | +> | Microsoft.ContainerService/fleets/events/read | Reads events | +> | Microsoft.ContainerService/fleets/events/write | Writes events | +> | Microsoft.ContainerService/fleets/events/delete | Deletes events | +> | Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events | +> | Microsoft.ContainerService/fleets/events.k8s.io/events/write | Writes events | +> | Microsoft.ContainerService/fleets/events.k8s.io/events/delete | Deletes events | +> | Microsoft.ContainerService/fleets/extensions/daemonsets/read | Reads daemonsets | +> | Microsoft.ContainerService/fleets/extensions/daemonsets/write | Writes daemonsets | +> | Microsoft.ContainerService/fleets/extensions/daemonsets/delete | Deletes daemonsets | +> | Microsoft.ContainerService/fleets/extensions/deployments/read | Reads deployments | +> | Microsoft.ContainerService/fleets/extensions/deployments/write | Writes deployments | +> | Microsoft.ContainerService/fleets/extensions/deployments/delete | Deletes deployments | +> | Microsoft.ContainerService/fleets/extensions/ingresses/read | Reads ingresses | +> | Microsoft.ContainerService/fleets/extensions/ingresses/write | Writes ingresses | +> | Microsoft.ContainerService/fleets/extensions/ingresses/delete | Deletes ingresses | +> | Microsoft.ContainerService/fleets/extensions/networkpolicies/read | Reads networkpolicies | +> | 
Microsoft.ContainerService/fleets/extensions/networkpolicies/write | Writes networkpolicies | +> | Microsoft.ContainerService/fleets/extensions/networkpolicies/delete | Deletes networkpolicies | +> | Microsoft.ContainerService/fleets/extensions/podsecuritypolicies/read | Reads podsecuritypolicies | +> | Microsoft.ContainerService/fleets/extensions/podsecuritypolicies/write | Writes podsecuritypolicies | +> | Microsoft.ContainerService/fleets/extensions/podsecuritypolicies/delete | Deletes podsecuritypolicies | +> | Microsoft.ContainerService/fleets/groups/impersonate/action | Impersonate groups | +> | Microsoft.ContainerService/fleets/healthz/read | Reads healthz | +> | Microsoft.ContainerService/fleets/healthz/autoregister-completion/read | Reads autoregister-completion | +> | Microsoft.ContainerService/fleets/healthz/etcd/read | Reads etcd | +> | Microsoft.ContainerService/fleets/healthz/log/read | Reads log | +> | Microsoft.ContainerService/fleets/healthz/ping/read | Reads ping | +> | Microsoft.ContainerService/fleets/healthz/poststarthook/apiservice-openapi-controller/read | Reads apiservice-openapi-controller | +> | Microsoft.ContainerService/fleets/healthz/poststarthook/apiservice-registration-controller/read | Reads apiservice-registration-controller | +> | Microsoft.ContainerService/fleets/healthz/poststarthook/apiservice-status-available-controller/read | Reads apiservice-status-available-controller | +> | Microsoft.ContainerService/fleets/healthz/poststarthook/bootstrap-controller/read | Reads bootstrap-controller | +> | Microsoft.ContainerService/fleets/healthz/poststarthook/ca-registration/read | Reads ca-registration | +> | Microsoft.ContainerService/fleets/healthz/poststarthook/crd-informer-synced/read | Reads crd-informer-synced | +> | Microsoft.ContainerService/fleets/healthz/poststarthook/generic-apiserver-start-informers/read | Reads generic-apiserver-start-informers | +> | 
Microsoft.ContainerService/fleets/healthz/poststarthook/kube-apiserver-autoregistration/read | Reads kube-apiserver-autoregistration | +> | Microsoft.ContainerService/fleets/healthz/poststarthook/rbac/bootstrap-roles/read | Reads bootstrap-roles | +> | Microsoft.ContainerService/fleets/healthz/poststarthook/scheduling/bootstrap-system-priority-classes/read | Reads bootstrap-system-priority-classes | +> | Microsoft.ContainerService/fleets/healthz/poststarthook/start-apiextensions-controllers/read | Reads start-apiextensions-controllers | +> | Microsoft.ContainerService/fleets/healthz/poststarthook/start-apiextensions-informers/read | Reads start-apiextensions-informers | +> | Microsoft.ContainerService/fleets/healthz/poststarthook/start-kube-aggregator-informers/read | Reads start-kube-aggregator-informers | +> | Microsoft.ContainerService/fleets/healthz/poststarthook/start-kube-apiserver-admission-initializer/read | Reads start-kube-apiserver-admission-initializer | +> | Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges | +> | Microsoft.ContainerService/fleets/limitranges/write | Writes limitranges | +> | Microsoft.ContainerService/fleets/limitranges/delete | Deletes limitranges | +> | Microsoft.ContainerService/fleets/livez/read | Reads livez | +> | Microsoft.ContainerService/fleets/livez/autoregister-completion/read | Reads autoregister-completion | +> | Microsoft.ContainerService/fleets/livez/etcd/read | Reads etcd | +> | Microsoft.ContainerService/fleets/livez/log/read | Reads log | +> | Microsoft.ContainerService/fleets/livez/ping/read | Reads ping | +> | Microsoft.ContainerService/fleets/livez/poststarthook/apiservice-openapi-controller/read | Reads apiservice-openapi-controller | +> | Microsoft.ContainerService/fleets/livez/poststarthook/apiservice-registration-controller/read | Reads apiservice-registration-controller | +> | Microsoft.ContainerService/fleets/livez/poststarthook/apiservice-status-available-controller/read | Reads 
apiservice-status-available-controller | +> | Microsoft.ContainerService/fleets/livez/poststarthook/bootstrap-controller/read | Reads bootstrap-controller | +> | Microsoft.ContainerService/fleets/livez/poststarthook/ca-registration/read | Reads ca-registration | +> | Microsoft.ContainerService/fleets/livez/poststarthook/crd-informer-synced/read | Reads crd-informer-synced | +> | Microsoft.ContainerService/fleets/livez/poststarthook/generic-apiserver-start-informers/read | Reads generic-apiserver-start-informers | +> | Microsoft.ContainerService/fleets/livez/poststarthook/kube-apiserver-autoregistration/read | Reads kube-apiserver-autoregistration | +> | Microsoft.ContainerService/fleets/livez/poststarthook/rbac/bootstrap-roles/read | Reads bootstrap-roles | +> | Microsoft.ContainerService/fleets/livez/poststarthook/scheduling/bootstrap-system-priority-classes/read | Reads bootstrap-system-priority-classes | +> | Microsoft.ContainerService/fleets/livez/poststarthook/start-apiextensions-controllers/read | Reads start-apiextensions-controllers | +> | Microsoft.ContainerService/fleets/livez/poststarthook/start-apiextensions-informers/read | Reads start-apiextensions-informers | +> | Microsoft.ContainerService/fleets/livez/poststarthook/start-kube-aggregator-informers/read | Reads start-kube-aggregator-informers | +> | Microsoft.ContainerService/fleets/livez/poststarthook/start-kube-apiserver-admission-initializer/read | Reads start-kube-apiserver-admission-initializer | +> | Microsoft.ContainerService/fleets/logs/read | Reads logs | +> | Microsoft.ContainerService/fleets/metrics/read | Reads metrics | +> | Microsoft.ContainerService/fleets/metrics.k8s.io/nodes/read | Reads nodes | +> | Microsoft.ContainerService/fleets/metrics.k8s.io/pods/read | Reads pods | +> | Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces | +> | Microsoft.ContainerService/fleets/namespaces/write | Writes namespaces | +> | Microsoft.ContainerService/fleets/namespaces/delete | 
Deletes namespaces | +> | Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | Reads ingresses | +> | Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write | Writes ingresses | +> | Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/delete | Deletes ingresses | +> | Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | Reads networkpolicies | +> | Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write | Writes networkpolicies | +> | Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/delete | Deletes networkpolicies | +> | Microsoft.ContainerService/fleets/node.k8s.io/runtimeclasses/read | Reads runtimeclasses | +> | Microsoft.ContainerService/fleets/node.k8s.io/runtimeclasses/write | Writes runtimeclasses | +> | Microsoft.ContainerService/fleets/node.k8s.io/runtimeclasses/delete | Deletes runtimeclasses | +> | Microsoft.ContainerService/fleets/nodes/read | Reads nodes | +> | Microsoft.ContainerService/fleets/nodes/write | Writes nodes | +> | Microsoft.ContainerService/fleets/nodes/delete | Deletes nodes | +> | Microsoft.ContainerService/fleets/openapi/v2/read | Reads v2 | +> | Microsoft.ContainerService/fleets/persistentvolumeclaims/read | Reads persistentvolumeclaims | +> | Microsoft.ContainerService/fleets/persistentvolumeclaims/write | Writes persistentvolumeclaims | +> | Microsoft.ContainerService/fleets/persistentvolumeclaims/delete | Deletes persistentvolumeclaims | +> | Microsoft.ContainerService/fleets/persistentvolumes/read | Reads persistentvolumes | +> | Microsoft.ContainerService/fleets/persistentvolumes/write | Writes persistentvolumes | +> | Microsoft.ContainerService/fleets/persistentvolumes/delete | Deletes persistentvolumes | +> | Microsoft.ContainerService/fleets/podtemplates/read | Reads podtemplates | +> | Microsoft.ContainerService/fleets/podtemplates/write | Writes podtemplates | +> | Microsoft.ContainerService/fleets/podtemplates/delete | Deletes 
podtemplates | +> | Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets | +> | Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write | Writes poddisruptionbudgets | +> | Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/delete | Deletes poddisruptionbudgets | +> | Microsoft.ContainerService/fleets/policy/podsecuritypolicies/read | Reads podsecuritypolicies | +> | Microsoft.ContainerService/fleets/policy/podsecuritypolicies/write | Writes podsecuritypolicies | +> | Microsoft.ContainerService/fleets/policy/podsecuritypolicies/delete | Deletes podsecuritypolicies | +> | Microsoft.ContainerService/fleets/policy/podsecuritypolicies/use/action | Use action on podsecuritypolicies | +> | Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/clusterrolebindings/read | Reads clusterrolebindings | +> | Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/clusterrolebindings/write | Writes clusterrolebindings | +> | Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/clusterrolebindings/delete | Deletes clusterrolebindings | +> | Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/clusterroles/read | Reads clusterroles | +> | Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/clusterroles/write | Writes clusterroles | +> | Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/clusterroles/delete | Deletes clusterroles | +> | Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/clusterroles/bind/action | Binds clusterroles | +> | Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/clusterroles/escalate/action | Escalates | +> | Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/read | Reads rolebindings | +> | Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/write | Writes rolebindings | +> | Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/delete | Deletes rolebindings | +> | 
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/read | Reads roles | +> | Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/write | Writes roles | +> | Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/delete | Deletes roles | +> | Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/bind/action | Binds roles | +> | Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/escalate/action | Escalates roles | +> | Microsoft.ContainerService/fleets/readyz/read | Reads readyz | +> | Microsoft.ContainerService/fleets/readyz/autoregister-completion/read | Reads autoregister-completion | +> | Microsoft.ContainerService/fleets/readyz/etcd/read | Reads etcd | +> | Microsoft.ContainerService/fleets/readyz/log/read | Reads log | +> | Microsoft.ContainerService/fleets/readyz/ping/read | Reads ping | +> | Microsoft.ContainerService/fleets/readyz/poststarthook/apiservice-openapi-controller/read | Reads apiservice-openapi-controller | +> | Microsoft.ContainerService/fleets/readyz/poststarthook/apiservice-registration-controller/read | Reads apiservice-registration-controller | +> | Microsoft.ContainerService/fleets/readyz/poststarthook/apiservice-status-available-controller/read | Reads apiservice-status-available-controller | +> | Microsoft.ContainerService/fleets/readyz/poststarthook/bootstrap-controller/read | Reads bootstrap-controller | +> | Microsoft.ContainerService/fleets/readyz/poststarthook/ca-registration/read | Reads ca-registration | +> | Microsoft.ContainerService/fleets/readyz/poststarthook/crd-informer-synced/read | Reads crd-informer-synced | +> | Microsoft.ContainerService/fleets/readyz/poststarthook/generic-apiserver-start-informers/read | Reads generic-apiserver-start-informers | +> | Microsoft.ContainerService/fleets/readyz/poststarthook/kube-apiserver-autoregistration/read | Reads kube-apiserver-autoregistration | +> | 
Microsoft.ContainerService/fleets/readyz/poststarthook/rbac/bootstrap-roles/read | Reads bootstrap-roles | +> | Microsoft.ContainerService/fleets/readyz/poststarthook/scheduling/bootstrap-system-priority-classes/read | Reads bootstrap-system-priority-classes | +> | Microsoft.ContainerService/fleets/readyz/poststarthook/start-apiextensions-controllers/read | Reads start-apiextensions-controllers | +> | Microsoft.ContainerService/fleets/readyz/poststarthook/start-apiextensions-informers/read | Reads start-apiextensions-informers | +> | Microsoft.ContainerService/fleets/readyz/poststarthook/start-kube-aggregator-informers/read | Reads start-kube-aggregator-informers | +> | Microsoft.ContainerService/fleets/readyz/poststarthook/start-kube-apiserver-admission-initializer/read | Reads start-kube-apiserver-admission-initializer | +> | Microsoft.ContainerService/fleets/readyz/shutdown/read | Reads shutdown | +> | Microsoft.ContainerService/fleets/replicationcontrollers/read | Reads replicationcontrollers | +> | Microsoft.ContainerService/fleets/replicationcontrollers/write | Writes replicationcontrollers | +> | Microsoft.ContainerService/fleets/replicationcontrollers/delete | Deletes replicationcontrollers | +> | Microsoft.ContainerService/fleets/resetMetrics/read | Reads resetMetrics | +> | Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas | +> | Microsoft.ContainerService/fleets/resourcequotas/write | Writes resourcequotas | +> | Microsoft.ContainerService/fleets/resourcequotas/delete | Deletes resourcequotas | +> | Microsoft.ContainerService/fleets/scheduling.k8s.io/priorityclasses/read | Reads priorityclasses | +> | Microsoft.ContainerService/fleets/scheduling.k8s.io/priorityclasses/write | Writes priorityclasses | +> | Microsoft.ContainerService/fleets/scheduling.k8s.io/priorityclasses/delete | Deletes priorityclasses | +> | Microsoft.ContainerService/fleets/secrets/read | Reads secrets | +> | Microsoft.ContainerService/fleets/secrets/write 
| Writes secrets | +> | Microsoft.ContainerService/fleets/secrets/delete | Deletes secrets | +> | Microsoft.ContainerService/fleets/serviceaccounts/read | Reads serviceaccounts | +> | Microsoft.ContainerService/fleets/serviceaccounts/write | Writes serviceaccounts | +> | Microsoft.ContainerService/fleets/serviceaccounts/delete | Deletes serviceaccounts | +> | Microsoft.ContainerService/fleets/serviceaccounts/impersonate/action | Impersonate serviceaccounts | +> | Microsoft.ContainerService/fleets/services/read | Reads services | +> | Microsoft.ContainerService/fleets/services/write | Writes services | +> | Microsoft.ContainerService/fleets/services/delete | Deletes services | +> | Microsoft.ContainerService/fleets/storage.k8s.io/csidrivers/read | Reads csidrivers | +> | Microsoft.ContainerService/fleets/storage.k8s.io/csidrivers/write | Writes csidrivers | +> | Microsoft.ContainerService/fleets/storage.k8s.io/csidrivers/delete | Deletes csidrivers | +> | Microsoft.ContainerService/fleets/storage.k8s.io/csinodes/read | Reads csinodes | +> | Microsoft.ContainerService/fleets/storage.k8s.io/csinodes/write | Writes csinodes | +> | Microsoft.ContainerService/fleets/storage.k8s.io/csinodes/delete | Deletes csinodes | +> | Microsoft.ContainerService/fleets/storage.k8s.io/storageclasses/read | Reads storageclasses | +> | Microsoft.ContainerService/fleets/storage.k8s.io/storageclasses/write | Writes storageclasses | +> | Microsoft.ContainerService/fleets/storage.k8s.io/storageclasses/delete | Deletes storageclasses | +> | Microsoft.ContainerService/fleets/storage.k8s.io/volumeattachments/read | Reads volumeattachments | +> | Microsoft.ContainerService/fleets/storage.k8s.io/volumeattachments/write | Writes volumeattachments | +> | Microsoft.ContainerService/fleets/storage.k8s.io/volumeattachments/delete | Deletes volumeattachments | +> | Microsoft.ContainerService/fleets/swagger-api/read | Reads swagger-api | +> | Microsoft.ContainerService/fleets/swagger-ui/read | Reads 
swagger-ui | +> | Microsoft.ContainerService/fleets/ui/read | Reads ui | +> | Microsoft.ContainerService/fleets/users/impersonate/action | Impersonate users | +> | Microsoft.ContainerService/fleets/version/read | Reads version | +> | Microsoft.ContainerService/managedClusters/admissionregistration.k8s.io/initializerconfigurations/read | Reads initializerconfigurations | +> | Microsoft.ContainerService/managedClusters/admissionregistration.k8s.io/initializerconfigurations/write | Writes initializerconfigurations | +> | Microsoft.ContainerService/managedClusters/admissionregistration.k8s.io/initializerconfigurations/delete | Deletes/DeletesCollection initializerconfigurations resource | +> | Microsoft.ContainerService/managedClusters/admissionregistration.k8s.io/mutatingwebhookconfigurations/read | Reads mutatingwebhookconfigurations | +> | Microsoft.ContainerService/managedClusters/admissionregistration.k8s.io/mutatingwebhookconfigurations/write | Writes mutatingwebhookconfigurations | +> | Microsoft.ContainerService/managedClusters/admissionregistration.k8s.io/mutatingwebhookconfigurations/delete | Deletes mutatingwebhookconfigurations | +> | Microsoft.ContainerService/managedClusters/admissionregistration.k8s.io/validatingwebhookconfigurations/read | Reads validatingwebhookconfigurations | +> | Microsoft.ContainerService/managedClusters/admissionregistration.k8s.io/validatingwebhookconfigurations/write | Writes validatingwebhookconfigurations | +> | Microsoft.ContainerService/managedClusters/admissionregistration.k8s.io/validatingwebhookconfigurations/delete | Deletes validatingwebhookconfigurations | +> | Microsoft.ContainerService/managedClusters/api/read | Reads api | +> | Microsoft.ContainerService/managedClusters/api/v1/read | Reads api/v1 | +> | Microsoft.ContainerService/managedClusters/apiextensions.k8s.io/customresourcedefinitions/read | Reads customresourcedefinitions | +> | 
Microsoft.ContainerService/managedClusters/apiextensions.k8s.io/customresourcedefinitions/write | Writes customresourcedefinitions | +> | Microsoft.ContainerService/managedClusters/apiextensions.k8s.io/customresourcedefinitions/delete | Deletes customresourcedefinitions | +> | Microsoft.ContainerService/managedClusters/apiregistration.k8s.io/apiservices/read | Reads apiservices | +> | Microsoft.ContainerService/managedClusters/apiregistration.k8s.io/apiservices/write | Writes apiservices | +> | Microsoft.ContainerService/managedClusters/apiregistration.k8s.io/apiservices/delete | Deletes apiservices | +> | Microsoft.ContainerService/managedClusters/apis/read | Reads apis | +> | Microsoft.ContainerService/managedClusters/apis/admissionregistration.k8s.io/read | Reads admissionregistration.k8s.io | +> | Microsoft.ContainerService/managedClusters/apis/admissionregistration.k8s.io/v1/read | Reads admissionregistration.k8s.io/v1 | +> | Microsoft.ContainerService/managedClusters/apis/admissionregistration.k8s.io/v1beta1/read | Reads admissionregistration.k8s.io/v1beta1 | +> | Microsoft.ContainerService/managedClusters/apis/apiextensions.k8s.io/read | Reads apiextensions.k8s.io | +> | Microsoft.ContainerService/managedClusters/apis/apiextensions.k8s.io/v1/read | Reads apiextensions.k8s.io/v1 | +> | Microsoft.ContainerService/managedClusters/apis/apiextensions.k8s.io/v1beta1/read | Reads apiextensions.k8s.io/v1beta1 | +> | Microsoft.ContainerService/managedClusters/apis/apiregistration.k8s.io/read | Reads apiregistration.k8s.io | +> | Microsoft.ContainerService/managedClusters/apis/apiregistration.k8s.io/v1/read | Reads apiregistration.k8s.io/v1 | +> | Microsoft.ContainerService/managedClusters/apis/apiregistration.k8s.io/v1beta1/read | Reads apiregistration.k8s.io/v1beta1 | +> | Microsoft.ContainerService/managedClusters/apis/apps/read | Reads apps | +> | Microsoft.ContainerService/managedClusters/apis/apps/v1/read | Reads apps/v1 | +> | 
Microsoft.ContainerService/managedClusters/apis/apps/v1beta1/read | Reads apps/v1beta1 | +> | Microsoft.ContainerService/managedClusters/apis/apps/v1beta2/read | Reads apps/v1beta2 | +> | Microsoft.ContainerService/managedClusters/apis/authentication.k8s.io/read | Reads authentication.k8s.io | +> | Microsoft.ContainerService/managedClusters/apis/authentication.k8s.io/v1/read | Reads authentication.k8s.io/v1 | +> | Microsoft.ContainerService/managedClusters/apis/authentication.k8s.io/v1beta1/read | Reads authentication.k8s.io/v1beta1 | +> | Microsoft.ContainerService/managedClusters/apis/authorization.k8s.io/read | Reads authorization.k8s.io | +> | Microsoft.ContainerService/managedClusters/apis/authorization.k8s.io/v1/read | Reads authorization.k8s.io/v1 | +> | Microsoft.ContainerService/managedClusters/apis/authorization.k8s.io/v1beta1/read | Reads authorization.k8s.io/v1beta1 | +> | Microsoft.ContainerService/managedClusters/apis/autoscaling/read | Reads autoscaling | +> | Microsoft.ContainerService/managedClusters/apis/autoscaling/v1/read | Reads autoscaling/v1 | +> | Microsoft.ContainerService/managedClusters/apis/autoscaling/v2beta1/read | Reads autoscaling/v2beta1 | +> | Microsoft.ContainerService/managedClusters/apis/autoscaling/v2beta2/read | Reads autoscaling/v2beta2 | +> | Microsoft.ContainerService/managedClusters/apis/batch/read | Reads batch | +> | Microsoft.ContainerService/managedClusters/apis/batch/v1/read | Reads batch/v1 | +> | Microsoft.ContainerService/managedClusters/apis/batch/v1beta1/read | Reads batch/v1beta1 | +> | Microsoft.ContainerService/managedClusters/apis/certificates.k8s.io/read | Reads certificates.k8s.io | +> | Microsoft.ContainerService/managedClusters/apis/certificates.k8s.io/v1beta1/read | Reads certificates.k8s.io/v1beta1 | +> | Microsoft.ContainerService/managedClusters/apis/coordination.k8s.io/read | Reads coordination.k8s.io | +> | Microsoft.ContainerService/managedClusters/apis/coordination.k8s.io/v1/read | Reads 
coordination/v1 | +> | Microsoft.ContainerService/managedClusters/apis/coordination.k8s.io/v1beta1/read | Reads coordination.k8s.io/v1beta1 | +> | Microsoft.ContainerService/managedClusters/apis/events.k8s.io/read | Reads events.k8s.io | +> | Microsoft.ContainerService/managedClusters/apis/events.k8s.io/v1beta1/read | Reads events.k8s.io/v1beta1 | +> | Microsoft.ContainerService/managedClusters/apis/extensions/read | Reads extensions | +> | Microsoft.ContainerService/managedClusters/apis/extensions/v1beta1/read | Reads extensions/v1beta1 | +> | Microsoft.ContainerService/managedClusters/apis/metrics.k8s.io/read | Reads metrics.k8s.io | +> | Microsoft.ContainerService/managedClusters/apis/metrics.k8s.io/v1beta1/read | Reads metrics.k8s.io/v1beta1 | +> | Microsoft.ContainerService/managedClusters/apis/networking.k8s.io/read | Reads networking.k8s.io | +> | Microsoft.ContainerService/managedClusters/apis/networking.k8s.io/v1/read | Reads networking/v1 | +> | Microsoft.ContainerService/managedClusters/apis/networking.k8s.io/v1beta1/read | Reads networking.k8s.io/v1beta1 | +> | Microsoft.ContainerService/managedClusters/apis/node.k8s.io/read | Reads node.k8s.io | +> | Microsoft.ContainerService/managedClusters/apis/node.k8s.io/v1beta1/read | Reads node.k8s.io/v1beta1 | +> | Microsoft.ContainerService/managedClusters/apis/policy/read | Reads policy | +> | Microsoft.ContainerService/managedClusters/apis/policy/v1beta1/read | Reads policy/v1beta1 | +> | Microsoft.ContainerService/managedClusters/apis/rbac.authorization.k8s.io/read | Reads rbac.authorization.k8s.io | +> | Microsoft.ContainerService/managedClusters/apis/rbac.authorization.k8s.io/v1/read | Reads rbac.authorization/v1 | +> | Microsoft.ContainerService/managedClusters/apis/rbac.authorization.k8s.io/v1beta1/read | Reads rbac.authorization.k8s.io/v1beta1 | +> | Microsoft.ContainerService/managedClusters/apis/scheduling.k8s.io/read | Reads scheduling.k8s.io | +> | 
Microsoft.ContainerService/managedClusters/apis/scheduling.k8s.io/v1/read | Reads scheduling/v1 | +> | Microsoft.ContainerService/managedClusters/apis/scheduling.k8s.io/v1beta1/read | Reads scheduling.k8s.io/v1beta1 | +> | Microsoft.ContainerService/managedClusters/apis/storage.k8s.io/read | Reads storage.k8s.io | +> | Microsoft.ContainerService/managedClusters/apis/storage.k8s.io/v1/read | Reads storage/v1 | +> | Microsoft.ContainerService/managedClusters/apis/storage.k8s.io/v1beta1/read | Reads storage.k8s.io/v1beta1 | +> | Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions | +> | Microsoft.ContainerService/managedClusters/apps/controllerrevisions/write | Writes controllerrevisions | +> | Microsoft.ContainerService/managedClusters/apps/controllerrevisions/delete | Deletes controllerrevisions | +> | Microsoft.ContainerService/managedClusters/apps/daemonsets/read | Reads daemonsets | +> | Microsoft.ContainerService/managedClusters/apps/daemonsets/write | Writes daemonsets | +> | Microsoft.ContainerService/managedClusters/apps/daemonsets/delete | Deletes daemonsets | +> | Microsoft.ContainerService/managedClusters/apps/deployments/read | Reads deployments | +> | Microsoft.ContainerService/managedClusters/apps/deployments/write | Writes deployments | +> | Microsoft.ContainerService/managedClusters/apps/deployments/delete | Deletes deployments | +> | Microsoft.ContainerService/managedClusters/apps/replicasets/read | Reads replicasets | +> | Microsoft.ContainerService/managedClusters/apps/replicasets/write | Writes replicasets | +> | Microsoft.ContainerService/managedClusters/apps/replicasets/delete | Deletes replicasets | +> | Microsoft.ContainerService/managedClusters/apps/statefulsets/read | Reads statefulsets | +> | Microsoft.ContainerService/managedClusters/apps/statefulsets/write | Writes statefulsets | +> | Microsoft.ContainerService/managedClusters/apps/statefulsets/delete | Deletes statefulsets | +> | 
Microsoft.ContainerService/managedClusters/authentication.k8s.io/tokenreviews/write | Writes tokenreviews | +> | Microsoft.ContainerService/managedClusters/authentication.k8s.io/userextras/impersonate/action | Impersonate userextras | +> | Microsoft.ContainerService/managedClusters/authorization.k8s.io/localsubjectaccessreviews/write | Writes localsubjectaccessreviews | +> | Microsoft.ContainerService/managedClusters/authorization.k8s.io/selfsubjectaccessreviews/write | Writes selfsubjectaccessreviews | +> | Microsoft.ContainerService/managedClusters/authorization.k8s.io/selfsubjectrulesreviews/write | Writes selfsubjectrulesreviews | +> | Microsoft.ContainerService/managedClusters/authorization.k8s.io/subjectaccessreviews/write | Writes subjectaccessreviews | +> | Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers | +> | Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/write | Writes horizontalpodautoscalers | +> | Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/delete | Deletes horizontalpodautoscalers | +> | Microsoft.ContainerService/managedClusters/batch/cronjobs/read | Reads cronjobs | +> | Microsoft.ContainerService/managedClusters/batch/cronjobs/write | Writes cronjobs | +> | Microsoft.ContainerService/managedClusters/batch/cronjobs/delete | Deletes cronjobs | +> | Microsoft.ContainerService/managedClusters/batch/jobs/read | Reads jobs | +> | Microsoft.ContainerService/managedClusters/batch/jobs/write | Writes jobs | +> | Microsoft.ContainerService/managedClusters/batch/jobs/delete | Deletes jobs | +> | Microsoft.ContainerService/managedClusters/bindings/write | Writes bindings | +> | Microsoft.ContainerService/managedClusters/certificates.k8s.io/certificatesigningrequests/read | Reads certificatesigningrequests | +> | Microsoft.ContainerService/managedClusters/certificates.k8s.io/certificatesigningrequests/write | Writes 
certificatesigningrequests | +> | Microsoft.ContainerService/managedClusters/certificates.k8s.io/certificatesigningrequests/delete | Deletes certificatesigningrequests | +> | Microsoft.ContainerService/managedClusters/componentstatuses/read | Reads componentstatuses | +> | Microsoft.ContainerService/managedClusters/componentstatuses/write | Writes componentstatuses | +> | Microsoft.ContainerService/managedClusters/componentstatuses/delete | Deletes componentstatuses | +> | Microsoft.ContainerService/managedClusters/configmaps/read | Reads configmaps | +> | Microsoft.ContainerService/managedClusters/configmaps/write | Writes configmaps | +> | Microsoft.ContainerService/managedClusters/configmaps/delete | Deletes configmaps | +> | Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read | Reads leases | +> | Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write | Writes leases | +> | Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete | Deletes leases | +> | Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Reads endpointslices | +> | Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/write | Writes endpointslices | +> | Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/delete | Deletes endpointslices | +> | Microsoft.ContainerService/managedClusters/endpoints/read | Reads endpoints | +> | Microsoft.ContainerService/managedClusters/endpoints/write | Writes endpoints | +> | Microsoft.ContainerService/managedClusters/endpoints/delete | Deletes endpoints | +> | Microsoft.ContainerService/managedClusters/events/read | Reads events | +> | Microsoft.ContainerService/managedClusters/events/write | Writes events | +> | Microsoft.ContainerService/managedClusters/events/delete | Deletes events | +> | Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Reads events | +> | 
Microsoft.ContainerService/managedClusters/events.k8s.io/events/write | Writes events | +> | Microsoft.ContainerService/managedClusters/events.k8s.io/events/delete | Deletes events | +> | Microsoft.ContainerService/managedClusters/extensions/daemonsets/read | Reads daemonsets | +> | Microsoft.ContainerService/managedClusters/extensions/daemonsets/write | Writes daemonsets | +> | Microsoft.ContainerService/managedClusters/extensions/daemonsets/delete | Deletes daemonsets | +> | Microsoft.ContainerService/managedClusters/extensions/deployments/read | Reads deployments | +> | Microsoft.ContainerService/managedClusters/extensions/deployments/write | Writes deployments | +> | Microsoft.ContainerService/managedClusters/extensions/deployments/delete | Deletes deployments | +> | Microsoft.ContainerService/managedClusters/extensions/ingresses/read | Reads ingresses | +> | Microsoft.ContainerService/managedClusters/extensions/ingresses/write | Writes ingresses | +> | Microsoft.ContainerService/managedClusters/extensions/ingresses/delete | Deletes ingresses | +> | Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read | Reads networkpolicies | +> | Microsoft.ContainerService/managedClusters/extensions/networkpolicies/write | Writes networkpolicies | +> | Microsoft.ContainerService/managedClusters/extensions/networkpolicies/delete | Deletes networkpolicies | +> | Microsoft.ContainerService/managedClusters/extensions/podsecuritypolicies/read | Reads podsecuritypolicies | +> | Microsoft.ContainerService/managedClusters/extensions/podsecuritypolicies/write | Writes podsecuritypolicies | +> | Microsoft.ContainerService/managedClusters/extensions/podsecuritypolicies/delete | Deletes podsecuritypolicies | +> | Microsoft.ContainerService/managedClusters/extensions/replicasets/read | Reads replicasets | +> | Microsoft.ContainerService/managedClusters/extensions/replicasets/write | Writes replicasets | +> | 
Microsoft.ContainerService/managedClusters/extensions/replicasets/delete | Deletes replicasets | +> | Microsoft.ContainerService/managedClusters/flowcontrol.apiserver.k8s.io/flowschemas/read | Reads flowschemas | +> | Microsoft.ContainerService/managedClusters/flowcontrol.apiserver.k8s.io/flowschemas/write | Writes flowschemas | +> | Microsoft.ContainerService/managedClusters/flowcontrol.apiserver.k8s.io/flowschemas/delete | Deletes flowschemas | +> | Microsoft.ContainerService/managedClusters/flowcontrol.apiserver.k8s.io/prioritylevelconfigurations/read | Reads prioritylevelconfigurations | +> | Microsoft.ContainerService/managedClusters/flowcontrol.apiserver.k8s.io/prioritylevelconfigurations/write | Writes prioritylevelconfigurations | +> | Microsoft.ContainerService/managedClusters/flowcontrol.apiserver.k8s.io/prioritylevelconfigurations/delete | Deletes prioritylevelconfigurations | +> | Microsoft.ContainerService/managedClusters/groups/impersonate/action | Impersonate groups | +> | Microsoft.ContainerService/managedClusters/healthz/read | Reads healthz | +> | Microsoft.ContainerService/managedClusters/healthz/autoregister-completion/read | Reads autoregister-completion | +> | Microsoft.ContainerService/managedClusters/healthz/etcd/read | Reads etcd | +> | Microsoft.ContainerService/managedClusters/healthz/log/read | Reads log | +> | Microsoft.ContainerService/managedClusters/healthz/ping/read | Reads ping | +> | Microsoft.ContainerService/managedClusters/healthz/poststarthook/apiservice-openapi-controller/read | Reads apiservice-openapi-controller | +> | Microsoft.ContainerService/managedClusters/healthz/poststarthook/apiservice-registration-controller/read | Reads apiservice-registration-controller | +> | Microsoft.ContainerService/managedClusters/healthz/poststarthook/apiservice-status-available-controller/read | Reads apiservice-status-available-controller | +> | Microsoft.ContainerService/managedClusters/healthz/poststarthook/bootstrap-controller/read | 
Reads bootstrap-controller | +> | Microsoft.ContainerService/managedClusters/healthz/poststarthook/ca-registration/read | Reads ca-registration | +> | Microsoft.ContainerService/managedClusters/healthz/poststarthook/crd-informer-synced/read | Reads crd-informer-synced | +> | Microsoft.ContainerService/managedClusters/healthz/poststarthook/generic-apiserver-start-informers/read | Reads generic-apiserver-start-informers | +> | Microsoft.ContainerService/managedClusters/healthz/poststarthook/kube-apiserver-autoregistration/read | Reads kube-apiserver-autoregistration | +> | Microsoft.ContainerService/managedClusters/healthz/poststarthook/rbac/bootstrap-roles/read | Reads bootstrap-roles | +> | Microsoft.ContainerService/managedClusters/healthz/poststarthook/scheduling/bootstrap-system-priority-classes/read | Reads bootstrap-system-priority-classes | +> | Microsoft.ContainerService/managedClusters/healthz/poststarthook/start-apiextensions-controllers/read | Reads start-apiextensions-controllers | +> | Microsoft.ContainerService/managedClusters/healthz/poststarthook/start-apiextensions-informers/read | Reads start-apiextensions-informers | +> | Microsoft.ContainerService/managedClusters/healthz/poststarthook/start-kube-aggregator-informers/read | Reads start-kube-aggregator-informers | +> | Microsoft.ContainerService/managedClusters/healthz/poststarthook/start-kube-apiserver-admission-initializer/read | Reads start-kube-apiserver-admission-initializer | +> | Microsoft.ContainerService/managedClusters/limitranges/read | Reads limitranges | +> | Microsoft.ContainerService/managedClusters/limitranges/write | Writes limitranges | +> | Microsoft.ContainerService/managedClusters/limitranges/delete | Deletes limitranges | +> | Microsoft.ContainerService/managedClusters/livez/read | Reads livez | +> | Microsoft.ContainerService/managedClusters/livez/autoregister-completion/read | Reads autoregister-completion | +> | Microsoft.ContainerService/managedClusters/livez/etcd/read | 
Reads etcd | +> | Microsoft.ContainerService/managedClusters/livez/log/read | Reads log | +> | Microsoft.ContainerService/managedClusters/livez/ping/read | Reads ping | +> | Microsoft.ContainerService/managedClusters/livez/poststarthook/apiservice-openapi-controller/read | Reads apiservice-openapi-controller | +> | Microsoft.ContainerService/managedClusters/livez/poststarthook/apiservice-registration-controller/read | Reads apiservice-registration-controller | +> | Microsoft.ContainerService/managedClusters/livez/poststarthook/apiservice-status-available-controller/read | Reads apiservice-status-available-controller | +> | Microsoft.ContainerService/managedClusters/livez/poststarthook/bootstrap-controller/read | Reads bootstrap-controller | +> | Microsoft.ContainerService/managedClusters/livez/poststarthook/ca-registration/read | Reads ca-registration | +> | Microsoft.ContainerService/managedClusters/livez/poststarthook/crd-informer-synced/read | Reads crd-informer-synced | +> | Microsoft.ContainerService/managedClusters/livez/poststarthook/generic-apiserver-start-informers/read | Reads generic-apiserver-start-informers | +> | Microsoft.ContainerService/managedClusters/livez/poststarthook/kube-apiserver-autoregistration/read | Reads kube-apiserver-autoregistration | +> | Microsoft.ContainerService/managedClusters/livez/poststarthook/rbac/bootstrap-roles/read | Reads bootstrap-roles | +> | Microsoft.ContainerService/managedClusters/livez/poststarthook/scheduling/bootstrap-system-priority-classes/read | Reads bootstrap-system-priority-classes | +> | Microsoft.ContainerService/managedClusters/livez/poststarthook/start-apiextensions-controllers/read | Reads start-apiextensions-controllers | +> | Microsoft.ContainerService/managedClusters/livez/poststarthook/start-apiextensions-informers/read | Reads start-apiextensions-informers | +> | Microsoft.ContainerService/managedClusters/livez/poststarthook/start-kube-aggregator-informers/read | Reads 
start-kube-aggregator-informers | +> | Microsoft.ContainerService/managedClusters/livez/poststarthook/start-kube-apiserver-admission-initializer/read | Reads start-kube-apiserver-admission-initializer | +> | Microsoft.ContainerService/managedClusters/logs/read | Reads logs | +> | Microsoft.ContainerService/managedClusters/metrics/read | Reads metrics | +> | Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Reads nodes | +> | Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Reads pods | +> | Microsoft.ContainerService/managedClusters/namespaces/read | Reads namespaces | +> | Microsoft.ContainerService/managedClusters/namespaces/write | Writes namespaces | +> | Microsoft.ContainerService/managedClusters/namespaces/delete | Deletes namespaces | +> | Microsoft.ContainerService/managedClusters/networking.k8s.io/ingressclasses/read | Reads ingressclasses | +> | Microsoft.ContainerService/managedClusters/networking.k8s.io/ingressclasses/write | Writes ingressclasses | +> | Microsoft.ContainerService/managedClusters/networking.k8s.io/ingressclasses/delete | Deletes ingressclasses | +> | Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read | Reads ingresses | +> | Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/write | Writes ingresses | +> | Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/delete | Deletes ingresses | +> | Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read | Reads networkpolicies | +> | Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/write | Writes networkpolicies | +> | Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/delete | Deletes networkpolicies | +> | Microsoft.ContainerService/managedClusters/node.k8s.io/runtimeclasses/read | Reads runtimeclasses | +> | Microsoft.ContainerService/managedClusters/node.k8s.io/runtimeclasses/write | Writes runtimeclasses | 
+> | Microsoft.ContainerService/managedClusters/node.k8s.io/runtimeclasses/delete | Deletes runtimeclasses | +> | Microsoft.ContainerService/managedClusters/nodes/read | Reads nodes | +> | Microsoft.ContainerService/managedClusters/nodes/write | Writes nodes | +> | Microsoft.ContainerService/managedClusters/nodes/delete | Deletes nodes | +> | Microsoft.ContainerService/managedClusters/openapi/v2/read | Reads v2 | +> | Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read | Reads persistentvolumeclaims | +> | Microsoft.ContainerService/managedClusters/persistentvolumeclaims/write | Writes persistentvolumeclaims | +> | Microsoft.ContainerService/managedClusters/persistentvolumeclaims/delete | Deletes persistentvolumeclaims | +> | Microsoft.ContainerService/managedClusters/persistentvolumes/read | Reads persistentvolumes | +> | Microsoft.ContainerService/managedClusters/persistentvolumes/write | Writes persistentvolumes | +> | Microsoft.ContainerService/managedClusters/persistentvolumes/delete | Deletes persistentvolumes | +> | Microsoft.ContainerService/managedClusters/pods/read | Reads pods | +> | Microsoft.ContainerService/managedClusters/pods/write | Writes pods | +> | Microsoft.ContainerService/managedClusters/pods/delete | Deletes pods | +> | Microsoft.ContainerService/managedClusters/pods/exec/action | Exec into pods resource | +> | Microsoft.ContainerService/managedClusters/podtemplates/read | Reads podtemplates | +> | Microsoft.ContainerService/managedClusters/podtemplates/write | Writes podtemplates | +> | Microsoft.ContainerService/managedClusters/podtemplates/delete | Deletes podtemplates | +> | Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets | +> | Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/write | Writes poddisruptionbudgets | +> | Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/delete | Deletes poddisruptionbudgets | +> | 
Microsoft.ContainerService/managedClusters/policy/podsecuritypolicies/read | Reads podsecuritypolicies | +> | Microsoft.ContainerService/managedClusters/policy/podsecuritypolicies/write | Writes podsecuritypolicies | +> | Microsoft.ContainerService/managedClusters/policy/podsecuritypolicies/delete | Deletes podsecuritypolicies | +> | Microsoft.ContainerService/managedClusters/policy/podsecuritypolicies/use/action | Use action on podsecuritypolicies | +> | Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterrolebindings/read | Reads clusterrolebindings | +> | Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterrolebindings/write | Writes clusterrolebindings | +> | Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterrolebindings/delete | Deletes clusterrolebindings | +> | Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterroles/read | Reads clusterroles | +> | Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterroles/write | Writes clusterroles | +> | Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterroles/delete | Deletes clusterroles | +> | Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterroles/bind/action | Binds clusterroles | +> | Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterroles/escalate/action | Escalates | +> | Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/rolebindings/read | Reads rolebindings | +> | Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/rolebindings/write | Writes rolebindings | +> | Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/rolebindings/delete | Deletes rolebindings | +> | Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/roles/read | Reads roles | +> | Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/roles/write | Writes roles | +> | 
Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/roles/delete | Deletes roles | +> | Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/roles/bind/action | Binds roles | +> | Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/roles/escalate/action | Escalates roles | +> | Microsoft.ContainerService/managedClusters/readyz/read | Reads readyz | +> | Microsoft.ContainerService/managedClusters/readyz/autoregister-completion/read | Reads autoregister-completion | +> | Microsoft.ContainerService/managedClusters/readyz/etcd/read | Reads etcd | +> | Microsoft.ContainerService/managedClusters/readyz/log/read | Reads log | +> | Microsoft.ContainerService/managedClusters/readyz/ping/read | Reads ping | +> | Microsoft.ContainerService/managedClusters/readyz/poststarthook/apiservice-openapi-controller/read | Reads apiservice-openapi-controller | +> | Microsoft.ContainerService/managedClusters/readyz/poststarthook/apiservice-registration-controller/read | Reads apiservice-registration-controller | +> | Microsoft.ContainerService/managedClusters/readyz/poststarthook/apiservice-status-available-controller/read | Reads apiservice-status-available-controller | +> | Microsoft.ContainerService/managedClusters/readyz/poststarthook/bootstrap-controller/read | Reads bootstrap-controller | +> | Microsoft.ContainerService/managedClusters/readyz/poststarthook/ca-registration/read | Reads ca-registration | +> | Microsoft.ContainerService/managedClusters/readyz/poststarthook/crd-informer-synced/read | Reads crd-informer-synced | +> | Microsoft.ContainerService/managedClusters/readyz/poststarthook/generic-apiserver-start-informers/read | Reads generic-apiserver-start-informers | +> | Microsoft.ContainerService/managedClusters/readyz/poststarthook/kube-apiserver-autoregistration/read | Reads kube-apiserver-autoregistration | +> | Microsoft.ContainerService/managedClusters/readyz/poststarthook/rbac/bootstrap-roles/read | Reads 
bootstrap-roles | +> | Microsoft.ContainerService/managedClusters/readyz/poststarthook/scheduling/bootstrap-system-priority-classes/read | Reads bootstrap-system-priority-classes | +> | Microsoft.ContainerService/managedClusters/readyz/poststarthook/start-apiextensions-controllers/read | Reads start-apiextensions-controllers | +> | Microsoft.ContainerService/managedClusters/readyz/poststarthook/start-apiextensions-informers/read | Reads start-apiextensions-informers | +> | Microsoft.ContainerService/managedClusters/readyz/poststarthook/start-kube-aggregator-informers/read | Reads start-kube-aggregator-informers | +> | Microsoft.ContainerService/managedClusters/readyz/poststarthook/start-kube-apiserver-admission-initializer/read | Reads start-kube-apiserver-admission-initializer | +> | Microsoft.ContainerService/managedClusters/readyz/shutdown/read | Reads shutdown | +> | Microsoft.ContainerService/managedClusters/replicationcontrollers/read | Reads replicationcontrollers | +> | Microsoft.ContainerService/managedClusters/replicationcontrollers/write | Writes replicationcontrollers | +> | Microsoft.ContainerService/managedClusters/replicationcontrollers/delete | Deletes replicationcontrollers | +> | Microsoft.ContainerService/managedClusters/resetMetrics/read | Reads resetMetrics | +> | Microsoft.ContainerService/managedClusters/resourcequotas/read | Reads resourcequotas | +> | Microsoft.ContainerService/managedClusters/resourcequotas/write | Writes resourcequotas | +> | Microsoft.ContainerService/managedClusters/resourcequotas/delete | Deletes resourcequotas | +> | Microsoft.ContainerService/managedClusters/scheduling.k8s.io/priorityclasses/read | Reads priorityclasses | +> | Microsoft.ContainerService/managedClusters/scheduling.k8s.io/priorityclasses/write | Writes priorityclasses | +> | Microsoft.ContainerService/managedClusters/scheduling.k8s.io/priorityclasses/delete | Deletes priorityclasses | +> | Microsoft.ContainerService/managedClusters/secrets/read | Reads 
secrets | +> | Microsoft.ContainerService/managedClusters/secrets/write | Writes secrets | +> | Microsoft.ContainerService/managedClusters/secrets/delete | Deletes secrets | +> | Microsoft.ContainerService/managedClusters/serviceaccounts/read | Reads serviceaccounts | +> | Microsoft.ContainerService/managedClusters/serviceaccounts/write | Writes serviceaccounts | +> | Microsoft.ContainerService/managedClusters/serviceaccounts/delete | Deletes serviceaccounts | +> | Microsoft.ContainerService/managedClusters/serviceaccounts/impersonate/action | Impersonate serviceaccounts | +> | Microsoft.ContainerService/managedClusters/services/read | Reads services | +> | Microsoft.ContainerService/managedClusters/services/write | Writes services | +> | Microsoft.ContainerService/managedClusters/services/delete | Deletes services | +> | Microsoft.ContainerService/managedClusters/storage.k8s.io/csidrivers/read | Reads csidrivers | +> | Microsoft.ContainerService/managedClusters/storage.k8s.io/csidrivers/write | Writes csidrivers | +> | Microsoft.ContainerService/managedClusters/storage.k8s.io/csidrivers/delete | Deletes csidrivers | +> | Microsoft.ContainerService/managedClusters/storage.k8s.io/csinodes/read | Reads csinodes | +> | Microsoft.ContainerService/managedClusters/storage.k8s.io/csinodes/write | Writes csinodes | +> | Microsoft.ContainerService/managedClusters/storage.k8s.io/csinodes/delete | Deletes csinodes | +> | Microsoft.ContainerService/managedClusters/storage.k8s.io/csistoragecapacities/read | Reads csistoragecapacities | +> | Microsoft.ContainerService/managedClusters/storage.k8s.io/csistoragecapacities/write | Writes csistoragecapacities | +> | Microsoft.ContainerService/managedClusters/storage.k8s.io/csistoragecapacities/delete | Deletes csistoragecapacities | +> | Microsoft.ContainerService/managedClusters/storage.k8s.io/storageclasses/read | Reads storageclasses | +> | Microsoft.ContainerService/managedClusters/storage.k8s.io/storageclasses/write | Writes 
storageclasses | +> | Microsoft.ContainerService/managedClusters/storage.k8s.io/storageclasses/delete | Deletes storageclasses | +> | Microsoft.ContainerService/managedClusters/storage.k8s.io/volumeattachments/read | Reads volumeattachments | +> | Microsoft.ContainerService/managedClusters/storage.k8s.io/volumeattachments/write | Writes volumeattachments | +> | Microsoft.ContainerService/managedClusters/storage.k8s.io/volumeattachments/delete | Deletes volumeattachments | +> | Microsoft.ContainerService/managedClusters/swagger-api/read | Reads swagger-api | +> | Microsoft.ContainerService/managedClusters/swagger-ui/read | Reads swagger-ui | +> | Microsoft.ContainerService/managedClusters/ui/read | Reads ui | +> | Microsoft.ContainerService/managedClusters/users/impersonate/action | Impersonate users | +> | Microsoft.ContainerService/managedClusters/version/read | Reads version | ++## Microsoft.Kubernetes ++Azure service: [Azure Arc-enabled Kubernetes](/azure/azure-arc/kubernetes/overview) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Kubernetes/register/action | Registers Subscription with Microsoft.Kubernetes resource provider | +> | Microsoft.Kubernetes/unregister/action | Un-Registers Subscription with Microsoft.Kubernetes resource provider | +> | Microsoft.Kubernetes/connectedClusters/Read | Read connectedClusters | +> | Microsoft.Kubernetes/connectedClusters/Write | Writes connectedClusters | +> | Microsoft.Kubernetes/connectedClusters/Delete | Deletes connectedClusters | +> | Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action | List clusterUser credential(preview) | +> | Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | List clusterUser credential | +> | Microsoft.Kubernetes/locations/operationstatuses/read | Read Operation Statuses | +> | Microsoft.Kubernetes/locations/operationstatuses/write | Write Operation Statuses | +> | Microsoft.Kubernetes/operations/read | Lists 
operations available on Microsoft.Kubernetes resource provider | +> | Microsoft.Kubernetes/RegisteredSubscriptions/read | Reads registered subscriptions | +> | **DataAction** | **Description** | +> | Microsoft.Kubernetes/connectedClusters/admissionregistration.k8s.io/initializerconfigurations/read | Reads initializerconfigurations | +> | Microsoft.Kubernetes/connectedClusters/admissionregistration.k8s.io/initializerconfigurations/write | Writes initializerconfigurations | +> | Microsoft.Kubernetes/connectedClusters/admissionregistration.k8s.io/initializerconfigurations/delete | Deletes initializerconfigurations | +> | Microsoft.Kubernetes/connectedClusters/admissionregistration.k8s.io/mutatingwebhookconfigurations/read | Reads mutatingwebhookconfigurations | +> | Microsoft.Kubernetes/connectedClusters/admissionregistration.k8s.io/mutatingwebhookconfigurations/write | Writes mutatingwebhookconfigurations | +> | Microsoft.Kubernetes/connectedClusters/admissionregistration.k8s.io/mutatingwebhookconfigurations/delete | Deletes mutatingwebhookconfigurations | +> | Microsoft.Kubernetes/connectedClusters/admissionregistration.k8s.io/validatingwebhookconfigurations/read | Reads validatingwebhookconfigurations | +> | Microsoft.Kubernetes/connectedClusters/admissionregistration.k8s.io/validatingwebhookconfigurations/write | Writes validatingwebhookconfigurations | +> | Microsoft.Kubernetes/connectedClusters/admissionregistration.k8s.io/validatingwebhookconfigurations/delete | Deletes validatingwebhookconfigurations | +> | Microsoft.Kubernetes/connectedClusters/api/read | Reads api | +> | Microsoft.Kubernetes/connectedClusters/api/v1/read | Reads api/v1 | +> | Microsoft.Kubernetes/connectedClusters/apiextensions.k8s.io/customresourcedefinitions/read | Reads customresourcedefinitions | +> | Microsoft.Kubernetes/connectedClusters/apiextensions.k8s.io/customresourcedefinitions/write | Writes customresourcedefinitions | +> | 
Microsoft.Kubernetes/connectedClusters/apiextensions.k8s.io/customresourcedefinitions/delete | Deletes customresourcedefinitions | +> | Microsoft.Kubernetes/connectedClusters/apiregistration.k8s.io/apiservices/read | Reads apiservices | +> | Microsoft.Kubernetes/connectedClusters/apiregistration.k8s.io/apiservices/write | Writes apiservices | +> | Microsoft.Kubernetes/connectedClusters/apiregistration.k8s.io/apiservices/delete | Deletes apiservices | +> | Microsoft.Kubernetes/connectedClusters/apis/read | Reads apis | +> | Microsoft.Kubernetes/connectedClusters/apis/admissionregistration.k8s.io/read | Reads admissionregistration.k8s.io | +> | Microsoft.Kubernetes/connectedClusters/apis/admissionregistration.k8s.io/v1/read | Reads admissionregistration.k8s.io/v1 | +> | Microsoft.Kubernetes/connectedClusters/apis/admissionregistration.k8s.io/v1beta1/read | Reads admissionregistration.k8s.io/v1beta1 | +> | Microsoft.Kubernetes/connectedClusters/apis/apiextensions.k8s.io/read | Reads apiextensions.k8s.io | +> | Microsoft.Kubernetes/connectedClusters/apis/apiextensions.k8s.io/v1/read | Reads apiextensions.k8s.io/v1 | +> | Microsoft.Kubernetes/connectedClusters/apis/apiextensions.k8s.io/v1beta1/read | Reads apiextensions.k8s.io/v1beta1 | +> | Microsoft.Kubernetes/connectedClusters/apis/apiregistration.k8s.io/read | Reads apiregistration.k8s.io | +> | Microsoft.Kubernetes/connectedClusters/apis/apiregistration.k8s.io/v1/read | Reads apiregistration.k8s.io/v1 | +> | Microsoft.Kubernetes/connectedClusters/apis/apiregistration.k8s.io/v1beta1/read | Reads apiregistration.k8s.io/v1beta1 | +> | Microsoft.Kubernetes/connectedClusters/apis/apps/read | Reads apps | +> | Microsoft.Kubernetes/connectedClusters/apis/apps/v1beta1/read | Reads apps/v1beta1 | +> | Microsoft.Kubernetes/connectedClusters/apis/apps/v1beta2/read | Reads v1beta2 | +> | Microsoft.Kubernetes/connectedClusters/apis/authentication.k8s.io/read | Reads authentication.k8s.io | +> | 
Microsoft.Kubernetes/connectedClusters/apis/authentication.k8s.io/v1/read | Reads authentication.k8s.io/v1 | +> | Microsoft.Kubernetes/connectedClusters/apis/authentication.k8s.io/v1beta1/read | Reads authentication.k8s.io/v1beta1 | +> | Microsoft.Kubernetes/connectedClusters/apis/authorization.k8s.io/read | Reads authorization.k8s.io | +> | Microsoft.Kubernetes/connectedClusters/apis/authorization.k8s.io/v1/read | Reads authorization.k8s.io/v1 | +> | Microsoft.Kubernetes/connectedClusters/apis/authorization.k8s.io/v1beta1/read | Reads authorization.k8s.io/v1beta1 | +> | Microsoft.Kubernetes/connectedClusters/apis/autoscaling/read | Reads autoscaling | +> | Microsoft.Kubernetes/connectedClusters/apis/autoscaling/v1/read | Reads autoscaling/v1 | +> | Microsoft.Kubernetes/connectedClusters/apis/autoscaling/v2beta1/read | Reads autoscaling/v2beta1 | +> | Microsoft.Kubernetes/connectedClusters/apis/autoscaling/v2beta2/read | Reads autoscaling/v2beta2 | +> | Microsoft.Kubernetes/connectedClusters/apis/batch/read | Reads batch | +> | Microsoft.Kubernetes/connectedClusters/apis/batch/v1/read | Reads batch/v1 | +> | Microsoft.Kubernetes/connectedClusters/apis/batch/v1beta1/read | Reads batch/v1beta1 | +> | Microsoft.Kubernetes/connectedClusters/apis/certificates.k8s.io/read | Reads certificates.k8s.io | +> | Microsoft.Kubernetes/connectedClusters/apis/certificates.k8s.io/v1beta1/read | Reads certificates.k8s.io/v1beta1 | +> | Microsoft.Kubernetes/connectedClusters/apis/coordination.k8s.io/read | Reads coordination.k8s.io | +> | Microsoft.Kubernetes/connectedClusters/apis/coordination.k8s.io/v1/read | Reads coordination/v1 | +> | Microsoft.Kubernetes/connectedClusters/apis/coordination.k8s.io/v1beta1/read | Reads coordination.k8s.io/v1beta1 | +> | Microsoft.Kubernetes/connectedClusters/apis/events.k8s.io/read | Reads events.k8s.io | +> | Microsoft.Kubernetes/connectedClusters/apis/events.k8s.io/v1beta1/read | Reads events.k8s.io/v1beta1 | +> | 
Microsoft.Kubernetes/connectedClusters/apis/extensions/read | Reads extensions | +> | Microsoft.Kubernetes/connectedClusters/apis/extensions/v1beta1/read | Reads extensions/v1beta1 | +> | Microsoft.Kubernetes/connectedClusters/apis/metrics.k8s.io/read | Reads metrics.k8s.io | +> | Microsoft.Kubernetes/connectedClusters/apis/metrics.k8s.io/v1beta1/read | Reads metrics.k8s.io/v1beta1 | +> | Microsoft.Kubernetes/connectedClusters/apis/networking.k8s.io/read | Reads networking.k8s.io | +> | Microsoft.Kubernetes/connectedClusters/apis/networking.k8s.io/v1/read | Reads networking/v1 | +> | Microsoft.Kubernetes/connectedClusters/apis/networking.k8s.io/v1beta1/read | Reads networking.k8s.io/v1beta1 | +> | Microsoft.Kubernetes/connectedClusters/apis/node.k8s.io/read | Reads node.k8s.io | +> | Microsoft.Kubernetes/connectedClusters/apis/node.k8s.io/v1beta1/read | Reads node.k8s.io/v1beta1 | +> | Microsoft.Kubernetes/connectedClusters/apis/policy/read | Reads policy | +> | Microsoft.Kubernetes/connectedClusters/apis/policy/v1beta1/read | Reads policy/v1beta1 | +> | Microsoft.Kubernetes/connectedClusters/apis/rbac.authorization.k8s.io/read | Reads rbac.authorization.k8s.io | +> | Microsoft.Kubernetes/connectedClusters/apis/rbac.authorization.k8s.io/v1/read | Reads rbac.authorization/v1 | +> | Microsoft.Kubernetes/connectedClusters/apis/rbac.authorization.k8s.io/v1beta1/read | Reads rbac.authorization.k8s.io/v1beta1 | +> | Microsoft.Kubernetes/connectedClusters/apis/scheduling.k8s.io/read | Reads scheduling.k8s.io | +> | Microsoft.Kubernetes/connectedClusters/apis/scheduling.k8s.io/v1/read | Reads scheduling/v1 | +> | Microsoft.Kubernetes/connectedClusters/apis/scheduling.k8s.io/v1beta1/read | Reads scheduling.k8s.io/v1beta1 | +> | Microsoft.Kubernetes/connectedClusters/apis/storage.k8s.io/read | Reads storage.k8s.io | +> | Microsoft.Kubernetes/connectedClusters/apis/storage.k8s.io/v1/read | Reads storage/v1 | +> | 
Microsoft.Kubernetes/connectedClusters/apis/storage.k8s.io/v1beta1/read | Reads storage.k8s.io/v1beta1 | +> | Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions | +> | Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/write | Writes controllerrevisions | +> | Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/delete | Deletes controllerrevisions | +> | Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read | Reads daemonsets | +> | Microsoft.Kubernetes/connectedClusters/apps/daemonsets/write | Writes daemonsets | +> | Microsoft.Kubernetes/connectedClusters/apps/daemonsets/delete | Deletes daemonsets | +> | Microsoft.Kubernetes/connectedClusters/apps/deployments/read | Reads deployments | +> | Microsoft.Kubernetes/connectedClusters/apps/deployments/write | Writes deployments | +> | Microsoft.Kubernetes/connectedClusters/apps/deployments/delete | Deletes deployments | +> | Microsoft.Kubernetes/connectedClusters/apps/replicasets/read | Reads replicasets | +> | Microsoft.Kubernetes/connectedClusters/apps/replicasets/write | Writes replicasets | +> | Microsoft.Kubernetes/connectedClusters/apps/replicasets/delete | Deletes replicasets | +> | Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read | Reads statefulsets | +> | Microsoft.Kubernetes/connectedClusters/apps/statefulsets/write | Writes statefulsets | +> | Microsoft.Kubernetes/connectedClusters/apps/statefulsets/delete | Deletes statefulsets | +> | Microsoft.Kubernetes/connectedClusters/authentication.k8s.io/tokenreviews/write | Writes tokenreviews | +> | Microsoft.Kubernetes/connectedClusters/authentication.k8s.io/userextras/impersonate/action | Impersonate userextras | +> | Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write | Writes localsubjectaccessreviews | +> | Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/selfsubjectaccessreviews/write | Writes selfsubjectaccessreviews 
| +> | Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/selfsubjectrulesreviews/write | Writes selfsubjectrulesreviews | +> | Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/subjectaccessreviews/write | Writes subjectaccessreviews | +> | Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers | +> | Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/write | Writes horizontalpodautoscalers | +> | Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/delete | Deletes horizontalpodautoscalers | +> | Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read | Reads cronjobs | +> | Microsoft.Kubernetes/connectedClusters/batch/cronjobs/write | Writes cronjobs | +> | Microsoft.Kubernetes/connectedClusters/batch/cronjobs/delete | Deletes cronjobs | +> | Microsoft.Kubernetes/connectedClusters/batch/jobs/read | Reads jobs | +> | Microsoft.Kubernetes/connectedClusters/batch/jobs/write | Writes jobs | +> | Microsoft.Kubernetes/connectedClusters/batch/jobs/delete | Deletes jobs | +> | Microsoft.Kubernetes/connectedClusters/bindings/write | Writes bindings | +> | Microsoft.Kubernetes/connectedClusters/certificates.k8s.io/certificatesigningrequests/read | Reads certificatesigningrequests | +> | Microsoft.Kubernetes/connectedClusters/certificates.k8s.io/certificatesigningrequests/write | Writes certificatesigningrequests | +> | Microsoft.Kubernetes/connectedClusters/certificates.k8s.io/certificatesigningrequests/delete | Deletes certificatesigningrequests | +> | Microsoft.Kubernetes/connectedClusters/componentstatuses/read | Reads componentstatuses | +> | Microsoft.Kubernetes/connectedClusters/componentstatuses/write | Writes componentstatuses | +> | Microsoft.Kubernetes/connectedClusters/componentstatuses/delete | Deletes componentstatuses | +> | Microsoft.Kubernetes/connectedClusters/configmaps/read | Reads configmaps | +> | 
Microsoft.Kubernetes/connectedClusters/configmaps/write | Writes configmaps | +> | Microsoft.Kubernetes/connectedClusters/configmaps/delete | Deletes configmaps | +> | Microsoft.Kubernetes/connectedClusters/coordination.k8s.io/leases/read | Reads leases | +> | Microsoft.Kubernetes/connectedClusters/coordination.k8s.io/leases/write | Writes leases | +> | Microsoft.Kubernetes/connectedClusters/coordination.k8s.io/leases/delete | Deletes leases | +> | Microsoft.Kubernetes/connectedClusters/discovery.k8s.io/endpointslices/read | Reads endpointslices | +> | Microsoft.Kubernetes/connectedClusters/discovery.k8s.io/endpointslices/write | Writes endpointslices | +> | Microsoft.Kubernetes/connectedClusters/discovery.k8s.io/endpointslices/delete | Deletes endpointslices | +> | Microsoft.Kubernetes/connectedClusters/endpoints/read | Reads endpoints | +> | Microsoft.Kubernetes/connectedClusters/endpoints/write | Writes endpoints | +> | Microsoft.Kubernetes/connectedClusters/endpoints/delete | Deletes endpoints | +> | Microsoft.Kubernetes/connectedClusters/events/read | Reads events | +> | Microsoft.Kubernetes/connectedClusters/events/write | Writes events | +> | Microsoft.Kubernetes/connectedClusters/events/delete | Deletes events | +> | Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Reads events | +> | Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/write | Writes events | +> | Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/delete | Deletes events | +> | Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read | Reads daemonsets | +> | Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/write | Writes daemonsets | +> | Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/delete | Deletes daemonsets | +> | Microsoft.Kubernetes/connectedClusters/extensions/deployments/read | Reads deployments | +> | Microsoft.Kubernetes/connectedClusters/extensions/deployments/write | Writes deployments | +> | 
Microsoft.Kubernetes/connectedClusters/extensions/deployments/delete | Deletes deployments | +> | Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read | Reads ingresses | +> | Microsoft.Kubernetes/connectedClusters/extensions/ingresses/write | Writes ingresses | +> | Microsoft.Kubernetes/connectedClusters/extensions/ingresses/delete | Deletes ingresses | +> | Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read | Reads networkpolicies | +> | Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/write | Writes networkpolicies | +> | Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/delete | Deletes networkpolicies | +> | Microsoft.Kubernetes/connectedClusters/extensions/podsecuritypolicies/read | Reads podsecuritypolicies | +> | Microsoft.Kubernetes/connectedClusters/extensions/podsecuritypolicies/write | Writes podsecuritypolicies | +> | Microsoft.Kubernetes/connectedClusters/extensions/podsecuritypolicies/delete | Deletes podsecuritypolicies | +> | Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read | Reads replicasets | +> | Microsoft.Kubernetes/connectedClusters/extensions/replicasets/write | Writes replicasets | +> | Microsoft.Kubernetes/connectedClusters/extensions/replicasets/delete | Deletes replicasets | +> | Microsoft.Kubernetes/connectedClusters/flowcontrol.apiserver.k8s.io/flowschemas/read | Reads flowschemas | +> | Microsoft.Kubernetes/connectedClusters/flowcontrol.apiserver.k8s.io/flowschemas/write | Writes flowschemas | +> | Microsoft.Kubernetes/connectedClusters/flowcontrol.apiserver.k8s.io/flowschemas/delete | Deletes flowschemas | +> | Microsoft.Kubernetes/connectedClusters/flowcontrol.apiserver.k8s.io/prioritylevelconfigurations/read | Reads prioritylevelconfigurations | +> | Microsoft.Kubernetes/connectedClusters/flowcontrol.apiserver.k8s.io/prioritylevelconfigurations/write | Writes prioritylevelconfigurations | +> | 
Microsoft.Kubernetes/connectedClusters/flowcontrol.apiserver.k8s.io/prioritylevelconfigurations/delete | Deletes prioritylevelconfigurations | +> | Microsoft.Kubernetes/connectedClusters/groups/impersonate/action | Impersonate groups | +> | Microsoft.Kubernetes/connectedClusters/healthz/read | Reads healthz | +> | Microsoft.Kubernetes/connectedClusters/healthz/autoregister-completion/read | Reads autoregister-completion | +> | Microsoft.Kubernetes/connectedClusters/healthz/etcd/read | Reads etcd | +> | Microsoft.Kubernetes/connectedClusters/healthz/log/read | Reads log | +> | Microsoft.Kubernetes/connectedClusters/healthz/ping/read | Reads ping | +> | Microsoft.Kubernetes/connectedClusters/healthz/poststarthook/apiservice-openapi-controller/read | Reads apiservice-openapi-controller | +> | Microsoft.Kubernetes/connectedClusters/healthz/poststarthook/apiservice-registration-controller/read | Reads apiservice-registration-controller | +> | Microsoft.Kubernetes/connectedClusters/healthz/poststarthook/apiservice-status-available-controller/read | Reads apiservice-status-available-controller | +> | Microsoft.Kubernetes/connectedClusters/healthz/poststarthook/bootstrap-controller/read | Reads bootstrap-controller | +> | Microsoft.Kubernetes/connectedClusters/healthz/poststarthook/ca-registration/read | Reads ca-registration | +> | Microsoft.Kubernetes/connectedClusters/healthz/poststarthook/crd-informer-synced/read | Reads crd-informer-synced | +> | Microsoft.Kubernetes/connectedClusters/healthz/poststarthook/generic-apiserver-start-informers/read | Reads generic-apiserver-start-informers | +> | Microsoft.Kubernetes/connectedClusters/healthz/poststarthook/kube-apiserver-autoregistration/read | Reads kube-apiserver-autoregistration | +> | Microsoft.Kubernetes/connectedClusters/healthz/poststarthook/rbac/bootstrap-roles/read | Reads bootstrap-roles | +> | Microsoft.Kubernetes/connectedClusters/healthz/poststarthook/scheduling/bootstrap-system-priority-classes/read | Reads 
bootstrap-system-priority-classes | +> | Microsoft.Kubernetes/connectedClusters/healthz/poststarthook/start-apiextensions-controllers/read | Reads start-apiextensions-controllers | +> | Microsoft.Kubernetes/connectedClusters/healthz/poststarthook/start-apiextensions-informers/read | Reads start-apiextensions-informers | +> | Microsoft.Kubernetes/connectedClusters/healthz/poststarthook/start-kube-aggregator-informers/read | Reads start-kube-aggregator-informers | +> | Microsoft.Kubernetes/connectedClusters/healthz/poststarthook/start-kube-apiserver-admission-initializer/read | Reads start-kube-apiserver-admission-initializer | +> | Microsoft.Kubernetes/connectedClusters/limitranges/read | Reads limitranges | +> | Microsoft.Kubernetes/connectedClusters/limitranges/write | Writes limitranges | +> | Microsoft.Kubernetes/connectedClusters/limitranges/delete | Deletes limitranges | +> | Microsoft.Kubernetes/connectedClusters/livez/read | Reads livez | +> | Microsoft.Kubernetes/connectedClusters/livez/autoregister-completion/read | Reads autoregister-completion | +> | Microsoft.Kubernetes/connectedClusters/livez/etcd/read | Reads etcd | +> | Microsoft.Kubernetes/connectedClusters/livez/log/read | Reads log | +> | Microsoft.Kubernetes/connectedClusters/livez/ping/read | Reads ping | +> | Microsoft.Kubernetes/connectedClusters/livez/poststarthook/apiservice-openapi-controller/read | Reads apiservice-openapi-controller | +> | Microsoft.Kubernetes/connectedClusters/livez/poststarthook/apiservice-registration-controller/read | Reads apiservice-registration-controller | +> | Microsoft.Kubernetes/connectedClusters/livez/poststarthook/apiservice-status-available-controller/read | Reads apiservice-status-available-controller | +> | Microsoft.Kubernetes/connectedClusters/livez/poststarthook/bootstrap-controller/read | Reads bootstrap-controller | +> | Microsoft.Kubernetes/connectedClusters/livez/poststarthook/ca-registration/read | Reads ca-registration | +> | 
Microsoft.Kubernetes/connectedClusters/livez/poststarthook/crd-informer-synced/read | Reads crd-informer-synced | +> | Microsoft.Kubernetes/connectedClusters/livez/poststarthook/generic-apiserver-start-informers/read | Reads generic-apiserver-start-informers | +> | Microsoft.Kubernetes/connectedClusters/livez/poststarthook/kube-apiserver-autoregistration/read | Reads kube-apiserver-autoregistration | +> | Microsoft.Kubernetes/connectedClusters/livez/poststarthook/rbac/bootstrap-roles/read | Reads bootstrap-roles | +> | Microsoft.Kubernetes/connectedClusters/livez/poststarthook/scheduling/bootstrap-system-priority-classes/read | Reads bootstrap-system-priority-classes | +> | Microsoft.Kubernetes/connectedClusters/livez/poststarthook/start-apiextensions-controllers/read | Reads start-apiextensions-controllers | +> | Microsoft.Kubernetes/connectedClusters/livez/poststarthook/start-apiextensions-informers/read | Reads start-apiextensions-informers | +> | Microsoft.Kubernetes/connectedClusters/livez/poststarthook/start-kube-aggregator-informers/read | Reads start-kube-aggregator-informers | +> | Microsoft.Kubernetes/connectedClusters/livez/poststarthook/start-kube-apiserver-admission-initializer/read | Reads start-kube-apiserver-admission-initializer | +> | Microsoft.Kubernetes/connectedClusters/logs/read | Reads logs | +> | Microsoft.Kubernetes/connectedClusters/metrics/read | Reads metrics | +> | Microsoft.Kubernetes/connectedClusters/metrics.k8s.io/nodes/read | Reads nodes | +> | Microsoft.Kubernetes/connectedClusters/metrics.k8s.io/pods/read | Reads pods | +> | Microsoft.Kubernetes/connectedClusters/namespaces/read | Reads namespaces | +> | Microsoft.Kubernetes/connectedClusters/namespaces/write | Writes namespaces | +> | Microsoft.Kubernetes/connectedClusters/namespaces/delete | Deletes namespaces | +> | Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingressclasses/read | Reads ingressclasses | +> | 
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingressclasses/write | Writes ingressclasses | +> | Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingressclasses/delete | Deletes ingressclasses | +> | Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read | Reads ingresses | +> | Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/write | Writes ingresses | +> | Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/delete | Deletes ingresses | +> | Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read | Reads networkpolicies | +> | Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/write | Writes networkpolicies | +> | Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/delete | Deletes networkpolicies | +> | Microsoft.Kubernetes/connectedClusters/node.k8s.io/runtimeclasses/read | Reads runtimeclasses | +> | Microsoft.Kubernetes/connectedClusters/node.k8s.io/runtimeclasses/write | Writes runtimeclasses | +> | Microsoft.Kubernetes/connectedClusters/node.k8s.io/runtimeclasses/delete | Deletes runtimeclasses | +> | Microsoft.Kubernetes/connectedClusters/nodes/read | Reads nodes | +> | Microsoft.Kubernetes/connectedClusters/nodes/write | Writes nodes | +> | Microsoft.Kubernetes/connectedClusters/nodes/delete | Deletes nodes | +> | Microsoft.Kubernetes/connectedClusters/openapi/v2/read | Reads v2 | +> | Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read | Reads persistentvolumeclaims | +> | Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/write | Writes persistentvolumeclaims | +> | Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/delete | Deletes persistentvolumeclaims | +> | Microsoft.Kubernetes/connectedClusters/persistentvolumes/read | Reads persistentvolumes | +> | Microsoft.Kubernetes/connectedClusters/persistentvolumes/write | Writes persistentvolumes | +> | 
Microsoft.Kubernetes/connectedClusters/persistentvolumes/delete | Deletes persistentvolumes | +> | Microsoft.Kubernetes/connectedClusters/pods/read | Reads pods | +> | Microsoft.Kubernetes/connectedClusters/pods/write | Writes pods | +> | Microsoft.Kubernetes/connectedClusters/pods/delete | Deletes pods | +> | Microsoft.Kubernetes/connectedClusters/pods/exec/action | Exec into a pod | +> | Microsoft.Kubernetes/connectedClusters/podtemplates/read | Reads podtemplates | +> | Microsoft.Kubernetes/connectedClusters/podtemplates/write | Writes podtemplates | +> | Microsoft.Kubernetes/connectedClusters/podtemplates/delete | Deletes podtemplates | +> | Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets | +> | Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/write | Writes poddisruptionbudgets | +> | Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/delete | Deletes poddisruptionbudgets | +> | Microsoft.Kubernetes/connectedClusters/policy/podsecuritypolicies/read | Reads podsecuritypolicies | +> | Microsoft.Kubernetes/connectedClusters/policy/podsecuritypolicies/write | Writes podsecuritypolicies | +> | Microsoft.Kubernetes/connectedClusters/policy/podsecuritypolicies/delete | Deletes podsecuritypolicies | +> | Microsoft.Kubernetes/connectedClusters/policy/podsecuritypolicies/use/action | Use action on podsecuritypolicies | +> | Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterrolebindings/read | Reads clusterrolebindings | +> | Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterrolebindings/write | Writes clusterrolebindings | +> | Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterrolebindings/delete | Deletes clusterrolebindings | +> | Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/read | Reads clusterroles | +> | 
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/write | Writes clusterroles | +> | Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/delete | Deletes clusterroles | +> | Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/bind/action | Binds clusterroles | +> | Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/escalate/action | Escalates | +> | Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/read | Reads rolebindings | +> | Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/write | Writes rolebindings | +> | Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/delete | Deletes rolebindings | +> | Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/read | Reads roles | +> | Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/write | Writes roles | +> | Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/delete | Deletes roles | +> | Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/bind/action | Binds roles | +> | Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/escalate/action | Escalates roles | +> | Microsoft.Kubernetes/connectedClusters/readyz/read | Reads readyz | +> | Microsoft.Kubernetes/connectedClusters/readyz/autoregister-completion/read | Reads autoregister-completion | +> | Microsoft.Kubernetes/connectedClusters/readyz/etcd/read | Reads etcd | +> | Microsoft.Kubernetes/connectedClusters/readyz/log/read | Reads log | +> | Microsoft.Kubernetes/connectedClusters/readyz/ping/read | Reads ping | +> | Microsoft.Kubernetes/connectedClusters/readyz/poststarthook/apiservice-openapi-controller/read | Reads apiservice-openapi-controller | +> | Microsoft.Kubernetes/connectedClusters/readyz/poststarthook/apiservice-registration-controller/read | Reads 
apiservice-registration-controller | +> | Microsoft.Kubernetes/connectedClusters/readyz/poststarthook/apiservice-status-available-controller/read | Reads apiservice-status-available-controller | +> | Microsoft.Kubernetes/connectedClusters/readyz/poststarthook/bootstrap-controller/read | Reads bootstrap-controller | +> | Microsoft.Kubernetes/connectedClusters/readyz/poststarthook/ca-registration/read | Reads ca-registration | +> | Microsoft.Kubernetes/connectedClusters/readyz/poststarthook/crd-informer-synced/read | Reads crd-informer-synced | +> | Microsoft.Kubernetes/connectedClusters/readyz/poststarthook/generic-apiserver-start-informers/read | Reads generic-apiserver-start-informers | +> | Microsoft.Kubernetes/connectedClusters/readyz/poststarthook/kube-apiserver-autoregistration/read | Reads kube-apiserver-autoregistration | +> | Microsoft.Kubernetes/connectedClusters/readyz/poststarthook/rbac/bootstrap-roles/read | Reads bootstrap-roles | +> | Microsoft.Kubernetes/connectedClusters/readyz/poststarthook/scheduling/bootstrap-system-priority-classes/read | Reads bootstrap-system-priority-classes | +> | Microsoft.Kubernetes/connectedClusters/readyz/poststarthook/start-apiextensions-controllers/read | Reads start-apiextensions-controllers | +> | Microsoft.Kubernetes/connectedClusters/readyz/poststarthook/start-apiextensions-informers/read | Reads start-apiextensions-informers | +> | Microsoft.Kubernetes/connectedClusters/readyz/poststarthook/start-kube-aggregator-informers/read | Reads start-kube-aggregator-informers | +> | Microsoft.Kubernetes/connectedClusters/readyz/poststarthook/start-kube-apiserver-admission-initializer/read | Reads start-kube-apiserver-admission-initializer | +> | Microsoft.Kubernetes/connectedClusters/readyz/shutdown/read | Reads shutdown | +> | Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Reads replicationcontrollers | +> | Microsoft.Kubernetes/connectedClusters/replicationcontrollers/write | Writes 
replicationcontrollers | +> | Microsoft.Kubernetes/connectedClusters/replicationcontrollers/delete | Deletes replicationcontrollers | +> | Microsoft.Kubernetes/connectedClusters/resetMetrics/read | Reads resetMetrics | +> | Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Reads resourcequotas | +> | Microsoft.Kubernetes/connectedClusters/resourcequotas/write | Writes resourcequotas | +> | Microsoft.Kubernetes/connectedClusters/resourcequotas/delete | Deletes resourcequotas | +> | Microsoft.Kubernetes/connectedClusters/scheduling.k8s.io/priorityclasses/read | Reads priorityclasses | +> | Microsoft.Kubernetes/connectedClusters/scheduling.k8s.io/priorityclasses/write | Writes priorityclasses | +> | Microsoft.Kubernetes/connectedClusters/scheduling.k8s.io/priorityclasses/delete | Deletes priorityclasses | +> | Microsoft.Kubernetes/connectedClusters/secrets/read | Reads secrets | +> | Microsoft.Kubernetes/connectedClusters/secrets/write | Writes secrets | +> | Microsoft.Kubernetes/connectedClusters/secrets/delete | Deletes secrets | +> | Microsoft.Kubernetes/connectedClusters/serviceaccounts/read | Reads serviceaccounts | +> | Microsoft.Kubernetes/connectedClusters/serviceaccounts/write | Writes serviceaccounts | +> | Microsoft.Kubernetes/connectedClusters/serviceaccounts/delete | Deletes serviceaccounts | +> | Microsoft.Kubernetes/connectedClusters/serviceaccounts/impersonate/action | Impersonate serviceaccounts | +> | Microsoft.Kubernetes/connectedClusters/services/read | Reads services | +> | Microsoft.Kubernetes/connectedClusters/services/write | Writes services | +> | Microsoft.Kubernetes/connectedClusters/services/delete | Deletes services | +> | Microsoft.Kubernetes/connectedClusters/storage.k8s.io/csidrivers/read | Reads csidrivers | +> | Microsoft.Kubernetes/connectedClusters/storage.k8s.io/csidrivers/write | Writes csidrivers | +> | Microsoft.Kubernetes/connectedClusters/storage.k8s.io/csidrivers/delete | Deletes csidrivers | +> | 
Microsoft.Kubernetes/connectedClusters/storage.k8s.io/csinodes/read | Reads csinodes | +> | Microsoft.Kubernetes/connectedClusters/storage.k8s.io/csinodes/write | Writes csinodes | +> | Microsoft.Kubernetes/connectedClusters/storage.k8s.io/csinodes/delete | Deletes csinodes | +> | Microsoft.Kubernetes/connectedClusters/storage.k8s.io/csistoragecapacities/read | Reads csistoragecapacities | +> | Microsoft.Kubernetes/connectedClusters/storage.k8s.io/csistoragecapacities/write | Writes csistoragecapacities | +> | Microsoft.Kubernetes/connectedClusters/storage.k8s.io/csistoragecapacities/delete | Deletes csistoragecapacities | +> | Microsoft.Kubernetes/connectedClusters/storage.k8s.io/storageclasses/read | Reads storageclasses | +> | Microsoft.Kubernetes/connectedClusters/storage.k8s.io/storageclasses/write | Writes storageclasses | +> | Microsoft.Kubernetes/connectedClusters/storage.k8s.io/storageclasses/delete | Deletes storageclasses | +> | Microsoft.Kubernetes/connectedClusters/storage.k8s.io/volumeattachments/read | Reads volumeattachments | +> | Microsoft.Kubernetes/connectedClusters/storage.k8s.io/volumeattachments/write | Writes volumeattachments | +> | Microsoft.Kubernetes/connectedClusters/storage.k8s.io/volumeattachments/delete | Deletes volumeattachments | +> | Microsoft.Kubernetes/connectedClusters/swagger-api/read | Reads swagger-api | +> | Microsoft.Kubernetes/connectedClusters/swagger-ui/read | Reads swagger-ui | +> | Microsoft.Kubernetes/connectedClusters/ui/read | Reads ui | +> | Microsoft.Kubernetes/connectedClusters/users/impersonate/action | Impersonate users | +> | Microsoft.Kubernetes/connectedClusters/version/read | Reads version | ++## Microsoft.KubernetesConfiguration ++Azure service: [Azure Kubernetes Service (AKS)](/azure/aks/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.KubernetesConfiguration/register/action | Registers subscription to Microsoft.KubernetesConfiguration resource provider. 
| +> | Microsoft.KubernetesConfiguration/unregister/action | Unregisters subscription from Microsoft.KubernetesConfiguration resource provider. | +> | Microsoft.KubernetesConfiguration/extensions/write | Creates or updates extension resource. | +> | Microsoft.KubernetesConfiguration/extensions/read | Gets extension instance resource. | +> | Microsoft.KubernetesConfiguration/extensions/delete | Deletes extension instance resource. | +> | Microsoft.KubernetesConfiguration/extensions/operations/read | Gets Async Operation status. | +> | Microsoft.KubernetesConfiguration/extensionTypes/read | Gets extension type. | +> | Microsoft.KubernetesConfiguration/fluxConfigurations/write | Creates or updates flux configuration. | +> | Microsoft.KubernetesConfiguration/fluxConfigurations/read | Gets flux configuration. | +> | Microsoft.KubernetesConfiguration/fluxConfigurations/delete | Deletes flux configuration. | +> | Microsoft.KubernetesConfiguration/fluxConfigurations/operations/read | Gets Async Operation status for flux configuration. | +> | Microsoft.KubernetesConfiguration/namespaces/read | Get Namespace Resource | +> | Microsoft.KubernetesConfiguration/namespaces/listUserCredential/action | Get User Credentials for the parent cluster of the namespace resource. | +> | Microsoft.KubernetesConfiguration/operations/read | Gets available operations of the Microsoft.KubernetesConfiguration resource provider. | +> | Microsoft.KubernetesConfiguration/privateLinkScopes/write | Creates or updates private link scope. | +> | Microsoft.KubernetesConfiguration/privateLinkScopes/delete | Deletes private link scope. | +> | Microsoft.KubernetesConfiguration/privateLinkScopes/read | Gets private link scope | +> | Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnectionProxies/write | Creates or updates private endpoint connection proxy. 
| +> | Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnectionProxies/delete | Deletes private endpoint connection proxy | +> | Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnectionProxies/read | Gets private endpoint connection proxy. | +> | Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnectionProxies/validate/action | Validates private endpoint connection proxy object. | +> | Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnectionProxies/updatePrivateEndpointProperties/action | Updates patch on private endpoint connection proxy. | +> | Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnectionProxies/operations/read | Gets private endpoint connection proxies operation. | +> | Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnections/write | Creates or updates private endpoint connection. | +> | Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnections/delete | Deletes private endpoint connection. | +> | Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnections/read | Gets private endpoint connection. | +> | Microsoft.KubernetesConfiguration/sourceControlConfigurations/write | Creates or updates source control configuration. | +> | Microsoft.KubernetesConfiguration/sourceControlConfigurations/read | Gets source control configuration. | +> | Microsoft.KubernetesConfiguration/sourceControlConfigurations/delete | Deletes source control configuration. 
| ++## Microsoft.RedHatOpenShift ++Azure service: [Azure Red Hat OpenShift](/azure/openshift/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.RedHatOpenShift/locations/listInstallVersions/read | | +> | Microsoft.RedHatOpenShift/locations/operationresults/read | | +> | Microsoft.RedHatOpenShift/locations/operationsstatus/read | | +> | Microsoft.RedHatOpenShift/openShiftClusters/read | | +> | Microsoft.RedHatOpenShift/openShiftClusters/write | | +> | Microsoft.RedHatOpenShift/openShiftClusters/delete | | +> | Microsoft.RedHatOpenShift/openShiftClusters/listCredentials/action | | +> | Microsoft.RedHatOpenShift/openShiftClusters/listAdminCredentials/action | | +> | Microsoft.RedHatOpenShift/openShiftClusters/detectors/read | | +> | Microsoft.RedHatOpenShift/openShiftClusters/machinePools/read | | +> | Microsoft.RedHatOpenShift/openShiftClusters/machinePools/write | | +> | Microsoft.RedHatOpenShift/openShiftClusters/machinePools/delete | | +> | Microsoft.RedHatOpenShift/openShiftClusters/syncIdentityProviders/read | | +> | Microsoft.RedHatOpenShift/openShiftClusters/syncIdentityProviders/write | | +> | Microsoft.RedHatOpenShift/openShiftClusters/syncIdentityProviders/delete | | +> | Microsoft.RedHatOpenShift/openShiftClusters/syncSets/read | | +> | Microsoft.RedHatOpenShift/openShiftClusters/syncSets/write | | +> | Microsoft.RedHatOpenShift/openShiftClusters/syncSets/delete | | +> | Microsoft.RedHatOpenShift/operations/read | | ++## Next steps ++- [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types) |
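Review bot: The Description column is blank for every row of the Microsoft.RedHatOpenShift table (`listInstallVersions/read` through `operations/read`), so this section ships with no documentation of what each action grants; the rows that hand out cluster access, `Microsoft.RedHatOpenShift/openShiftClusters/listCredentials/action` and `Microsoft.RedHatOpenShift/openShiftClusters/listAdminCredentials/action`, most need a description, because the article tells readers to paste these strings into custom roles and a blank cell gives them no signal that the action returns credentials. Also, in the Microsoft.Kubernetes table the description of `Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/escalate/action` reads just "Escalates", while the parallel row for roles reads "Escalates roles"; suggest "Escalates clusterroles" so the two privileged RBAC actions are described consistently.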
role-based-access-control | Databases | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/databases.md | + + Title: Azure permissions for Databases - Azure RBAC +description: Lists the permissions for the Azure resource providers in the Databases category. +++++ Last updated : 02/07/2024++++# Azure permissions for Databases ++This article lists the permissions for the Azure resource providers in the Databases category. You can use these permissions in your own [Azure custom roles](/azure/role-based-access-control/custom-roles) to provide granular access control to resources in Azure. Permission strings have the following format: `{Company}.{ProviderName}/{resourceType}/{action}` +++## Microsoft.Cache ++Azure service: [Azure Cache for Redis](/azure/azure-cache-for-redis/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Cache/checknameavailability/action | Checks if a name is available for use with a new Redis Cache | +> | Microsoft.Cache/register/action | Registers the 'Microsoft.Cache' resource provider with a subscription | +> | Microsoft.Cache/unregister/action | Unregisters the 'Microsoft.Cache' resource provider with a subscription | +> | Microsoft.Cache/locations/checknameavailability/action | Checks if a name is available for use with a new Redis Enterprise cache | +> | Microsoft.Cache/locations/asyncOperations/read | Read an Async Operation's Status | +> | Microsoft.Cache/locations/operationResults/read | Gets the result of a long running operation for which the 'Location' header was previously returned to the client | +> | Microsoft.Cache/locations/operationsStatus/read | View the status of a long running operation for which the 'AzureAsync' header was previously returned to the client | +> | Microsoft.Cache/operations/read | Lists the operations that 'Microsoft.Cache' provider supports. 
| +> | Microsoft.Cache/redis/write | Modify the Redis Cache's settings and configuration in the management portal | +> | Microsoft.Cache/redis/read | View the Redis Cache's settings and configuration in the management portal | +> | Microsoft.Cache/redis/delete | Delete the entire Redis Cache | +> | Microsoft.Cache/redis/listKeys/action | View the value of Redis Cache access keys in the management portal | +> | Microsoft.Cache/redis/regenerateKey/action | Change the value of Redis Cache access keys in the management portal | +> | Microsoft.Cache/redis/import/action | Import data of a specified format from multiple blobs into Redis | +> | Microsoft.Cache/redis/export/action | Export Redis data to prefixed storage blobs in specified format | +> | Microsoft.Cache/redis/forceReboot/action | Force reboot a cache instance, potentially with data loss. | +> | Microsoft.Cache/redis/stop/action | Stop an Azure Cache for Redis, potentially with data loss. | +> | Microsoft.Cache/redis/start/action | Start an Azure Cache for Redis | +> | Microsoft.Cache/redis/flush/action | Deletes all of the keys in a cache. 
| +> | Microsoft.Cache/redis/PrivateEndpointConnectionsApproval/action | Approve Private Endpoint Connections | +> | Microsoft.Cache/redis/accessPolicies/read | Get Redis Access Policies | +> | Microsoft.Cache/redis/accessPolicies/write | Modify Redis Access Policies | +> | Microsoft.Cache/redis/accessPolicies/delete | Delete Redis Access Policies | +> | Microsoft.Cache/redis/accessPolicyAssignments/read | Get Redis Access Policy Assignments | +> | Microsoft.Cache/redis/accessPolicyAssignments/write | Modify Redis Access Policy Assignments | +> | Microsoft.Cache/redis/accessPolicyAssignments/delete | Delete Access Policy Assignments | +> | Microsoft.Cache/redis/detectors/read | Get the properties of one or all detectors for an Azure Cache for Redis cache | +> | Microsoft.Cache/redis/eventGridFilters/read | Get Redis Cache Event Grid Filter | +> | Microsoft.Cache/redis/eventGridFilters/write | Update Redis Cache Event Grid Filters | +> | Microsoft.Cache/redis/eventGridFilters/delete | Delete Redis Cache Event Grid Filters | +> | Microsoft.Cache/redis/firewallRules/read | Get the IP firewall rules of a Redis Cache | +> | Microsoft.Cache/redis/firewallRules/write | Edit the IP firewall rules of a Redis Cache | +> | Microsoft.Cache/redis/firewallRules/delete | Delete IP firewall rules of a Redis Cache | +> | Microsoft.Cache/redis/linkedServers/read | Get Linked Servers associated with a redis cache. 
| +> | Microsoft.Cache/redis/linkedServers/write | Add Linked Server to a Redis Cache | +> | Microsoft.Cache/redis/linkedServers/delete | Delete Linked Server from a Redis Cache | +> | Microsoft.Cache/redis/metricDefinitions/read | Gets the available metrics for a Redis Cache | +> | Microsoft.Cache/redis/patchSchedules/read | Gets the patching schedule of a Redis Cache | +> | Microsoft.Cache/redis/patchSchedules/write | Modify the patching schedule of a Redis Cache | +> | Microsoft.Cache/redis/patchSchedules/delete | Delete the patch schedule of a Redis Cache | +> | Microsoft.Cache/redis/privateEndpointConnectionProxies/validate/action | Validate the private endpoint connection proxy | +> | Microsoft.Cache/redis/privateEndpointConnectionProxies/read | Get the private endpoint connection proxy | +> | Microsoft.Cache/redis/privateEndpointConnectionProxies/write | Create the private endpoint connection proxy | +> | Microsoft.Cache/redis/privateEndpointConnectionProxies/delete | Delete the private endpoint connection proxy | +> | Microsoft.Cache/redis/privateEndpointConnections/read | Read a private endpoint connection | +> | Microsoft.Cache/redis/privateEndpointConnections/write | Write a private endpoint connection | +> | Microsoft.Cache/redis/privateEndpointConnections/delete | Delete a private endpoint connection | +> | Microsoft.Cache/redis/privateLinkResources/read | Read 'groupId' of redis subresource that a private link can be connected to | +> | Microsoft.Cache/redisEnterprise/delete | Delete the entire Redis Enterprise cache | +> | Microsoft.Cache/redisEnterprise/read | View the Redis Enterprise cache's settings and configuration in the management portal | +> | Microsoft.Cache/redisEnterprise/write | Modify the Redis Enterprise cache's settings and configuration in the management portal | +> | Microsoft.Cache/redisEnterprise/PrivateEndpointConnectionsApproval/action | Approve Private Endpoint Connections | +> | Microsoft.Cache/redisEnterprise/databases/delete 
| Deletes a Redis Enterprise database and its contents | +> | Microsoft.Cache/redisEnterprise/databases/read | View the Redis Enterprise cache database's settings and configuration in the management portal | +> | Microsoft.Cache/redisEnterprise/databases/write | Modify the Redis Enterprise cache database's settings and configuration in the management portal | +> | Microsoft.Cache/redisEnterprise/databases/export/action | Export data to storage blobs from a Redis Enterprise database | +> | Microsoft.Cache/redisEnterprise/databases/forceUnlink/action | Forcibly unlink a georeplica Redis Enterprise database from its peers | +> | Microsoft.Cache/redisEnterprise/databases/import/action | Import data from storage blobs to a Redis Enterprise database | +> | Microsoft.Cache/redisEnterprise/databases/listKeys/action | View the value of Redis Enterprise database access keys in the management portal | +> | Microsoft.Cache/redisEnterprise/databases/regenerateKey/action | Change the value of Redis Enterprise database access keys in the management portal | +> | Microsoft.Cache/redisEnterprise/databases/operationResults/read | View the result of Redis Enterprise database operations in the management portal | +> | Microsoft.Cache/redisEnterprise/operationResults/read | View the result of Redis Enterprise operations in the management portal | +> | Microsoft.Cache/redisEnterprise/privateEndpointConnectionProxies/validate/action | Validate the private endpoint connection proxy | +> | Microsoft.Cache/redisEnterprise/privateEndpointConnectionProxies/read | Get the private endpoint connection proxy | +> | Microsoft.Cache/redisEnterprise/privateEndpointConnectionProxies/write | Create the private endpoint connection proxy | +> | Microsoft.Cache/redisEnterprise/privateEndpointConnectionProxies/delete | Delete the private endpoint connection proxy | +> | Microsoft.Cache/redisEnterprise/privateEndpointConnectionProxies/operationResults/read | View the result of private endpoint connection 
operations in the management portal | +> | Microsoft.Cache/redisEnterprise/privateEndpointConnections/read | Read a private endpoint connection | +> | Microsoft.Cache/redisEnterprise/privateEndpointConnections/write | Write a private endpoint connection | +> | Microsoft.Cache/redisEnterprise/privateEndpointConnections/delete | Delete a private endpoint connection | +> | Microsoft.Cache/redisEnterprise/privateLinkResources/read | Read 'groupId' of redis subresource that a private link can be connected to | +> | Microsoft.Cache/redisEnterprise/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for a Redis Enterprise Cache | ++## Microsoft.DataFactory ++Azure service: [Data Factory](/azure/data-factory/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.DataFactory/register/action | Registers the subscription for the Data Factory Resource Provider. | +> | Microsoft.DataFactory/unregister/action | Unregisters the subscription for the Data Factory Resource Provider. | +> | Microsoft.DataFactory/checkazuredatafactorynameavailability/read | Checks if the Data Factory Name is available to use. | +> | Microsoft.DataFactory/datafactories/read | Reads the Data Factory. | +> | Microsoft.DataFactory/datafactories/write | Creates or Updates the Data Factory. | +> | Microsoft.DataFactory/datafactories/delete | Deletes the Data Factory. | +> | Microsoft.DataFactory/datafactories/activitywindows/read | Reads Activity Windows in the Data Factory with specified parameters. | +> | Microsoft.DataFactory/datafactories/datapipelines/read | Reads any Pipeline. | +> | Microsoft.DataFactory/datafactories/datapipelines/delete | Deletes any Pipeline. | +> | Microsoft.DataFactory/datafactories/datapipelines/pause/action | Pauses any Pipeline. | +> | Microsoft.DataFactory/datafactories/datapipelines/resume/action | Resumes any Pipeline. | +> | Microsoft.DataFactory/datafactories/datapipelines/update/action | Updates any Pipeline. 
| +> | Microsoft.DataFactory/datafactories/datapipelines/write | Creates or Updates any Pipeline. | +> | Microsoft.DataFactory/datafactories/datapipelines/activities/activitywindows/read | Reads Activity Windows for the Pipeline Activity with specified parameters. | +> | Microsoft.DataFactory/datafactories/datapipelines/activitywindows/read | Reads Activity Windows for the Pipeline with specified parameters. | +> | Microsoft.DataFactory/datafactories/datasets/read | Reads any Dataset. | +> | Microsoft.DataFactory/datafactories/datasets/delete | Deletes any Dataset. | +> | Microsoft.DataFactory/datafactories/datasets/write | Creates or Updates any Dataset. | +> | Microsoft.DataFactory/datafactories/datasets/activitywindows/read | Reads Activity Windows for the Dataset with specified parameters. | +> | Microsoft.DataFactory/datafactories/datasets/sliceruns/read | Reads the Data Slice Run for the given dataset with the given start time. | +> | Microsoft.DataFactory/datafactories/datasets/slices/read | Gets the Data Slices in the given period. | +> | Microsoft.DataFactory/datafactories/datasets/slices/write | Update the Status of the Data Slice. | +> | Microsoft.DataFactory/datafactories/gateways/read | Reads any Gateway. | +> | Microsoft.DataFactory/datafactories/gateways/write | Creates or Updates any Gateway. | +> | Microsoft.DataFactory/datafactories/gateways/delete | Deletes any Gateway. | +> | Microsoft.DataFactory/datafactories/gateways/connectioninfo/action | Reads the Connection Info for any Gateway. | +> | Microsoft.DataFactory/datafactories/gateways/listauthkeys/action | Lists the Authentication Keys for any Gateway. | +> | Microsoft.DataFactory/datafactories/gateways/regenerateauthkey/action | Regenerates the Authentication Keys for any Gateway. | +> | Microsoft.DataFactory/datafactories/linkedServices/read | Reads any Linked Service. | +> | Microsoft.DataFactory/datafactories/linkedServices/delete | Deletes any Linked Service. 
| +> | Microsoft.DataFactory/datafactories/linkedServices/write | Creates or Updates any Linked Service. | +> | Microsoft.DataFactory/datafactories/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.DataFactory/datafactories/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.DataFactory/datafactories/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for datafactories | +> | Microsoft.DataFactory/datafactories/runs/loginfo/read | Reads a SAS URI to a blob container containing the logs. | +> | Microsoft.DataFactory/datafactories/tables/read | Reads any Dataset. | +> | Microsoft.DataFactory/datafactories/tables/delete | Deletes any Dataset. | +> | Microsoft.DataFactory/datafactories/tables/write | Creates or Updates any Dataset. | +> | Microsoft.DataFactory/factories/read | Reads Data Factory. | +> | Microsoft.DataFactory/factories/write | Create or Update Data Factory | +> | Microsoft.DataFactory/factories/delete | Deletes Data Factory. | +> | Microsoft.DataFactory/factories/createdataflowdebugsession/action | Creates a Data Flow debug session. | +> | Microsoft.DataFactory/factories/startdataflowdebugsession/action | Starts a Data Flow debug session. | +> | Microsoft.DataFactory/factories/addDataFlowToDebugSession/action | Add Data Flow to debug session for preview. | +> | Microsoft.DataFactory/factories/executeDataFlowDebugCommand/action | Execute Data Flow debug command. | +> | Microsoft.DataFactory/factories/deletedataflowdebugsession/action | Deletes a Data Flow debug session. | +> | Microsoft.DataFactory/factories/querydataflowdebugsessions/action | Queries a Data Flow debug session. | +> | Microsoft.DataFactory/factories/cancelpipelinerun/action | Cancels the pipeline run specified by the run ID. 
| +> | Microsoft.DataFactory/factories/cancelSandboxPipelineRun/action | Cancels a debug run for the Pipeline. | +> | Microsoft.DataFactory/factories/sandboxpipelineruns/action | Queries the Debug Pipeline Runs. | +> | Microsoft.DataFactory/factories/querytriggers/action | Queries the Triggers. | +> | Microsoft.DataFactory/factories/getFeatureValue/action | Get exposure control feature value for the specific location. | +> | Microsoft.DataFactory/factories/queryFeaturesValue/action | Get exposure control feature values for a list of features | +> | Microsoft.DataFactory/factories/getDataPlaneAccess/action | Gets access to ADF DataPlane service. | +> | Microsoft.DataFactory/factories/getGitHubAccessToken/action | Gets GitHub access token. | +> | Microsoft.DataFactory/factories/querytriggerruns/action | Queries the Trigger Runs. | +> | Microsoft.DataFactory/factories/querypipelineruns/action | Queries the Pipeline Runs. | +> | Microsoft.DataFactory/factories/querydebugpipelineruns/action | Queries the Debug Pipeline Runs. | +> | Microsoft.DataFactory/factories/adfcdcs/read | Reads ADF Change data capture. | +> | Microsoft.DataFactory/factories/adfcdcs/delete | Deletes ADF Change data capture. | +> | Microsoft.DataFactory/factories/adfcdcs/write | Create or update ADF Change data capture. | +> | Microsoft.DataFactory/factories/adflinkconnections/read | Reads ADF Link Connection. | +> | Microsoft.DataFactory/factories/adflinkconnections/delete | Deletes ADF Link Connection. | +> | Microsoft.DataFactory/factories/adflinkconnections/write | Create or update ADF Link Connection | +> | Microsoft.DataFactory/factories/credentials/read | Reads any Credential. | +> | Microsoft.DataFactory/factories/credentials/write | Writes any Credential. | +> | Microsoft.DataFactory/factories/credentials/delete | Deletes any Credential. | +> | Microsoft.DataFactory/factories/dataflows/read | Reads Data Flow. | +> | Microsoft.DataFactory/factories/dataflows/delete | Deletes Data Flow. 
| +> | Microsoft.DataFactory/factories/dataflows/write | Create or update Data Flow | +> | Microsoft.DataFactory/factories/dataMappers/read | Reads Data Mapping. | +> | Microsoft.DataFactory/factories/dataMappers/delete | Deletes Data Mapping. | +> | Microsoft.DataFactory/factories/dataMappers/write | Create or update Data Mapping | +> | Microsoft.DataFactory/factories/datasets/read | Reads any Dataset. | +> | Microsoft.DataFactory/factories/datasets/delete | Deletes any Dataset. | +> | Microsoft.DataFactory/factories/datasets/write | Creates or Updates any Dataset. | +> | Microsoft.DataFactory/factories/debugpipelineruns/cancel/action | Cancels a debug run for the Pipeline. | +> | Microsoft.DataFactory/factories/getDataPlaneAccess/read | Reads access to ADF DataPlane service. | +> | Microsoft.DataFactory/factories/getFeatureValue/read | Reads exposure control feature value for the specific location. | +> | Microsoft.DataFactory/factories/globalParameters/read | Reads GlobalParameter. | +> | Microsoft.DataFactory/factories/globalParameters/delete | Deletes GlobalParameter. | +> | Microsoft.DataFactory/factories/globalParameters/write | Create or Update GlobalParameter. | +> | Microsoft.DataFactory/factories/integrationruntimes/read | Reads any Integration Runtime. | +> | Microsoft.DataFactory/factories/integrationruntimes/write | Creates or Updates any Integration Runtime. | +> | Microsoft.DataFactory/factories/integrationruntimes/delete | Deletes any Integration Runtime. | +> | Microsoft.DataFactory/factories/integrationruntimes/start/action | Starts any Integration Runtime. | +> | Microsoft.DataFactory/factories/integrationruntimes/stop/action | Stops any Integration Runtime. | +> | Microsoft.DataFactory/factories/integrationruntimes/getconnectioninfo/action | Reads Integration Runtime Connection Info. | +> | Microsoft.DataFactory/factories/integrationruntimes/listauthkeys/action | Lists the Authentication Keys for any Integration Runtime. 
| +> | Microsoft.DataFactory/factories/integrationruntimes/synccredentials/action | Syncs the Credentials for the specified Integration Runtime. | +> | Microsoft.DataFactory/factories/integrationruntimes/upgrade/action | Upgrades the specified Integration Runtime. | +> | Microsoft.DataFactory/factories/integrationruntimes/createexpressshirinstalllink/action | Create express install link for self hosted Integration Runtime. | +> | Microsoft.DataFactory/factories/integrationruntimes/regenerateauthkey/action | Regenerates the Authentication Keys for the specified Integration Runtime. | +> | Microsoft.DataFactory/factories/integrationruntimes/removelinks/action | Removes Linked Integration Runtime References from the specified Integration Runtime. | +> | Microsoft.DataFactory/factories/integrationruntimes/linkedIntegrationRuntime/action | Create Linked Integration Runtime Reference on the Specified Shared Integration Runtime. | +> | Microsoft.DataFactory/factories/integrationruntimes/getObjectMetadata/action | Get SSIS Integration Runtime metadata for the specified Integration Runtime. | +> | Microsoft.DataFactory/factories/integrationruntimes/refreshObjectMetadata/action | Refresh SSIS Integration Runtime metadata for the specified Integration Runtime. | +> | Microsoft.DataFactory/factories/integrationruntimes/enableInteractiveQuery/action | Enable interactive authoring session. | +> | Microsoft.DataFactory/factories/integrationruntimes/disableInteractiveQuery/action | Disable interactive authoring session. | +> | Microsoft.DataFactory/factories/integrationruntimes/getstatus/read | Reads Integration Runtime Status. | +> | Microsoft.DataFactory/factories/integrationruntimes/monitoringdata/read | Gets the Monitoring Data for any Integration Runtime. | +> | Microsoft.DataFactory/factories/integrationruntimes/nodes/read | Reads the Node for the specified Integration Runtime. 
| +> | Microsoft.DataFactory/factories/integrationruntimes/nodes/delete | Deletes the Node for the specified Integration Runtime. | +> | Microsoft.DataFactory/factories/integrationruntimes/nodes/write | Updates a self-hosted Integration Runtime Node. | +> | Microsoft.DataFactory/factories/integrationruntimes/nodes/ipAddress/action | Returns the IP Address for the specified node of the Integration Runtime. | +> | Microsoft.DataFactory/factories/integrationruntimes/outboundNetworkDependenciesEndpoints/read | Get Azure-SSIS Integration Runtime outbound network dependency endpoints for the specified Integration Runtime. | +> | Microsoft.DataFactory/factories/linkedServices/read | Reads Linked Service. | +> | Microsoft.DataFactory/factories/linkedServices/delete | Deletes Linked Service. | +> | Microsoft.DataFactory/factories/linkedServices/write | Create or Update Linked Service | +> | Microsoft.DataFactory/factories/managedVirtualNetworks/read | Read Managed Virtual Network. | +> | Microsoft.DataFactory/factories/managedVirtualNetworks/write | Create or Update Managed Virtual Network. | +> | Microsoft.DataFactory/factories/managedVirtualNetworks/managedPrivateEndpoints/read | Read Managed Private Endpoint. | +> | Microsoft.DataFactory/factories/managedVirtualNetworks/managedPrivateEndpoints/write | Create or Update Managed Private Endpoint. | +> | Microsoft.DataFactory/factories/managedVirtualNetworks/managedPrivateEndpoints/delete | Delete Managed Private Endpoint. | +> | Microsoft.DataFactory/factories/operationResults/read | Gets operation results. | +> | Microsoft.DataFactory/factories/pipelineruns/read | Reads the Pipeline Runs. | +> | Microsoft.DataFactory/factories/pipelineruns/cancel/action | Cancels the pipeline run specified by the run ID. | +> | Microsoft.DataFactory/factories/pipelineruns/queryactivityruns/action | Queries the activity runs for the specified pipeline run ID. 
| +> | Microsoft.DataFactory/factories/pipelineruns/activityruns/read | Reads the activity runs for the specified pipeline run ID. | +> | Microsoft.DataFactory/factories/pipelineruns/queryactivityruns/read | Reads the result of query activity runs for the specified pipeline run ID. | +> | Microsoft.DataFactory/factories/pipelines/read | Reads Pipeline. | +> | Microsoft.DataFactory/factories/pipelines/delete | Deletes Pipeline. | +> | Microsoft.DataFactory/factories/pipelines/write | Create or Update Pipeline | +> | Microsoft.DataFactory/factories/pipelines/createrun/action | Creates a run for the Pipeline. | +> | Microsoft.DataFactory/factories/pipelines/sandbox/action | Creates a debug run environment for the Pipeline. | +> | Microsoft.DataFactory/factories/pipelines/pipelineruns/read | Reads the Pipeline Run. | +> | Microsoft.DataFactory/factories/pipelines/pipelineruns/activityruns/progress/read | Gets the Progress of Activity Runs. | +> | Microsoft.DataFactory/factories/pipelines/sandbox/create/action | Creates a debug run environment for the Pipeline. | +> | Microsoft.DataFactory/factories/pipelines/sandbox/run/action | Creates a debug run for the Pipeline. | +> | Microsoft.DataFactory/factories/privateEndpointConnectionProxies/read | Read Private Endpoint Connection Proxy. | +> | Microsoft.DataFactory/factories/privateEndpointConnectionProxies/write | Create or Update private Endpoint Connection Proxy. | +> | Microsoft.DataFactory/factories/privateEndpointConnectionProxies/delete | Delete Private Endpoint Connection Proxy. | +> | Microsoft.DataFactory/factories/privateEndpointConnectionProxies/validate/action | Validate a Private Endpoint Connection Proxy. | +> | Microsoft.DataFactory/factories/privateEndpointConnectionProxies/operationresults/read | Read the results of creating a Private Endpoint Connection Proxy. 
| +> | Microsoft.DataFactory/factories/privateEndpointConnectionProxies/operationstatuses/read | Read the status of creating a Private Endpoint Connection Proxy. | +> | Microsoft.DataFactory/factories/privateEndpointConnections/read | Read Private Endpoint Connection. | +> | Microsoft.DataFactory/factories/privateEndpointConnections/write | Create or Update Private Endpoint Connection. | +> | Microsoft.DataFactory/factories/privateEndpointConnections/delete | Delete Private Endpoint Connection. | +> | Microsoft.DataFactory/factories/privateLinkResources/read | Read Private Link Resource. | +> | Microsoft.DataFactory/factories/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.DataFactory/factories/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.DataFactory/factories/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for factories | +> | Microsoft.DataFactory/factories/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for factories | +> | Microsoft.DataFactory/factories/queryFeaturesValue/read | Reads exposure control feature values for a list of features. | +> | Microsoft.DataFactory/factories/querypipelineruns/read | Reads the Result of Query Pipeline Runs. | +> | Microsoft.DataFactory/factories/querytriggerruns/read | Reads the Result of Trigger Runs. | +> | Microsoft.DataFactory/factories/sandboxpipelineruns/read | Gets the debug run info for the Pipeline. | +> | Microsoft.DataFactory/factories/sandboxpipelineruns/sandboxActivityRuns/read | Gets the debug run info for the Activity. | +> | Microsoft.DataFactory/factories/sessions/write | Writes any Session. | +> | Microsoft.DataFactory/factories/triggerruns/read | Reads the Trigger Runs. | +> | Microsoft.DataFactory/factories/triggers/read | Reads any Trigger. 
| +> | Microsoft.DataFactory/factories/triggers/write | Creates or Updates any Trigger. | +> | Microsoft.DataFactory/factories/triggers/delete | Deletes any Trigger. | +> | Microsoft.DataFactory/factories/triggers/subscribetoevents/action | Subscribe to Events. | +> | Microsoft.DataFactory/factories/triggers/geteventsubscriptionstatus/action | Event Subscription Status. | +> | Microsoft.DataFactory/factories/triggers/unsubscribefromevents/action | Unsubscribe from Events. | +> | Microsoft.DataFactory/factories/triggers/querysubscriptionevents/action | Query subscription events. | +> | Microsoft.DataFactory/factories/triggers/deletequeuedsubscriptionevents/action | Delete queued subscription events. | +> | Microsoft.DataFactory/factories/triggers/start/action | Starts any Trigger. | +> | Microsoft.DataFactory/factories/triggers/stop/action | Stops any Trigger. | +> | Microsoft.DataFactory/factories/triggers/triggerruns/read | Reads the Trigger Runs. | +> | Microsoft.DataFactory/factories/triggers/triggerruns/cancel/action | Cancel the Trigger Run with the given trigger run id. | +> | Microsoft.DataFactory/factories/triggers/triggerruns/rerun/action | Rerun the Trigger Run with the given trigger run id. | +> | Microsoft.DataFactory/locations/configureFactoryRepo/action | Configures the repository for the factory. | +> | Microsoft.DataFactory/locations/getFeatureValue/action | Get exposure control feature value for the specific location. | +> | Microsoft.DataFactory/locations/getFeatureValue/read | Reads exposure control feature value for the specific location. | +> | Microsoft.DataFactory/operations/read | Reads all Operations in Microsoft Data Factory Provider. | +> | **DataAction** | **Description** | +> | Microsoft.DataFactory/factories/credentials/useSecrets/action | Uses any Credential Secret. 
| ++## Microsoft.DataMigration ++Azure service: [Azure Database Migration Service](/azure/dms/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.DataMigration/register/action | Registers the subscription with the Azure Database Migration Service provider | +> | Microsoft.DataMigration/databaseMigrations/write | Create or Update Database Migration resource | +> | Microsoft.DataMigration/databaseMigrations/delete | Delete Database Migration resource | +> | Microsoft.DataMigration/databaseMigrations/read | Retrieve the Database Migration resource | +> | Microsoft.DataMigration/databaseMigrations/cancel/action | Stop ongoing migration for the database | +> | Microsoft.DataMigration/databaseMigrations/cutover/action | Cutover online migration operation for the database | +> | Microsoft.DataMigration/locations/migrationServiceOperationResults/read | Retrieve Service Operation Results | +> | Microsoft.DataMigration/locations/operationResults/read | Get the status of a long-running operation related to a 202 Accepted response | +> | Microsoft.DataMigration/locations/operationStatuses/read | Get the status of a long-running operation related to a 202 Accepted response | +> | Microsoft.DataMigration/locations/sqlMigrationServiceOperationResults/read | Retrieve Service Operation Results | +> | Microsoft.DataMigration/migrationServices/write | Create a new or change properties of existing Service | +> | Microsoft.DataMigration/migrationServices/delete | Delete existing Service | +> | Microsoft.DataMigration/migrationServices/read | Retrieve details of Migration Service | +> | Microsoft.DataMigration/migrationServices/read | Retrieve details of Migration Services in a Resource Group | +> | Microsoft.DataMigration/migrationServices/read | Retrieve all services in the Subscription | +> | Microsoft.DataMigration/migrationServices/listMigrations/read | | +> | Microsoft.DataMigration/operations/read | Get all REST Operations | +> | 
Microsoft.DataMigration/services/read | Read information about resources | +> | Microsoft.DataMigration/services/write | Create or update resources and their properties | +> | Microsoft.DataMigration/services/delete | Deletes a resource and all of its children | +> | Microsoft.DataMigration/services/stop/action | Stop the Azure Database Migration Service to minimize its cost | +> | Microsoft.DataMigration/services/start/action | Start the Azure Database Migration Service to allow it to process migrations again | +> | Microsoft.DataMigration/services/checkStatus/action | Check whether the service is deployed and running | +> | Microsoft.DataMigration/services/configureWorker/action | Configures an Azure Database Migration Service worker to the Service's availiable workers | +> | Microsoft.DataMigration/services/addWorker/action | Adds an Azure Database Migration Service worker to the Service's availiable workers | +> | Microsoft.DataMigration/services/removeWorker/action | Removes an Azure Database Migration Service worker to the Service's availiable workers | +> | Microsoft.DataMigration/services/updateAgentConfig/action | Updates Azure Database Migration Service agent configuration with provided values. | +> | Microsoft.DataMigration/services/getHybridDownloadLink/action | Gets an Azure Database Migration Service worker package download link from RP Blob Storage. 
| +> | Microsoft.DataMigration/services/projects/read | Read information about resources | +> | Microsoft.DataMigration/services/projects/write | Run tasks Azure Database Migration Service tasks | +> | Microsoft.DataMigration/services/projects/delete | Deletes a resource and all of its children | +> | Microsoft.DataMigration/services/projects/accessArtifacts/action | Generate a URL that can be used to GET or PUT project artifacts | +> | Microsoft.DataMigration/services/projects/tasks/read | Read information about resources | +> | Microsoft.DataMigration/services/projects/tasks/write | Run tasks Azure Database Migration Service tasks | +> | Microsoft.DataMigration/services/projects/tasks/delete | Deletes a resource and all of its children | +> | Microsoft.DataMigration/services/projects/tasks/cancel/action | Cancel the task if it's currently running | +> | Microsoft.DataMigration/services/serviceTasks/read | Read information about resources | +> | Microsoft.DataMigration/services/serviceTasks/write | Run tasks Azure Database Migration Service tasks | +> | Microsoft.DataMigration/services/serviceTasks/delete | Deletes a resource and all of its children | +> | Microsoft.DataMigration/services/serviceTasks/cancel/action | Cancel the task if it's currently running | +> | Microsoft.DataMigration/services/slots/read | Read information about resources | +> | Microsoft.DataMigration/services/slots/write | Create or update resources and their properties | +> | Microsoft.DataMigration/services/slots/delete | Deletes a resource and all of its children | +> | Microsoft.DataMigration/skus/read | Get a list of SKUs supported by Azure Database Migration Service resources. 
| +> | Microsoft.DataMigration/sqlMigrationServices/write | Create a new or change properties of existing Service | +> | Microsoft.DataMigration/sqlMigrationServices/delete | Delete existing Service | +> | Microsoft.DataMigration/sqlMigrationServices/read | Retrieve details of Migration Service | +> | Microsoft.DataMigration/sqlMigrationServices/read | Retrieve details of Migration Services in a Resource Group | +> | Microsoft.DataMigration/sqlMigrationServices/listAuthKeys/action | Retrieve the List of Authentication Keys | +> | Microsoft.DataMigration/sqlMigrationServices/regenerateAuthKeys/action | Regenerate the Authentication Keys | +> | Microsoft.DataMigration/sqlMigrationServices/deleteNode/action | | +> | Microsoft.DataMigration/sqlMigrationServices/listMonitoringData/action | Retrieve the Monitoring Data | +> | Microsoft.DataMigration/sqlMigrationServices/validateIR/action | | +> | Microsoft.DataMigration/sqlMigrationServices/read | Retrieve all services in the Subscription | +> | Microsoft.DataMigration/sqlMigrationServices/listMigrations/read | | +> | Microsoft.DataMigration/sqlMigrationServices/MonitoringData/read | Retrieve the Monitoring Data | +> | Microsoft.DataMigration/sqlMigrationServices/tasks/write | Create or Update Migration Service task | +> | Microsoft.DataMigration/sqlMigrationServices/tasks/delete | | +> | Microsoft.DataMigration/sqlMigrationServices/tasks/read | Get Migration Service task details | ++## Microsoft.DBforMariaDB ++Azure service: [Azure Database for MariaDB](/azure/mariadb/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.DBforMariaDB/privateEndpointConnectionsApproval/action | Determines if user is allowed to approve a private endpoint connection | +> | Microsoft.DBforMariaDB/register/action | Register MariaDB Resource Provider | +> | Microsoft.DBforMariaDB/checkNameAvailability/action | Verify whether given server name is available for provisioning worldwide for a given subscription. 
| +> | Microsoft.DBforMariaDB/locations/administratorAzureAsyncOperation/read | Gets in-progress operations on MariaDB server administrators | +> | Microsoft.DBforMariaDB/locations/administratorOperationResults/read | Return MariaDB Server administrator operation results | +> | Microsoft.DBforMariaDB/locations/azureAsyncOperation/read | Return MariaDB Server Operation Results | +> | Microsoft.DBforMariaDB/locations/operationResults/read | Return ResourceGroup based MariaDB Server Operation Results | +> | Microsoft.DBforMariaDB/locations/operationResults/read | Return MariaDB Server Operation Results | +> | Microsoft.DBforMariaDB/locations/performanceTiers/read | Returns the list of Performance Tiers available. | +> | Microsoft.DBforMariaDB/locations/privateEndpointConnectionAzureAsyncOperation/read | Gets the result for a private endpoint connection operation | +> | Microsoft.DBforMariaDB/locations/privateEndpointConnectionOperationResults/read | Gets the result for a private endpoint connection operation | +> | Microsoft.DBforMariaDB/locations/privateEndpointConnectionProxyAzureAsyncOperation/read | Gets the result for a private endpoint connection proxy operation | +> | Microsoft.DBforMariaDB/locations/privateEndpointConnectionProxyOperationResults/read | Gets the result for a private endpoint connection proxy operation | +> | Microsoft.DBforMariaDB/locations/securityAlertPoliciesAzureAsyncOperation/read | Return the list of Server threat detection operation result. | +> | Microsoft.DBforMariaDB/locations/securityAlertPoliciesOperationResults/read | Return the list of Server threat detection operation result. 
| +> | Microsoft.DBforMariaDB/locations/serverKeyAzureAsyncOperation/read | Gets in-progress operations on data encryption server keys | +> | Microsoft.DBforMariaDB/locations/serverKeyOperationResults/read | Gets in-progress operations on transparent data encryption server keys | +> | Microsoft.DBforMariaDB/operations/read | Return the list of MariaDB Operations. | +> | Microsoft.DBforMariaDB/performanceTiers/read | Returns the list of Performance Tiers available. | +> | Microsoft.DBforMariaDB/servers/start/action | Starts a specific server. | +> | Microsoft.DBforMariaDB/servers/stop/action | Stops a specific server. | +> | Microsoft.DBforMariaDB/servers/resetQueryPerformanceInsightData/action | Reset Query Performance Insight data | +> | Microsoft.DBforMariaDB/servers/queryTexts/action | Return the texts for a list of queries | +> | Microsoft.DBforMariaDB/servers/queryTexts/action | Return the text of a query | +> | Microsoft.DBforMariaDB/servers/privateEndpointConnectionsApproval/action | Determines if user is allowed to approve a private endpoint connection | +> | Microsoft.DBforMariaDB/servers/read | Return the list of servers or gets the properties for the specified server. | +> | Microsoft.DBforMariaDB/servers/write | Creates a server with the specified parameters or update the properties or tags for the specified server. | +> | Microsoft.DBforMariaDB/servers/delete | Deletes an existing server. | +> | Microsoft.DBforMariaDB/servers/restart/action | Restarts a specific server. | +> | Microsoft.DBforMariaDB/servers/updateConfigurations/action | Update configurations for the specified server | +> | Microsoft.DBforMariaDB/servers/administrators/read | Gets a list of MariaDB server administrators. | +> | Microsoft.DBforMariaDB/servers/administrators/write | Creates or updates MariaDB server administrator with the specified parameters. | +> | Microsoft.DBforMariaDB/servers/administrators/delete | Deletes an existing administrator of MariaDB server. 
| +> | Microsoft.DBforMariaDB/servers/advisors/read | Return the list of advisors | +> | Microsoft.DBforMariaDB/servers/advisors/read | Return an advisor | +> | Microsoft.DBforMariaDB/servers/advisors/createRecommendedActionSession/action | Create a new recommendation action session | +> | Microsoft.DBforMariaDB/servers/advisors/recommendedActions/read | Return the list of recommended actions | +> | Microsoft.DBforMariaDB/servers/advisors/recommendedActions/read | Return a recommended action | +> | Microsoft.DBforMariaDB/servers/configurations/read | Return the list of configurations for a server or gets the properties for the specified configuration. | +> | Microsoft.DBforMariaDB/servers/configurations/write | Update the value for the specified configuration | +> | Microsoft.DBforMariaDB/servers/databases/read | Return the list of MariaDB Databases or gets the properties for the specified Database. | +> | Microsoft.DBforMariaDB/servers/databases/write | Creates a MariaDB Database with the specified parameters or update the properties for the specified Database. | +> | Microsoft.DBforMariaDB/servers/databases/delete | Deletes an existing MariaDB Database. | +> | Microsoft.DBforMariaDB/servers/firewallRules/read | Return the list of firewall rules for a server or gets the properties for the specified firewall rule. | +> | Microsoft.DBforMariaDB/servers/firewallRules/write | Creates a firewall rule with the specified parameters or update an existing rule. | +> | Microsoft.DBforMariaDB/servers/firewallRules/delete | Deletes an existing firewall rule. | +> | Microsoft.DBforMariaDB/servers/keys/read | Return the list of server keys or gets the properties for the specified server key. | +> | Microsoft.DBforMariaDB/servers/keys/write | Creates a key with the specified parameters or update the properties or tags for the specified server key. | +> | Microsoft.DBforMariaDB/servers/keys/delete | Deletes an existing server key. 
| +> | Microsoft.DBforMariaDB/servers/logFiles/read | Return the list of MariaDB LogFiles. | +> | Microsoft.DBforMariaDB/servers/performanceTiers/read | Returns the list of Performance Tiers available. | +> | Microsoft.DBforMariaDB/servers/privateEndpointConnectionProxies/validate/action | Validates a private endpoint connection create call from NRP side | +> | Microsoft.DBforMariaDB/servers/privateEndpointConnectionProxies/read | Returns the list of private endpoint connection proxies or gets the properties for the specified private endpoint connection proxy. | +> | Microsoft.DBforMariaDB/servers/privateEndpointConnectionProxies/write | Creates a private endpoint connection proxy with the specified parameters or updates the properties or tags for the specified private endpoint connection proxy. | +> | Microsoft.DBforMariaDB/servers/privateEndpointConnectionProxies/delete | Deletes an existing private endpoint connection proxy | +> | Microsoft.DBforMariaDB/servers/privateEndpointConnections/read | Returns the list of private endpoint connections or gets the properties for the specified private endpoint connection. 
| +> | Microsoft.DBforMariaDB/servers/privateEndpointConnections/delete | Deletes an existing private endpoint connection | +> | Microsoft.DBforMariaDB/servers/privateEndpointConnections/write | Approves or rejects an existing private endpoint connection | +> | Microsoft.DBforMariaDB/servers/privateLinkResources/read | Get the private link resources for the corresponding MariaDB Server | +> | Microsoft.DBforMariaDB/servers/providers/Microsoft.Insights/diagnosticSettings/read | Gets the disagnostic setting for the resource | +> | Microsoft.DBforMariaDB/servers/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.DBforMariaDB/servers/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for MariaDB servers | +> | Microsoft.DBforMariaDB/servers/providers/Microsoft.Insights/metricDefinitions/read | Return types of metrics that are available for databases | +> | Microsoft.DBforMariaDB/servers/recoverableServers/read | Return the recoverable MariaDB Server info | +> | Microsoft.DBforMariaDB/servers/replicas/read | Get read replicas of a MariaDB server | +> | Microsoft.DBforMariaDB/servers/securityAlertPolicies/read | Retrieve details of the server threat detection policy configured on a given server | +> | Microsoft.DBforMariaDB/servers/securityAlertPolicies/write | Change the server threat detection policy for a given server | +> | Microsoft.DBforMariaDB/servers/securityAlertPolicies/read | Retrieve a list of server threat detection policies configured for a given server | +> | Microsoft.DBforMariaDB/servers/topQueryStatistics/read | Return the list of Query Statistics for the top queries. | +> | Microsoft.DBforMariaDB/servers/topQueryStatistics/read | Return a Query Statistic | +> | Microsoft.DBforMariaDB/servers/virtualNetworkRules/read | Return the list of virtual network rules or gets the properties for the specified virtual network rule. 
| +> | Microsoft.DBforMariaDB/servers/virtualNetworkRules/write | Creates a virtual network rule with the specified parameters or update the properties or tags for the specified virtual network rule. | +> | Microsoft.DBforMariaDB/servers/virtualNetworkRules/delete | Deletes an existing Virtual Network Rule | +> | Microsoft.DBforMariaDB/servers/waitStatistics/read | Return wait statistics for an instance | +> | Microsoft.DBforMariaDB/servers/waitStatistics/read | Return a wait statistic | ++## Microsoft.DBforMySQL ++Azure service: [Azure Database for MySQL](/azure/mysql/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.DBforMySQL/getPrivateDnsZoneSuffix/action | Gets the private dns zone suffix. | +> | Microsoft.DBforMySQL/privateEndpointConnectionsApproval/action | Determines if user is allowed to approve a private endpoint connection | +> | Microsoft.DBforMySQL/register/action | Register MySQL Resource Provider | +> | Microsoft.DBforMySQL/checkNameAvailability/action | Verify whether given server name is available for provisioning worldwide for a given subscription. | +> | Microsoft.DBforMySQL/flexibleServers/resetGtid/action | | +> | Microsoft.DBforMySQL/flexibleServers/read | Returns the list of servers or gets the properties for the specified server. | +> | Microsoft.DBforMySQL/flexibleServers/write | Creates a server with the specified parameters or updates the properties or tags for the specified server. | +> | Microsoft.DBforMySQL/flexibleServers/delete | Deletes an existing server. | +> | Microsoft.DBforMySQL/flexibleServers/checkServerVersionUpgradeAvailability/action | | +> | Microsoft.DBforMySQL/flexibleServers/backupAndExport/action | Creates a server backup for long term with specific backup name and export it. | +> | Microsoft.DBforMySQL/flexibleServers/validateBackup/action | Validate that the server is ready for backup. 
| +> | Microsoft.DBforMySQL/flexibleServers/checkHaReplica/action | | +> | Microsoft.DBforMySQL/flexibleServers/updateConfigurations/action | Updates configurations for the specified server. | +> | Microsoft.DBforMySQL/flexibleServers/cutoverMigration/action | Performs a migration cutover with the specified parameters. | +> | Microsoft.DBforMySQL/flexibleServers/failover/action | Failovers a specific server. | +> | Microsoft.DBforMySQL/flexibleServers/restart/action | Restarts a specific server. | +> | Microsoft.DBforMySQL/flexibleServers/start/action | Starts a specific server. | +> | Microsoft.DBforMySQL/flexibleServers/stop/action | Stops a specific server. | +> | Microsoft.DBforMySQL/flexibleServers/administrators/read | Returns the list of administrators for a server or gets the properties for the specified administrator | +> | Microsoft.DBforMySQL/flexibleServers/administrators/write | Creates an administrator with the specified parameters or updates an existing administrator | +> | Microsoft.DBforMySQL/flexibleServers/administrators/delete | Deletes an existing server administrator. | +> | Microsoft.DBforMySQL/flexibleServers/advancedThreatProtectionSettings/read | Returns the list of Advanced Threat Protection settings for a server or gets the properties for the specified Advanced Threat Protection setting. | +> | Microsoft.DBforMySQL/flexibleServers/advancedThreatProtectionSettings/write | Update the server's advanced threat protection setting. | +> | Microsoft.DBforMySQL/flexibleServers/backups/write | Creates a server backup with specific backup name. | +> | Microsoft.DBforMySQL/flexibleServers/backups/read | Returns the list of backups for a server or gets the properties for the specified backup. | +> | Microsoft.DBforMySQL/flexibleServers/configurations/read | Returns the list of MySQL server configurations or gets the configurations for the specified server. 
| +> | Microsoft.DBforMySQL/flexibleServers/configurations/write | Updates the configuration of a MySQL server. | +> | Microsoft.DBforMySQL/flexibleServers/databases/read | Returns the list of databases for a server or gets the properties for the specified database. | +> | Microsoft.DBforMySQL/flexibleServers/databases/write | Creates a database with the specified parameters or updates an existing database. | +> | Microsoft.DBforMySQL/flexibleServers/databases/delete | Deletes an existing database. | +> | Microsoft.DBforMySQL/flexibleServers/firewallRules/write | Creates a firewall rule with the specified parameters or updates an existing rule. | +> | Microsoft.DBforMySQL/flexibleServers/firewallRules/read | Returns the list of firewall rules for a server or gets the properties for the specified firewall rule. | +> | Microsoft.DBforMySQL/flexibleServers/firewallRules/delete | Deletes an existing firewall rule. | +> | Microsoft.DBforMySQL/flexibleServers/logFiles/read | Return a list of server log files for a server with file download links | +> | Microsoft.DBforMySQL/flexibleServers/maintenances/read | | +> | Microsoft.DBforMySQL/flexibleServers/maintenances/write | | +> | Microsoft.DBforMySQL/flexibleServers/outboundIp/read | Get the outbound ip of server | +> | Microsoft.DBforMySQL/flexibleServers/privateEndpointConnectionProxies/read | Returns the list of private endpoint connection proxies or gets the properties for the specified private endpoint connection proxy. | +> | Microsoft.DBforMySQL/flexibleServers/privateEndpointConnectionProxies/delete | Deletes an existing private endpoint connection proxy | +> | Microsoft.DBforMySQL/flexibleServers/privateEndpointConnectionProxies/write | Creates a private endpoint connection proxy with the specified parameters or updates the properties or tags for the specified private endpoint connection proxy. 
| +> | Microsoft.DBforMySQL/flexibleServers/privateEndpointConnectionProxies/validate/action | Validates a private endpoint connection create call from NRP side | +> | Microsoft.DBforMySQL/flexibleServers/privateEndpointConnections/read | Returns the list of private endpoint connections or gets the properties for the specified private endpoint connection. | +> | Microsoft.DBforMySQL/flexibleServers/privateEndpointConnections/read | | +> | Microsoft.DBforMySQL/flexibleServers/privateEndpointConnections/delete | Deletes an existing private endpoint connection | +> | Microsoft.DBforMySQL/flexibleServers/privateEndpointConnections/write | Approves or rejects an existing private endpoint connection | +> | Microsoft.DBforMySQL/flexibleServers/privateLinkResources/read | | +> | Microsoft.DBforMySQL/flexibleServers/privateLinkResources/read | Get the private link resources for the corresponding MySQL Server | +> | Microsoft.DBforMySQL/flexibleServers/providers/Microsoft.Insights/diagnosticSettings/read | Gets the disagnostic setting for the resource | +> | Microsoft.DBforMySQL/flexibleServers/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.DBforMySQL/flexibleServers/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for MySQL servers | +> | Microsoft.DBforMySQL/flexibleServers/providers/Microsoft.Insights/metricDefinitions/read | Return types of metrics that are available for databases | +> | Microsoft.DBforMySQL/flexibleServers/replicas/read | Returns the list of read replicas for a MySQL server | +> | Microsoft.DBforMySQL/locations/checkVirtualNetworkSubnetUsage/action | Checks the subnet usage for speicifed delegated virtual network. | +> | Microsoft.DBforMySQL/locations/checkNameAvailability/action | Verify whether given server name is available for provisioning worldwide for a given subscription. 
| +> | Microsoft.DBforMySQL/locations/listMigrations/action | Return the List of MySQL scheduled auto migrations | +> | Microsoft.DBforMySQL/locations/assessForMigration/action | Performs a migration assessment with the specified parameters. | +> | Microsoft.DBforMySQL/locations/updateMigration/action | Updates the scheduled migration for MySQL Server | +> | Microsoft.DBforMySQL/locations/administratorAzureAsyncOperation/read | Gets in-progress operations on MySQL server administrators | +> | Microsoft.DBforMySQL/locations/administratorOperationResults/read | Return MySQL Server administrator operation results | +> | Microsoft.DBforMySQL/locations/azureAsyncOperation/read | Return MySQL Server Operation Results | +> | Microsoft.DBforMySQL/locations/capabilities/read | Gets the capabilities for this subscription in a given location | +> | Microsoft.DBforMySQL/locations/capabilitySets/read | | +> | Microsoft.DBforMySQL/locations/operationResults/read | Return ResourceGroup based MySQL Server Operation Results | +> | Microsoft.DBforMySQL/locations/operationResults/read | Return MySQL Server Operation Results | +> | Microsoft.DBforMySQL/locations/performanceTiers/read | Returns the list of Performance Tiers available. | +> | Microsoft.DBforMySQL/locations/privateEndpointConnectionAzureAsyncOperation/read | Gets the result for a private endpoint connection operation | +> | Microsoft.DBforMySQL/locations/privateEndpointConnectionOperationResults/read | Gets the result for a private endpoint connection operation | +> | Microsoft.DBforMySQL/locations/privateEndpointConnectionProxyAzureAsyncOperation/read | Gets the result for a private endpoint connection proxy operation | +> | Microsoft.DBforMySQL/locations/privateEndpointConnectionProxyOperationResults/read | Gets the result for a private endpoint connection proxy operation | +> | Microsoft.DBforMySQL/locations/securityAlertPoliciesAzureAsyncOperation/read | Return the list of Server threat detection operation result. 
| +> | Microsoft.DBforMySQL/locations/securityAlertPoliciesOperationResults/read | Return the list of Server threat detection operation result. | +> | Microsoft.DBforMySQL/locations/serverKeyAzureAsyncOperation/read | Gets in-progress operations on transparent data encryption server keys | +> | Microsoft.DBforMySQL/locations/serverKeyOperationResults/read | Gets in-progress operations on data encryption server keys | +> | Microsoft.DBforMySQL/operations/read | Return the list of MySQL Operations. | +> | Microsoft.DBforMySQL/performanceTiers/read | Returns the list of Performance Tiers available. | +> | Microsoft.DBforMySQL/servers/upgrade/action | | +> | Microsoft.DBforMySQL/servers/start/action | Starts a specific server. | +> | Microsoft.DBforMySQL/servers/stop/action | Stops a specific server. | +> | Microsoft.DBforMySQL/servers/privateEndpointConnectionsApproval/action | Determines if user is allowed to approve a private endpoint connection | +> | Microsoft.DBforMySQL/servers/resetQueryPerformanceInsightData/action | Reset Query Performance Insight data | +> | Microsoft.DBforMySQL/servers/queryTexts/action | Return the texts for a list of queries | +> | Microsoft.DBforMySQL/servers/queryTexts/action | Return the text of a query | +> | Microsoft.DBforMySQL/servers/read | Return the list of servers or gets the properties for the specified server. | +> | Microsoft.DBforMySQL/servers/write | Creates a server with the specified parameters or update the properties or tags for the specified server. | +> | Microsoft.DBforMySQL/servers/delete | Deletes an existing server. | +> | Microsoft.DBforMySQL/servers/restart/action | Restarts a specific server. | +> | Microsoft.DBforMySQL/servers/updateConfigurations/action | Update configurations for the specified server | +> | Microsoft.DBforMySQL/servers/administrators/read | Gets a list of MySQL server administrators. 
| +> | Microsoft.DBforMySQL/servers/administrators/write | Creates or updates MySQL server administrator with the specified parameters. | +> | Microsoft.DBforMySQL/servers/administrators/delete | Deletes an existing administrator of MySQL server. | +> | Microsoft.DBforMySQL/servers/advisors/read | Return the list of advisors | +> | Microsoft.DBforMySQL/servers/advisors/read | Return an advisor | +> | Microsoft.DBforMySQL/servers/advisors/createRecommendedActionSession/action | Create a new recommendation action session | +> | Microsoft.DBforMySQL/servers/advisors/recommendedActions/read | Return the list of recommended actions | +> | Microsoft.DBforMySQL/servers/advisors/recommendedActions/read | Return a recommended action | +> | Microsoft.DBforMySQL/servers/configurations/read | Return the list of configurations for a server or gets the properties for the specified configuration. | +> | Microsoft.DBforMySQL/servers/configurations/write | Update the value for the specified configuration | +> | Microsoft.DBforMySQL/servers/databases/read | Return the list of MySQL Databases or gets the properties for the specified Database. | +> | Microsoft.DBforMySQL/servers/databases/write | Creates a MySQL Database with the specified parameters or update the properties for the specified Database. | +> | Microsoft.DBforMySQL/servers/databases/delete | Deletes an existing MySQL Database. | +> | Microsoft.DBforMySQL/servers/exports/write | | +> | Microsoft.DBforMySQL/servers/exports/read | | +> | Microsoft.DBforMySQL/servers/firewallRules/read | Return the list of firewall rules for a server or gets the properties for the specified firewall rule. | +> | Microsoft.DBforMySQL/servers/firewallRules/write | Creates a firewall rule with the specified parameters or update an existing rule. | +> | Microsoft.DBforMySQL/servers/firewallRules/delete | Deletes an existing firewall rule. 
| +> | Microsoft.DBforMySQL/servers/keys/read | Return the list of server keys or gets the properties for the specified server key. | +> | Microsoft.DBforMySQL/servers/keys/write | Creates a key with the specified parameters or update the properties or tags for the specified server key. | +> | Microsoft.DBforMySQL/servers/keys/delete | Deletes an existing server key. | +> | Microsoft.DBforMySQL/servers/logFiles/read | Return the list of MySQL LogFiles. | +> | Microsoft.DBforMySQL/servers/performanceTiers/read | Returns the list of Performance Tiers available. | +> | Microsoft.DBforMySQL/servers/privateEndpointConnectionProxies/validate/action | Validates a private endpoint connection create call from NRP side | +> | Microsoft.DBforMySQL/servers/privateEndpointConnectionProxies/read | Returns the list of private endpoint connection proxies or gets the properties for the specified private endpoint connection proxy. | +> | Microsoft.DBforMySQL/servers/privateEndpointConnectionProxies/write | Creates a private endpoint connection proxy with the specified parameters or updates the properties or tags for the specified private endpoint connection proxy. | +> | Microsoft.DBforMySQL/servers/privateEndpointConnectionProxies/delete | Deletes an existing private endpoint connection proxy | +> | Microsoft.DBforMySQL/servers/privateEndpointConnections/read | Returns the list of private endpoint connections or gets the properties for the specified private endpoint connection. 
| +> | Microsoft.DBforMySQL/servers/privateEndpointConnections/delete | Deletes an existing private endpoint connection | +> | Microsoft.DBforMySQL/servers/privateEndpointConnections/write | Approves or rejects an existing private endpoint connection | +> | Microsoft.DBforMySQL/servers/privateLinkResources/read | Get the private link resources for the corresponding MySQL Server | +> | Microsoft.DBforMySQL/servers/providers/Microsoft.Insights/diagnosticSettings/read | Gets the disagnostic setting for the resource | +> | Microsoft.DBforMySQL/servers/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.DBforMySQL/servers/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for MySQL servers | +> | Microsoft.DBforMySQL/servers/providers/Microsoft.Insights/metricDefinitions/read | Return types of metrics that are available for databases | +> | Microsoft.DBforMySQL/servers/recoverableServers/read | Return the recoverable MySQL Server info | +> | Microsoft.DBforMySQL/servers/replicas/read | Get read replicas of a MySQL server | +> | Microsoft.DBforMySQL/servers/securityAlertPolicies/read | Retrieve details of the server threat detection policy configured on a given server | +> | Microsoft.DBforMySQL/servers/securityAlertPolicies/write | Change the server threat detection policy for a given server | +> | Microsoft.DBforMySQL/servers/securityAlertPolicies/read | Retrieve a list of server threat detection policies configured for a given server | +> | Microsoft.DBforMySQL/servers/topQueryStatistics/read | Return the list of Query Statistics for the top queries. | +> | Microsoft.DBforMySQL/servers/topQueryStatistics/read | Return a Query Statistic | +> | Microsoft.DBforMySQL/servers/virtualNetworkRules/read | Return the list of virtual network rules or gets the properties for the specified virtual network rule. 
| +> | Microsoft.DBforMySQL/servers/virtualNetworkRules/write | Creates a virtual network rule with the specified parameters or update the properties or tags for the specified virtual network rule. | +> | Microsoft.DBforMySQL/servers/virtualNetworkRules/delete | Deletes an existing Virtual Network Rule | +> | Microsoft.DBforMySQL/servers/waitStatistics/read | Return wait statistics for an instance | +> | Microsoft.DBforMySQL/servers/waitStatistics/read | Return a wait statistic | ++## Microsoft.DBforPostgreSQL ++Azure service: [Azure Database for PostgreSQL](/azure/postgresql/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.DBforPostgreSQL/assessForMigration/action | Performs a migration assessment with the specified parameters | +> | Microsoft.DBforPostgreSQL/privateEndpointConnectionsApproval/action | Determines if user is allowed to approve a private endpoint connection | +> | Microsoft.DBforPostgreSQL/register/action | Register PostgreSQL Resource Provider | +> | Microsoft.DBforPostgreSQL/checkNameAvailability/action | Verify whether given server name is available for provisioning worldwide for a given subscription. | +> | Microsoft.DBforPostgreSQL/flexibleServers/read | Return the list of servers or gets the properties for the specified server. | +> | Microsoft.DBforPostgreSQL/flexibleServers/write | Creates a server with the specified parameters or update the properties or tags for the specified server. | +> | Microsoft.DBforPostgreSQL/flexibleServers/delete | Deletes an existing server. | +> | Microsoft.DBforPostgreSQL/flexibleServers/waitStatistics/action | | +> | Microsoft.DBforPostgreSQL/flexibleServers/resetQueryPerformanceInsightData/action | | +> | Microsoft.DBforPostgreSQL/flexibleServers/checkMigrationNameAvailability/action | Checks the availability of the given migration name. 
| +> | Microsoft.DBforPostgreSQL/flexibleServers/administrators/action | Creates a server administrator with the specified parameters or update the properties or tags for the specified server administrator. | +> | Microsoft.DBforPostgreSQL/flexibleServers/restart/action | Restarts an existing server | +> | Microsoft.DBforPostgreSQL/flexibleServers/start/action | Starts an existing server | +> | Microsoft.DBforPostgreSQL/flexibleServers/stop/action | Stops an existing server | +> | Microsoft.DBforPostgreSQL/flexibleServers/getSourceDatabaseList/action | | +> | Microsoft.DBforPostgreSQL/flexibleServers/testConnectivity/action | | +> | Microsoft.DBforPostgreSQL/flexibleServers/startLtrBackup/action | Start long term backup for a server | +> | Microsoft.DBforPostgreSQL/flexibleServers/ltrPreBackup/action | Checks if a server is ready for a long term backup | +> | Microsoft.DBforPostgreSQL/flexibleServers/administrators/read | Return the list of server administrators or gets the properties for the specified server administrator. | +> | Microsoft.DBforPostgreSQL/flexibleServers/administrators/delete | Deletes an existing PostgreSQL server administrator. | +> | Microsoft.DBforPostgreSQL/flexibleServers/administrators/write | Creates a server administrator with the specified parameters or update the properties or tags for the specified server administrator. | +> | Microsoft.DBforPostgreSQL/flexibleServers/advancedThreatProtectionSettings/read | Returns the list of Advanced Threat Protection or gets the properties for the specified Advanced Threat Protection. 
| +> | Microsoft.DBforPostgreSQL/flexibleServers/advancedThreatProtectionSettings/write | Enables/Disables Azure Database for PostgreSQL Flexible Server Advanced Threat Protection | +> | Microsoft.DBforPostgreSQL/flexibleServers/advisors/read | | +> | Microsoft.DBforPostgreSQL/flexibleServers/advisors/recommendedActions/read | | +> | Microsoft.DBforPostgreSQL/flexibleServers/backups/read | | +> | Microsoft.DBforPostgreSQL/flexibleServers/capabilities/read | Gets the capabilities for this subscription in a given location | +> | Microsoft.DBforPostgreSQL/flexibleServers/configurations/read | Returns the list of PostgreSQL server configurations or gets the configurations for the specified server. | +> | Microsoft.DBforPostgreSQL/flexibleServers/configurations/write | Updates the configuration of a PostgreSQL server. | +> | Microsoft.DBforPostgreSQL/flexibleServers/databases/read | Returns the list of PostgreSQL server databases or gets the database for the specified server. | +> | Microsoft.DBforPostgreSQL/flexibleServers/databases/write | Creates or Updates the database of a PostgreSQL server. | +> | Microsoft.DBforPostgreSQL/flexibleServers/databases/delete | Delete the database of a PostgreSQL server | +> | Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/write | Creates a firewall rule with the specified parameters or update an existing rule. | +> | Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/read | Return the list of firewall rules for a server or gets the properties for the specified firewall rule. | +> | Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/delete | Deletes an existing firewall rule. | +> | Microsoft.DBforPostgreSQL/flexibleServers/logFiles/read | Return a list of server log Files for a PostgreSQL Flexible server with File download links | +> | Microsoft.DBforPostgreSQL/flexibleServers/ltrBackupOperations/read | Returns the PostgreSQL server long term backup operation tracking by backup name. 
| +> | Microsoft.DBforPostgreSQL/flexibleServers/ltrBackupOperations/read | Returns the list of PostgreSQL server long term backup operation tracking. | +> | Microsoft.DBforPostgreSQL/flexibleServers/migrations/write | Creates a migration with the specified parameters. | +> | Microsoft.DBforPostgreSQL/flexibleServers/migrations/read | Gets the properties for the specified migration workflow. | +> | Microsoft.DBforPostgreSQL/flexibleServers/migrations/read | List of migration workflows for the specified database server. | +> | Microsoft.DBforPostgreSQL/flexibleServers/migrations/write | Update the properties for the specified migration. | +> | Microsoft.DBforPostgreSQL/flexibleServers/migrations/delete | Deletes an existing migration workflow. | +> | Microsoft.DBforPostgreSQL/flexibleServers/privateEndpointConnectionProxies/read | Returns the list of private endpoint connection proxies or gets the properties for the specified private endpoint connection proxy. | +> | Microsoft.DBforPostgreSQL/flexibleServers/privateEndpointConnectionProxies/delete | Deletes an existing private endpoint connection proxy resource. | +> | Microsoft.DBforPostgreSQL/flexibleServers/privateEndpointConnectionProxies/write | Creates a private endpoint connection proxy with the specified parameters or updates the properties or tags for the specified private endpoint connection proxy | +> | Microsoft.DBforPostgreSQL/flexibleServers/privateEndpointConnectionProxies/validate/action | Validates a private endpoint connection create call from NRP side | +> | Microsoft.DBforPostgreSQL/flexibleServers/privateEndpointConnections/read | Returns the list of private endpoint connections or gets the properties for the specified private endpoint connection. 
| +> | Microsoft.DBforPostgreSQL/flexibleServers/privateEndpointConnections/read | | +> | Microsoft.DBforPostgreSQL/flexibleServers/privateEndpointConnections/delete | Deletes an existing private endpoint connection | +> | Microsoft.DBforPostgreSQL/flexibleServers/privateEndpointConnections/write | Approves or rejects an existing private endpoint connection | +> | Microsoft.DBforPostgreSQL/flexibleServers/privateLinkResources/read | Return a list containing private link resource or gets the specified private link resource. | +> | Microsoft.DBforPostgreSQL/flexibleServers/providers/Microsoft.Insights/diagnosticSettings/read | Gets the disagnostic setting for the resource | +> | Microsoft.DBforPostgreSQL/flexibleServers/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.DBforPostgreSQL/flexibleServers/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for PostgreSQL servers | +> | Microsoft.DBforPostgreSQL/flexibleServers/providers/Microsoft.Insights/metricDefinitions/read | Return types of metrics that are available for databases | +> | Microsoft.DBforPostgreSQL/flexibleServers/queryStatistics/read | | +> | Microsoft.DBforPostgreSQL/flexibleServers/queryTexts/read | | +> | Microsoft.DBforPostgreSQL/flexibleServers/replicas/read | | +> | Microsoft.DBforPostgreSQL/flexibleServers/topQueryStatistics/read | | +> | Microsoft.DBforPostgreSQL/flexibleServers/virtualendpoints/write | Creates or Updates VirtualEndpoint | +> | Microsoft.DBforPostgreSQL/flexibleServers/virtualendpoints/write | Patches the VirtualEndpoint. 
Currently patch does a full replace | +> | Microsoft.DBforPostgreSQL/flexibleServers/virtualendpoints/delete | Deletes the VirtualEndpoint | +> | Microsoft.DBforPostgreSQL/flexibleServers/virtualendpoints/read | Gets the VirtualEndpoint details | +> | Microsoft.DBforPostgreSQL/flexibleServers/virtualendpoints/read | Lists the VirtualEndpoints | +> | Microsoft.DBforPostgreSQL/locations/administratorAzureAsyncOperation/read | Gets in-progress operations on PostgreSQL server administrators | +> | Microsoft.DBforPostgreSQL/locations/administratorOperationResults/read | Return PostgreSQL Server administrator operation results | +> | Microsoft.DBforPostgreSQL/locations/azureAsyncOperation/read | Return PostgreSQL Server Operation Results | +> | Microsoft.DBforPostgreSQL/locations/capabilities/read | Gets the capabilities for this subscription in a given location | +> | Microsoft.DBforPostgreSQL/locations/capabilities/{serverName}/read | Gets the capabilities for this subscription in a given location | +> | Microsoft.DBforPostgreSQL/locations/operationResults/read | Return ResourceGroup based PostgreSQL Server Operation Results | +> | Microsoft.DBforPostgreSQL/locations/operationResults/read | Return PostgreSQL Server Operation Results | +> | Microsoft.DBforPostgreSQL/locations/performanceTiers/read | Returns the list of Performance Tiers available. 
| +> | Microsoft.DBforPostgreSQL/locations/privateEndpointConnectionAzureAsyncOperation/read | Gets the result for a private endpoint connection operation | +> | Microsoft.DBforPostgreSQL/locations/privateEndpointConnectionOperationResults/read | Gets the result for a private endpoint connection operation | +> | Microsoft.DBforPostgreSQL/locations/privateEndpointConnectionProxyAzureAsyncOperation/read | Gets the result for a private endpoint connection proxy operation | +> | Microsoft.DBforPostgreSQL/locations/privateEndpointConnectionProxyOperationResults/read | Gets the result for a private endpoint connection proxy operation | +> | Microsoft.DBforPostgreSQL/locations/securityAlertPoliciesAzureAsyncOperation/read | Return the list of Server threat detection operation result. | +> | Microsoft.DBforPostgreSQL/locations/securityAlertPoliciesOperationResults/read | Return the list of Server threat detection operation result. | +> | Microsoft.DBforPostgreSQL/locations/serverKeyAzureAsyncOperation/read | Gets in-progress operations on data encryption server keys | +> | Microsoft.DBforPostgreSQL/locations/serverKeyOperationResults/read | Gets in-progress operations on data encryption server keys | +> | Microsoft.DBforPostgreSQL/operations/read | Return the list of PostgreSQL Operations. | +> | Microsoft.DBforPostgreSQL/performanceTiers/read | Returns the list of Performance Tiers available. 
| +> | Microsoft.DBforPostgreSQL/serverGroupsv2/privateEndpointConnectionsApproval/action | Determines if user is allowed to approve a private endpoint connection for PostgreSQL SGv2 | +> | Microsoft.DBforPostgreSQL/serverGroupsv2/privateEndpointConnectionProxies/read | Returns the list of private endpoint connections or gets the properties for the specified private endpoint connection via proxy | +> | Microsoft.DBforPostgreSQL/serverGroupsv2/privateEndpointConnectionProxies/write | Creates a private endpoint connection with the specified parameters or updates the properties or tags for the specified private endpoint connection via proxy | +> | Microsoft.DBforPostgreSQL/serverGroupsv2/privateEndpointConnectionProxies/delete | Deletes an existing private endpoint connection via proxy | +> | Microsoft.DBforPostgreSQL/serverGroupsv2/privateEndpointConnectionProxies/validate/action | Validates a private endpoint connection creation by NRP | +> | Microsoft.DBforPostgreSQL/serverGroupsv2/privateEndpointConnections/read | Returns the list of private endpoint connections or gets the properties for the specified private endpoint connection | +> | Microsoft.DBforPostgreSQL/serverGroupsv2/privateEndpointConnections/write | Approves or rejects an existing private endpoint connection | +> | Microsoft.DBforPostgreSQL/serverGroupsv2/privateEndpointConnections/delete | Deletes an existing private endpoint connection | +> | Microsoft.DBforPostgreSQL/serverGroupsv2/privateLinkResources/read | Get the private link resources for the corresponding PostgreSQL SGv2 | +> | Microsoft.DBforPostgreSQL/servers/queryTexts/action | Return the text of a query | +> | Microsoft.DBforPostgreSQL/servers/resetQueryPerformanceInsightData/action | Reset Query Performance Insight data | +> | Microsoft.DBforPostgreSQL/servers/privateEndpointConnectionsApproval/action | Determines if user is allowed to approve a private endpoint connection | +> | Microsoft.DBforPostgreSQL/servers/read | Return the list of 
servers or gets the properties for the specified server. | +> | Microsoft.DBforPostgreSQL/servers/write | Creates a server with the specified parameters or update the properties or tags for the specified server. | +> | Microsoft.DBforPostgreSQL/servers/delete | Deletes an existing server. | +> | Microsoft.DBforPostgreSQL/servers/restart/action | Restarts a specific server. | +> | Microsoft.DBforPostgreSQL/servers/updateConfigurations/action | Update configurations for the specified server | +> | Microsoft.DBforPostgreSQL/servers/administrators/read | Gets a list of PostgreSQL server administrators. | +> | Microsoft.DBforPostgreSQL/servers/administrators/write | Creates or updates PostgreSQL server administrator with the specified parameters. | +> | Microsoft.DBforPostgreSQL/servers/administrators/delete | Deletes an existing administrator of PostgreSQL server. | +> | Microsoft.DBforPostgreSQL/servers/advisors/read | Return the list of advisors | +> | Microsoft.DBforPostgreSQL/servers/advisors/recommendedActionSessions/action | Make recommendations | +> | Microsoft.DBforPostgreSQL/servers/advisors/recommendedActions/read | Return the list of recommended actions | +> | Microsoft.DBforPostgreSQL/servers/configurations/read | Return the list of configurations for a server or gets the properties for the specified configuration. | +> | Microsoft.DBforPostgreSQL/servers/configurations/write | Update the value for the specified configuration | +> | Microsoft.DBforPostgreSQL/servers/databases/read | Return the list of PostgreSQL Databases or gets the properties for the specified Database. | +> | Microsoft.DBforPostgreSQL/servers/databases/write | Creates a PostgreSQL Database with the specified parameters or update the properties for the specified Database. | +> | Microsoft.DBforPostgreSQL/servers/databases/delete | Deletes an existing PostgreSQL Database. 
| +> | Microsoft.DBforPostgreSQL/servers/firewallRules/read | Return the list of firewall rules for a server or gets the properties for the specified firewall rule. | +> | Microsoft.DBforPostgreSQL/servers/firewallRules/write | Creates a firewall rule with the specified parameters or update an existing rule. | +> | Microsoft.DBforPostgreSQL/servers/firewallRules/delete | Deletes an existing firewall rule. | +> | Microsoft.DBforPostgreSQL/servers/keys/read | Return the list of server keys or gets the properties for the specified server key. | +> | Microsoft.DBforPostgreSQL/servers/keys/write | Creates a key with the specified parameters or update the properties or tags for the specified server key. | +> | Microsoft.DBforPostgreSQL/servers/keys/delete | Deletes an existing server key. | +> | Microsoft.DBforPostgreSQL/servers/logFiles/read | Return the list of PostgreSQL LogFiles. | +> | Microsoft.DBforPostgreSQL/servers/performanceTiers/read | Returns the list of Performance Tiers available. | +> | Microsoft.DBforPostgreSQL/servers/privateEndpointConnectionProxies/validate/action | Validates a private endpoint connection create call from NRP side | +> | Microsoft.DBforPostgreSQL/servers/privateEndpointConnectionProxies/read | Returns the list of private endpoint connection proxies or gets the properties for the specified private endpoint connection proxy. | +> | Microsoft.DBforPostgreSQL/servers/privateEndpointConnectionProxies/write | Creates a private endpoint connection proxy with the specified parameters or updates the properties or tags for the specified private endpoint connection proxy. | +> | Microsoft.DBforPostgreSQL/servers/privateEndpointConnectionProxies/delete | Deletes an existing private endpoint connection proxy | +> | Microsoft.DBforPostgreSQL/servers/privateEndpointConnections/read | Returns the list of private endpoint connections or gets the properties for the specified private endpoint connection. 
| +> | Microsoft.DBforPostgreSQL/servers/privateEndpointConnections/delete | Deletes an existing private endpoint connection | +> | Microsoft.DBforPostgreSQL/servers/privateEndpointConnections/write | Approves or rejects an existing private endpoint connection | +> | Microsoft.DBforPostgreSQL/servers/privateLinkResources/read | Get the private link resources for the corresponding PostgreSQL Server | +> | Microsoft.DBforPostgreSQL/servers/providers/Microsoft.Insights/diagnosticSettings/read | Gets the disagnostic setting for the resource | +> | Microsoft.DBforPostgreSQL/servers/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.DBforPostgreSQL/servers/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for PostgreSQL servers | +> | Microsoft.DBforPostgreSQL/servers/providers/Microsoft.Insights/metricDefinitions/read | Return types of metrics that are available for databases | +> | Microsoft.DBforPostgreSQL/servers/queryTexts/read | Return the texts for a list of queries | +> | Microsoft.DBforPostgreSQL/servers/recoverableServers/read | Return the recoverable PostgreSQL Server info | +> | Microsoft.DBforPostgreSQL/servers/replicas/read | Get read replicas of a PostgreSQL server | +> | Microsoft.DBforPostgreSQL/servers/securityAlertPolicies/read | Retrieve details of the server threat detection policy configured on a given server | +> | Microsoft.DBforPostgreSQL/servers/securityAlertPolicies/write | Change the server threat detection policy for a given server | +> | Microsoft.DBforPostgreSQL/servers/topQueryStatistics/read | Return the list of Query Statistics for the top queries. | +> | Microsoft.DBforPostgreSQL/servers/virtualNetworkRules/read | Return the list of virtual network rules or gets the properties for the specified virtual network rule. 
| +> | Microsoft.DBforPostgreSQL/servers/virtualNetworkRules/write | Creates a virtual network rule with the specified parameters or update the properties or tags for the specified virtual network rule. | +> | Microsoft.DBforPostgreSQL/servers/virtualNetworkRules/delete | Deletes an existing Virtual Network Rule | +> | Microsoft.DBforPostgreSQL/servers/waitStatistics/read | Return wait statistics for an instance | +> | Microsoft.DBforPostgreSQL/serversv2/read | Return the list of servers or gets the properties for the specified server. | +> | Microsoft.DBforPostgreSQL/serversv2/write | Creates a server with the specified parameters or update the properties or tags for the specified server. | +> | Microsoft.DBforPostgreSQL/serversv2/delete | Deletes an existing server. | +> | Microsoft.DBforPostgreSQL/serversv2/updateConfigurations/action | Update configurations for the specified server | +> | Microsoft.DBforPostgreSQL/serversv2/configurations/read | Return the list of configurations for a server or gets the properties for the specified configuration. | +> | Microsoft.DBforPostgreSQL/serversv2/configurations/write | Update the value for the specified configuration | +> | Microsoft.DBforPostgreSQL/serversv2/firewallRules/read | Return the list of firewall rules for a server or gets the properties for the specified firewall rule. | +> | Microsoft.DBforPostgreSQL/serversv2/firewallRules/write | Creates a firewall rule with the specified parameters or update an existing rule. | +> | Microsoft.DBforPostgreSQL/serversv2/firewallRules/delete | Deletes an existing firewall rule. 
| +> | Microsoft.DBforPostgreSQL/serversv2/providers/Microsoft.Insights/diagnosticSettings/read | Gets the disagnostic setting for the resource | +> | Microsoft.DBforPostgreSQL/serversv2/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.DBforPostgreSQL/serversv2/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for PostgreSQL servers | +> | Microsoft.DBforPostgreSQL/serversv2/providers/Microsoft.Insights/metricDefinitions/read | Return types of metrics that are available for databases | ++## Microsoft.DocumentDB ++Azure service: [Azure Cosmos DB](/azure/cosmos-db/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.DocumentDB/register/action | Register the Microsoft DocumentDB resource provider for the subscription | +> | Microsoft.DocumentDB/cassandraClusters/read | Read a managed Cassandra cluster or list all managed Cassandra clusters | +> | Microsoft.DocumentDB/cassandraClusters/write | Create or update a managed Cassandra cluster | +> | Microsoft.DocumentDB/cassandraClusters/delete | Delete a managed Cassandra cluster | +> | Microsoft.DocumentDB/cassandraClusters/repair/action | Request a repair of a managed Cassandra keyspace | +> | Microsoft.DocumentDB/cassandraClusters/fetchNodeStatus/action | Asynchronously fetch node status of all nodes in a managed Cassandra cluster | +> | Microsoft.DocumentDB/cassandraClusters/dataCenters/read | Read a data center in a managed Cassandra cluster or list all data centers in a managed Cassandra cluster | +> | Microsoft.DocumentDB/cassandraClusters/dataCenters/write | Create or update a data center in a managed Cassandra cluster | +> | Microsoft.DocumentDB/cassandraClusters/dataCenters/delete | Delete a data center in a managed Cassandra cluster | +> | Microsoft.DocumentDB/databaseAccountNames/read | Checks for name availability. 
| +> | Microsoft.DocumentDB/databaseAccounts/read | Reads a database account. | +> | Microsoft.DocumentDB/databaseAccounts/write | Update a database accounts. | +> | Microsoft.DocumentDB/databaseAccounts/listKeys/action | List keys of a database account | +> | Microsoft.DocumentDB/databaseAccounts/readonlykeys/action | Reads the database account readonly keys. | +> | Microsoft.DocumentDB/databaseAccounts/regenerateKey/action | Rotate keys of a database account | +> | Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action | Get the connection strings for a database account | +> | Microsoft.DocumentDB/databaseAccounts/changeResourceGroup/action | Change resource group of a database account | +> | Microsoft.DocumentDB/databaseAccounts/failoverPriorityChange/action | Change failover priorities of regions of a database account. This is used to perform manual failover operation | +> | Microsoft.DocumentDB/databaseAccounts/offlineRegion/action | Offline a region of a database account. | +> | Microsoft.DocumentDB/databaseAccounts/onlineRegion/action | Online a region of a database account. | +> | Microsoft.DocumentDB/databaseAccounts/refreshDelegatedResourceIdentity/action | Update existing delegate resources on database account. | +> | Microsoft.DocumentDB/databaseAccounts/delete | Deletes the database accounts. | +> | Microsoft.DocumentDB/databaseAccounts/getBackupPolicy/action | Get the backup policy of database account | +> | Microsoft.DocumentDB/databaseAccounts/PrivateEndpointConnectionsApproval/action | Manage a private endpoint connection of Database Account | +> | Microsoft.DocumentDB/databaseAccounts/joinPerimeter/action | Joins a database account to a Network Security Perimeter | +> | Microsoft.DocumentDB/databaseAccounts/restore/action | Submit a restore request | +> | Microsoft.DocumentDB/databaseAccounts/backup/action | Submit a request to configure backup | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/write | (Deprecated. 
Please use resource paths without '/apis/' segment) Create a database. Only applicable to API types: 'sql', 'mongodb', 'gremlin'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/read | (Deprecated. Please use resource paths without '/apis/' segment) Read a database or list all the databases. Only applicable to API types: 'sql', 'mongodb', 'gremlin'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/delete | (Deprecated. Please use resource paths without '/apis/' segment) Delete a database. Only applicable to API types: 'sql', 'mongodb', 'gremlin'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/collections/write | (Deprecated. Please use resource paths without '/apis/' segment) Create or update a collection. Only applicable to API types: 'mongodb'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/collections/read | (Deprecated. Please use resource paths without '/apis/' segment) Read a collection or list all the collections. Only applicable to API types: 'mongodb'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/collections/delete | (Deprecated. Please use resource paths without '/apis/' segment) Delete a collection. Only applicable to API types: 'mongodb'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/collections/operationResults/read | (Deprecated. Please use resource paths without '/apis/' segment) Read status of the asynchronous operation. Only applicable to API types: 'mongodb'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/collections/settings/write | (Deprecated. Please use resource paths without '/apis/' segment) Update a collection throughput. Only applicable to API types: 'mongodb'. Only applicable for setting types: 'throughput'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/collections/settings/read | (Deprecated. Please use resource paths without '/apis/' segment) Read a collection throughput. Only applicable to API types: 'mongodb'. 
Only applicable for setting types: 'throughput'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/collections/settings/operationResults/read | (Deprecated. Please use resource paths without '/apis/' segment) Read status of the asynchronous operation. Only applicable to API types: 'mongodb'. Only applicable for setting types: 'throughput'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/containers/write | (Deprecated. Please use resource paths without '/apis/' segment) Create or update a container. Only applicable to API types: 'sql'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/containers/read | (Deprecated. Please use resource paths without '/apis/' segment) Read a container or list all the containers. Only applicable to API types: 'sql'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/containers/delete | (Deprecated. Please use resource paths without '/apis/' segment) Delete a container. Only applicable to API types: 'sql'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/containers/operationResults/read | (Deprecated. Please use resource paths without '/apis/' segment) Read status of the asynchronous operation. Only applicable to API types: 'sql'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/containers/settings/write | (Deprecated. Please use resource paths without '/apis/' segment) Update a container throughput. Only applicable to API types: 'sql'. Only applicable for setting types: 'throughput'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/containers/settings/read | (Deprecated. Please use resource paths without '/apis/' segment) Read a container throughput. Only applicable to API types: 'sql'. Only applicable for setting types: 'throughput'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/containers/settings/operationResults/read | (Deprecated. Please use resource paths without '/apis/' segment) Read status of the asynchronous operation. 
Only applicable to API types: 'sql'. Only applicable for setting types: 'throughput'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/graphs/write | (Deprecated. Please use resource paths without '/apis/' segment) Create or update a graph. Only applicable to API types: 'gremlin'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/graphs/read | (Deprecated. Please use resource paths without '/apis/' segment) Read a graph or list all the graphs. Only applicable to API types: 'gremlin'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/graphs/delete | (Deprecated. Please use resource paths without '/apis/' segment) Delete a graph. Only applicable to API types: 'gremlin'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/graphs/operationResults/read | (Deprecated. Please use resource paths without '/apis/' segment) Read status of the asynchronous operation. Only applicable to API types: 'gremlin'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/graphs/settings/write | (Deprecated. Please use resource paths without '/apis/' segment) Update a graph throughput. Only applicable to API types: 'gremlin'. Only applicable for setting types: 'throughput'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/graphs/settings/read | (Deprecated. Please use resource paths without '/apis/' segment) Read a graph throughput. Only applicable to API types: 'gremlin'. Only applicable for setting types: 'throughput'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/graphs/settings/operationResults/read | (Deprecated. Please use resource paths without '/apis/' segment) Read status of the asynchronous operation. Only applicable to API types: 'gremlin'. Only applicable for setting types: 'throughput'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/operationResults/read | (Deprecated. Please use resource paths without '/apis/' segment) Read status of the asynchronous operation. 
Only applicable to API types: 'sql', 'mongodb', 'gremlin'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/settings/write | (Deprecated. Please use resource paths without '/apis/' segment) Update a database throughput. Only applicable to API types: 'sql', 'mongodb', 'gremlin'. Only applicable for setting types: 'throughput'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/settings/read | (Deprecated. Please use resource paths without '/apis/' segment) Read a database throughput. Only applicable to API types: 'sql', 'mongodb', 'gremlin'. Only applicable for setting types: 'throughput'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/databases/settings/operationResults/read | (Deprecated. Please use resource paths without '/apis/' segment) Read status of the asynchronous operation. Only applicable to API types: 'sql', 'mongodb', 'gremlin'. Only applicable for setting types: 'throughput'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/keyspaces/write | (Deprecated. Please use resource paths without '/apis/' segment) Create a keyspace. Only applicable to API types: 'cassandra'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/keyspaces/read | (Deprecated. Please use resource paths without '/apis/' segment) Read a keyspace or list all the keyspaces. Only applicable to API types: 'cassandra'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/keyspaces/delete | (Deprecated. Please use resource paths without '/apis/' segment) Delete a keyspace. Only applicable to API types: 'cassandra'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/keyspaces/operationResults/read | (Deprecated. Please use resource paths without '/apis/' segment) Read status of the asynchronous operation. Only applicable to API types: 'cassandra'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/keyspaces/settings/write | (Deprecated. Please use resource paths without '/apis/' segment) Update a keyspace throughput. Only applicable to API types: 'cassandra'. 
Only applicable for setting types: 'throughput'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/keyspaces/settings/read | (Deprecated. Please use resource paths without '/apis/' segment) Read a keyspace throughput. Only applicable to API types: 'cassandra'. Only applicable for setting types: 'throughput'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/keyspaces/settings/operationResults/read | (Deprecated. Please use resource paths without '/apis/' segment) Read status of the asynchronous operation. Only applicable to API types: 'cassandra'. Only applicable for setting types: 'throughput'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/keyspaces/tables/write | (Deprecated. Please use resource paths without '/apis/' segment) Create or update a table. Only applicable to API types: 'cassandra'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/keyspaces/tables/read | (Deprecated. Please use resource paths without '/apis/' segment) Read a table or list all the tables. Only applicable to API types: 'cassandra'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/keyspaces/tables/delete | (Deprecated. Please use resource paths without '/apis/' segment) Delete a table. Only applicable to API types: 'cassandra'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/keyspaces/tables/operationResults/read | (Deprecated. Please use resource paths without '/apis/' segment) Read status of the asynchronous operation. Only applicable to API types: 'cassandra'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/keyspaces/tables/settings/write | (Deprecated. Please use resource paths without '/apis/' segment) Update a table throughput. Only applicable to API types: 'cassandra'. Only applicable for setting types: 'throughput'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/keyspaces/tables/settings/read | (Deprecated. Please use resource paths without '/apis/' segment) Read a table throughput. Only applicable to API types: 'cassandra'. 
Only applicable for setting types: 'throughput'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/keyspaces/tables/settings/operationResults/read | (Deprecated. Please use resource paths without '/apis/' segment) Read status of the asynchronous operation. Only applicable to API types: 'cassandra'. Only applicable for setting types: 'throughput'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/tables/write | (Deprecated. Please use resource paths without '/apis/' segment) Create or update a table. Only applicable to API types: 'table'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/tables/read | (Deprecated. Please use resource paths without '/apis/' segment) Read a table or list all the tables. Only applicable to API types: 'table'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/tables/delete | (Deprecated. Please use resource paths without '/apis/' segment) Delete a table. Only applicable to API types: 'table'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/tables/operationResults/read | (Deprecated. Please use resource paths without '/apis/' segment) Read status of the asynchronous operation. Only applicable to API types: 'table'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/tables/settings/write | (Deprecated. Please use resource paths without '/apis/' segment) Update a table throughput. Only applicable to API types: 'table'. Only applicable for setting types: 'throughput'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/tables/settings/read | (Deprecated. Please use resource paths without '/apis/' segment) Read a table throughput. Only applicable to API types: 'table'. Only applicable for setting types: 'throughput'. | +> | Microsoft.DocumentDB/databaseAccounts/apis/tables/settings/operationResults/read | (Deprecated. Please use resource paths without '/apis/' segment) Read status of the asynchronous operation. Only applicable to API types: 'table'. Only applicable for setting types: 'throughput'. 
| +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/write | Create a Cassandra keyspace. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/read | Read a Cassandra keyspace or list all the Cassandra keyspaces. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/delete | Delete a Cassandra keyspace. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/write | Create or update a Cassandra table. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/read | Read a Cassandra table or list all the Cassandra tables. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/delete | Delete a Cassandra table. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/write | Update a Cassandra table throughput. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/read | Read a Cassandra table throughput. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/migrateToAutoscale/action | Migrate Cassandra table offer to autoscale. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/migrateToManualThroughput/action | Migrate Cassandra table offer to manual throughput. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/migrateToAutoscale/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/migrateToManualThroughput/operationResults/read | Read status of the asynchronous operation. 
| +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/write | Update a Cassandra keyspace throughput. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/read | Read a Cassandra keyspace throughput. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/migrateToAutoscale/action | Migrate Cassandra keyspace offer to autoscale. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/migrateToManualThroughput/action | Migrate Cassandra keyspace offer to manual throughput. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/migrateToAutoscale/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/migrateToManualThroughput/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/views/write | Create or update a Cassandra view. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/views/read | Read a Cassandra table or list all the Cassandra views. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/views/delete | Delete a Cassandra view. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/views/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/views/throughputSettings/write | Update a Cassandra view throughput. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/views/throughputSettings/read | Read a Cassandra view throughput. 
| +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/views/throughputSettings/migrateToAutoscale/action | Migrate Cassandra view offer to autoscale. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/views/throughputSettings/migrateToManualThroughput/action | Migrate Cassandra view offer to manual throughput. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/views/throughputSettings/migrateToAutoscale/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/views/throughputSettings/migrateToManualThroughput/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/views/throughputSettings/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/databases/collections/metricDefinitions/read | Reads the collection metric definitions. | +> | Microsoft.DocumentDB/databaseAccounts/databases/collections/metrics/read | Reads the collection metrics. | +> | Microsoft.DocumentDB/databaseAccounts/databases/collections/partitionKeyRangeId/metrics/read | Read database account partition key level metrics | +> | Microsoft.DocumentDB/databaseAccounts/databases/collections/partitions/read | Read database account partitions in a collection | +> | Microsoft.DocumentDB/databaseAccounts/databases/collections/partitions/metrics/read | Read database account partition level metrics | +> | Microsoft.DocumentDB/databaseAccounts/databases/collections/partitions/usages/read | Read database account partition level usages | +> | Microsoft.DocumentDB/databaseAccounts/databases/collections/usages/read | Reads the collection usages. | +> | Microsoft.DocumentDB/databaseAccounts/databases/metricDefinitions/read | Reads the database metric definitions | +> | Microsoft.DocumentDB/databaseAccounts/databases/metrics/read | Reads the database metrics. 
| +> | Microsoft.DocumentDB/databaseAccounts/databases/usages/read | Reads the database usages. | +> | Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/read | Read container copy job or List all container copy jobs in a database account | +> | Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/write | Create container copy job in a database account | +> | Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/pause/action | Pause a container copy job in a database account | +> | Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/resume/action | Resume container copy job in a database account | +> | Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/cancel/action | Cancel container copy job in a database account | +> | Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/complete/action | Complete an online container copy job in a database account | +> | Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/write | Create a Gremlin database. | +> | Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/read | Read a Gremlin database or list all the Gremlin databases. | +> | Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/delete | Delete a Gremlin database. | +> | Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/write | Create or update a Gremlin graph. | +> | Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/read | Read a Gremlin graph or list all the Gremlin graphs. | +> | Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/delete | Delete a Gremlin graph. | +> | Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/write | Update a Gremlin graph throughput. | +> | Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/read | Read a Gremlin graph throughput. 
| +> | Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/migrateToAutoscale/action | Migrate Gremlin graph offer to autoscale. | +> | Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/migrateToManualThroughput/action | Migrate Gremlin graph offer to manual throughput. | +> | Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/migrateToAutoscale/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/migrateToManualThroughput/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/write | Update a Gremlin database throughput. | +> | Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/read | Read a Gremlin database throughput. | +> | Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/migrateToAutoscale/action | Migrate Gremlin Database offer to autoscale. | +> | Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/migrateToManualThroughput/action | Migrate Gremlin Database offer to manual throughput. | +> | Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/migrateToAutoscale/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/migrateToManualThroughput/operationResults/read | Read status of the asynchronous operation. 
| +> | Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/metricDefinitions/read | Reads the database account metrics definitions. | +> | Microsoft.DocumentDB/databaseAccounts/metrics/read | Reads the database account metrics. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/write | Create a MongoDB database. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/read | Read a MongoDB database or list all the MongoDB databases. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/delete | Delete a MongoDB database. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/write | Create or update a MongoDB collection. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/read | Read a MongoDB collection or list all the MongoDB collections. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/delete | Delete a MongoDB collection. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/partitionMerge/action | Merge the physical partitions of a MongoDB collection | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/partitionMerge/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/write | Update a MongoDB collection throughput. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/read | Read a MongoDB collection throughput. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/migrateToAutoscale/action | Migrate MongoDB collection offer to autoscale. 
| +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/migrateToManualThroughput/action | Migrate MongoDB collection offer to manual throughput. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/redistributeThroughput/action | Redistribute throughput for the specified physical partitions of the MongoDB collection. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/retrieveThroughputDistribution/action | Retrieve throughput for the specified physical partitions of the MongoDB collection. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/migrateToAutoscale/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/migrateToManualThroughput/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/write | Update a MongoDB database throughput. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/read | Read a MongoDB database throughput. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/migrateToAutoscale/action | Migrate MongoDB database offer to autoscale. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/migrateToManualThroughput/action | Migrate MongoDB database offer to manual throughput. 
| +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/redistributeThroughput/action | Redistribute throughput for the specified physical partitions of the MongoDB database. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/retrieveThroughputDistribution/action | Retrieve throughput for the specified physical partitions of the MongoDB database. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/migrateToAutoscale/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/migrateToManualThroughput/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/read | Read a MongoDB Role Definition | +> | Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write | Create or update a Mongo Role Definition | +> | Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete | Delete a MongoDB Role Definition | +> | Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/read | Read a MongoDB User Definition | +> | Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write | Create or update a MongoDB User Definition | +> | Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete | Delete a MongoDB User Definition | +> | Microsoft.DocumentDB/databaseAccounts/networkSecurityPerimeterAssociationProxies/read | Read association proxies related to network security perimeter | +> | Microsoft.DocumentDB/databaseAccounts/networkSecurityPerimeterAssociationProxies/write | Write association proxies related to network security perimeter | +> | Microsoft.DocumentDB/databaseAccounts/networkSecurityPerimeterAssociationProxies/delete | Deletes association 
proxies related to network security perimeter | +> | Microsoft.DocumentDB/databaseAccounts/networkSecurityPerimeterConfigurations/read | Get Effective configuration for Network Security Perimeter | +> | Microsoft.DocumentDB/databaseAccounts/notebookWorkspaces/write | Create or update a notebook workspace | +> | Microsoft.DocumentDB/databaseAccounts/notebookWorkspaces/read | Read a notebook workspace | +> | Microsoft.DocumentDB/databaseAccounts/notebookWorkspaces/delete | Delete a notebook workspace | +> | Microsoft.DocumentDB/databaseAccounts/notebookWorkspaces/listConnectionInfo/action | List the connection info for a notebook workspace | +> | Microsoft.DocumentDB/databaseAccounts/notebookWorkspaces/operationResults/read | Read the status of an asynchronous operation on notebook workspaces | +> | Microsoft.DocumentDB/databaseAccounts/operationResults/read | Read status of the asynchronous operation | +> | Microsoft.DocumentDB/databaseAccounts/percentile/read | Read percentiles of replication latencies | +> | Microsoft.DocumentDB/databaseAccounts/percentile/metrics/read | Read latency metrics | +> | Microsoft.DocumentDB/databaseAccounts/percentile/sourceRegion/targetRegion/metrics/read | Read latency metrics for a specific source and target region | +> | Microsoft.DocumentDB/databaseAccounts/percentile/targetRegion/metrics/read | Read latency metrics for a specific target region | +> | Microsoft.DocumentDB/databaseAccounts/privateEndpointConnectionProxies/read | Read a private endpoint connection proxy of Database Account | +> | Microsoft.DocumentDB/databaseAccounts/privateEndpointConnectionProxies/write | Create or update a private endpoint connection proxy of Database Account | +> | Microsoft.DocumentDB/databaseAccounts/privateEndpointConnectionProxies/delete | Delete a private endpoint connection proxy of Database Account | +> | Microsoft.DocumentDB/databaseAccounts/privateEndpointConnectionProxies/validate/action | Validate a private endpoint connection proxy 
of Database Account | +> | Microsoft.DocumentDB/databaseAccounts/privateEndpointConnectionProxies/operationResults/read | Read Status of private endpoint connection proxy asynchronous operation | +> | Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections/read | Read a private endpoint connection or list all the private endpoint connections of a Database Account | +> | Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections/write | Create or update a private endpoint connection of a Database Account | +> | Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections/delete | Delete a private endpoint connection of a Database Account | +> | Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections/operationResults/read | Read Status of privateEndpointConnenctions asynchronous operation | +> | Microsoft.DocumentDB/databaseAccounts/privateLinkResources/read | Read a private link resource or list all the private link resources of a Database Account | +> | Microsoft.DocumentDB/databaseAccounts/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.DocumentDB/databaseAccounts/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.DocumentDB/databaseAccounts/providers/Microsoft.Insights/logDefinitions/read | Gets the available log catageries for Database Account | +> | Microsoft.DocumentDB/databaseAccounts/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for the database Account | +> | Microsoft.DocumentDB/databaseAccounts/readonlykeys/read | Reads the database account readonly keys. | +> | Microsoft.DocumentDB/databaseAccounts/region/databases/collections/metrics/read | Reads the regional collection metrics. 
| +> | Microsoft.DocumentDB/databaseAccounts/region/databases/collections/partitionKeyRangeId/metrics/read | Read regional database account partition key level metrics | +> | Microsoft.DocumentDB/databaseAccounts/region/databases/collections/partitions/read | Read regional database account partitions in a collection | +> | Microsoft.DocumentDB/databaseAccounts/region/databases/collections/partitions/metrics/read | Read regional database account partition level metrics | +> | Microsoft.DocumentDB/databaseAccounts/region/metrics/read | Reads the region and database account metrics. | +> | Microsoft.DocumentDB/databaseAccounts/services/read | Reads a CosmosDB Service Resource | +> | Microsoft.DocumentDB/databaseAccounts/services/write | Writes a CosmosDB Service Resource | +> | Microsoft.DocumentDB/databaseAccounts/services/delete | Deletes a CosmosDB Service Resource | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write | Create a SQL database. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read | Read a SQL database or list all the SQL databases. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/delete | Delete a SQL database. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/clientEncryptionKeys/write | Create or update a Client Encryption Key. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/clientEncryptionKeys/read | Read a Client Encryption Key or list all the Client Encryption Keys. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/clientEncryptionKeys/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/write | Create or update a SQL container. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read | Read a SQL container or list all the SQL containers. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/delete | Delete a SQL container. 
| +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/partitionMerge/action | Merge the physical partitions of a SQL container. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/partitionMerge/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/write | Create or update a SQL stored procedure. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/read | Read a SQL stored procedure or list all the SQL stored procedures. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/delete | Delete a SQL stored procedure. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/write | Update a SQL container throughput. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/read | Read a SQL container throughput. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/migrateToAutoscale/action | Migrate SQL container offer to autoscale. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/migrateToManualThroughput/action | Migrate a SQL container throughput offer to manual throughput. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/redistributeThroughput/action | Redistribute throughput for the specified physical partitions of the SQL container. 
| +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/retrieveThroughputDistribution/action | Retrieve throughput information for each physical partition of the SQL container. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/migrateToAutoscale/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/migrateToManualThroughput/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/write | Create or update a SQL trigger. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/read | Read a SQL trigger or list all the SQL triggers. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/delete | Delete a SQL trigger. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/write | Create or update a SQL user defined function. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/read | Read a SQL user defined function or list all the SQL user defined functions. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/delete | Delete a SQL user defined function. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/operationResults/read | Read status of the asynchronous operation. 
| +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/write | Update a SQL database throughput. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/read | Read a SQL database throughput. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/migrateToAutoscale/action | Migrate SQL database offer to autoscale. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/migrateToManualThroughput/action | Migrate a SQL database throughput offer to manual throughput. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/redistributeThroughput/action | Redistribute throughput for the specified physical partitions of the database. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/retrieveThroughputDistribution/action | Retrieve throughput information for each physical partition of the database. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/migrateToAutoscale/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/migrateToManualThroughput/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/operationResults/read | Read status of the asynchronous operation. 
| +> | Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/read | Read a SQL Role Assignment | +> | Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write | Create or update a SQL Role Assignment | +> | Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete | Delete a SQL Role Assignment | +> | Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/read | Read a SQL Role Definition | +> | Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write | Create or update a SQL Role Definition | +> | Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete | Delete a SQL Role Definition | +> | Microsoft.DocumentDB/databaseAccounts/tables/write | Create or update a table. | +> | Microsoft.DocumentDB/databaseAccounts/tables/read | Read a table or list all the tables. | +> | Microsoft.DocumentDB/databaseAccounts/tables/delete | Delete a table. | +> | Microsoft.DocumentDB/databaseAccounts/tables/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/write | Update a table throughput. | +> | Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/read | Read a table throughput. | +> | Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/migrateToAutoscale/action | Migrate table offer to autoscale. | +> | Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/migrateToManualThroughput/action | Migrate table offer to manual throughput. | +> | Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/migrateToAutoscale/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/migrateToManualThroughput/operationResults/read | Read status of the asynchronous operation. | +> | Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/operationResults/read | Read status of the asynchronous operation. 
| +> | Microsoft.DocumentDB/databaseAccounts/usages/read | Reads the database account usages. | +> | Microsoft.DocumentDB/locations/notifyNetworkSecurityPerimeterUpdatesAvailable/action | Notifies Microsoft.DocumentDB that updates are available for networksecurityperimeter | +> | Microsoft.DocumentDB/locations/deleteVirtualNetworkOrSubnets/action | Notifies Microsoft.DocumentDB that VirtualNetwork or Subnet is being deleted | +> | Microsoft.DocumentDB/locations/read | Read the metadata of a location or List all location metadata | +> | Microsoft.DocumentDB/locations/deleteVirtualNetworkOrSubnets/operationResults/read | Read Status of deleteVirtualNetworkOrSubnets asynchronous operation | +> | Microsoft.DocumentDB/locations/operationsStatus/read | Reads Status of Asynchronous Operations | +> | Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read | Read a restorable database account or List all the restorable database accounts | +> | Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action | Submit a restore request | +> | Microsoft.DocumentDB/mongoClusters/read | Reads a Mongo Cluster or list all Mongo Clusters. | +> | Microsoft.DocumentDB/mongoClusters/write | Create or Update the properties or tags of the specified Mongo Cluster. | +> | Microsoft.DocumentDB/mongoClusters/delete | Deletes the specified Mongo Cluster. | +> | Microsoft.DocumentDB/mongoClusters/PrivateEndpointConnectionsApproval/action | Manage a private endpoint connection of Mongo Cluster | +> | Microsoft.DocumentDB/mongoClusters/listConnectionStrings/action | List connection strings for a given Mongo Cluster | +> | Microsoft.DocumentDB/mongoClusters/firewallRules/read | Reads a firewall rule or lists all firewall rules for the specified Mongo Cluster. | +> | Microsoft.DocumentDB/mongoClusters/firewallRules/write | Create or Update a firewall rule on a specified Mongo Cluster. 
| +> | Microsoft.DocumentDB/mongoClusters/firewallRules/delete | Deletes an existing firewall rule for the specified Mongo Cluster. | +> | Microsoft.DocumentDB/mongoClusters/privateEndpointConnectionProxies/read | Reads a private endpoint connection proxy for the specified Mongo Cluster. | +> | Microsoft.DocumentDB/mongoClusters/privateEndpointConnectionProxies/write | Create or Update a private endpoint connection proxy on a specified Mongo Cluster. | +> | Microsoft.DocumentDB/mongoClusters/privateEndpointConnectionProxies/delete | Deletes an existing private endpoint connection proxy for the specified Mongo Cluster. | +> | Microsoft.DocumentDB/mongoClusters/privateEndpointConnectionProxies/validate/action | Validates private endpoint connection proxy for the specified Mongo Cluster. | +> | Microsoft.DocumentDB/mongoClusters/privateEndpointConnections/read | Reads a private endpoint connection or lists all private endpoint connection for the specified Mongo Cluster. | +> | Microsoft.DocumentDB/mongoClusters/privateEndpointConnections/write | Create or Update a private endpoint connection on a specified Mongo Cluster. | +> | Microsoft.DocumentDB/mongoClusters/privateEndpointConnections/delete | Deletes an existing private endpoint connection for the specified Mongo Cluster. | +> | Microsoft.DocumentDB/mongoClusters/privateLinkResources/read | Reads a private link resource or lists all private link resource for the specified Mongo Cluster. | +> | Microsoft.DocumentDB/mongoClusters/users/read | Reads a user or lists all users for the specified Mongo Cluster. | +> | Microsoft.DocumentDB/mongoClusters/users/write | Create or Update a user on a specified Mongo Cluster. | +> | Microsoft.DocumentDB/mongoClusters/users/delete | Deletes an existing user for the specified Mongo Cluster. 
| +> | Microsoft.DocumentDB/operationResults/read | Read status of the asynchronous operation | +> | Microsoft.DocumentDB/operations/read | Read operations available for the Microsoft DocumentDB | +> | Microsoft.DocumentDB/throughputPool/throughputPoolAccounts/read | Read throughputPool account in throughputPool | +> | Microsoft.DocumentDB/throughputPool/throughputPoolAccounts/write | Create throughputPool account in throughputPool | ++## Microsoft.Sql ++Azure service: [Azure SQL Database](/azure/azure-sql/database/index), [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/index), [Azure Synapse Analytics](/azure/synapse-analytics/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Sql/checkNameAvailability/action | Verify whether given server name is available for provisioning worldwide for a given subscription. | +> | Microsoft.Sql/register/action | Registers the subscription for the Microsoft SQL Database resource provider and enables the creation of Microsoft SQL Databases. | +> | Microsoft.Sql/unregister/action | Unregisters the subscription for the Azure SQL Database resource provider and disables the creation of Azure SQL Databases. 
| +> | Microsoft.Sql/privateEndpointConnectionsApproval/action | Determines if user is allowed to approve a private endpoint connection | +> | Microsoft.Sql/instancePools/read | Gets an instance pool | +> | Microsoft.Sql/instancePools/write | Creates or updates an instance pool | +> | Microsoft.Sql/instancePools/delete | Deletes an instance pool | +> | Microsoft.Sql/instancePools/usages/read | Gets an instance pool's usage info | +> | Microsoft.Sql/locations/notifyNetworkSecurityPerimeterUpdatesAvailable/action | Notify of NSP Update | +> | Microsoft.Sql/locations/deleteVirtualNetworkOrSubnets/action | Deletes Virtual network rules associated to a virtual network or subnet | +> | Microsoft.Sql/locations/read | Gets the available locations for a given subscription | +> | Microsoft.Sql/locations/administratorAzureAsyncOperation/read | Gets the Managed instance azure async administrator operations result. | +> | Microsoft.Sql/locations/administratorOperationResults/read | Gets the Managed instance administrator operations result. | +> | Microsoft.Sql/locations/advancedThreatProtectionAzureAsyncOperation/read | Retrieve results of the server Advanced Threat Protection settings write operation | +> | Microsoft.Sql/locations/advancedThreatProtectionOperationResults/read | Retrieve results of the server Advanced Threat Protection settings write operation | +> | Microsoft.Sql/locations/auditingSettingsAzureAsyncOperation/read | Retrieve result of the extended server blob auditing policy Set operation | +> | Microsoft.Sql/locations/auditingSettingsOperationResults/read | Retrieve result of the server blob auditing policy Set operation | +> | Microsoft.Sql/locations/capabilities/read | Gets the capabilities for this subscription in a given location | +> | Microsoft.Sql/locations/changeLongTermRetentionBackupAccessTierAzureAsyncOperation/read | Gets the async operation status of changing long term retention backup access tier operation. 
| +> | Microsoft.Sql/locations/changeLongTermRetentionBackupAccessTierOperationResults/read | Gets the changing LTR backup access tier operation result. | +> | Microsoft.Sql/locations/connectionPoliciesAzureAsyncOperation/read | Gets the in progress operation of server connection policy update. | +> | Microsoft.Sql/locations/connectionPoliciesOperationResults/read | Gets the in progress operation of server connection policy update. | +> | Microsoft.Sql/locations/databaseAzureAsyncOperation/read | Gets the status of a database operation. | +> | Microsoft.Sql/locations/databaseEncryptionProtectorRevalidateAzureAsyncOperation/read | Revalidate key for azure sql database azure async operation | +> | Microsoft.Sql/locations/databaseEncryptionProtectorRevalidateOperationResults/read | Revalidate key for azure sql database operation results | +> | Microsoft.Sql/locations/databaseEncryptionProtectorRevertAzureAsyncOperation/read | Revert key for azure sql database azure async operation | +> | Microsoft.Sql/locations/databaseEncryptionProtectorRevertOperationResults/read | Revert key for azure sql database operation results | +> | Microsoft.Sql/locations/databaseOperationResults/read | Gets the status of a database operation. | +> | Microsoft.Sql/locations/deletedServerAsyncOperation/read | Gets in-progress operations on deleted server | +> | Microsoft.Sql/locations/deletedServerOperationResults/read | Gets in-progress operations on deleted server | +> | Microsoft.Sql/locations/deletedServers/read | Return the list of deleted servers or gets the properties for the specified deleted server. 
| +> | Microsoft.Sql/locations/deletedServers/recover/action | Recover a deleted server | +> | Microsoft.Sql/locations/devOpsAuditingSettingsAzureAsyncOperation/read | Retrieve result of the server DevOps audit policy Set operation | +> | Microsoft.Sql/locations/devOpsAuditingSettingsOperationResults/read | Retrieve result of the server DevOps audit policy Set operation | +> | Microsoft.Sql/locations/distributedAvailabilityGroupsAzureAsyncOperation/read | Gets the status of a long term distributed availability groups async operation on Azure Sql Managed Instance. | +> | Microsoft.Sql/locations/distributedAvailabilityGroupsOperationResults/read | Gets the status of a long term distributed availability groups async operation. | +> | Microsoft.Sql/locations/elasticPoolAzureAsyncOperation/read | Gets the azure async operation for an elastic pool async operation | +> | Microsoft.Sql/locations/elasticPoolOperationResults/read | Gets the result of an elastic pool operation. | +> | Microsoft.Sql/locations/encryptionProtectorAzureAsyncOperation/read | Gets in-progress operations on transparent data encryption encryption protector | +> | Microsoft.Sql/locations/encryptionProtectorOperationResults/read | Gets in-progress operations on transparent data encryption encryption protector | +> | Microsoft.Sql/locations/extendedAuditingSettingsAzureAsyncOperation/read | Retrieve result of the extended server blob auditing policy Set operation | +> | Microsoft.Sql/locations/extendedAuditingSettingsOperationResults/read | Retrieve result of the extended server blob auditing policy Set operation | +> | Microsoft.Sql/locations/externalPolicyBasedAuthorizationsAzureAsycOperation/read | External policy based authorization async operation results | +> | Microsoft.Sql/locations/externalPolicyBasedAuthorizationsOperationResults/read | External policy based authorization operation results | +> | Microsoft.Sql/locations/firewallRulesAzureAsyncOperation/read | Gets the status of a firewall rule 
operation. | +> | Microsoft.Sql/locations/firewallRulesOperationResults/read | Gets the status of a firewall rule operation. | +> | Microsoft.Sql/locations/hybridCertificateAzureAsyncOperation/read | Gets the status of a long term hybrid certificate async operation on Azure Sql Managed Instance. | +> | Microsoft.Sql/locations/hybridCertificateOperationResults/read | Gets the status of a long term hybrid certificate async operation. | +> | Microsoft.Sql/locations/hybridLinkAzureAsyncOperation/read | Gets the status of a long term hybrid link async operation on Azure Sql Managed Instance. | +> | Microsoft.Sql/locations/hybridLinkOperationResults/read | Gets the status of a long term hybrid link async operation. | +> | Microsoft.Sql/locations/instanceFailoverGroups/read | Returns the list of instance failover groups or gets the properties for the specified instance failover group. | +> | Microsoft.Sql/locations/instanceFailoverGroups/write | Creates an instance failover group with the specified parameters or updates the properties or tags for the specified instance failover group. | +> | Microsoft.Sql/locations/instanceFailoverGroups/delete | Deletes an existing instance failover group. | +> | Microsoft.Sql/locations/instanceFailoverGroups/failover/action | Executes planned failover in an existing instance failover group. | +> | Microsoft.Sql/locations/instanceFailoverGroups/forceFailoverAllowDataLoss/action | Executes forced failover in an existing instance failover group. | +> | Microsoft.Sql/locations/instancePoolAzureAsyncOperation/read | Gets the status of an instance pool operation | +> | Microsoft.Sql/locations/instancePoolOperationResults/read | Gets the result for an instance pool operation | +> | Microsoft.Sql/locations/ipv6FirewallRulesAzureAsyncOperation/read | Gets the status of a firewall rule operation. | +> | Microsoft.Sql/locations/ipv6FirewallRulesOperationResults/read | Gets the status of a firewall rule operation. 
| +> | Microsoft.Sql/locations/jobAgentAzureAsyncOperation/read | Gets the status of an job agent operation. | +> | Microsoft.Sql/locations/jobAgentOperationResults/read | Gets the result of an job agent operation. | +> | Microsoft.Sql/locations/jobAgentPrivateEndpointAzureAsyncOperation/read | Gets the status of a job agent private endpoint operation | +> | Microsoft.Sql/locations/jobAgentPrivateEndpointOperationResults/read | Gets the result of a job agent private endpoint operation | +> | Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read | Gets in-progress operations of ledger digest upload settings | +> | Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read | Gets in-progress operations of ledger digest upload settings | +> | Microsoft.Sql/locations/longTermRetentionBackupAzureAsyncOperation/read | Get the status of long term retention backup operation | +> | Microsoft.Sql/locations/longTermRetentionBackupOperationResults/read | Get the status of long term retention backup operation | +> | Microsoft.Sql/locations/longTermRetentionBackups/read | Lists the long term retention backups for every database on every server in a location | +> | Microsoft.Sql/locations/longTermRetentionManagedInstanceBackupAzureAsyncOperation/read | Get the status of managed instance long term retention backup operation | +> | Microsoft.Sql/locations/longTermRetentionManagedInstanceBackupOperationResults/read | Get the status of managed instance long term retention backup operation | +> | Microsoft.Sql/locations/longTermRetentionManagedInstanceBackups/read | Returns a list of managed instance LTR backups for a specific location | +> | Microsoft.Sql/locations/longTermRetentionManagedInstances/longTermRetentionDatabases/longTermRetentionManagedInstanceBackups/read | Returns a list of LTR backups for a managed instance database | +> | 
Microsoft.Sql/locations/longTermRetentionManagedInstances/longTermRetentionDatabases/longTermRetentionManagedInstanceBackups/delete | Deletes an LTR backup for a managed instance database | +> | Microsoft.Sql/locations/longTermRetentionManagedInstances/longTermRetentionManagedInstanceBackups/read | Returns a list of managed instance LTR backups for a specific managed instance | +> | Microsoft.Sql/locations/longTermRetentionPolicyAzureAsyncOperation/read | Gets the status of a long term retention policy operation | +> | Microsoft.Sql/locations/longTermRetentionPolicyOperationResults/read | Gets the status of a long term retention policy operation | +> | Microsoft.Sql/locations/longTermRetentionServers/longTermRetentionBackups/read | Lists the long term retention backups for every database on a server | +> | Microsoft.Sql/locations/longTermRetentionServers/longTermRetentionDatabases/longTermRetentionBackups/copy/action | Copy a long term retention backup | +> | Microsoft.Sql/locations/longTermRetentionServers/longTermRetentionDatabases/longTermRetentionBackups/update/action | Update a long term retention backup | +> | Microsoft.Sql/locations/longTermRetentionServers/longTermRetentionDatabases/longTermRetentionBackups/read | Lists the long term retention backups for a database | +> | Microsoft.Sql/locations/longTermRetentionServers/longTermRetentionDatabases/longTermRetentionBackups/delete | Deletes a long term retention backup | +> | Microsoft.Sql/locations/longTermRetentionServers/longTermRetentionDatabases/longTermRetentionBackups/changeAccessTier/action | Change long term retention backup access tier operation. | +> | Microsoft.Sql/locations/managedDatabaseMoveAzureAsyncOperation/read | Gets Managed Instance database move Azure async operation. | +> | Microsoft.Sql/locations/managedDatabaseMoveOperationResults/read | Gets Managed Instance database move operation result. 
| +> | Microsoft.Sql/locations/managedDatabaseRestoreAzureAsyncOperation/completeRestore/action | Completes managed database restore operation | +> | Microsoft.Sql/locations/managedInstanceAdvancedThreatProtectionAzureAsyncOperation/read | Retrieve results of the managed instance Advanced Threat Protection settings write operation | +> | Microsoft.Sql/locations/managedInstanceAdvancedThreatProtectionOperationResults/read | Retrieve results of the managed instance Advanced Threat Protection settings write operation | +> | Microsoft.Sql/locations/managedInstanceDtcAzureAsyncOperation/read | Gets the status of Azure SQL Managed Instance DTC Azure async operation. | +> | Microsoft.Sql/locations/managedInstanceEncryptionProtectorAzureAsyncOperation/read | Gets in-progress operations on transparent data encryption managed instance encryption protector | +> | Microsoft.Sql/locations/managedInstanceEncryptionProtectorOperationResults/read | Gets in-progress operations on transparent data encryption managed instance encryption protector | +> | Microsoft.Sql/locations/managedInstanceKeyAzureAsyncOperation/read | Gets in-progress operations on transparent data encryption managed instance keys | +> | Microsoft.Sql/locations/managedInstanceKeyOperationResults/read | Gets in-progress operations on transparent data encryption managed instance keys | +> | Microsoft.Sql/locations/managedInstanceLongTermRetentionPolicyAzureAsyncOperation/read | Gets the status of a long term retention policy operation for a managed database | +> | Microsoft.Sql/locations/managedInstanceLongTermRetentionPolicyOperationResults/read | Gets the status of a long term retention policy operation for a managed database | +> | Microsoft.Sql/locations/managedInstancePrivateEndpointConnectionAzureAsyncOperation/read | Gets the result for a private endpoint connection operation | +> | Microsoft.Sql/locations/managedInstancePrivateEndpointConnectionOperationResults/read | Gets the result for a private endpoint 
connection operation | +> | Microsoft.Sql/locations/managedInstancePrivateEndpointConnectionProxyAzureAsyncOperation/read | Gets the result for a private endpoint connection proxy operation | +> | Microsoft.Sql/locations/managedInstancePrivateEndpointConnectionProxyOperationResults/read | Gets the result for a private endpoint connection proxy operation | +> | Microsoft.Sql/locations/managedLedgerDigestUploadsAzureAsyncOperation/read | Gets in-progress operations of ledger digest upload settings | +> | Microsoft.Sql/locations/managedLedgerDigestUploadsOperationResults/read | Gets in-progress operations of ledger digest upload settings | +> | Microsoft.Sql/locations/managedShortTermRetentionPolicyAzureAsyncOperation/read | Gets the status of a short term retention policy operation | +> | Microsoft.Sql/locations/managedShortTermRetentionPolicyOperationResults/read | Gets the status of a short term retention policy operation | +> | Microsoft.Sql/locations/managedTransparentDataEncryptionAzureAsyncOperation/read | Gets in-progress operations on managed database transparent data encryption | +> | Microsoft.Sql/locations/managedTransparentDataEncryptionOperationResults/read | Gets in-progress operations on managed database transparent data encryption | +> | Microsoft.Sql/locations/networkSecurityPerimeterAssociationProxyAzureAsyncOperation/read | Get network security perimeter proxy azure async operation | +> | Microsoft.Sql/locations/networkSecurityPerimeterAssociationProxyOperationResults/read | Get network security perimeter operation result | +> | Microsoft.Sql/locations/networkSecurityPerimeterConfigurationsReconcileAzureAsyncOperation/read | Sync sql server network security perimeter effective configuration with Network Provider | +> | Microsoft.Sql/locations/networkSecurityPerimeterConfigurationsReconcileOperationResults/read | Get Reconcile Network Security Perimeter Operation Result | +> | 
Microsoft.Sql/locations/networkSecurityPerimeterUpdatesAvailableAzureAsyncOperation/read | Get network security perimeter updates available azure async operation | +> | Microsoft.Sql/locations/privateEndpointConnectionAzureAsyncOperation/read | Gets the result for a private endpoint connection operation | +> | Microsoft.Sql/locations/privateEndpointConnectionOperationResults/read | Gets the result for a private endpoint connection operation | +> | Microsoft.Sql/locations/privateEndpointConnectionProxyAzureAsyncOperation/read | Gets the result for a private endpoint connection proxy operation | +> | Microsoft.Sql/locations/privateEndpointConnectionProxyOperationResults/read | Gets the result for a private endpoint connection proxy operation | +> | Microsoft.Sql/locations/refreshExternalGovernanceStatusAzureAsyncOperation/read | Refresh external governance enablement status async operation | +> | Microsoft.Sql/locations/refreshExternalGovernanceStatusMIAzureAsyncOperation/read | Refresh external governance enablement status async operation | +> | Microsoft.Sql/locations/refreshExternalGovernanceStatusMIOperationResults/read | Refresh external governance enablement status operation results | +> | Microsoft.Sql/locations/refreshExternalGovernanceStatusOperationResults/read | Refresh external governance enablement status operation results | +> | Microsoft.Sql/locations/replicationLinksAzureAsyncOperation/read | Return the get result of replication links async operation. | +> | Microsoft.Sql/locations/replicationLinksOperationResults/read | Return the get result of replication links operation. 
| +> | Microsoft.Sql/locations/serverAdministratorAzureAsyncOperation/read | Server Azure Active Directory administrator async operation results | +> | Microsoft.Sql/locations/serverAdministratorOperationResults/read | Server Azure Active Directory administrator operation results | +> | Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/read | Gets the status of Azure SQL Managed Instance Server Configuration Option Azure async operation. | +> | Microsoft.Sql/locations/serverKeyAzureAsyncOperation/read | Gets in-progress operations on transparent data encryption server keys | +> | Microsoft.Sql/locations/serverKeyOperationResults/read | Gets in-progress operations on transparent data encryption server keys | +> | Microsoft.Sql/locations/serverTrustCertificatesAzureAsyncOperation/read | Gets the status of a long term server trust certificate async operation on Azure Sql Managed Instance. | +> | Microsoft.Sql/locations/serverTrustCertificatesOperationResults/read | Gets the status of a server trust certificate hybrid link async operation. | +> | Microsoft.Sql/locations/serverTrustGroupAzureAsyncOperation/read | Get the status of Server Trust Group async operation | +> | Microsoft.Sql/locations/serverTrustGroupOperationResults/read | Get the result of Server Trust Group operation | +> | Microsoft.Sql/locations/serverTrustGroups/write | Creates a Server Trust Group with the specified parameters | +> | Microsoft.Sql/locations/serverTrustGroups/delete | Deletes the existing SQL Server Trust Group | +> | Microsoft.Sql/locations/serverTrustGroups/read | Returns the existing SQL Server Trust Groups | +> | Microsoft.Sql/locations/shortTermRetentionPolicyOperationResults/read | Gets the status of a short term retention policy operation | +> | Microsoft.Sql/locations/sqlVulnerabilityAssessmentAzureAsyncOperation/read | Get a sql database vulnerability assessment scan azure async operation. 
| +> | Microsoft.Sql/locations/sqlVulnerabilityAssessmentOperationResults/read | Get a sql database vulnerability assessment scan operation results. | +> | Microsoft.Sql/locations/startManagedInstanceAzureAsyncOperation/read | Gets Azure SQL Managed Instance Start Azure async operation. | +> | Microsoft.Sql/locations/startManagedInstanceOperationResults/read | Gets Azure SQL Managed Instance Start operation result. | +> | Microsoft.Sql/locations/stopManagedInstanceAzureAsyncOperation/read | Gets Azure SQL Managed Instance Stop Azure async operation. | +> | Microsoft.Sql/locations/stopManagedInstanceOperationResults/read | Gets Azure SQL Managed Instance Stop operation result. | +> | Microsoft.Sql/locations/syncAgentOperationResults/read | Retrieve result of the sync agent resource operation | +> | Microsoft.Sql/locations/syncDatabaseIds/read | Retrieve the sync database ids for a particular region and subscription | +> | Microsoft.Sql/locations/syncGroupAzureAsyncOperation/read | Retrieve result of the sync group resource operation | +> | Microsoft.Sql/locations/syncGroupOperationResults/read | Retrieve result of the sync group resource operation | +> | Microsoft.Sql/locations/syncMemberOperationResults/read | Retrieve result of the sync member resource operation | +> | Microsoft.Sql/locations/timeZones/read | Return the list of managed instance time zones by location. 
| +> | Microsoft.Sql/locations/transparentDataEncryptionAzureAsyncOperation/read | Gets in-progress operations on logical database transparent data encryption | +> | Microsoft.Sql/locations/transparentDataEncryptionOperationResults/read | Gets in-progress operations on logical database transparent data encryption | +> | Microsoft.Sql/locations/usages/read | Gets a collection of usage metrics for this subscription in a location | +> | Microsoft.Sql/locations/virtualNetworkRulesAzureAsyncOperation/read | Returns the details of the specified virtual network rules azure async operation | +> | Microsoft.Sql/locations/virtualNetworkRulesOperationResults/read | Returns the details of the specified virtual network rules operation | +> | Microsoft.Sql/managedInstances/tdeCertificates/action | Create/Update TDE certificate | +> | Microsoft.Sql/managedInstances/joinServerTrustGroup/action | Determine if a user is allowed to join Managed Server into a Server Trust Group | +> | Microsoft.Sql/managedInstances/hybridCertificate/action | Creates or updates hybrid certificate with a specified parameters. | +> | Microsoft.Sql/managedInstances/read | Return the list of managed instances or gets the properties for the specified managed instance. | +> | Microsoft.Sql/managedInstances/write | Creates a managed instance with the specified parameters or update the properties or tags for the specified managed instance. | +> | Microsoft.Sql/managedInstances/delete | Deletes an existing managed instance. | +> | Microsoft.Sql/managedInstances/start/action | Starts a given Azure SQL Managed Instance. | +> | Microsoft.Sql/managedInstances/stop/action | Stops a given Azure SQL Managed Instance. | +> | Microsoft.Sql/managedInstances/failover/action | Customer initiated managed instance failover. 
| +> | Microsoft.Sql/managedInstances/refreshExternalGovernanceStatus/action | Refreshes external governance enablemement status | +> | Microsoft.Sql/managedInstances/crossSubscriptionPITR/action | Determine if user is allowed to do cross subscription PITR operations | +> | Microsoft.Sql/managedInstances/administrators/read | Gets a list of managed instance administrators. | +> | Microsoft.Sql/managedInstances/administrators/write | Creates or updates managed instance administrator with the specified parameters. | +> | Microsoft.Sql/managedInstances/administrators/delete | Deletes an existing administrator of managed instance. | +> | Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write | Change the managed instance Advanced Threat Protection settings for a given managed instance | +> | Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read | Retrieve a list of managed instance Advanced Threat Protection settings configured for a given instance | +> | Microsoft.Sql/managedInstances/azureADOnlyAuthentications/read | Reads a specific managed server Azure Active Directory only authentication object | +> | Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write | Adds or updates a specific managed server Azure Active Directory only authentication object | +> | Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete | Deletes a specific managed server Azure Active Directory only authentication object | +> | Microsoft.Sql/managedInstances/databases/read | Gets existing managed database | +> | Microsoft.Sql/managedInstances/databases/delete | Deletes an existing managed database | +> | Microsoft.Sql/managedInstances/databases/write | Creates a new database or updates an existing database. | +> | Microsoft.Sql/managedInstances/databases/cancelMove/action | Cancels Managed Instance database move. | +> | Microsoft.Sql/managedInstances/databases/completeMove/action | Completes Managed Instance database move. 
| +> | Microsoft.Sql/managedInstances/databases/startMove/action | Starts Managed Instance database move. | +> | Microsoft.Sql/managedInstances/databases/completeRestore/action | Completes managed database restore operation | +> | Microsoft.Sql/managedInstances/databases/readBackups/action | Determine if user is allowed to read backups | +> | Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write | Change the database Advanced Threat Protection settings for a given managed database | +> | Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read | Retrieve a list of the managed database Advanced Threat Protection settings configured for a given managed database | +> | Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies/write | Updates a long term retention policy for a managed database | +> | Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies/read | Gets a long term retention policy for a managed database | +> | Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies/delete | Updates a long term retention policy for a managed database | +> | Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies/read | Gets a short term retention policy for a managed database | +> | Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies/write | Updates a short term retention policy for a managed database | +> | Microsoft.Sql/managedInstances/databases/columns/read | Return a list of columns for a managed database | +> | Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/read | List sensitivity labels of a given database | +> | Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/write | Batch update sensitivity labels | +> | Microsoft.Sql/managedInstances/databases/ledgerDigestUploads/read | Read ledger digest upload settings | +> | Microsoft.Sql/managedInstances/databases/ledgerDigestUploads/write | Enable 
uploading ledger digests | +> | Microsoft.Sql/managedInstances/databases/ledgerDigestUploads/disable/action | Disable uploading ledger digests | +> | Microsoft.Sql/managedInstances/databases/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.Sql/managedInstances/databases/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.Sql/managedInstances/databases/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for managed instance databases | +> | Microsoft.Sql/managedInstances/databases/queries/read | Get query text by query id | +> | Microsoft.Sql/managedInstances/databases/queries/statistics/read | Get query execution statistics by query id | +> | Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/read | List the recommended sensitivity labels for a given database | +> | Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/write | Batch update recommended sensitivity labels | +> | Microsoft.Sql/managedInstances/databases/restoreDetails/read | Returns managed database restore details while restore is in progress. | +> | Microsoft.Sql/managedInstances/databases/schemas/read | Get a managed database schema. 
| +> | Microsoft.Sql/managedInstances/databases/schemas/tables/read | Get a managed database table | +> | Microsoft.Sql/managedInstances/databases/schemas/tables/columns/read | Get a managed database column | +> | Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/read | Get the sensitivity label of a given column | +> | Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/write | Create or update the sensitivity label of a given column | +> | Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/delete | Delete the sensitivity label of a given column | +> | Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/disable/action | Disable sensitivity recommendations on a given column | +> | Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/enable/action | Enable sensitivity recommendations on a given column | +> | Microsoft.Sql/managedInstances/databases/securityAlertPolicies/write | Change the database threat detection policy for a given managed database | +> | Microsoft.Sql/managedInstances/databases/securityAlertPolicies/read | Retrieve a list of managed database threat detection policies configured for a given server | +> | Microsoft.Sql/managedInstances/databases/securityEvents/read | Retrieves the managed database security events | +> | Microsoft.Sql/managedInstances/databases/sensitivityLabels/read | List sensitivity labels of a given database | +> | Microsoft.Sql/managedInstances/databases/transparentDataEncryption/read | Retrieve details of the database Transparent Data Encryption on a given managed database | +> | Microsoft.Sql/managedInstances/databases/transparentDataEncryption/write | Change the database Transparent Data Encryption for a given managed database | +> | Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/write | Change the vulnerability assessment for a given database | +> | 
Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/delete | Remove the vulnerability assessment for a given database | +> | Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/read | Retrieve the vulnerability assessment policies on a givendatabase | +> | Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/rules/baselines/delete | Remove the vulnerability assessment rule baseline for a given database | +> | Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/rules/baselines/write | Change the vulnerability assessment rule baseline for a given database | +> | Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/rules/baselines/read | Get the vulnerability assessment rule baseline for a given database | +> | Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/scans/initiateScan/action | Execute vulnerability assessment database scan. | +> | Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/scans/export/action | Convert an existing scan result to a human readable format. If already exists nothing happens | +> | Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/scans/read | Return the list of database vulnerability assessment scan records or get the scan record for the specified scan ID. | +> | Microsoft.Sql/managedInstances/distributedAvailabilityGroups/read | Return the list of distributed availability groups or gets the properties for the specified distributed availability group. | +> | Microsoft.Sql/managedInstances/distributedAvailabilityGroups/write | Creates distributed availability groups with a specified parameters. | +> | Microsoft.Sql/managedInstances/distributedAvailabilityGroups/delete | Deletes a distributed availability group. | +> | Microsoft.Sql/managedInstances/distributedAvailabilityGroups/setRole/action | Set Role for Azure SQL Managed Instance Link to Primary or Secondary. 
| +> | Microsoft.Sql/managedInstances/distributedAvailabilityGroups/failover/action | Performs requested failover type in this distributed availability group. | +> | Microsoft.Sql/managedInstances/dnsAliases/read | Return the list of Azure SQL Managed Instance Dns Aliases for the specified instance. | +> | Microsoft.Sql/managedInstances/dnsAliases/write | Creates an Azure SQL Managed Instance Dns Alias with the specified parameters or updates the properties for the specified Azure SQL Managed Instance Dns Alias. | +> | Microsoft.Sql/managedInstances/dnsAliases/delete | Deletes an existing Azure SQL Managed Instance Dns Alias. | +> | Microsoft.Sql/managedInstances/dnsAliases/acquire/action | Acquire Azure SQL Managed Instance Dns Alias from another Managed Instance. | +> | Microsoft.Sql/managedInstances/dtc/read | Gets properties for the specified Azure SQL Managed Instance DTC. | +> | Microsoft.Sql/managedInstances/dtc/write | Updates Azure SQL Managed Instance's DTC properties for the specified instance. | +> | Microsoft.Sql/managedInstances/encryptionProtector/revalidate/action | Update the properties for the specified Server Encryption Protector. | +> | Microsoft.Sql/managedInstances/encryptionProtector/read | Returns a list of server encryption protectors or gets the properties for the specified server encryption protector. | +> | Microsoft.Sql/managedInstances/encryptionProtector/write | Update the properties for the specified Server Encryption Protector. | +> | Microsoft.Sql/managedInstances/endpointCertificates/read | Get the endpoint certificate. | +> | Microsoft.Sql/managedInstances/hybridLink/read | Return the list of hybrid links or gets the properties for the specified distributed availability group. | +> | Microsoft.Sql/managedInstances/hybridLink/write | Creates or updates hybrid link with a specified parameters. | +> | Microsoft.Sql/managedInstances/hybridLink/delete | Deletes a hybrid link with a specified distributed availability group. 
| +> | Microsoft.Sql/managedInstances/inaccessibleManagedDatabases/read | Gets a list of inaccessible managed databases in a managed instance | +> | Microsoft.Sql/managedInstances/keys/read | Return the list of managed instance keys or gets the properties for the specified managed instance key. | +> | Microsoft.Sql/managedInstances/keys/write | Creates a key with the specified parameters or update the properties or tags for the specified managed instance key. | +> | Microsoft.Sql/managedInstances/keys/delete | Deletes an existing Azure SQL Managed Instance key. | +> | Microsoft.Sql/managedInstances/metricDefinitions/read | Get managed instance metric definitions | +> | Microsoft.Sql/managedInstances/metrics/read | Get managed instance metrics | +> | Microsoft.Sql/managedInstances/operations/read | Get managed instance operations | +> | Microsoft.Sql/managedInstances/operations/cancel/action | Cancels Azure SQL Managed Instance pending asynchronous operation that is not finished yet. | +> | Microsoft.Sql/managedInstances/outboundNetworkDependenciesEndpoints/read | Gets the list of the outbound network dependencies for the given managed instance. | +> | Microsoft.Sql/managedInstances/privateEndpointConnectionProxies/read | Returns the list of private endpoint connection proxies or gets the properties for the specified private endpoint connection proxy. | +> | Microsoft.Sql/managedInstances/privateEndpointConnectionProxies/write | Creates a private endpoint connection proxy with the specified parameters or updates the properties or tags for the specified private endpoint connection proxy. 
| +> | Microsoft.Sql/managedInstances/privateEndpointConnectionProxies/delete | Deletes an existing private endpoint connection proxy | +> | Microsoft.Sql/managedInstances/privateEndpointConnectionProxies/validate/action | Validates a private endpoint connection create call from NRP side | +> | Microsoft.Sql/managedInstances/privateEndpointConnections/read | Returns the list of private endpoint connections or gets the properties for the specified private endpoint connection. | +> | Microsoft.Sql/managedInstances/privateEndpointConnections/delete | Deletes an existing private endpoint connection | +> | Microsoft.Sql/managedInstances/privateEndpointConnections/write | Approves or rejects an existing private endpoint connection | +> | Microsoft.Sql/managedInstances/privateLinkResources/read | Get the private link resources for the corresponding sql server | +> | Microsoft.Sql/managedInstances/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.Sql/managedInstances/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.Sql/managedInstances/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for managed instances | +> | Microsoft.Sql/managedInstances/providers/Microsoft.Insights/metricDefinitions/read | Return types of metrics that are available for managed instances | +> | Microsoft.Sql/managedInstances/recoverableDatabases/read | Returns a list of recoverable managed databases | +> | Microsoft.Sql/managedInstances/restorableDroppedDatabases/read | Returns a list of restorable dropped managed databases. 
| +> | Microsoft.Sql/managedInstances/restorableDroppedDatabases/backupShortTermRetentionPolicies/read | Gets a short term retention policy for a dropped managed database | +> | Microsoft.Sql/managedInstances/restorableDroppedDatabases/backupShortTermRetentionPolicies/write | Updates a short term retention policy for a dropped managed database | +> | Microsoft.Sql/managedInstances/securityAlertPolicies/write | Change the managed server threat detection policy for a given managed server | +> | Microsoft.Sql/managedInstances/securityAlertPolicies/read | Retrieve a list of managed server threat detection policies configured for a given server | +> | Microsoft.Sql/managedInstances/serverConfigurationOptions/read | Gets properties for the specified Azure SQL Managed Instance Server Configuration Option. | +> | Microsoft.Sql/managedInstances/serverConfigurationOptions/write | Updates Azure SQL Managed Instance's Server Configuration Option properties for the specified instance. | +> | Microsoft.Sql/managedInstances/serverTrustCertificates/write | Creates or updates server trust certificate with specified parameters. | +> | Microsoft.Sql/managedInstances/serverTrustCertificates/delete | Delete server trust certificate with a given name | +> | Microsoft.Sql/managedInstances/serverTrustCertificates/read | Return the list of server trust certificates. | +> | Microsoft.Sql/managedInstances/serverTrustGroups/read | Returns the existing SQL Server Trust Groups by Managed Instance name | +> | Microsoft.Sql/managedInstances/startStopSchedules/write | Creates Azure SQL Managed Instance's Start-Stop schedule with the specified parameters or updates the properties of the schedule for the specified instance. | +> | Microsoft.Sql/managedInstances/startStopSchedules/delete | Deletes Azure SQL Managed Instance's Start-Stop schedule. 
| +> | Microsoft.Sql/managedInstances/startStopSchedules/read | Get properties for specified Start-Stop schedule for the Azure SQL Managed Instance or a List of all Start-Stop schedules. | +> | Microsoft.Sql/managedInstances/topqueries/read | Get top resource consuming queries of a managed instance | +> | Microsoft.Sql/managedInstances/vulnerabilityAssessments/write | Change the vulnerability assessment for a given managed instance | +> | Microsoft.Sql/managedInstances/vulnerabilityAssessments/delete | Remove the vulnerability assessment for a given managed instance | +> | Microsoft.Sql/managedInstances/vulnerabilityAssessments/read | Retrieve the vulnerability assessment policies on a given managed instance | +> | Microsoft.Sql/operations/read | Gets available REST operations | +> | Microsoft.Sql/servers/tdeCertificates/action | Create/Update TDE certificate | +> | Microsoft.Sql/servers/read | Return the list of servers or gets the properties for the specified server. | +> | Microsoft.Sql/servers/write | Creates a server with the specified parameters or update the properties or tags for the specified server. | +> | Microsoft.Sql/servers/delete | Deletes an existing server. 
| +> | Microsoft.Sql/servers/import/action | Import new Azure SQL Database | +> | Microsoft.Sql/servers/privateEndpointConnectionsApproval/action | Determines if user is allowed to approve a private endpoint connection | +> | Microsoft.Sql/servers/refreshExternalGovernanceStatus/action | Refreshes external governance enablemement status | +> | Microsoft.Sql/servers/administratorOperationResults/read | Gets in-progress operations on server administrators | +> | Microsoft.Sql/servers/administrators/read | Gets a specific Azure Active Directory administrator object | +> | Microsoft.Sql/servers/administrators/write | Adds or updates a specific Azure Active Directory administrator object | +> | Microsoft.Sql/servers/administrators/delete | Deletes a specific Azure Active Directory administrator object | +> | Microsoft.Sql/servers/advancedThreatProtectionSettings/write | Change the server Advanced Threat Protection settings for a given server | +> | Microsoft.Sql/servers/advancedThreatProtectionSettings/read | Retrieve a list of server Advanced Threat Protection settings configured for a given server | +> | Microsoft.Sql/servers/advisors/read | Returns list of advisors available for the server | +> | Microsoft.Sql/servers/advisors/write | Updates auto-execute status of an advisor on server level. 
| +> | Microsoft.Sql/servers/advisors/recommendedActions/read | Returns list of recommended actions of specified advisor for the server | +> | Microsoft.Sql/servers/advisors/recommendedActions/write | Apply the recommended action on the server | +> | Microsoft.Sql/servers/auditingSettings/read | Retrieve details of the server blob auditing policy configured on a given server | +> | Microsoft.Sql/servers/auditingSettings/write | Change the server blob auditing for a given server | +> | Microsoft.Sql/servers/auditingSettings/operationResults/read | Retrieve result of the server blob auditing policy Set operation | +> | Microsoft.Sql/servers/automaticTuning/read | Returns automatic tuning settings for the server | +> | Microsoft.Sql/servers/automaticTuning/write | Updates automatic tuning settings for the server and returns updated settings | +> | Microsoft.Sql/servers/azureADOnlyAuthentications/read | Reads a specific server Azure Active Directory only authentication object | +> | Microsoft.Sql/servers/azureADOnlyAuthentications/write | Adds or updates a specific server Azure Active Directory only authentication object | +> | Microsoft.Sql/servers/azureADOnlyAuthentications/delete | Deletes a specific server Azure Active Directory only authentication object | +> | Microsoft.Sql/servers/communicationLinks/read | Return the list of communication links of a specified server. | +> | Microsoft.Sql/servers/communicationLinks/write | Create or update a server communication link. | +> | Microsoft.Sql/servers/communicationLinks/delete | Deletes an existing server communication link. | +> | Microsoft.Sql/servers/connectionPolicies/read | Return the list of server connection policies of a specified server. | +> | Microsoft.Sql/servers/connectionPolicies/write | Create or update a server connection policy. | +> | Microsoft.Sql/servers/databases/read | Return the list of databases or gets the properties for the specified database. 
| +> | Microsoft.Sql/servers/databases/write | Creates a database with the specified parameters or update the properties or tags for the specified database. | +> | Microsoft.Sql/servers/databases/delete | Deletes an existing database. | +> | Microsoft.Sql/servers/databases/pause/action | Pause Azure SQL Datawarehouse Database | +> | Microsoft.Sql/servers/databases/resume/action | Resume Azure SQL Datawarehouse Database | +> | Microsoft.Sql/servers/databases/export/action | Export Azure SQL Database | +> | Microsoft.Sql/servers/databases/upgradeDataWarehouse/action | Upgrade Azure SQL Datawarehouse Database | +> | Microsoft.Sql/servers/databases/move/action | Change the name of an existing database. | +> | Microsoft.Sql/servers/databases/restorePoints/action | Creates a new restore point | +> | Microsoft.Sql/servers/databases/import/action | Import Azure SQL Database | +> | Microsoft.Sql/servers/databases/failover/action | Customer initiated database failover. | +> | Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/action | Execute vulnerability assessment database scan. | +> | Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write | Change the database Advanced Threat Protection settings for a given database | +> | Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read | Retrieve a list of database Advanced Threat Protection settings configured for a given database | +> | Microsoft.Sql/servers/databases/advisors/read | Returns list of advisors available for the database | +> | Microsoft.Sql/servers/databases/advisors/write | Update auto-execute status of an advisor on database level. 
| +> | Microsoft.Sql/servers/databases/advisors/recommendedActions/read | Returns list of recommended actions of specified advisor for the database | +> | Microsoft.Sql/servers/databases/advisors/recommendedActions/write | Apply the recommended action on the database | +> | Microsoft.Sql/servers/databases/auditingSettings/read | Retrieve details of the blob auditing policy configured on a given database | +> | Microsoft.Sql/servers/databases/auditingSettings/write | Change the blob auditing policy for a given database | +> | Microsoft.Sql/servers/databases/auditRecords/read | Retrieve the database blob audit records | +> | Microsoft.Sql/servers/databases/automaticTuning/read | Returns automatic tuning settings for a database | +> | Microsoft.Sql/servers/databases/automaticTuning/write | Updates automatic tuning settings for a database and returns updated settings | +> | Microsoft.Sql/servers/databases/azureAsyncOperation/read | Gets the status of a database operation. | +> | Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/write | Sets a long term retention policy for a database | +> | Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/read | Gets a long term retention policy for a database | +> | Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies/read | Gets a short term retention policy for a database | +> | Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies/write | Updates a short term retention policy for a database | +> | Microsoft.Sql/servers/databases/columns/read | Return a list of columns for a database | +> | Microsoft.Sql/servers/databases/currentSensitivityLabels/read | List sensitivity labels of a given database | +> | Microsoft.Sql/servers/databases/currentSensitivityLabels/write | Batch update sensitivity labels | +> | Microsoft.Sql/servers/databases/dataMaskingPolicies/read | Return the list of database data masking policies. 
| +> | Microsoft.Sql/servers/databases/dataMaskingPolicies/write | Change data masking policy for a given database | +> | Microsoft.Sql/servers/databases/dataMaskingPolicies/rules/read | Retrieve details of the data masking policy rule configured on a given database | +> | Microsoft.Sql/servers/databases/dataMaskingPolicies/rules/write | Change data masking policy rule for a given database | +> | Microsoft.Sql/servers/databases/dataWarehouseQueries/read | Returns the data warehouse distribution query information for selected query ID | +> | Microsoft.Sql/servers/databases/dataWarehouseQueries/dataWarehouseQuerySteps/read | Returns the distributed query step information of data warehouse query for selected step ID | +> | Microsoft.Sql/servers/databases/dataWarehouseUserActivities/read | Retrieves the user activities of a SQL Data Warehouse instance which includes running and suspended queries | +> | Microsoft.Sql/servers/databases/encryptionProtector/revalidate/action | Revalidate the database encryption protector | +> | Microsoft.Sql/servers/databases/encryptionProtector/revert/action | Revertthe database encryption protector | +> | Microsoft.Sql/servers/databases/extendedAuditingSettings/read | Retrieve details of the extended blob auditing policy configured on a given database | +> | Microsoft.Sql/servers/databases/extendedAuditingSettings/write | Change the extended blob auditing policy for a given database | +> | Microsoft.Sql/servers/databases/extensions/write | Performs a database extension operation. | +> | Microsoft.Sql/servers/databases/extensions/read | Get database extensions operation. 
| +> | Microsoft.Sql/servers/databases/extensions/importExtensionOperationResults/read | Gets in-progress import operations | +> | Microsoft.Sql/servers/databases/geoBackupPolicies/read | Retrieve geo backup policies for a given database | +> | Microsoft.Sql/servers/databases/geoBackupPolicies/write | Create or update a database geobackup policy | +> | Microsoft.Sql/servers/databases/importExportAzureAsyncOperation/read | Gets in-progress import/export operations | +> | Microsoft.Sql/servers/databases/importExportOperationResults/read | Gets in-progress import/export operations | +> | Microsoft.Sql/servers/databases/ledgerDigestUploads/read | Read ledger digest upload settings | +> | Microsoft.Sql/servers/databases/ledgerDigestUploads/write | Enable uploading ledger digests | +> | Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action | Disable uploading ledger digests | +> | Microsoft.Sql/servers/databases/linkWorkspaces/read | Return the list of synapselink workspaces for the specified database | +> | Microsoft.Sql/servers/databases/maintenanceWindowOptions/read | Gets a list of available maintenance windows for a selected database. | +> | Microsoft.Sql/servers/databases/maintenanceWindows/read | Gets maintenance windows settings for a selected database. | +> | Microsoft.Sql/servers/databases/maintenanceWindows/write | Sets maintenance windows settings for a selected database. | +> | Microsoft.Sql/servers/databases/metricDefinitions/read | Return types of metrics that are available for databases | +> | Microsoft.Sql/servers/databases/metrics/read | Return metrics for databases | +> | Microsoft.Sql/servers/databases/operationResults/read | Gets the status of a database operation. | +> | Microsoft.Sql/servers/databases/operations/cancel/action | Cancels Azure SQL Database pending asynchronous operation that is not finished yet. 
| +> | Microsoft.Sql/servers/databases/operations/read | Return the list of operations performed on the database | +> | Microsoft.Sql/servers/databases/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.Sql/servers/databases/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.Sql/servers/databases/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for databases | +> | Microsoft.Sql/servers/databases/providers/Microsoft.Insights/metricDefinitions/read | Return types of metrics that are available for databases | +> | Microsoft.Sql/servers/databases/queryStore/read | Returns current values of Query Store settings for the database. | +> | Microsoft.Sql/servers/databases/queryStore/write | Updates Query Store setting for the database | +> | Microsoft.Sql/servers/databases/queryStore/queryTexts/read | Returns the collection of query texts that correspond to the specified parameters. | +> | Microsoft.Sql/servers/databases/recommendedSensitivityLabels/read | List the recommended sensitivity labels for a given database | +> | Microsoft.Sql/servers/databases/recommendedSensitivityLabels/write | Batch update recommended sensitivity labels | +> | Microsoft.Sql/servers/databases/replicationLinks/read | Return the list of replication links or gets the properties for the specified replication links. | +> | Microsoft.Sql/servers/databases/replicationLinks/write | Updates the replication link type | +> | Microsoft.Sql/servers/databases/replicationLinks/delete | Execute deletion of an existing replication link. | +> | Microsoft.Sql/servers/databases/replicationLinks/failover/action | Execute planned failover of an existing replication link. | +> | Microsoft.Sql/servers/databases/replicationLinks/forceFailoverAllowDataLoss/action | Execute forced failover of an existing replication link. 
| +> | Microsoft.Sql/servers/databases/replicationLinks/updateReplicationMode/action | Update replication mode for link to synchronous or asynchronous mode | +> | Microsoft.Sql/servers/databases/replicationLinks/unlink/action | Terminate the replication relationship forcefully or after synchronizing with the partner | +> | Microsoft.Sql/servers/databases/restorePoints/read | Returns restore points for the database. | +> | Microsoft.Sql/servers/databases/restorePoints/delete | Deletes a restore point for the database. | +> | Microsoft.Sql/servers/databases/schemas/read | Get a database schema. | +> | Microsoft.Sql/servers/databases/schemas/tables/read | Get a database table. | +> | Microsoft.Sql/servers/databases/schemas/tables/columns/read | Get a database column. | +> | Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/enable/action | Enable sensitivity recommendations on a given column | +> | Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/disable/action | Disable sensitivity recommendations on a given column | +> | Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/read | Get the sensitivity label of a given column | +> | Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/write | Create or update the sensitivity label of a given column | +> | Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/delete | Delete the sensitivity label of a given column | +> | Microsoft.Sql/servers/databases/schemas/tables/recommendedIndexes/read | Retrieve list of index recommendations on a database | +> | Microsoft.Sql/servers/databases/schemas/tables/recommendedIndexes/write | Apply index recommendation | +> | Microsoft.Sql/servers/databases/securityAlertPolicies/write | Change the database threat detection policy for a given database | +> | Microsoft.Sql/servers/databases/securityAlertPolicies/read | Retrieve a list of database threat detection policies configured for 
a given server | +> | Microsoft.Sql/servers/databases/securityMetrics/read | Gets a collection of database security metrics | +> | Microsoft.Sql/servers/databases/sensitivityLabels/read | List sensitivity labels of a given database | +> | Microsoft.Sql/servers/databases/serviceTierAdvisors/read | Return suggestion about scaling database up or down based on query execution statistics to improve performance or reduce cost | +> | Microsoft.Sql/servers/databases/skus/read | Gets a collection of skus available for a database | +> | Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/read | Retrieve SQL Vulnerability Assessment policies on a given database | +> | Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/initiateScan/action | Execute vulnerability assessment database scan. | +> | Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines/write | Change the sql vulnerability assessment baseline set for a given database | +> | Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines/read | List the Sql Vulnerability Assessment baseline set by Sql Vulnerability Assessments | +> | Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines/rules/delete | Remove the sql vulnerability assessment rule baseline for a given database | +> | Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines/rules/write | Change the sql vulnerability assessment rule baseline for a given database | +> | Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines/rules/read | Get the sql vulnerability assessment rule baseline list for a given database | +> | Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/scans/read | Retrieve the scan record of the database SQL vulnerability assessment scan | +> | Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/scans/scanResults/read | Retrieve the scan results of the database SQL vulnerability assessment scan | +> | 
Microsoft.Sql/servers/databases/syncGroups/refreshHubSchema/action | Refresh sync hub database schema | +> | Microsoft.Sql/servers/databases/syncGroups/cancelSync/action | Cancel sync group synchronization | +> | Microsoft.Sql/servers/databases/syncGroups/triggerSync/action | Trigger sync group synchronization | +> | Microsoft.Sql/servers/databases/syncGroups/read | Return the list of sync groups or gets the properties for the specified sync group. | +> | Microsoft.Sql/servers/databases/syncGroups/write | Creates a sync group with the specified parameters or update the properties for the specified sync group. | +> | Microsoft.Sql/servers/databases/syncGroups/delete | Deletes an existing sync group. | +> | Microsoft.Sql/servers/databases/syncGroups/hubSchemas/read | Return the list of sync hub database schemas | +> | Microsoft.Sql/servers/databases/syncGroups/logs/read | Return the list of sync group logs | +> | Microsoft.Sql/servers/databases/syncGroups/refreshHubSchemaOperationResults/read | Retrieve result of the sync hub schema refresh operation | +> | Microsoft.Sql/servers/databases/syncGroups/syncMembers/read | Return the list of sync members or gets the properties for the specified sync member. | +> | Microsoft.Sql/servers/databases/syncGroups/syncMembers/write | Creates a sync member with the specified parameters or update the properties for the specified sync member. | +> | Microsoft.Sql/servers/databases/syncGroups/syncMembers/delete | Deletes an existing sync member. 
| +> | Microsoft.Sql/servers/databases/syncGroups/syncMembers/refreshSchema/action | Refresh sync member schema | +> | Microsoft.Sql/servers/databases/syncGroups/syncMembers/refreshSchemaOperationResults/read | Retrieve result of the sync member schema refresh operation | +> | Microsoft.Sql/servers/databases/syncGroups/syncMembers/schemas/read | Return the list of sync member database schemas | +> | Microsoft.Sql/servers/databases/topQueries/queryText/action | Returns the Transact-SQL text for selected query ID | +> | Microsoft.Sql/servers/databases/topQueries/read | Returns aggregated runtime statistics for selected query in selected time period | +> | Microsoft.Sql/servers/databases/topQueries/statistics/read | Returns aggregated runtime statistics for selected query in selected time period | +> | Microsoft.Sql/servers/databases/transparentDataEncryption/read | Retrieve details of the logical database Transparent Data Encryption on a given managed database | +> | Microsoft.Sql/servers/databases/transparentDataEncryption/write | Change the database Transparent Data Encryption for a given logical database | +> | Microsoft.Sql/servers/databases/transparentDataEncryption/operationResults/read | Gets in-progress operations on transparent data encryption | +> | Microsoft.Sql/servers/databases/usages/read | Gets the Azure SQL Database usages information | +> | Microsoft.Sql/servers/databases/vulnerabilityAssessments/write | Change the vulnerability assessment for a given database | +> | Microsoft.Sql/servers/databases/vulnerabilityAssessments/delete | Remove the vulnerability assessment for a given database | +> | Microsoft.Sql/servers/databases/vulnerabilityAssessments/read | Retrieve the vulnerability assessment policies on a givendatabase | +> | Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines/delete | Remove the vulnerability assessment rule baseline for a given database | +> | 
Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines/write | Change the vulnerability assessment rule baseline for a given database | +> | Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines/read | Get the vulnerability assessment rule baseline for a given database | +> | Microsoft.Sql/servers/databases/vulnerabilityAssessments/scans/initiateScan/action | Execute vulnerability assessment database scan. | +> | Microsoft.Sql/servers/databases/vulnerabilityAssessments/scans/read | Return the list of database vulnerability assessment scan records or get the scan record for the specified scan ID. | +> | Microsoft.Sql/servers/databases/vulnerabilityAssessments/scans/export/action | Convert an existing scan result to a human readable format. If already exists nothing happens | +> | Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/operationResults/read | Retrieve the result of the database vulnerability assessment scan Execute operation | +> | Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/read | Retrieve details of the vulnerability assessment configured on a given database | +> | Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/write | Change the vulnerability assessment for a given database | +> | Microsoft.Sql/servers/databases/workloadGroups/read | Lists the workload groups for a selected database. | +> | Microsoft.Sql/servers/databases/workloadGroups/write | Sets the properties for a specific workload group. | +> | Microsoft.Sql/servers/databases/workloadGroups/delete | Drops a specific workload group. | +> | Microsoft.Sql/servers/databases/workloadGroups/workloadClassifiers/read | Lists the workload classifiers for a selected database. | +> | Microsoft.Sql/servers/databases/workloadGroups/workloadClassifiers/write | Sets the properties for a specific workload classifier. 
| +> | Microsoft.Sql/servers/databases/workloadGroups/workloadClassifiers/delete | Drops a specific workload classifier. | +> | Microsoft.Sql/servers/devOpsAuditingSettings/read | Retrieve details of the server DevOps audit policy configured on a given server | +> | Microsoft.Sql/servers/devOpsAuditingSettings/write | Change the server DevOps audit policy for a given server | +> | Microsoft.Sql/servers/disasterRecoveryConfiguration/read | Gets a collection of disaster recovery configurations that include this server | +> | Microsoft.Sql/servers/disasterRecoveryConfiguration/write | Change server disaster recovery configuration | +> | Microsoft.Sql/servers/disasterRecoveryConfiguration/delete | Deletes an existing disaster recovery configurations for a given server | +> | Microsoft.Sql/servers/disasterRecoveryConfiguration/failover/action | Failover a DisasterRecoveryConfiguration | +> | Microsoft.Sql/servers/disasterRecoveryConfiguration/forceFailoverAllowDataLoss/action | Force Failover a DisasterRecoveryConfiguration | +> | Microsoft.Sql/servers/dnsAliases/read | Return the list of Server Dns Aliases for the specified server. | +> | Microsoft.Sql/servers/dnsAliases/write | Creates a Server Dns Alias with the specified parameters or update the properties or tags for the specified Server Dns Alias. | +> | Microsoft.Sql/servers/dnsAliases/delete | Deletes an existing Server Dns Alias. | +> | Microsoft.Sql/servers/dnsAliases/acquire/action | Acquire Server Dns Alias from the current server and repoint it to another server. 
| +> | Microsoft.Sql/servers/elasticPoolEstimates/read | Returns list of elastic pool estimates already created for this server | +> | Microsoft.Sql/servers/elasticPoolEstimates/write | Creates new elastic pool estimate for list of databases provided | +> | Microsoft.Sql/servers/elasticPools/read | Retrieve details of elastic pool on a given server | +> | Microsoft.Sql/servers/elasticPools/write | Create a new or change properties of existing elastic pool | +> | Microsoft.Sql/servers/elasticPools/delete | Delete existing elastic pool | +> | Microsoft.Sql/servers/elasticPools/failover/action | Customer initiated elastic pool failover. | +> | Microsoft.Sql/servers/elasticPools/advisors/read | Returns list of advisors available for the elastic pool | +> | Microsoft.Sql/servers/elasticPools/advisors/write | Update auto-execute status of an advisor on elastic pool level. | +> | Microsoft.Sql/servers/elasticPools/advisors/recommendedActions/read | Returns list of recommended actions of specified advisor for the elastic pool | +> | Microsoft.Sql/servers/elasticPools/advisors/recommendedActions/write | Apply the recommended action on the elastic pool | +> | Microsoft.Sql/servers/elasticPools/databases/read | Gets a list of databases for an elastic pool | +> | Microsoft.Sql/servers/elasticPools/elasticPoolActivity/read | Retrieve activities and details on a given elastic database pool | +> | Microsoft.Sql/servers/elasticPools/elasticPoolDatabaseActivity/read | Retrieve activities and details on a given database that is part of elastic database pool | +> | Microsoft.Sql/servers/elasticPools/metricDefinitions/read | Return types of metrics that are available for elastic database pools | +> | Microsoft.Sql/servers/elasticPools/metrics/read | Return metrics for elastic database pools | +> | Microsoft.Sql/servers/elasticPools/operations/cancel/action | Cancels Azure SQL elastic pool pending asynchronous operation that is not finished yet. 
| +> | Microsoft.Sql/servers/elasticPools/operations/read | Return the list of operations performed on the elastic pool | +> | Microsoft.Sql/servers/elasticPools/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.Sql/servers/elasticPools/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.Sql/servers/elasticPools/providers/Microsoft.Insights/metricDefinitions/read | Return types of metrics that are available for elastic database pools | +> | Microsoft.Sql/servers/elasticPools/skus/read | Gets a collection of skus available for an elastic pool | +> | Microsoft.Sql/servers/encryptionProtector/revalidate/action | Update the properties for the specified Server Encryption Protector. | +> | Microsoft.Sql/servers/encryptionProtector/read | Returns a list of server encryption protectors or gets the properties for the specified server encryption protector. | +> | Microsoft.Sql/servers/encryptionProtector/write | Update the properties for the specified Server Encryption Protector. | +> | Microsoft.Sql/servers/extendedAuditingSettings/read | Retrieve details of the extended server blob auditing policy configured on a given server | +> | Microsoft.Sql/servers/extendedAuditingSettings/write | Change the extended server blob auditing for a given server | +> | Microsoft.Sql/servers/externalPolicyBasedAuthorizations/read | Reads a specific server external policy based authorization property | +> | Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write | Adds or updates a specific server external policy based authorization property | +> | Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete | Deletes a specific server external policy based authorization property | +> | Microsoft.Sql/servers/failoverGroups/read | Returns the list of failover groups or gets the properties for the specified failover group. 
| +> | Microsoft.Sql/servers/failoverGroups/write | Creates a failover group with the specified parameters or updates the properties or tags for the specified failover group. | +> | Microsoft.Sql/servers/failoverGroups/delete | Deletes an existing failover group. | +> | Microsoft.Sql/servers/failoverGroups/failover/action | Executes planned failover in an existing failover group. | +> | Microsoft.Sql/servers/failoverGroups/forceFailoverAllowDataLoss/action | Executes forced failover in an existing failover group. | +> | Microsoft.Sql/servers/failoverGroups/tryPlannedBeforeForcedFailover/action | Executes try planned before forced failover in an existing failover group. | +> | Microsoft.Sql/servers/firewallRules/write | Creates a server firewall rule with the specified parameters, update the properties for the specified rule or overwrite all existing rules with new server firewall rule(s). | +> | Microsoft.Sql/servers/firewallRules/read | Return the list of server firewall rules or gets the properties for the specified server firewall rule. | +> | Microsoft.Sql/servers/firewallRules/delete | Deletes an existing server firewall rule. | +> | Microsoft.Sql/servers/importExportOperationResults/read | Gets in-progress import/export operations | +> | Microsoft.Sql/servers/inaccessibleDatabases/read | Return a list of inaccessible database(s) in a logical server. | +> | Microsoft.Sql/servers/ipv6FirewallRules/write | Creates a IPv6 server firewall rule with the specified parameters, update the properties for the specified rule or overwrite all existing rules with new server firewall rule(s). | +> | Microsoft.Sql/servers/ipv6FirewallRules/read | Return the list of IPv6 server firewall rules or gets the properties for the specified server firewall rule. | +> | Microsoft.Sql/servers/ipv6FirewallRules/delete | Deletes an existing IPv6 server firewall rule. 
| +> | Microsoft.Sql/servers/jobAgents/read | Gets an Azure SQL DB job agent | +> | Microsoft.Sql/servers/jobAgents/write | Creates or updates an Azure SQL DB job agent | +> | Microsoft.Sql/servers/jobAgents/delete | Deletes an Azure SQL DB job agent | +> | Microsoft.Sql/servers/jobAgents/credentials/read | Gets an Azure SQL DB job credential | +> | Microsoft.Sql/servers/jobAgents/credentials/write | Creates or updates an Azure SQL DB job credential | +> | Microsoft.Sql/servers/jobAgents/credentials/delete | Deletes an Azure SQL DB job credential | +> | Microsoft.Sql/servers/jobAgents/executions/read | Gets all the job executions for the job agent | +> | Microsoft.Sql/servers/jobAgents/jobs/read | Gets an Azure SQL DB job | +> | Microsoft.Sql/servers/jobAgents/jobs/write | Creates or updates an Azure SQL DB job | +> | Microsoft.Sql/servers/jobAgents/jobs/delete | Deletes an Azure SQL DB job | +> | Microsoft.Sql/servers/jobAgents/jobs/executions/read | Get a job execution | +> | Microsoft.Sql/servers/jobAgents/jobs/executions/write | Creates or updates a job execution | +> | Microsoft.Sql/servers/jobAgents/jobs/executions/steps/read | Get a job step execution | +> | Microsoft.Sql/servers/jobAgents/jobs/executions/steps/targets/read | Get a target executoin | +> | Microsoft.Sql/servers/jobAgents/jobs/executions/targets/read | Gets the job target executions for a job execution | +> | Microsoft.Sql/servers/jobAgents/jobs/steps/read | Get a job step | +> | Microsoft.Sql/servers/jobAgents/jobs/steps/write | Create or update a job step | +> | Microsoft.Sql/servers/jobAgents/jobs/steps/delete | Delete a job step | +> | Microsoft.Sql/servers/jobAgents/jobs/versions/read | Get a job version | +> | Microsoft.Sql/servers/jobAgents/jobs/versions/steps/read | Gets the job step version | +> | Microsoft.Sql/servers/jobAgents/privateEndpoints/read | Get a private endpoint | +> | Microsoft.Sql/servers/jobAgents/privateEndpoints/write | Create or update a private endpoint | +> | 
Microsoft.Sql/servers/jobAgents/privateEndpoints/delete | Delete a private endpoint | +> | Microsoft.Sql/servers/jobAgents/targetGroups/read | Get a target group | +> | Microsoft.Sql/servers/jobAgents/targetGroups/write | Create or update a target group | +> | Microsoft.Sql/servers/jobAgents/targetGroups/delete | Delete a target group | +> | Microsoft.Sql/servers/keys/read | Return the list of server keys or gets the properties for the specified server key. | +> | Microsoft.Sql/servers/keys/write | Creates a key with the specified parameters or update the properties or tags for the specified server key. | +> | Microsoft.Sql/servers/keys/delete | Deletes an existing server key. | +> | Microsoft.Sql/servers/networkSecurityPerimeterAssociationProxies/read | Get network security perimeter association | +> | Microsoft.Sql/servers/networkSecurityPerimeterAssociationProxies/write | Create network security perimeter association | +> | Microsoft.Sql/servers/networkSecurityPerimeterAssociationProxies/delete | Drop network security perimeter association | +> | Microsoft.Sql/servers/networkSecurityPerimeterConfigurations/read | Get sql server network security perimeter effective configuration | +> | Microsoft.Sql/servers/networkSecurityPerimeterConfigurations/reconcile/action | Reconcile Network Security Perimeter | +> | Microsoft.Sql/servers/operationResults/read | Gets in-progress server operations | +> | Microsoft.Sql/servers/operations/read | Return the list of operations performed on the server | +> | Microsoft.Sql/servers/outboundFirewallRules/read | Read outbound firewall rule | +> | Microsoft.Sql/servers/outboundFirewallRules/delete | Delete outbound firewall rule | +> | Microsoft.Sql/servers/outboundFirewallRules/write | Create outbound firewall rule | +> | Microsoft.Sql/servers/privateEndpointConnectionProxies/updatePrivateEndpointProperties/action | Used by NRP to backfill properties to a private endpoint connection | +> | 
Microsoft.Sql/servers/privateEndpointConnectionProxies/validate/action | Validates a private endpoint connection create call from NRP side | +> | Microsoft.Sql/servers/privateEndpointConnectionProxies/read | Returns the list of private endpoint connection proxies or gets the properties for the specified private endpoint connection proxy. | +> | Microsoft.Sql/servers/privateEndpointConnectionProxies/write | Creates a private endpoint connection proxy with the specified parameters or updates the properties or tags for the specified private endpoint connection proxy. | +> | Microsoft.Sql/servers/privateEndpointConnectionProxies/delete | Deletes an existing private endpoint connection proxy | +> | Microsoft.Sql/servers/privateEndpointConnections/read | Returns the list of private endpoint connections or gets the properties for the specified private endpoint connection. | +> | Microsoft.Sql/servers/privateEndpointConnections/delete | Deletes an existing private endpoint connection | +> | Microsoft.Sql/servers/privateEndpointConnections/write | Approves or rejects an existing private endpoint connection | +> | Microsoft.Sql/servers/privateLinkResources/read | Get the private link resources for the corresponding sql server | +> | Microsoft.Sql/servers/providers/Microsoft.Insights/metricDefinitions/read | Return types of metrics that are available for servers | +> | Microsoft.Sql/servers/recommendedElasticPools/read | Retrieve recommendation for elastic database pools to reduce cost or improve performance based on historical resource utilization | +> | Microsoft.Sql/servers/recommendedElasticPools/databases/read | Retrieve metrics for recommended elastic database pools for a given server | +> | Microsoft.Sql/servers/recoverableDatabases/read | Return the list of recoverable databases or gets the properties for the specified recoverable database. 
| +> | Microsoft.Sql/servers/replicationLinks/read | Return the list of replication links or gets the properties for the specified replication links. | +> | Microsoft.Sql/servers/restorableDroppedDatabases/read | Get a list of databases that were dropped on a given server that are still within retention policy. | +> | Microsoft.Sql/servers/securityAlertPolicies/write | Change the server threat detection policy for a given server | +> | Microsoft.Sql/servers/securityAlertPolicies/read | Retrieve a list of server threat detection policies configured for a given server | +> | Microsoft.Sql/servers/securityAlertPolicies/operationResults/read | Retrieve results of the server threat detection policy write operation | +> | Microsoft.Sql/servers/serviceObjectives/read | Retrieve list of service level objectives (also known as performance tiers) available on a given server | +> | Microsoft.Sql/servers/sqlVulnerabilityAssessments/write | Change SQL Vulnerability Assessment for a given server | +> | Microsoft.Sql/servers/sqlVulnerabilityAssessments/delete | Remove SQL Vulnerability Assessment for a given server | +> | Microsoft.Sql/servers/sqlVulnerabilityAssessments/read | Retrieve SQL Vulnerability Assessment policies on a given server | +> | Microsoft.Sql/servers/sqlVulnerabilityAssessments/initiateScan/action | Execute vulnerability assessment database scan. 
| +> | Microsoft.Sql/servers/sqlVulnerabilityAssessments/baselines/write | Change the sql vulnerability assessment baseline set for a given system database | +> | Microsoft.Sql/servers/sqlVulnerabilityAssessments/baselines/read | Retrieve the Sql Vulnerability Assessment baseline set on a system database | +> | Microsoft.Sql/servers/sqlVulnerabilityAssessments/baselines/rules/read | Get the vulnerability assessment rule baseline for a given database | +> | Microsoft.Sql/servers/sqlVulnerabilityAssessments/baselines/rules/delete | Remove the sql vulnerability assessment rule baseline for a given database | +> | Microsoft.Sql/servers/sqlVulnerabilityAssessments/baselines/rules/write | Change the sql vulnerability assessment rule baseline for a given database | +> | Microsoft.Sql/servers/sqlVulnerabilityAssessments/scans/read | List SQL vulnerability assessment scan records by database. | +> | Microsoft.Sql/servers/sqlVulnerabilityAssessments/scans/scanResults/read | Retrieve the scan results of the database vulnerability assessment scan | +> | Microsoft.Sql/servers/syncAgents/read | Return the list of sync agents or gets the properties for the specified sync agent. | +> | Microsoft.Sql/servers/syncAgents/write | Creates a sync agent with the specified parameters or update the properties for the specified sync agent. | +> | Microsoft.Sql/servers/syncAgents/delete | Deletes an existing sync agent. | +> | Microsoft.Sql/servers/syncAgents/generateKey/action | Generate sync agent registration key | +> | Microsoft.Sql/servers/syncAgents/linkedDatabases/read | Return the list of sync agent linked databases | +> | Microsoft.Sql/servers/usages/read | Gets the Azure SQL Database Server usages information | +> | Microsoft.Sql/servers/virtualNetworkRules/read | Return the list of virtual network rules or gets the properties for the specified virtual network rule. 
| +> | Microsoft.Sql/servers/virtualNetworkRules/write | Creates a virtual network rule with the specified parameters or update the properties or tags for the specified virtual network rule. | +> | Microsoft.Sql/servers/virtualNetworkRules/delete | Deletes an existing Virtual Network Rule | +> | Microsoft.Sql/servers/vulnerabilityAssessments/write | Change the vulnerability assessment for a given server | +> | Microsoft.Sql/servers/vulnerabilityAssessments/delete | Remove the vulnerability assessment for a given server | +> | Microsoft.Sql/servers/vulnerabilityAssessments/read | Retrieve the vulnerability assessment policies on a given server | +> | Microsoft.Sql/virtualClusters/updateManagedInstanceDnsServers/action | Performs virtual cluster dns servers. | +> | Microsoft.Sql/virtualClusters/read | Return the list of virtual clusters or gets the properties for the specified virtual cluster. | +> | Microsoft.Sql/virtualClusters/write | Creates or updates the virtual clusters. | +> | Microsoft.Sql/virtualClusters/delete | Deletes an existing virtual cluster. 
| ++## Microsoft.SqlVirtualMachine ++Azure service: [SQL Server on Azure Virtual Machines](/azure/azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.SqlVirtualMachine/register/action | Register subscription with Microsoft.SqlVirtualMachine resource provider | +> | Microsoft.SqlVirtualMachine/unregister/action | Unregister subscription with Microsoft.SqlVirtualMachine resource provider | +> | Microsoft.SqlVirtualMachine/locations/registerSqlVmCandidate/action | Register SQL Vm Candidate | +> | Microsoft.SqlVirtualMachine/locations/availabilityGroupListenerOperationResults/read | Get result of an availability group listener operation | +> | Microsoft.SqlVirtualMachine/locations/sqlVirtualMachineGroupOperationResults/read | Get result of a SQL virtual machine group operation | +> | Microsoft.SqlVirtualMachine/locations/sqlVirtualMachineOperationResults/read | Get result of SQL virtual machine operation | +> | Microsoft.SqlVirtualMachine/operations/read | | +> | Microsoft.SqlVirtualMachine/sqlVirtualMachineGroups/read | Retrieve details of SQL virtual machine group | +> | Microsoft.SqlVirtualMachine/sqlVirtualMachineGroups/write | Create a new or change properties of existing SQL virtual machine group | +> | Microsoft.SqlVirtualMachine/sqlVirtualMachineGroups/delete | Delete existing SQL virtual machine group | +> | Microsoft.SqlVirtualMachine/sqlVirtualMachineGroups/availabilityGroupListeners/read | Retrieve details of SQL availability group listener on a given SQL virtual machine group | +> | Microsoft.SqlVirtualMachine/sqlVirtualMachineGroups/availabilityGroupListeners/write | Create a new or changes properties of existing SQL availability group listener | +> | Microsoft.SqlVirtualMachine/sqlVirtualMachineGroups/availabilityGroupListeners/delete | Delete existing availability group listener | +> | 
Microsoft.SqlVirtualMachine/sqlVirtualMachineGroups/sqlVirtualMachines/read | List Sql virtual machines by a particular sql virtual virtual machine group | +> | Microsoft.SqlVirtualMachine/sqlVirtualMachines/fetchDCAssessment/action | | +> | Microsoft.SqlVirtualMachine/sqlVirtualMachines/redeploy/action | Redeploy existing SQL virtual machine | +> | Microsoft.SqlVirtualMachine/sqlVirtualMachines/read | Retrieve details of SQL virtual machine | +> | Microsoft.SqlVirtualMachine/sqlVirtualMachines/write | Create a new or change properties of existing SQL virtual machine | +> | Microsoft.SqlVirtualMachine/sqlVirtualMachines/delete | Delete existing SQL virtual machine | +> | Microsoft.SqlVirtualMachine/sqlVirtualMachines/startAssessment/action | Starts SQL best practices Assessment on SQL virtual machine | +> | Microsoft.SqlVirtualMachine/sqlVirtualMachines/troubleshoot/action | Start SQL virtual machine troubleshooting operation | ++## Next steps ++- [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types) |
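Review bot: Several Description cells in this added permissions table are empty or misleading, which matters because custom-role authors rely on these strings to scope least-privilege assignments. In the Microsoft.SqlVirtualMachine table, `Microsoft.SqlVirtualMachine/operations/read` and `Microsoft.SqlVirtualMachine/sqlVirtualMachines/fetchDCAssessment/action` have no description at all, so a reader cannot tell what granting them allows; please supply one for each. In the Microsoft.Sql table, `Microsoft.Sql/virtualClusters/updateManagedInstanceDnsServers/action | Performs virtual cluster dns servers.` does not describe the action (something like "Updates the DNS servers of a virtual cluster" would), and `Microsoft.Sql/servers/databases/transparentDataEncryption/read` says "on a given managed database" while sitting under the logical `servers/databases` path, unlike the matching `write` row that says "logical database". Smaller typos to fix in the same hunk: "Get a target executoin" (jobAgents/jobs/executions/steps/targets/read), "on a givendatabase" (databases/vulnerabilityAssessments/read), and "sql virtual virtual machine group" (sqlVirtualMachineGroups/sqlVirtualMachines/read).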
role-based-access-control | Devops | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/devops.md | + + Title: Azure permissions for DevOps - Azure RBAC +description: Lists the permissions for the Azure resource providers in the DevOps category. +++++ Last updated : 02/07/2024++++# Azure permissions for DevOps ++This article lists the permissions for the Azure resource providers in the DevOps category. You can use these permissions in your own [Azure custom roles](/azure/role-based-access-control/custom-roles) to provide granular access control to resources in Azure. Permission strings have the following format: `{Company}.{ProviderName}/{resourceType}/{action}` +++## Microsoft.Chaos ++Azure service: [Azure Chaos Studio](/azure/chaos-studio/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Chaos/register/action | Registers the subscription for the Chaos Resource Provider and enables the creation of Chaos resources. | +> | Microsoft.Chaos/unregister/action | Unregisters the subscription for the Chaos Resource Provider and enables the creation of Chaos resources. | +> | Microsoft.Chaos/experiments/write | Creates or updates a Chaos Experiment resource in a resource group. | +> | Microsoft.Chaos/experiments/delete | Deletes a Chaos Experiment resource in a resource group. | +> | Microsoft.Chaos/experiments/read | Gets all Chaos Experiments in a resource group. | +> | Microsoft.Chaos/experiments/start/action | Starts a Chaos Experiment to inject faults. | +> | Microsoft.Chaos/experiments/cancel/action | Cancels a running Chaos Experiment to stop the fault injection. | +> | Microsoft.Chaos/experiments/executions/read | Gets all chaos experiment executions for a given chaos experiment. | +> | Microsoft.Chaos/experiments/executions/getExecutionDetails/action | Gets details of a chaos experiment execution for a given chaos experiment. 
| +> | Microsoft.Chaos/locations/operationResults/read | Gets an Operation Result. | +> | Microsoft.Chaos/locations/operationStatuses/read | Gets an Operation Status. | +> | Microsoft.Chaos/locations/targetTypes/read | Gets all TargetTypes. | +> | Microsoft.Chaos/locations/targetTypes/capabilityTypes/read | Gets all CapabilityType. | +> | Microsoft.Chaos/operations/read | Read the available Operations for Chaos Studio. | +> | Microsoft.Chaos/skus/read | Read the available SKUs for Chaos Studio. | +> | Microsoft.Chaos/targets/write | Creates or update a Target resource that extends a tracked resource. | +> | Microsoft.Chaos/targets/delete | Deletes a Target resource that extends a tracked resource. | +> | Microsoft.Chaos/targets/read | Gets all Targets that extend a tracked resource. | +> | Microsoft.Chaos/targets/capabilities/write | Creates or update a Capability resource that extends a Target resource. | +> | Microsoft.Chaos/targets/capabilities/delete | Deletes a Capability resource that extends a Target resource. | +> | Microsoft.Chaos/targets/capabilities/read | Gets all Capabilities that extend a Target resource. | ++## Microsoft.DevTestLab ++Azure service: [Azure Lab Services](/azure/lab-services/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.DevTestLab/register/action | Registers the subscription | +> | Microsoft.DevTestLab/labCenters/delete | Delete lab centers. | +> | Microsoft.DevTestLab/labCenters/read | Read lab centers. | +> | Microsoft.DevTestLab/labCenters/write | Add or modify lab centers. | +> | Microsoft.DevTestLab/labs/delete | Delete labs. | +> | Microsoft.DevTestLab/labs/read | Read labs. | +> | Microsoft.DevTestLab/labs/write | Add or modify labs. | +> | Microsoft.DevTestLab/labs/ListVhds/action | List disk images available for custom image creation. | +> | Microsoft.DevTestLab/labs/GenerateUploadUri/action | Generate a URI for uploading custom disk images to a Lab. 
| +> | Microsoft.DevTestLab/labs/CreateEnvironment/action | Create virtual machines in a lab. | +> | Microsoft.DevTestLab/labs/ClaimAnyVm/action | Claim a random claimable virtual machine in the lab. | +> | Microsoft.DevTestLab/labs/ExportResourceUsage/action | Exports the lab resource usage into a storage account | +> | Microsoft.DevTestLab/labs/ImportVirtualMachine/action | Import a virtual machine into a different lab. | +> | Microsoft.DevTestLab/labs/EnsureCurrentUserProfile/action | Ensure the current user has a valid profile in the lab. | +> | Microsoft.DevTestLab/labs/artifactSources/delete | Delete artifact sources. | +> | Microsoft.DevTestLab/labs/artifactSources/read | Read artifact sources. | +> | Microsoft.DevTestLab/labs/artifactSources/write | Add or modify artifact sources. | +> | Microsoft.DevTestLab/labs/artifactSources/armTemplates/read | Read azure resource manager templates. | +> | Microsoft.DevTestLab/labs/artifactSources/artifacts/read | Read artifacts. | +> | Microsoft.DevTestLab/labs/artifactSources/artifacts/GenerateArmTemplate/action | Generates an Azure Resource Manager template for the given artifact, uploads the required files to a storage account, and validates the generated artifact. | +> | Microsoft.DevTestLab/labs/costs/read | Read costs. | +> | Microsoft.DevTestLab/labs/costs/write | Add or modify costs. | +> | Microsoft.DevTestLab/labs/customImages/delete | Delete custom images. | +> | Microsoft.DevTestLab/labs/customImages/read | Read custom images. | +> | Microsoft.DevTestLab/labs/customImages/write | Add or modify custom images. | +> | Microsoft.DevTestLab/labs/formulas/delete | Delete formulas. | +> | Microsoft.DevTestLab/labs/formulas/read | Read formulas. | +> | Microsoft.DevTestLab/labs/formulas/write | Add or modify formulas. | +> | Microsoft.DevTestLab/labs/galleryImages/read | Read gallery images. | +> | Microsoft.DevTestLab/labs/notificationChannels/delete | Delete notification channels. 
| +> | Microsoft.DevTestLab/labs/notificationChannels/read | Read notification channels. | +> | Microsoft.DevTestLab/labs/notificationChannels/write | Add or modify notification channels. | +> | Microsoft.DevTestLab/labs/notificationChannels/Notify/action | Send notification to provided channel. | +> | Microsoft.DevTestLab/labs/policySets/read | Read policy sets. | +> | Microsoft.DevTestLab/labs/policySets/EvaluatePolicies/action | Evaluates lab policy. | +> | Microsoft.DevTestLab/labs/policySets/policies/delete | Delete policies. | +> | Microsoft.DevTestLab/labs/policySets/policies/read | Read policies. | +> | Microsoft.DevTestLab/labs/policySets/policies/write | Add or modify policies. | +> | Microsoft.DevTestLab/labs/schedules/delete | Delete schedules. | +> | Microsoft.DevTestLab/labs/schedules/read | Read schedules. | +> | Microsoft.DevTestLab/labs/schedules/write | Add or modify schedules. | +> | Microsoft.DevTestLab/labs/schedules/Execute/action | Execute a schedule. | +> | Microsoft.DevTestLab/labs/schedules/ListApplicable/action | Lists all applicable schedules | +> | Microsoft.DevTestLab/labs/secrets/delete | Delete lab secrets. | +> | Microsoft.DevTestLab/labs/secrets/read | Read lab secrets. | +> | Microsoft.DevTestLab/labs/secrets/write | Add or modify lab secrets. | +> | Microsoft.DevTestLab/labs/serviceRunners/delete | Delete service runners. | +> | Microsoft.DevTestLab/labs/serviceRunners/read | Read service runners. | +> | Microsoft.DevTestLab/labs/serviceRunners/write | Add or modify service runners. | +> | Microsoft.DevTestLab/labs/sharedGalleries/delete | Delete shared galleries. | +> | Microsoft.DevTestLab/labs/sharedGalleries/read | Read shared galleries. | +> | Microsoft.DevTestLab/labs/sharedGalleries/write | Add or modify shared galleries. | +> | Microsoft.DevTestLab/labs/sharedGalleries/sharedImages/delete | Delete shared images. | +> | Microsoft.DevTestLab/labs/sharedGalleries/sharedImages/read | Read shared images. 
| +> | Microsoft.DevTestLab/labs/sharedGalleries/sharedImages/write | Add or modify shared images. | +> | Microsoft.DevTestLab/labs/users/delete | Delete user profiles. | +> | Microsoft.DevTestLab/labs/users/read | Read user profiles. | +> | Microsoft.DevTestLab/labs/users/write | Add or modify user profiles. | +> | Microsoft.DevTestLab/labs/users/disks/delete | Delete disks. | +> | Microsoft.DevTestLab/labs/users/disks/read | Read disks. | +> | Microsoft.DevTestLab/labs/users/disks/write | Add or modify disks. | +> | Microsoft.DevTestLab/labs/users/disks/Attach/action | Attach and create the lease of the disk to the virtual machine. | +> | Microsoft.DevTestLab/labs/users/disks/Detach/action | Detach and break the lease of the disk attached to the virtual machine. | +> | Microsoft.DevTestLab/labs/users/environments/delete | Delete environments. | +> | Microsoft.DevTestLab/labs/users/environments/read | Read environments. | +> | Microsoft.DevTestLab/labs/users/environments/write | Add or modify environments. | +> | Microsoft.DevTestLab/labs/users/secrets/delete | Delete secrets. | +> | Microsoft.DevTestLab/labs/users/secrets/read | Read secrets. | +> | Microsoft.DevTestLab/labs/users/secrets/write | Add or modify secrets. | +> | Microsoft.DevTestLab/labs/users/serviceFabrics/delete | Delete service fabrics. | +> | Microsoft.DevTestLab/labs/users/serviceFabrics/read | Read service fabrics. | +> | Microsoft.DevTestLab/labs/users/serviceFabrics/write | Add or modify service fabrics. | +> | Microsoft.DevTestLab/labs/users/serviceFabrics/Start/action | Start a service fabric. | +> | Microsoft.DevTestLab/labs/users/serviceFabrics/Stop/action | Stop a service fabric | +> | Microsoft.DevTestLab/labs/users/serviceFabrics/ListApplicableSchedules/action | Lists the applicable start/stop schedules, if any. | +> | Microsoft.DevTestLab/labs/users/serviceFabrics/schedules/delete | Delete schedules. 
| +> | Microsoft.DevTestLab/labs/users/serviceFabrics/schedules/read | Read schedules. | +> | Microsoft.DevTestLab/labs/users/serviceFabrics/schedules/write | Add or modify schedules. | +> | Microsoft.DevTestLab/labs/users/serviceFabrics/schedules/Execute/action | Execute a schedule. | +> | Microsoft.DevTestLab/labs/virtualMachines/delete | Delete virtual machines. | +> | Microsoft.DevTestLab/labs/virtualMachines/read | Read virtual machines. | +> | Microsoft.DevTestLab/labs/virtualMachines/write | Add or modify virtual machines. | +> | Microsoft.DevTestLab/labs/virtualMachines/AddDataDisk/action | Attach a new or existing data disk to virtual machine. | +> | Microsoft.DevTestLab/labs/virtualMachines/ApplyArtifacts/action | Apply artifacts to virtual machine. | +> | Microsoft.DevTestLab/labs/virtualMachines/Claim/action | Take ownership of an existing virtual machine | +> | Microsoft.DevTestLab/labs/virtualMachines/ClearArtifactResults/action | Clears the artifact results of the virtual machine. | +> | Microsoft.DevTestLab/labs/virtualMachines/DetachDataDisk/action | Detach the specified disk from the virtual machine. | +> | Microsoft.DevTestLab/labs/virtualMachines/GetRdpFileContents/action | Gets a string that represents the contents of the RDP file for the virtual machine | +> | Microsoft.DevTestLab/labs/virtualMachines/ListApplicableSchedules/action | Lists the applicable start/stop schedules, if any. | +> | Microsoft.DevTestLab/labs/virtualMachines/Redeploy/action | Redeploy a virtual machine | +> | Microsoft.DevTestLab/labs/virtualMachines/Resize/action | Resize Virtual Machine. | +> | Microsoft.DevTestLab/labs/virtualMachines/Restart/action | Restart a virtual machine. | +> | Microsoft.DevTestLab/labs/virtualMachines/Start/action | Start a virtual machine. 
| +> | Microsoft.DevTestLab/labs/virtualMachines/Stop/action | Stop a virtual machine | +> | Microsoft.DevTestLab/labs/virtualMachines/TransferDisks/action | Transfers all data disks attached to the virtual machine to be owned by the current user. | +> | Microsoft.DevTestLab/labs/virtualMachines/UnClaim/action | Release ownership of an existing virtual machine | +> | Microsoft.DevTestLab/labs/virtualMachines/schedules/delete | Delete schedules. | +> | Microsoft.DevTestLab/labs/virtualMachines/schedules/read | Read schedules. | +> | Microsoft.DevTestLab/labs/virtualMachines/schedules/write | Add or modify schedules. | +> | Microsoft.DevTestLab/labs/virtualMachines/schedules/Execute/action | Execute a schedule. | +> | Microsoft.DevTestLab/labs/virtualNetworks/delete | Delete virtual networks. | +> | Microsoft.DevTestLab/labs/virtualNetworks/read | Read virtual networks. | +> | Microsoft.DevTestLab/labs/virtualNetworks/write | Add or modify virtual networks. | +> | Microsoft.DevTestLab/labs/virtualNetworks/bastionHosts/delete | Delete bastionhosts. | +> | Microsoft.DevTestLab/labs/virtualNetworks/bastionHosts/read | Read bastionhosts. | +> | Microsoft.DevTestLab/labs/virtualNetworks/bastionHosts/write | Add or modify bastionhosts. | +> | Microsoft.DevTestLab/labs/vmPools/delete | Delete virtual machine pools. | +> | Microsoft.DevTestLab/labs/vmPools/read | Read virtual machine pools. | +> | Microsoft.DevTestLab/labs/vmPools/write | Add or modify virtual machine pools. | +> | Microsoft.DevTestLab/locations/operations/read | Read operations. | +> | Microsoft.DevTestLab/schedules/delete | Delete schedules. | +> | Microsoft.DevTestLab/schedules/read | Read schedules. | +> | Microsoft.DevTestLab/schedules/write | Add or modify schedules. | +> | Microsoft.DevTestLab/schedules/Execute/action | Execute a schedule. | +> | Microsoft.DevTestLab/schedules/Retarget/action | Updates a schedule's target resource Id. 
| ++## Microsoft.LabServices ++Azure service: [Azure Lab Services](/azure/lab-services/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.LabServices/register/action | Register the subscription with the Lab Services provider and enable the creation of labs. | +> | Microsoft.LabServices/unregister/action | Unregister the subscription with the Lab Services provider. | +> | Microsoft.LabServices/labAccounts/delete | Delete lab accounts. | +> | Microsoft.LabServices/labAccounts/read | Read lab accounts. | +> | Microsoft.LabServices/labAccounts/write | Add or modify lab accounts. | +> | Microsoft.LabServices/labAccounts/CreateLab/action | Create a lab in a lab account. | +> | Microsoft.LabServices/labAccounts/GetRegionalAvailability/action | Get regional availability information for each size category configured under a lab account | +> | Microsoft.LabServices/labAccounts/GetPricingAndAvailability/action | Get the pricing and availability of combinations of sizes, geographies, and operating systems for the lab account. | +> | Microsoft.LabServices/labAccounts/GetRestrictionsAndUsage/action | Get core restrictions and usage for this subscription | +> | Microsoft.LabServices/labAccounts/galleryImages/delete | Delete gallery images. | +> | Microsoft.LabServices/labAccounts/galleryImages/read | Read gallery images. | +> | Microsoft.LabServices/labAccounts/galleryImages/write | Add or modify gallery images. | +> | Microsoft.LabServices/labAccounts/labs/delete | Delete labs. | +> | Microsoft.LabServices/labAccounts/labs/read | Read labs. | +> | Microsoft.LabServices/labAccounts/labs/write | Add or modify labs. 
| +> | Microsoft.LabServices/labAccounts/labs/AddUsers/action | Add users to a lab | +> | Microsoft.LabServices/labAccounts/labs/SendEmail/action | Send email with registration link to the lab | +> | Microsoft.LabServices/labAccounts/labs/GetLabPricingAndAvailability/action | Get the pricing per lab unit for this lab and the availability which indicates if this lab can scale up. | +> | Microsoft.LabServices/labAccounts/labs/SyncUserList/action | Syncs the changes from the AAD group to the userlist | +> | Microsoft.LabServices/labAccounts/labs/environmentSettings/delete | Delete environment setting. | +> | Microsoft.LabServices/labAccounts/labs/environmentSettings/read | Read environment setting. | +> | Microsoft.LabServices/labAccounts/labs/environmentSettings/write | Add or modify environment setting. | +> | Microsoft.LabServices/labAccounts/labs/environmentSettings/Publish/action | Provisions/deprovisions required resources for an environment setting based on current state of the lab/environment setting. | +> | Microsoft.LabServices/labAccounts/labs/environmentSettings/Start/action | Starts a template by starting all resources inside the template. | +> | Microsoft.LabServices/labAccounts/labs/environmentSettings/Stop/action | Stops a template by stopping all resources inside the template. | +> | Microsoft.LabServices/labAccounts/labs/environmentSettings/SaveImage/action | Saves current template image to the shared gallery in the lab account | +> | Microsoft.LabServices/labAccounts/labs/environmentSettings/ResetPassword/action | Resets password on the template virtual machine. | +> | Microsoft.LabServices/labAccounts/labs/environmentSettings/environments/delete | Delete environments. | +> | Microsoft.LabServices/labAccounts/labs/environmentSettings/environments/read | Read environments. | +> | Microsoft.LabServices/labAccounts/labs/environmentSettings/environments/Start/action | Starts an environment by starting all resources inside the environment. 
| +> | Microsoft.LabServices/labAccounts/labs/environmentSettings/environments/Stop/action | Stops an environment by stopping all resources inside the environment | +> | Microsoft.LabServices/labAccounts/labs/environmentSettings/environments/ResetPassword/action | Resets the user password on an environment | +> | Microsoft.LabServices/labAccounts/labs/environmentSettings/schedules/delete | Delete schedules. | +> | Microsoft.LabServices/labAccounts/labs/environmentSettings/schedules/read | Read schedules. | +> | Microsoft.LabServices/labAccounts/labs/environmentSettings/schedules/write | Add or modify schedules. | +> | Microsoft.LabServices/labAccounts/labs/users/delete | Delete users. | +> | Microsoft.LabServices/labAccounts/labs/users/read | Read users. | +> | Microsoft.LabServices/labAccounts/labs/users/write | Add or modify users. | +> | Microsoft.LabServices/labAccounts/sharedGalleries/delete | Delete sharedgalleries. | +> | Microsoft.LabServices/labAccounts/sharedGalleries/read | Read sharedgalleries. | +> | Microsoft.LabServices/labAccounts/sharedGalleries/write | Add or modify sharedgalleries. | +> | Microsoft.LabServices/labAccounts/sharedImages/delete | Delete sharedimages. | +> | Microsoft.LabServices/labAccounts/sharedImages/read | Read sharedimages. | +> | Microsoft.LabServices/labAccounts/sharedImages/write | Add or modify sharedimages. | +> | Microsoft.LabServices/labPlans/read | Get the properties of a lab plan. | +> | Microsoft.LabServices/labPlans/write | Create new or update an existing lab plan. | +> | Microsoft.LabServices/labPlans/delete | Delete the lab plan. | +> | Microsoft.LabServices/labPlans/saveImage/action | Create an image from a virtual machine in the gallery attached to the lab plan. | +> | Microsoft.LabServices/labPlans/images/read | Get the properties of an image. | +> | Microsoft.LabServices/labPlans/images/write | Enable or disable a marketplace or gallery image. 
| +> | Microsoft.LabServices/labs/read | Get the properties of a lab. | +> | Microsoft.LabServices/labs/write | Create new or update an existing lab. | +> | Microsoft.LabServices/labs/delete | Delete the lab and all its users, schedules and virtual machines. | +> | Microsoft.LabServices/labs/publish/action | Publish a lab by propagating image of the template virtual machine to all virtual machines in the lab. | +> | Microsoft.LabServices/labs/syncGroup/action | Updates the list of users from the Active Directory group assigned to the lab. | +> | Microsoft.LabServices/labs/schedules/read | Get the properties of a schedule. | +> | Microsoft.LabServices/labs/schedules/write | Create new or update an existing schedule. | +> | Microsoft.LabServices/labs/schedules/delete | Delete the schedule. | +> | Microsoft.LabServices/labs/users/read | Get the properties of a user. | +> | Microsoft.LabServices/labs/users/write | Create new or update an existing user. | +> | Microsoft.LabServices/labs/users/delete | Delete the user. | +> | Microsoft.LabServices/labs/users/invite/action | Send email invitation to a user to join the lab. | +> | Microsoft.LabServices/labs/virtualMachines/read | Get the properties of a virtual machine. | +> | Microsoft.LabServices/labs/virtualMachines/start/action | Start a virtual machine. | +> | Microsoft.LabServices/labs/virtualMachines/stop/action | Stop and deallocate a virtual machine. | +> | Microsoft.LabServices/labs/virtualMachines/reimage/action | Reimage a virtual machine to the last published image. | +> | Microsoft.LabServices/labs/virtualMachines/redeploy/action | Redeploy a virtual machine to a different compute node. | +> | Microsoft.LabServices/labs/virtualMachines/resetPassword/action | Reset local user's password on a virtual machine. | +> | Microsoft.LabServices/locations/operationResults/read | Get the properties and status of an asynchronous operation. | +> | Microsoft.LabServices/locations/operations/read | Read operations. 
| +> | Microsoft.LabServices/locations/usages/read | Get Usage in a location | +> | Microsoft.LabServices/skus/read | Get the properties of a Lab Services SKU. | +> | Microsoft.LabServices/users/Register/action | Register a user to a managed lab | +> | Microsoft.LabServices/users/ListAllEnvironments/action | List all Environments for the user | +> | Microsoft.LabServices/users/StartEnvironment/action | Starts an environment by starting all resources inside the environment. | +> | Microsoft.LabServices/users/StopEnvironment/action | Stops an environment by stopping all resources inside the environment | +> | Microsoft.LabServices/users/ResetPassword/action | Resets the user password on an environment | +> | Microsoft.LabServices/users/UserSettings/action | Updates and returns personal user settings. | +> | **DataAction** | **Description** | +> | Microsoft.LabServices/labPlans/createLab/action | Create a new lab from a lab plan. | ++## Microsoft.LoadTestService ++Azure service: [Azure Load Testing](/azure/load-testing/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.LoadTestService/checkNameAvailability/action | Checks if a LoadTest resource name is available | +> | Microsoft.LoadTestService/register/action | Register the subscription for Microsoft.LoadTestService | +> | Microsoft.LoadTestService/unregister/action | Unregister the subscription for Microsoft.LoadTestService | +> | Microsoft.LoadTestService/loadTestMappings/read | Get a LoadTest mapping resource, or Lists LoadTest mapping resources in a scope. | +> | Microsoft.LoadTestService/loadTestMappings/write | Create or update LoadTest mapping resource. | +> | Microsoft.LoadTestService/loadTestMappings/delete | Delete a LoadTest mapping resource. | +> | Microsoft.LoadTestService/loadTests/read | Get a LoadTest resource, or Lists loadtest resources in a subscription or resource group. | +> | Microsoft.LoadTestService/loadTests/write | Create or update LoadTest resource. 
| +> | Microsoft.LoadTestService/loadTests/delete | Delete a LoadTest resource. | +> | Microsoft.LoadTestService/loadTests/outboundNetworkDependenciesEndpoints/read | Lists the endpoints that agents may call as part of load testing. | +> | Microsoft.LoadTestService/Locations/OperationStatuses/read | Read OperationStatuses | +> | Microsoft.LoadTestService/Locations/OperationStatuses/write | Write OperationStatuses | +> | Microsoft.LoadTestService/locations/quotas/read | Get/List the available quotas for quota buckets per region per subscription. | +> | Microsoft.LoadTestService/locations/quotas/checkAvailability/action | Check Quota Availability on quota bucket per region per subscription. | +> | Microsoft.LoadTestService/operations/read | read operations | +> | Microsoft.LoadTestService/registeredSubscriptions/read | read registeredSubscriptions | +> | **DataAction** | **Description** | +> | Microsoft.LoadTestService/loadtests/startTest/action | Start Load Tests | +> | Microsoft.LoadTestService/loadtests/stopTest/action | Stop Load Tests | +> | Microsoft.LoadTestService/loadtests/writeTest/action | Create or Update Load Tests | +> | Microsoft.LoadTestService/loadtests/deleteTest/action | Delete Load Tests | +> | Microsoft.LoadTestService/loadtests/readTest/action | Read Load Tests | ++## Microsoft.SecurityDevOps ++Azure service: [Microsoft Defender for Cloud](/azure/defender-for-cloud/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.SecurityDevOps/register/action | Register the subscription for Microsoft.SecurityDevOps | +> | Microsoft.SecurityDevOps/unregister/action | Unregister the subscription for Microsoft.SecurityDevOps | +> | Microsoft.SecurityDevOps/azureDevOpsConnectors/read | read azureDevOpsConnectors | +> | Microsoft.SecurityDevOps/azureDevOpsConnectors/read | read azureDevOpsConnectors | +> | Microsoft.SecurityDevOps/azureDevOpsConnectors/write | write azureDevOpsConnectors | +> | 
Microsoft.SecurityDevOps/azureDevOpsConnectors/delete | delete azureDevOpsConnectors | +> | Microsoft.SecurityDevOps/azureDevOpsConnectors/write | write azureDevOpsConnectors | +> | Microsoft.SecurityDevOps/azureDevOpsConnectors/configure/action | action configure | +> | Microsoft.SecurityDevOps/azureDevOpsConnectors/read | read azureDevOpsConnectors | +> | Microsoft.SecurityDevOps/azureDevOpsConnectors/orgs/read | read orgs | +> | Microsoft.SecurityDevOps/azureDevOpsConnectors/orgs/write | write orgs | +> | Microsoft.SecurityDevOps/azureDevOpsConnectors/orgs/write | write orgs | +> | Microsoft.SecurityDevOps/azureDevOpsConnectors/orgs/read | read orgs | +> | Microsoft.SecurityDevOps/azureDevOpsConnectors/orgs/projects/read | read projects | +> | Microsoft.SecurityDevOps/azureDevOpsConnectors/orgs/projects/write | write projects | +> | Microsoft.SecurityDevOps/azureDevOpsConnectors/orgs/projects/write | write projects | +> | Microsoft.SecurityDevOps/azureDevOpsConnectors/orgs/projects/read | read projects | +> | Microsoft.SecurityDevOps/azureDevOpsConnectors/orgs/projects/repos/read | read repos | +> | Microsoft.SecurityDevOps/azureDevOpsConnectors/orgs/projects/repos/write | write repos | +> | Microsoft.SecurityDevOps/azureDevOpsConnectors/orgs/projects/repos/write | write repos | +> | Microsoft.SecurityDevOps/azureDevOpsConnectors/orgs/projects/repos/read | read repos | +> | Microsoft.SecurityDevOps/azureDevOpsConnectors/repos/read | read repos | +> | Microsoft.SecurityDevOps/azureDevOpsConnectors/stats/read | read stats | +> | Microsoft.SecurityDevOps/gitHubConnectors/read | read gitHubConnectors | +> | Microsoft.SecurityDevOps/gitHubConnectors/read | read gitHubConnectors | +> | Microsoft.SecurityDevOps/gitHubConnectors/write | write gitHubConnectors | +> | Microsoft.SecurityDevOps/gitHubConnectors/delete | delete gitHubConnectors | +> | Microsoft.SecurityDevOps/gitHubConnectors/write | write gitHubConnectors | +> | 
Microsoft.SecurityDevOps/gitHubConnectors/configure/action | action configure | +> | Microsoft.SecurityDevOps/gitHubConnectors/read | read gitHubConnectors | +> | Microsoft.SecurityDevOps/gitHubConnectors/gitHubInstallations/read | read gitHubInstallations | +> | Microsoft.SecurityDevOps/gitHubConnectors/gitHubInstallations/read | read gitHubInstallations | +> | Microsoft.SecurityDevOps/gitHubConnectors/gitHubInstallations/gitHubRepositories/read | read gitHubRepositories | +> | Microsoft.SecurityDevOps/gitHubConnectors/gitHubInstallations/gitHubRepositories/read | read gitHubRepositories | +> | Microsoft.SecurityDevOps/gitHubConnectors/owners/read | read owners | +> | Microsoft.SecurityDevOps/gitHubConnectors/owners/read | read owners | +> | Microsoft.SecurityDevOps/gitHubConnectors/owners/write | write owners | +> | Microsoft.SecurityDevOps/gitHubConnectors/owners/write | write owners | +> | Microsoft.SecurityDevOps/gitHubConnectors/owners/repos/read | read repos | +> | Microsoft.SecurityDevOps/gitHubConnectors/owners/repos/read | read repos | +> | Microsoft.SecurityDevOps/gitHubConnectors/owners/repos/write | write repos | +> | Microsoft.SecurityDevOps/gitHubConnectors/owners/repos/write | write repos | +> | Microsoft.SecurityDevOps/gitHubConnectors/repos/read | read repos | +> | Microsoft.SecurityDevOps/gitHubConnectors/stats/read | read stats | +> | Microsoft.SecurityDevOps/gitLabConnectors/read | read gitLabConnectors | +> | Microsoft.SecurityDevOps/gitLabConnectors/read | read gitLabConnectors | +> | Microsoft.SecurityDevOps/gitLabConnectors/write | write gitLabConnectors | +> | Microsoft.SecurityDevOps/gitLabConnectors/delete | delete gitLabConnectors | +> | Microsoft.SecurityDevOps/gitLabConnectors/write | write gitLabConnectors | +> | Microsoft.SecurityDevOps/gitLabConnectors/configure/action | action configure | +> | Microsoft.SecurityDevOps/gitLabConnectors/read | read gitLabConnectors | +> | Microsoft.SecurityDevOps/gitLabConnectors/groups/read | read 
groups | +> | Microsoft.SecurityDevOps/gitLabConnectors/groups/read | read groups | +> | Microsoft.SecurityDevOps/gitLabConnectors/groups/write | write groups | +> | Microsoft.SecurityDevOps/gitLabConnectors/groups/delete | delete groups | +> | Microsoft.SecurityDevOps/gitLabConnectors/groups/write | write groups | +> | Microsoft.SecurityDevOps/gitLabConnectors/groups/listSubgroups/action | action listSubgroups | +> | Microsoft.SecurityDevOps/gitLabConnectors/groups/projects/read | read projects | +> | Microsoft.SecurityDevOps/gitLabConnectors/groups/projects/read | read projects | +> | Microsoft.SecurityDevOps/gitLabConnectors/groups/projects/write | write projects | +> | Microsoft.SecurityDevOps/gitLabConnectors/groups/projects/delete | delete projects | +> | Microsoft.SecurityDevOps/gitLabConnectors/groups/projects/write | write projects | +> | Microsoft.SecurityDevOps/gitLabConnectors/projects/read | read projects | +> | Microsoft.SecurityDevOps/gitLabConnectors/stats/read | read stats | +> | Microsoft.SecurityDevOps/Locations/OperationStatuses/read | read OperationStatuses | +> | Microsoft.SecurityDevOps/Locations/OperationStatuses/write | write OperationStatuses | +> | Microsoft.SecurityDevOps/Operations/read | read Operations | ++## Microsoft.VisualStudio ++Azure service: [Azure DevOps](/azure/devops/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.VisualStudio/Register/Action | Register Azure Subscription with Microsoft.VisualStudio provider | +> | Microsoft.VisualStudio/Account/Write | Set Account | +> | Microsoft.VisualStudio/Account/Delete | Delete Account | +> | Microsoft.VisualStudio/Account/Read | Read Account | +> | Microsoft.VisualStudio/Account/Extension/Read | Read Account/Extension | +> | Microsoft.VisualStudio/Account/Project/Read | Read Account/Project | +> | Microsoft.VisualStudio/Account/Project/Write | Set Account/Project | +> | Microsoft.VisualStudio/Extension/Write | Set Extension | +> | 
Microsoft.VisualStudio/Extension/Delete | Delete Extension | +> | Microsoft.VisualStudio/Extension/Read | Read Extension | +> | Microsoft.VisualStudio/Project/Write | Set Project | +> | Microsoft.VisualStudio/Project/Delete | Delete Project | +> | Microsoft.VisualStudio/Project/Read | Read Project | ++## Next steps ++- [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types) |
role-based-access-control | General | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/general.md | + + Title: Azure permissions for General - Azure RBAC +description: Lists the permissions for the Azure resource providers in the General category. +++++ Last updated : 02/07/2024++++# Azure permissions for General ++This article lists the permissions for the Azure resource providers in the General category. You can use these permissions in your own [Azure custom roles](/azure/role-based-access-control/custom-roles) to provide granular access control to resources in Azure. Permission strings have the following format: `{Company}.{ProviderName}/{resourceType}/{action}` +++## Microsoft.Addons ++Azure service: core ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Addons/register/action | Register the specified subscription with Microsoft.Addons | +> | Microsoft.Addons/operations/read | Gets supported RP operations. | +> | Microsoft.Addons/supportProviders/listsupportplaninfo/action | Lists current support plan information for the specified subscription. | +> | Microsoft.Addons/supportProviders/supportPlanTypes/read | Get the specified Canonical support plan state. | +> | Microsoft.Addons/supportProviders/supportPlanTypes/write | Adds the Canonical support plan type specified. | +> | Microsoft.Addons/supportProviders/supportPlanTypes/delete | Removes the specified Canonical support plan | ++## Microsoft.Marketplace ++Azure service: core ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Marketplace/register/action | Registers Microsoft.Marketplace resource provider in the subscription. | +> | Microsoft.Marketplace/privateStores/action | Updates PrivateStore. 
| +> | Microsoft.Marketplace/search/action | Returns a list of azure private store marketplace catalog offers and total count and facets | +> | Microsoft.Marketplace/mysolutions/read | Get user solutions | +> | Microsoft.Marketplace/mysolutions/write | Create or update user solutions | +> | Microsoft.Marketplace/mysolutions/delete | Remove user solutions | +> | Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/read | Returns an Agreement. | +> | Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/write | Accepts a signed agreement. | +> | Microsoft.Marketplace/offerTypes/publishers/offers/plans/configs/read | Returns a config. | +> | Microsoft.Marketplace/offerTypes/publishers/offers/plans/configs/write | Saves a config. | +> | Microsoft.Marketplace/offerTypes/publishers/offers/plans/configs/importImage/action | Imports an image to the end user's ACR. | +> | Microsoft.Marketplace/privateStores/write | Creates PrivateStore. | +> | Microsoft.Marketplace/privateStores/delete | Deletes PrivateStore. | +> | Microsoft.Marketplace/privateStores/offers/action | Updates offer in PrivateStore. | +> | Microsoft.Marketplace/privateStores/read | Reads PrivateStores. 
| +> | Microsoft.Marketplace/privateStores/requestApprovals/action | Update request approvals | +> | Microsoft.Marketplace/privateStores/fetchAllSubscriptionsInTenant/action | Admin fetches all subscriptions in tenant | +> | Microsoft.Marketplace/privateStores/listStopSellOffersPlansNotifications/action | List stop sell offers plans notifications | +> | Microsoft.Marketplace/privateStores/listSubscriptionsContext/action | List the subscription in private store context | +> | Microsoft.Marketplace/privateStores/listNewPlansNotifications/action | List new plans notifications | +> | Microsoft.Marketplace/privateStores/queryUserOffers/action | Fetch the approved offers from the offers ids and the user subscriptions in the payload | +> | Microsoft.Marketplace/privateStores/queryUserRules/action | Fetch the approved rules for the user under the user subscriptions | +> | Microsoft.Marketplace/privateStores/anyExistingOffersInTheStore/action | Return true if there is an existing offer for at least one enabled collection | +> | Microsoft.Marketplace/privateStores/queryInternalOfferIds/action | List of all internal offers under given azure application and plans | +> | Microsoft.Marketplace/privateStores/adminRequestApprovals/read | Read all request approvals details, only admins | +> | Microsoft.Marketplace/privateStores/adminRequestApprovals/write | Admin update the request with decision on the request | +> | Microsoft.Marketplace/privateStores/collections/approveAllItems/action | Delete all specific approved items and set collection to allItemsApproved | +> | Microsoft.Marketplace/privateStores/collections/disableApproveAllItems/action | Set approve all items property to false for the collection | +> | Microsoft.Marketplace/privateStores/collections/setRules/action | Set Rules on a given collection | +> | Microsoft.Marketplace/privateStores/collections/queryRules/action | Get Rules on a given collection | +> | 
Microsoft.Marketplace/privateStores/collections/upsertOfferWithMultiContext/action | Upsert an offer with different contexts | +> | Microsoft.Marketplace/privateStores/collections/offers/action | Get Collection Offers By Public and Subscriptions Context | +> | Microsoft.Marketplace/privateStores/offers/write | Creates offer in PrivateStore. | +> | Microsoft.Marketplace/privateStores/offers/delete | Deletes offer from PrivateStore. | +> | Microsoft.Marketplace/privateStores/offers/read | Reads PrivateStore offers. | +> | Microsoft.Marketplace/privateStores/queryNotificationsState/read | Read notifications state details, only admins | +> | Microsoft.Marketplace/privateStores/requestApprovals/read | Read request approvals | +> | Microsoft.Marketplace/privateStores/requestApprovals/write | Create request approval | +> | Microsoft.Marketplace/privateStores/RequestApprovals/offer/acknowledgeNotification/write | Acknowledge a notification, Admins only | +> | Microsoft.Marketplace/privateStores/RequestApprovals/withdrawPlan/write | Withdraw a plan from offer's notifications | ++## Microsoft.MarketplaceOrdering ++Azure service: core ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.MarketplaceOrdering/agreements/read | Return all agreements under given subscription | +> | Microsoft.MarketplaceOrdering/agreements/offers/plans/read | Return an agreement for a given marketplace item | +> | Microsoft.MarketplaceOrdering/agreements/offers/plans/sign/action | Sign an agreement for a given marketplace item | +> | Microsoft.MarketplaceOrdering/agreements/offers/plans/cancel/action | Cancel an agreement for a given marketplace item | +> | Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read | Get an agreement for a given marketplace virtual machine item | +> | Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write | Sign or Cancel an agreement for a given marketplace virtual machine item | +> | 
Microsoft.MarketplaceOrdering/operations/read | List all possible operations in the API | ++## Microsoft.Quota ++Azure service: [Azure Quotas](/azure/quotas/quotas-overview) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Quota/register/action | Register the subscription with Microsoft.Quota Resource Provider | +> | Microsoft.Quota/groupQuotas/read | Get the GroupQuota | +> | Microsoft.Quota/groupQuotas/write | Creates the GroupQuota resource | +> | Microsoft.Quota/groupQuotas/groupQuotaLimits/read | Get the current GroupQuota of the specified resource | +> | Microsoft.Quota/groupQuotas/groupQuotaLimits/write | Creates the GroupQuota request for the specified resource | +> | Microsoft.Quota/groupQuotas/groupQuotaRequests/read | Get the GroupQuota request status for the specific request | +> | Microsoft.Quota/groupQuotas/quotaAllocationRequests/read | Get the GroupQuota to Subscription Quota allocation request status for the specific request | +> | Microsoft.Quota/groupQuotas/quotaAllocations/read | Get the current GroupQuota to Subscription Quota allocation | +> | Microsoft.Quota/groupQuotas/quotaAllocations/write | Creates the GroupQuota to subscription Quota limit request for the specified resource | +> | Microsoft.Quota/groupQuotas/subscriptions/read | Get the GroupQuota subscriptions | +> | Microsoft.Quota/groupQuotas/subscriptions/write | Add Subscriptions to GroupQuota resource | +> | Microsoft.Quota/operations/read | Get the Operations supported by Microsoft.Quota | +> | Microsoft.Quota/quotaRequests/read | Get any service limit request for the specified resource | +> | Microsoft.Quota/quotas/read | Get the current Service limit or quota of the specified resource | +> | Microsoft.Quota/quotas/write | Creates the service limit or quota request for the specified resource | +> | Microsoft.Quota/usages/read | Get the usages for resource providers | ++## Microsoft.ResourceHealth ++Azure service: [Azure Service 
Health](/azure/service-health/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.ResourceHealth/events/action | Endpoint to fetch details for event | +> | Microsoft.ResourceHealth/register/action | Registers the subscription for the Microsoft ResourceHealth | +> | Microsoft.ResourceHealth/unregister/action | Unregisters the subscription for the Microsoft ResourceHealth | +> | Microsoft.Resourcehealth/healthevent/action | Denotes the change in health state for the specified resource | +> | Microsoft.ResourceHealth/AvailabilityStatuses/read | Gets the availability statuses for all resources in the specified scope | +> | Microsoft.ResourceHealth/AvailabilityStatuses/current/read | Gets the availability status for the specified resource | +> | Microsoft.ResourceHealth/emergingissues/read | Get Azure services' emerging issues | +> | Microsoft.ResourceHealth/events/read | Get Service Health Events for given subscription | +> | Microsoft.ResourceHealth/events/fetchEventDetails/action | Endpoint to fetch details for event | +> | Microsoft.ResourceHealth/events/listSecurityAdvisoryImpactedResources/action | Get Impacted Resources for a given event of type SecurityAdvisory | +> | Microsoft.ResourceHealth/events/impactedResources/read | Get Impacted Resources for a given event | +> | Microsoft.Resourcehealth/healthevent/Activated/action | Denotes the change in health state for the specified resource | +> | Microsoft.Resourcehealth/healthevent/Updated/action | Denotes the change in health state for the specified resource | +> | Microsoft.Resourcehealth/healthevent/Resolved/action | Denotes the change in health state for the specified resource | +> | Microsoft.Resourcehealth/healthevent/InProgress/action | Denotes the change in health state for the specified resource | +> | Microsoft.Resourcehealth/healthevent/Pending/action | Denotes the change in health state for the specified resource | +> | Microsoft.ResourceHealth/impactedResources/read 
| Get Impacted Resources for given subscription | +> | Microsoft.ResourceHealth/metadata/read | Gets Metadata | +> | Microsoft.ResourceHealth/Notifications/read | Receives Azure Resource Manager notifications | +> | Microsoft.ResourceHealth/Operations/read | Get the operations available for the Microsoft ResourceHealth | +> | Microsoft.ResourceHealth/potentialoutages/read | Get Potential Outages for given subscription | ++## Microsoft.Support ++Azure service: core ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Support/register/action | Registers Support Resource Provider | +> | Microsoft.Support/lookUpResourceId/action | Looks up resource Id for resource type | +> | Microsoft.Support/checkNameAvailability/action | Checks that name is valid and not in use for resource type | +> | Microsoft.Support/classifyServices/action | Lists one or all classified services | +> | Microsoft.Support/operationresults/read | Gets the result of the asynchronous operation | +> | Microsoft.Support/operations/read | Lists all operations available on Microsoft.Support resource provider | +> | Microsoft.Support/operationsstatus/read | Gets the status of the asynchronous operation | +> | Microsoft.Support/services/read | Lists one or all Azure services available for support | +> | Microsoft.Support/services/classifyProblems/action | Lists one or all classified problems | +> | Microsoft.Support/services/problemClassifications/read | Lists one or all problem classifications for an Azure service | +> | Microsoft.Support/supportTickets/read | Lists one or all support tickets | +> | Microsoft.Support/supportTickets/write | Allows creating and updating a support ticket | ++## Next steps ++- [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types) |
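Review bot: in the Microsoft.ResourceHealth table the six Microsoft.Resourcehealth/healthevent rows (the bare `/action` plus `/Activated`, `/Updated`, `/Resolved`, `/InProgress` and `/Pending`) all carry the identical description "Denotes the change in health state for the specified resource", and `Microsoft.ResourceHealth/events/action` and `Microsoft.ResourceHealth/events/fetchEventDetails/action` both read "Endpoint to fetch details for event", so a reader assembling a least-privilege custom role cannot tell from this table what each entry permits; suggest one description per state, e.g. "Denotes that a health event for the specified resource was Resolved". Those same six rows also spell the namespace `Microsoft.Resourcehealth` while every other row uses `Microsoft.ResourceHealth`; normalize the casing in the doc so the strings match the rest of the table when copied.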
role-based-access-control | Hybrid Multicloud | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/hybrid-multicloud.md | + + Title: Azure permissions for Hybrid + multicloud - Azure RBAC +description: Lists the permissions for the Azure resource providers in the Hybrid + multicloud category. +++++ Last updated : 02/07/2024++++# Azure permissions for Hybrid + multicloud ++This article lists the permissions for the Azure resource providers in the Hybrid + multicloud category. You can use these permissions in your own [Azure custom roles](/azure/role-based-access-control/custom-roles) to provide granular access control to resources in Azure. Permission strings have the following format: `{Company}.{ProviderName}/{resourceType}/{action}` +++## Microsoft.AzureStack ++Azure service: [Azure Stack](/azure-stack/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.AzureStack/register/action | Subscription Registration Action | +> | Microsoft.AzureStack/register/action | Registers Subscription with Microsoft.AzureStack resource provider | +> | Microsoft.AzureStack/generateDeploymentLicense/action | Generates a temporary license to deploy an Azure Stack device. 
| +> | Microsoft.AzureStack/cloudManifestFiles/read | Gets the Cloud Manifest File | +> | Microsoft.AzureStack/linkedSubscriptions/read | Get the properties of an Azure Stack Linked Subscription | +> | Microsoft.AzureStack/linkedSubscriptions/write | Create or updates an linked subscription | +> | Microsoft.AzureStack/linkedSubscriptions/delete | Delete a Linked Subscription | +> | Microsoft.AzureStack/linkedSubscriptions/linkedResourceGroups/action | Reads or Writes to a projected linked resource under the linked resource group | +> | Microsoft.AzureStack/linkedSubscriptions/linkedProviders/action | Reads or Writes to a projected linked resource under the given linked resource provider namespace | +> | Microsoft.AzureStack/linkedSubscriptions/operations/action | Get or list statuses of async operations on projected linked resources | +> | Microsoft.AzureStack/linkedSubscriptions/linkedResourceGroups/linkedProviders/virtualNetworks/read | Get or list virtual network | +> | Microsoft.AzureStack/Operations/read | Gets the properties of a resource provider operation | +> | Microsoft.AzureStack/registrations/read | Gets the properties of an Azure Stack registration | +> | Microsoft.AzureStack/registrations/write | Creates or updates an Azure Stack registration | +> | Microsoft.AzureStack/registrations/delete | Deletes an Azure Stack registration | +> | Microsoft.AzureStack/registrations/getActivationKey/action | Gets the latest Azure Stack activation key | +> | Microsoft.AzureStack/registrations/enableRemoteManagement/action | Enable RemoteManagement for Azure Stack registration | +> | Microsoft.AzureStack/registrations/customerSubscriptions/read | Gets the properties of an Azure Stack Customer Subscription | +> | Microsoft.AzureStack/registrations/customerSubscriptions/write | Creates or updates an Azure Stack Customer Subscription | +> | Microsoft.AzureStack/registrations/customerSubscriptions/delete | Deletes an Azure Stack Customer Subscription | +> | 
Microsoft.AzureStack/registrations/products/read | Gets the properties of an Azure Stack Marketplace product | +> | Microsoft.AzureStack/registrations/products/listDetails/action | Retrieves extended details for an Azure Stack Marketplace product | +> | Microsoft.AzureStack/registrations/products/getProducts/action | Retrieves a list of Azure Stack Marketplace products | +> | Microsoft.AzureStack/registrations/products/getProduct/action | Retrieves Azure Stack Marketplace product | +> | Microsoft.AzureStack/registrations/products/uploadProductLog/action | Record Azure Stack Marketplace product operation status and timestamp | ++## Microsoft.AzureStackHCI ++Azure service: [Azure Stack HCI](/azure-stack/hci/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.AzureStackHCI/Register/Action | Registers the subscription for the Azure Stack HCI resource provider and enables the creation of Azure Stack HCI resources. | +> | Microsoft.AzureStackHCI/Unregister/Action | Unregisters the subscription for the Azure Stack HCI resource provider. 
| +> | Microsoft.AzureStackHCI/Clusters/Read | Gets clusters | +> | Microsoft.AzureStackHCI/Clusters/Write | Creates or updates a cluster | +> | Microsoft.AzureStackHCI/Clusters/Delete | Deletes cluster resource | +> | Microsoft.AzureStackHCI/Clusters/AddNodes/Action | Adds Arc Nodes to the cluster | +> | Microsoft.AzureStackHCI/Clusters/CreateClusterIdentity/Action | Create cluster identity | +> | Microsoft.AzureStackHCI/Clusters/UploadCertificate/Action | Upload cluster certificate | +> | Microsoft.AzureStackHCI/Clusters/ArcSettings/Read | Gets arc resource of HCI cluster | +> | Microsoft.AzureStackHCI/Clusters/ArcSettings/Write | Create or updates arc resource of HCI cluster | +> | Microsoft.AzureStackHCI/Clusters/ArcSettings/Delete | Delete arc resource of HCI cluster | +> | Microsoft.AzureStackHCI/Clusters/ArcSettings/GeneratePassword/Action | Generate password for Arc settings identity | +> | Microsoft.AzureStackHCI/Clusters/ArcSettings/CreateArcIdentity/Action | Create Arc settings identity | +> | Microsoft.AzureStackHCI/Clusters/ArcSettings/ConsentAndInstallDefaultExtensions/Action | Updates Consent Time and Installs default extensions | +> | Microsoft.AzureStackHCI/Clusters/ArcSettings/InitializeDisableProcess/Action | Initializes disable process for arc settings resource | +> | Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Read | Gets extension resource of HCI cluster | +> | Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Write | Create or update extension resource of HCI cluster | +> | Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Delete | Delete extension resources of HCI cluster | +> | Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Upgrade/Action | Upgrade extension resources of HCI cluster | +> | Microsoft.AzureStackHCI/Clusters/DeploymentSettings/Read | Gets DeploymentSettings | +> | Microsoft.AzureStackHCI/Clusters/DeploymentSettings/Write | Creates or updates DeploymentSettings resource | +> | 
Microsoft.AzureStackHCI/Clusters/DeploymentSettings/Delete | Deletes DeploymentSettings resource | +> | Microsoft.AzureStackHCI/Clusters/SecuritySettings/Read | Gets SecuritySettings of HCI cluster | +> | Microsoft.AzureStackHCI/Clusters/SecuritySettings/Write | Create or updates SecuritySettings resource of HCI cluster | +> | Microsoft.AzureStackHCI/Clusters/SecuritySettings/Delete | Delete SecuritySettings resource of HCI cluster | +> | Microsoft.AzureStackHCI/EdgeDevices/Read | Gets EdgeDevices resources | +> | Microsoft.AzureStackHCI/EdgeDevices/Write | Creates or updates EdgeDevice resource | +> | Microsoft.AzureStackHCI/EdgeDevices/Delete | Deletes EdgeDevice resource | +> | Microsoft.AzureStackHCI/EdgeDevices/Validate/Action | Validates EdgeDevice Resources for deployment | +> | Microsoft.AzureStackHCI/GalleryImages/Delete | Deletes gallery images resource | +> | Microsoft.AzureStackHCI/GalleryImages/Write | Creates/Updates gallery images resource | +> | Microsoft.AzureStackHCI/GalleryImages/Read | Gets/Lists gallery images resource | +> | Microsoft.AzureStackHCI/GalleryImages/deploy/action | Deploys gallery images resource | +> | Microsoft.AzureStackHCI/LogicalNetworks/Delete | Deletes logical networks resource | +> | Microsoft.AzureStackHCI/LogicalNetworks/Write | Creates/Updates logical networks resource | +> | Microsoft.AzureStackHCI/LogicalNetworks/Read | Gets/Lists logical networks resource | +> | Microsoft.AzureStackHCI/LogicalNetworks/join/action | Joins logical networks resource | +> | Microsoft.AzureStackHCI/MarketPlaceGalleryImages/Delete | Deletes market place gallery images resource | +> | Microsoft.AzureStackHCI/MarketPlaceGalleryImages/Write | Creates/Updates market place gallery images resource | +> | Microsoft.AzureStackHCI/MarketPlaceGalleryImages/Read | Gets/Lists market place gallery images resource | +> | Microsoft.AzureStackHCI/MarketPlaceGalleryImages/deploy/action | Deploys market place gallery images resource | +> | 
Microsoft.AzureStackHCI/NetworkInterfaces/Delete | Deletes network interfaces resource | +> | Microsoft.AzureStackHCI/NetworkInterfaces/Write | Creates/Updates network interfaces resource | +> | Microsoft.AzureStackHCI/NetworkInterfaces/Read | Gets/Lists network interfaces resource | +> | Microsoft.AzureStackHCI/Operations/Read | Gets operations | +> | Microsoft.AzureStackHCI/RegisteredSubscriptions/read | Reads registered subscriptions | +> | Microsoft.AzureStackHCI/StorageContainers/Delete | Deletes storage containers resource | +> | Microsoft.AzureStackHCI/StorageContainers/Write | Creates/Updates storage containers resource | +> | Microsoft.AzureStackHCI/StorageContainers/Read | Gets/Lists storage containers resource | +> | Microsoft.AzureStackHCI/StorageContainers/deploy/action | Deploys storage containers resource | +> | Microsoft.AzureStackHCI/VirtualHardDisks/Delete | Deletes virtual hard disk resource | +> | Microsoft.AzureStackHCI/VirtualHardDisks/Write | Creates/Updates virtual hard disk resource | +> | Microsoft.AzureStackHCI/VirtualHardDisks/Read | Gets/Lists virtual hard disk resource | +> | Microsoft.AzureStackHCI/VirtualMachineInstances/Restart/Action | Restarts virtual machine instance resource | +> | Microsoft.AzureStackHCI/VirtualMachineInstances/Start/Action | Starts virtual machine instance resource | +> | Microsoft.AzureStackHCI/VirtualMachineInstances/Stop/Action | Stops virtual machine instance resource | +> | Microsoft.AzureStackHCI/VirtualMachineInstances/Delete | Deletes virtual machine instance resource | +> | Microsoft.AzureStackHCI/VirtualMachineInstances/Write | Creates/Updates virtual machine instance resource | +> | Microsoft.AzureStackHCI/VirtualMachineInstances/Read | Gets/Lists virtual machine instance resource | +> | Microsoft.AzureStackHCI/VirtualMachineInstances/HybridIdentityMetadata/Read | Gets/Lists virtual machine instance hybrid identity metadata proxy resource | +> | Microsoft.AzureStackHCI/VirtualMachines/Restart/Action 
| Restarts virtual machine resource | +> | Microsoft.AzureStackHCI/VirtualMachines/Start/Action | Starts virtual machine resource | +> | Microsoft.AzureStackHCI/VirtualMachines/Stop/Action | Stops virtual machine resource | +> | Microsoft.AzureStackHCI/VirtualMachines/Delete | Deletes virtual machine resource | +> | Microsoft.AzureStackHCI/VirtualMachines/Write | Creates/Updates virtual machine resource | +> | Microsoft.AzureStackHCI/VirtualMachines/Read | Gets/Lists virtual machine resource | +> | Microsoft.AzureStackHCI/VirtualMachines/Extensions/Read | Gets/Lists virtual machine extensions resource | +> | Microsoft.AzureStackHCI/VirtualMachines/Extensions/Write | Creates/Updates virtual machine extensions resource | +> | Microsoft.AzureStackHCI/VirtualMachines/Extensions/Delete | Deletes virtual machine extensions resource | +> | Microsoft.AzureStackHCI/VirtualMachines/HybridIdentityMetadata/Read | Gets/Lists virtual machine hybrid identity metadata proxy resource | +> | Microsoft.AzureStackHCI/VirtualNetworks/Delete | Deletes virtual networks resource | +> | Microsoft.AzureStackHCI/VirtualNetworks/Write | Creates/Updates virtual networks resource | +> | Microsoft.AzureStackHCI/VirtualNetworks/Read | Gets/Lists virtual networks resource | +> | Microsoft.AzureStackHCI/VirtualNetworks/join/action | Joins virtual networks resource | +> | **DataAction** | **Description** | +> | Microsoft.AzureStackHCI/Clusters/WACloginAsAdmin/Action | Manage OS of HCI resource via Windows Admin Center as an administrator | +> | Microsoft.AzureStackHCI/VirtualMachineInstances/WACloginAsAdmin/Action | Manage ARC enabled VM resources on HCI via Windows Admin Center as an administrator | +> | Microsoft.AzureStackHCI/virtualMachines/WACloginAsAdmin/Action | Manage ARC enabled VM resources on HCI via Windows Admin Center as an administrator | ++## Microsoft.HybridCompute ++Azure service: [Azure Arc](/azure/azure-arc/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | 
+> | Microsoft.HybridCompute/register/action | Registers the subscription for the Microsoft.HybridCompute Resource Provider | +> | Microsoft.HybridCompute/unregister/action | Unregisters the subscription for Microsoft.HybridCompute Resource Provider | +> | Microsoft.HybridCompute/batch/action | Batch deletes Azure Arc machines | +> | Microsoft.HybridCompute/validateLicense/action | Validates the provided license data and returns what would be created on a PUT to Microsoft.HybridCompute/licenses | +> | Microsoft.HybridCompute/licenses/read | Reads any Azure Arc licenses | +> | Microsoft.HybridCompute/licenses/write | Installs or Updates an Azure Arc licenses | +> | Microsoft.HybridCompute/licenses/delete | Deletes an Azure Arc licenses | +> | Microsoft.HybridCompute/locations/notifyNetworkSecurityPerimeterUpdatesAvailable/action | Updates Network Security Perimeter Profiles | +> | Microsoft.HybridCompute/locations/machines/extensions/notifyExtension/action | Notifies Microsoft.HybridCompute about extensions updates | +> | Microsoft.HybridCompute/locations/operationresults/read | Reads the status of an operation on Microsoft.HybridCompute Resource Provider | +> | Microsoft.HybridCompute/locations/operationstatus/read | Reads the status of an operation on Microsoft.HybridCompute Resource Provider | +> | Microsoft.HybridCompute/locations/privateLinkScopes/read | Reads the full details of any Azure Arc privateLinkScopes | +> | Microsoft.HybridCompute/locations/updateCenterOperationResults/read | Reads the status of an update center operation on machines | +> | Microsoft.HybridCompute/machines/read | Read any Azure Arc machines | +> | Microsoft.HybridCompute/machines/write | Writes an Azure Arc machines | +> | Microsoft.HybridCompute/machines/delete | Deletes an Azure Arc machines | +> | Microsoft.HybridCompute/machines/UpgradeExtensions/action | Upgrades Extensions on Azure Arc machines | +> | Microsoft.HybridCompute/machines/assessPatches/action | Assesses any Azure 
Arc machines to get missing software patches | +> | Microsoft.HybridCompute/machines/installPatches/action | Installs patches on any Azure Arc machines | +> | Microsoft.HybridCompute/machines/extensions/read | Reads any Azure Arc extensions | +> | Microsoft.HybridCompute/machines/extensions/write | Installs or Updates an Azure Arc extensions | +> | Microsoft.HybridCompute/machines/extensions/delete | Deletes an Azure Arc extensions | +> | Microsoft.HybridCompute/machines/hybridIdentityMetadata/read | Read any Azure Arc machines's Hybrid Identity Metadata | +> | Microsoft.HybridCompute/machines/licenseProfiles/read | Reads any Azure Arc licenseProfiles | +> | Microsoft.HybridCompute/machines/licenseProfiles/write | Installs or Updates an Azure Arc licenseProfiles | +> | Microsoft.HybridCompute/machines/licenseProfiles/delete | Deletes an Azure Arc licenseProfiles | +> | Microsoft.HybridCompute/machines/patchAssessmentResults/read | Reads any Azure Arc patchAssessmentResults | +> | Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read | Reads any Azure Arc patchAssessmentResults/softwarePatches | +> | Microsoft.HybridCompute/machines/patchInstallationResults/read | Reads any Azure Arc patchInstallationResults | +> | Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read | Reads any Azure Arc patchInstallationResults/softwarePatches | +> | Microsoft.HybridCompute/machines/runcommands/read | Reads any Azure Arc runcommands | +> | Microsoft.HybridCompute/machines/runcommands/write | Installs or Updates an Azure Arc runcommands | +> | Microsoft.HybridCompute/machines/runcommands/delete | Deletes an Azure Arc runcommands | +> | Microsoft.HybridCompute/networkConfigurations/read | Reads any Azure Arc networkConfigurations | +> | Microsoft.HybridCompute/networkConfigurations/write | Writes an Azure Arc networkConfigurations | +> | Microsoft.HybridCompute/operations/read | Read all Operations for Azure Arc for Servers | +> | 
Microsoft.HybridCompute/osType/agentVersions/read | Read all Azure Connected Machine Agent versions available | +> | Microsoft.HybridCompute/osType/agentVersions/latest/read | Read the latest Azure Connected Machine Agent version | +> | Microsoft.HybridCompute/privateLinkScopes/read | Read any Azure Arc privateLinkScopes | +> | Microsoft.HybridCompute/privateLinkScopes/write | Writes an Azure Arc privateLinkScopes | +> | Microsoft.HybridCompute/privateLinkScopes/delete | Deletes an Azure Arc privateLinkScopes | +> | Microsoft.HybridCompute/privateLinkScopes/networkSecurityPerimeterAssociationProxies/read | Reads any Azure Arc networkSecurityPerimeterAssociationProxies | +> | Microsoft.HybridCompute/privateLinkScopes/networkSecurityPerimeterAssociationProxies/write | Writes an Azure Arc networkSecurityPerimeterAssociationProxies | +> | Microsoft.HybridCompute/privateLinkScopes/networkSecurityPerimeterAssociationProxies/delete | Deletes an Azure Arc networkSecurityPerimeterAssociationProxies | +> | Microsoft.HybridCompute/privateLinkScopes/networkSecurityPerimeterConfigurations/read | Reads any Azure Arc networkSecurityPerimeterConfigurations | +> | Microsoft.HybridCompute/privateLinkScopes/networkSecurityPerimeterConfigurations/reconcile/action | Forces the networkSecurityPerimeterConfigurations resource to refresh | +> | Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnectionProxies/read | Read any Azure Arc privateEndpointConnectionProxies | +> | Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnectionProxies/write | Writes an Azure Arc privateEndpointConnectionProxies | +> | Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnectionProxies/delete | Deletes an Azure Arc privateEndpointConnectionProxies | +> | Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnectionProxies/validate/action | Validates an Azure Arc privateEndpointConnectionProxies | +> | 
Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnectionProxies/updatePrivateEndpointProperties/action | Updates an Azure Arc privateEndpointConnectionProxies with updated Private Endpoint details | +> | Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections/read | Read any Azure Arc privateEndpointConnections | +> | Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections/write | Writes an Azure Arc privateEndpointConnections | +> | Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections/delete | Deletes an Azure Arc privateEndpointConnections | +> | **DataAction** | **Description** | +> | Microsoft.HybridCompute/locations/publishers/extensionTypes/versions/read | Returns a list of versions for extensionMetadata based on query parameters. | +> | Microsoft.HybridCompute/machines/login/action | Log in to an Azure Arc machine as a regular user | +> | Microsoft.HybridCompute/machines/loginAsAdmin/action | Log in to an Azure Arc machine with Windows administrator or Linux root user privilege | +> | Microsoft.HybridCompute/machines/WACloginAsAdmin/action | Lets you manage the OS of your resource via Windows Admin Center as an administrator. | ++## Microsoft.HybridConnectivity ++Azure service: Microsoft.HybridConnectivity ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.HybridConnectivity/generateAwsTemplate/action | Retrieve AWS Cloud Formation template | +> | Microsoft.HybridConnectivity/register/action | Register the subscription for Microsoft.HybridConnectivity | +> | Microsoft.HybridConnectivity/unregister/action | Unregister the subscription for Microsoft.HybridConnectivity | +> | Microsoft.HybridConnectivity/endpoints/read | List of endpoints to the target resource. | +> | Microsoft.HybridConnectivity/endpoints/read | Gets the endpoint to the resource. | +> | Microsoft.HybridConnectivity/endpoints/write | Create or update the endpoint to the target resource. 
| +> | Microsoft.HybridConnectivity/endpoints/delete | Deletes the endpoint access to the target resource. | +> | Microsoft.HybridConnectivity/endpoints/write | Update the endpoint to the target resource. | +> | Microsoft.HybridConnectivity/endpoints/listCredentials/action | Gets the endpoint access credentials to the resource. | +> | Microsoft.HybridConnectivity/endpoints/listIngressGatewayCredentials/action | Gets the ingress gateway endpoint credentials | +> | Microsoft.HybridConnectivity/endpoints/listManagedProxyDetails/action | Fetches the managed proxy details | +> | Microsoft.HybridConnectivity/endpoints/serviceConfigurations/read | API to enumerate registered services in service configurations under a Endpoint Resource | +> | Microsoft.HybridConnectivity/endpoints/serviceConfigurations/read | Gets the details about the service to the resource. | +> | Microsoft.HybridConnectivity/endpoints/serviceConfigurations/write | Create or update a service in serviceConfiguration for the endpoint resource. | +> | Microsoft.HybridConnectivity/endpoints/serviceConfigurations/delete | Deletes the service details to the target resource. | +> | Microsoft.HybridConnectivity/endpoints/serviceConfigurations/write | Update the service details in the service configurations of the target resource. | +> | Microsoft.HybridConnectivity/Locations/OperationStatuses/read | read OperationStatuses | +> | Microsoft.HybridConnectivity/Locations/OperationStatuses/write | write OperationStatuses | +> | Microsoft.HybridConnectivity/Operations/read | read Operations | +> | Microsoft.HybridConnectivity/publicCloudConnectors/read | Gets the public cloud connectors in the subscription. | +> | Microsoft.HybridConnectivity/publicCloudConnectors/read | Gets the publicCloudConnector in the resource group. | +> | Microsoft.HybridConnectivity/publicCloudConnectors/read | Gets the public cloud connectors. 
| +> | Microsoft.HybridConnectivity/publicCloudConnectors/write | Creates public cloud connectors resource. | +> | Microsoft.HybridConnectivity/publicCloudConnectors/delete | Deletes the public cloud connectors resource. | +> | Microsoft.HybridConnectivity/publicCloudConnectors/write | Update the public cloud connectors resource. | +> | Microsoft.HybridConnectivity/solutionConfigurations/read | Retrieve the List of solution configuration resources. | +> | Microsoft.HybridConnectivity/solutionConfigurations/read | Retrieve the solution configuration identified by solution name. | +> | Microsoft.HybridConnectivity/solutionConfigurations/write | Creates solution configuration with provided solution name | +> | Microsoft.HybridConnectivity/solutionConfigurations/delete | Deletes the solution configuration with provided solution name. | +> | Microsoft.HybridConnectivity/solutionConfigurations/write | Updates the solution configuration for solution name. | +> | Microsoft.HybridConnectivity/solutionConfigurations/inventory/read | Retrieve the inventory identified by inventory id. | +> | Microsoft.HybridConnectivity/solutionConfigurations/inventory/read | Retrieve a list of inventory by solution name. | +> | Microsoft.HybridConnectivity/solutionTypes/read | Retrieve the list of available solution types. | +> | Microsoft.HybridConnectivity/solutionTypes/read | Retrieve the solution type by provided solution type. | ++## Next steps ++- [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types) |
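Review bot: the Microsoft.HybridConnectivity table lists the same permission string several times with different descriptions (`Microsoft.HybridConnectivity/endpoints/read`, `endpoints/write`, `endpoints/serviceConfigurations/read`, `endpoints/serviceConfigurations/write`, `solutionConfigurations/read`, `solutionConfigurations/write`, `solutionConfigurations/inventory/read` and `solutionTypes/read` each twice, `publicCloudConnectors/read` three times), and `Microsoft.AzureStack/register/action` appears twice ("Subscription Registration Action" and "Registers Subscription with Microsoft.AzureStack resource provider"); since the permission string is the key a custom role matches on, each string should appear once with a merged description. Second, the bolded `**DataAction** | **Description**` rows in the Microsoft.AzureStackHCI and Microsoft.HybridCompute tables place data-plane operations in the same table as the control-plane actions, and `Microsoft.HybridCompute/machines/loginAsAdmin/action` together with the three `WACloginAsAdmin/Action` entries grant administrator or root access to the machine's OS; a separate table or heading for data actions would make clear they belong in a custom role's data actions, not its actions, and keep them from being copied into the wrong list. Minor wording: `Microsoft.AzureStack/linkedSubscriptions/write` reads "Create or updates an linked subscription"; suggest "Creates or updates a linked subscription".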
role-based-access-control | Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/identity.md | + + Title: Azure permissions for Identity - Azure RBAC +description: Lists the permissions for the Azure resource providers in the Identity category. +++++ Last updated : 02/07/2024++++# Azure permissions for Identity ++This article lists the permissions for the Azure resource providers in the Identity category. You can use these permissions in your own [Azure custom roles](/azure/role-based-access-control/custom-roles) to provide granular access control to resources in Azure. Permission strings have the following format: `{Company}.{ProviderName}/{resourceType}/{action}` +++## Microsoft.AAD ++Azure service: [Microsoft Entra Domain Services](/entra/identity/domain-services/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.AAD/register/action | Subscription Registration Action | +> | Microsoft.AAD/unregister/action | Unregister Domain Service | +> | Microsoft.AAD/register/action | Register Domain Service | +> | Microsoft.AAD/domainServices/read | Read Domain Services | +> | Microsoft.AAD/domainServices/write | Write Domain Service | +> | Microsoft.AAD/domainServices/delete | Delete Domain Service | +> | Microsoft.AAD/domainServices/oucontainer/read | Read Ou Containers | +> | Microsoft.AAD/domainServices/oucontainer/write | Write Ou Container | +> | Microsoft.AAD/domainServices/oucontainer/delete | Delete Ou Container | +> | Microsoft.AAD/domainServices/OutboundNetworkDependenciesEndpoints/read | Get the network endpoints of all outbound dependencies | +> | Microsoft.AAD/domainServices/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for Domain Service | +> | Microsoft.AAD/domainServices/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the Domain Service resource | +> | 
Microsoft.AAD/domainServices/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for Domain Service | +> | Microsoft.AAD/domainServices/providers/Microsoft.Insights/metricDefinitions/read | Gets metrics for Domain Service | +> | Microsoft.AAD/locations/operationresults/read | | +> | Microsoft.AAD/Operations/read | | ++## microsoft.aadiam ++Azure service: Azure Active Directory ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | microsoft.aadiam/azureADMetrics/read | Read Azure AD Metrics Definition | +> | microsoft.aadiam/azureADMetrics/write | Create and Update Azure AD Metrics Definition | +> | microsoft.aadiam/azureADMetrics/delete | Delete Azure AD Metrics Definition | +> | microsoft.aadiam/azureADMetrics/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | microsoft.aadiam/azureADMetrics/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | microsoft.aadiam/azureADMetrics/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for azureADMetrics | +> | microsoft.aadiam/diagnosticsettings/write | Writing a diagnostic setting | +> | microsoft.aadiam/diagnosticsettings/read | Reading a diagnostic setting | +> | microsoft.aadiam/diagnosticsettings/delete | Deleting a diagnostic setting | +> | microsoft.aadiam/diagnosticsettingscategories/read | Reading a diagnostic setting categories | +> | microsoft.aadiam/metricDefinitions/read | Reading Tenant-Level Metric Definitions | +> | microsoft.aadiam/metrics/read | Reading Tenant-Level Metrics | +> | microsoft.aadiam/privateLinkForAzureAD/read | Read Private Link Policy Definition | +> | microsoft.aadiam/privateLinkForAzureAD/write | Create and Update Private Link Policy Definition | +> | microsoft.aadiam/privateLinkForAzureAD/delete | Delete Private Link Policy Definition | +> | 
microsoft.aadiam/privateLinkForAzureAD/privateEndpointConnectionsApproval/action | Approve PrivateEndpointConnections | +> | microsoft.aadiam/privateLinkForAzureAD/privateEndpointConnectionProxies/read | Read Private Link Proxies | +> | microsoft.aadiam/privateLinkForAzureAD/privateEndpointConnectionProxies/delete | Delete Private Link Proxies | +> | microsoft.aadiam/privateLinkForAzureAD/privateEndpointConnectionProxies/validate/action | Validate Private Link Proxies | +> | microsoft.aadiam/privateLinkForAzureAD/privateEndpointConnections/read | Read PrivateEndpointConnections | +> | microsoft.aadiam/privateLinkForAzureAD/privateEndpointConnections/write | Create and Update PrivateEndpointConnections | +> | microsoft.aadiam/privateLinkForAzureAD/privateEndpointConnections/delete | Delete PrivateEndpointConnections | +> | microsoft.aadiam/privateLinkForAzureAD/privateLinkResources/read | Read PrivateLinkResources | +> | microsoft.aadiam/privateLinkForAzureAD/privateLinkResources/write | Create and Update PrivateLinkResources | +> | microsoft.aadiam/privateLinkForAzureAD/privateLinkResources/delete | Delete PrivateLinkResources | +> | microsoft.aadiam/tenants/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | microsoft.aadiam/tenants/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | microsoft.aadiam/tenants/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for tenants | ++## Microsoft.ADHybridHealthService ++Azure service: [Microsoft Entra ID](/entra/identity/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.ADHybridHealthService/configuration/action | Updates Tenant Configuration. | +> | Microsoft.ADHybridHealthService/services/action | Updates a service instance in the tenant. | +> | Microsoft.ADHybridHealthService/addsservices/action | Create a new forest for the tenant. 
| +> | Microsoft.ADHybridHealthService/register/action | Registers the ADHybrid Health Service Resource Provider and enables the creation of ADHybrid Health Service resource. | +> | Microsoft.ADHybridHealthService/unregister/action | Unregisters the subscription for ADHybrid Health Service Resource Provider. | +> | Microsoft.ADHybridHealthService/addsservices/write | Creates or Updates the ADDomainService instance for the tenant. | +> | Microsoft.ADHybridHealthService/addsservices/servicemembers/action | Add a server instance to the service. | +> | Microsoft.ADHybridHealthService/addsservices/read | Gets Service details for the specified service name. | +> | Microsoft.ADHybridHealthService/addsservices/delete | Deletes a Service and it's servers along with Health data. | +> | Microsoft.ADHybridHealthService/addsservices/addomainservicemembers/read | Gets all servers for the specified service name. | +> | Microsoft.ADHybridHealthService/addsservices/alerts/read | Gets alerts details for the forest like alertid, alert raised date, alert last detected, alert description, last updated, alert level, alert state, alert troubleshooting links etc. . | +> | Microsoft.ADHybridHealthService/addsservices/configuration/read | Gets Service Configuration for the forest. Example- Forest Name, Functional Level, Domain Naming master FSMO role, Schema master FSMO role etc. | +> | Microsoft.ADHybridHealthService/addsservices/dimensions/read | Gets the domains and sites details for the forest. Example- health status, active alerts, resolved alerts, properties like Domain Functional Level, Forest, Infrastructure Master, PDC, RID master etc. | +> | Microsoft.ADHybridHealthService/addsservices/features/userpreference/read | Gets the user preference setting for the forest.<br>Example- MetricCounterName like ldapsuccessfulbinds, ntlmauthentications, kerberosauthentications, addsinsightsagentprivatebytes, ldapsearches.<br>Settings for the UI Charts etc. 
| +> | Microsoft.ADHybridHealthService/addsservices/forestsummary/read | Gets forest summary for the given forest like forest name, number of domains under this forest, number of sites and sites details etc. | +> | Microsoft.ADHybridHealthService/addsservices/metricmetadata/read | Gets the list of supported metrics for a given service.<br>For example Extranet Account Lockouts, Total Failed Requests, Outstanding Token Requests (Proxy), Token Requests /sec etc for ADFS service.<br>NTLM Authentications/sec, LDAP Successful Binds/sec, LDAP Bind Time, LDAP Active Threads, Kerberos Authentications/sec, ATQ Threads Total etc for ADDomainService.<br>Run Profile Latency, TCP Connections Established, Insights Agent Private Bytes,Export Statistics to Azure AD for ADSync service. | +> | Microsoft.ADHybridHealthService/addsservices/metrics/groups/read | Given a service, this API gets the metrics information.<br>For example, this API can be used to get information related to: Extranet Account Lockouts, Total Failed Requests, Outstanding Token Requests (Proxy), Token Requests /sec etc for ADFederation service.<br>NTLM Authentications/sec, LDAP Successful Binds/sec, LDAP Bind Time, LDAP Active Threads, Kerberos Authentications/sec, ATQ Threads Total etc for ADDomain Service.<br>Run Profile Latency, TCP Connections Established, Insights Agent Private Bytes,Export Statistics to Azure AD for Sync Service. | +> | Microsoft.ADHybridHealthService/addsservices/premiumcheck/read | This API gets the list of all onboarded ADDomainServices for a premium tenant. | +> | Microsoft.ADHybridHealthService/addsservices/replicationdetails/read | Gets replication details for all the servers for the specified service name. | +> | Microsoft.ADHybridHealthService/addsservices/replicationstatus/read | Gets the number of domain controllers and their replication errors if any. 
| +> | Microsoft.ADHybridHealthService/addsservices/replicationsummary/read | Gets complete domain controller list along with replication details for the given forest. | +> | Microsoft.ADHybridHealthService/addsservices/servicemembers/delete | Deletes a server for a given service and tenant. | +> | Microsoft.ADHybridHealthService/addsservices/servicemembers/credentials/read | During server registration of ADDomainService, this api is called to get the credentials for onboarding new servers. | +> | Microsoft.ADHybridHealthService/configuration/write | Creates a Tenant Configuration. | +> | Microsoft.ADHybridHealthService/configuration/read | Reads the Tenant Configuration. | +> | Microsoft.ADHybridHealthService/logs/read | Gets agent installation and registration logs for the tenant. | +> | Microsoft.ADHybridHealthService/logs/contents/read | Gets the content of agent installation and registration logs stored in blob. | +> | Microsoft.ADHybridHealthService/operations/read | Gets list of operations supported by system. | +> | Microsoft.ADHybridHealthService/reports/availabledeployments/read | Gets list of available regions, used by DevOps to support customer incidents. | +> | Microsoft.ADHybridHealthService/reports/badpassword/read | Gets the list of bad password attempts for all the users in Active Directory Federation Service. | +> | Microsoft.ADHybridHealthService/reports/badpassworduseridipfrequency/read | Gets Blob SAS URI containing status and eventual result of newly enqueued report job for frequency of Bad Username/Password attempts per UserId per IPAddress per Day for a given Tenant. | +> | Microsoft.ADHybridHealthService/reports/consentedtodevopstenants/read | Gets the list of DevOps consented tenants. Typically used for customer support. | +> | Microsoft.ADHybridHealthService/reports/isdevops/read | Gets a value indicating whether the tenant is DevOps Consented or not. 
| +> | Microsoft.ADHybridHealthService/reports/selectdevopstenant/read | Updates userid(objectid) for the selected dev ops tenant. | +> | Microsoft.ADHybridHealthService/reports/selecteddeployment/read | Gets selected deployment for the given tenant. | +> | Microsoft.ADHybridHealthService/reports/tenantassigneddeployment/read | Given a tenant id gets the tenant storage location. | +> | Microsoft.ADHybridHealthService/reports/updateselecteddeployment/read | Gets the geo location from which data will be accessed. | +> | Microsoft.ADHybridHealthService/services/write | Creates a service instance in the tenant. | +> | Microsoft.ADHybridHealthService/services/read | Reads the service instances in the tenant. | +> | Microsoft.ADHybridHealthService/services/delete | Deletes a service instance in the tenant. | +> | Microsoft.ADHybridHealthService/services/servicemembers/action | Creates or updates a server instance in the service. | +> | Microsoft.ADHybridHealthService/services/alerts/read | Reads the alerts for a service. | +> | Microsoft.ADHybridHealthService/services/alerts/read | Reads the alerts for a service. | +> | Microsoft.ADHybridHealthService/services/checkservicefeatureavailibility/read | Given a feature name verifies if a service has everything required to use that feature. | +> | Microsoft.ADHybridHealthService/services/exporterrors/read | Gets the export errors for a given sync service. | +> | Microsoft.ADHybridHealthService/services/exportstatus/read | Gets the export status for a given service. | +> | Microsoft.ADHybridHealthService/services/feedbacktype/feedback/read | Gets alerts feedback for a given service and server. | +> | Microsoft.ADHybridHealthService/services/ipAddressAggregates/read | Reads the bad IPs which attempted to access the service. | +> | Microsoft.ADHybridHealthService/services/ipAddressAggregateSettings/read | Reads alarm thresholds for bad IPs. 
| +> | Microsoft.ADHybridHealthService/services/ipAddressAggregateSettings/write | Writes alarm thresholds for bad IPs. | +> | Microsoft.ADHybridHealthService/services/metricmetadata/read | Gets the list of supported metrics for a given service.<br>For example Extranet Account Lockouts, Total Failed Requests, Outstanding Token Requests (Proxy), Token Requests /sec etc for ADFS service.<br>NTLM Authentications/sec, LDAP Successful Binds/sec, LDAP Bind Time, LDAP Active Threads, Kerberos Authentications/sec, ATQ Threads Total etc for ADDomainService.<br>Run Profile Latency, TCP Connections Established, Insights Agent Private Bytes,Export Statistics to Azure AD for ADSync service. | +> | Microsoft.ADHybridHealthService/services/metrics/groups/read | Given a service, this API gets the metrics information.<br>For example, this API can be used to get information related to: Extranet Account Lockouts, Total Failed Requests, Outstanding Token Requests (Proxy), Token Requests /sec etc for ADFederation service.<br>NTLM Authentications/sec, LDAP Successful Binds/sec, LDAP Bind Time, LDAP Active Threads, Kerberos Authentications/sec, ATQ Threads Total etc for ADDomain Service.<br>Run Profile Latency, TCP Connections Established, Insights Agent Private Bytes,Export Statistics to Azure AD for Sync Service. | +> | Microsoft.ADHybridHealthService/services/metrics/groups/average/read | Given a service, this API gets the average for metrics for a given service.<br>For example, this API can be used to get information related to: Extranet Account Lockouts, Total Failed Requests, Outstanding Token Requests (Proxy), Token Requests /sec etc for ADFederation service.<br>NTLM Authentications/sec, LDAP Successful Binds/sec, LDAP Bind Time, LDAP Active Threads, Kerberos Authentications/sec, ATQ Threads Total etc for ADDomain Service.<br>Run Profile Latency, TCP Connections Established, Insights Agent Private Bytes,Export Statistics to Azure AD for Sync Service. 
| +> | Microsoft.ADHybridHealthService/services/metrics/groups/sum/read | Given a service, this API gets the aggregated view for metrics for a given service.<br>For example, this API can be used to get information related to: Extranet Account Lockouts, Total Failed Requests, Outstanding Token Requests (Proxy), Token Requests /sec etc for ADFederation service.<br>NTLM Authentications/sec, LDAP Successful Binds/sec, LDAP Bind Time, LDAP Active Threads, Kerberos Authentications/sec, ATQ Threads Total etc for ADDomain Service.<br>Run Profile Latency, TCP Connections Established, Insights Agent Private Bytes,Export Statistics to Azure AD for Sync Service. | +> | Microsoft.ADHybridHealthService/services/monitoringconfiguration/write | Add or updates monitoring configuration for a service. | +> | Microsoft.ADHybridHealthService/services/monitoringconfigurations/read | Gets the monitoring configurations for a given service. | +> | Microsoft.ADHybridHealthService/services/monitoringconfigurations/write | Add or updates monitoring configurations for a service. | +> | Microsoft.ADHybridHealthService/services/premiumcheck/read | This API gets the list of all onboarded services for a premium tenant. | +> | Microsoft.ADHybridHealthService/services/reports/generateBlobUri/action | Generates Risky IP report and returns a URI pointing to it. | +> | Microsoft.ADHybridHealthService/services/reports/blobUris/read | Gets all Risky IP report URIs for the last 7 days. | +> | Microsoft.ADHybridHealthService/services/reports/details/read | Gets report of top 50 users with bad password errors from last 7 days | +> | Microsoft.ADHybridHealthService/services/servicemembers/read | Reads the server instance in the service. | +> | Microsoft.ADHybridHealthService/services/servicemembers/delete | Deletes a server instance in the service. | +> | Microsoft.ADHybridHealthService/services/servicemembers/alerts/read | Reads the alerts for a server. 
| +> | Microsoft.ADHybridHealthService/services/servicemembers/credentials/read | During server registration, this api is called to get the credentials for onboarding new servers. | +> | Microsoft.ADHybridHealthService/services/servicemembers/datafreshness/read | For a given server, this API gets a list of datatypes that are being uploaded by the servers and the latest time for each upload. | +> | Microsoft.ADHybridHealthService/services/servicemembers/exportstatus/read | Gets the Sync Export Error details for a given Sync Service. | +> | Microsoft.ADHybridHealthService/services/servicemembers/metrics/read | Gets the list of connectors and run profile names for the given service and service member. | +> | Microsoft.ADHybridHealthService/services/servicemembers/metrics/groups/read | Given a service, this API gets the metrics information.<br>For example, this API can be used to get information related to: Extranet Account Lockouts, Total Failed Requests, Outstanding Token Requests (Proxy), Token Requests /sec etc for ADFederation service.<br>NTLM Authentications/sec, LDAP Successful Binds/sec, LDAP Bind Time, LDAP Active Threads, Kerberos Authentications/sec, ATQ Threads Total etc for ADDomain Service.<br>Run Profile Latency, TCP Connections Established, Insights Agent Private Bytes,Export Statistics to Azure AD for Sync Service. | +> | Microsoft.ADHybridHealthService/services/servicemembers/serviceconfiguration/read | Gets service configuration for a given tenant. | +> | Microsoft.ADHybridHealthService/services/tenantwhitelisting/read | Gets feature allowlisting status for a given tenant. 
| ++## Microsoft.AzureActiveDirectory ++Azure service: [Azure Active Directory B2C](/azure/active-directory-b2c/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.AzureActiveDirectory/register/action | Register subscription for Microsoft.AzureActiveDirectory resource provider | +> | Microsoft.AzureActiveDirectory/b2cDirectories/write | Create or update B2C Directory resource | +> | Microsoft.AzureActiveDirectory/b2cDirectories/read | View B2C Directory resource | +> | Microsoft.AzureActiveDirectory/b2cDirectories/delete | Delete B2C Directory resource | +> | Microsoft.AzureActiveDirectory/b2ctenants/read | Lists all B2C tenants where the user is a member | +> | Microsoft.AzureActiveDirectory/ciamDirectories/write | Create or update CIAM Directory resource | +> | Microsoft.AzureActiveDirectory/ciamDirectories/read | View CIAM Directory resource | +> | Microsoft.AzureActiveDirectory/ciamDirectories/delete | Delete CIAM Directory resource | +> | Microsoft.AzureActiveDirectory/guestUsages/write | Create or update Guest Usages resource | +> | Microsoft.AzureActiveDirectory/guestUsages/read | View Guest Usages resource | +> | Microsoft.AzureActiveDirectory/guestUsages/delete | Delete Guest Usages resource | +> | Microsoft.AzureActiveDirectory/operations/read | Read all API operations available for Microsoft.AzureActiveDirectory resource provider | ++## Microsoft.ManagedIdentity ++Azure service: [Managed identities for Azure resources](/azure/active-directory/managed-identities-azure-resources/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.ManagedIdentity/register/action | Registers the subscription for the managed identity resource provider | +> | Microsoft.ManagedIdentity/identities/read | Gets an existing system assigned identity | +> | Microsoft.ManagedIdentity/operations/read | Lists operations available on Microsoft.ManagedIdentity resource provider | +> | 
Microsoft.ManagedIdentity/userAssignedIdentities/assign/action | RBAC action for assigning an existing user assigned identity to a resource | +> | Microsoft.ManagedIdentity/userAssignedIdentities/delete | Deletes an existing user assigned identity | +> | Microsoft.ManagedIdentity/userAssignedIdentities/listAssociatedResources/action | Lists all associated resources for an existing user assigned identity | +> | Microsoft.ManagedIdentity/userAssignedIdentities/read | Gets an existing user assigned identity | +> | Microsoft.ManagedIdentity/userAssignedIdentities/write | Creates a new user assigned identity or updates the tags associated with an existing user assigned identity | +> | Microsoft.ManagedIdentity/userAssignedIdentities/revokeTokens/action | Revoked all the existing tokens on a user assigned identity | +> | Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read | Get or list Federated Identity Credentials | +> | Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write | Add or update a Federated Identity Credential | +> | Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete | Delete a Federated Identity Credential | ++## Next steps ++- [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types) |
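Review bot: `Microsoft.AAD/register/action` is listed twice with conflicting descriptions in the Microsoft.AAD table (`| Microsoft.AAD/register/action | Subscription Registration Action |` and, two rows later, `| Microsoft.AAD/register/action | Register Domain Service |`); keep one row, and likewise drop the verbatim duplicate of `Microsoft.ADHybridHealthService/services/alerts/read`. Two ADHybridHealthService rows have a verb that contradicts the description: `Microsoft.ADHybridHealthService/reports/selectdevopstenant/read` is described as "Updates userid(objectid) for the selected dev ops tenant" and `.../reports/updateselecteddeployment/read` as "Gets the geo location from which data will be accessed"; readers build least-privilege custom roles from the `/read` vs `/write` vs `/action` suffix, so please confirm which side is wrong rather than shipping a `read` action that apparently mutates state. `Microsoft.AAD/locations/operationresults/read` and `Microsoft.AAD/Operations/read` have empty descriptions. Small text fixes: "Deletes a Service and it's servers" should be "its servers", and "Revoked all the existing tokens on a user assigned identity" should be "Revokes". Naming is inconsistent across sections: `microsoft.aadiam` is labelled "Azure Active Directory" with no link while `Microsoft.ADHybridHealthService` says "Microsoft Entra ID", and the managed identity link still uses the old `/azure/active-directory/managed-identities-azure-resources/` path. Finally, given the intro's custom-roles framing, a one-line caution that `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` and `.../federatedIdentityCredentials/write` let the holder attach the identity to a resource or add a credential that can obtain its tokens (that is, effectively act as that identity) would help readers scope roles safely.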
role-based-access-control | Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/integration.md | + + Title: Azure permissions for Integration - Azure RBAC +description: Lists the permissions for the Azure resource providers in the Integration category. +++++ Last updated : 02/07/2024++++# Azure permissions for Integration ++This article lists the permissions for the Azure resource providers in the Integration category. You can use these permissions in your own [Azure custom roles](/azure/role-based-access-control/custom-roles) to provide granular access control to resources in Azure. Permission strings have the following format: `{Company}.{ProviderName}/{resourceType}/{action}` +++## Microsoft.ApiManagement ++Azure service: [API Management](/azure/api-management/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.ApiManagement/register/action | Register subscription for Microsoft.ApiManagement resource provider | +> | Microsoft.ApiManagement/unregister/action | Un-register subscription for Microsoft.ApiManagement resource provider | +> | Microsoft.ApiManagement/checkNameAvailability/read | Checks if provided service name is available | +> | Microsoft.ApiManagement/deletedservices/read | Get deleted API Management Services which can be restored within the soft-delete period | +> | Microsoft.ApiManagement/locations/deletedservices/read | Get deleted API Management Service which can be restored within the soft-delete period by location | +> | Microsoft.ApiManagement/locations/deletedservices/delete | Delete API Management Service without the option to restore it | +> | Microsoft.ApiManagement/operations/read | Read all API operations available for Microsoft.ApiManagement resource | +> | Microsoft.ApiManagement/reports/read | Get reports aggregated by time periods, geographical region, developers, products, APIs, operations, subscription and byRequest. 
| +> | Microsoft.ApiManagement/service/write | Create or Update API Management Service instance | +> | Microsoft.ApiManagement/service/read | Read metadata for an API Management Service instance | +> | Microsoft.ApiManagement/service/delete | Delete API Management Service instance | +> | Microsoft.ApiManagement/service/updatehostname/action | Setup, update or remove custom domain names for an API Management Service | +> | Microsoft.ApiManagement/service/updatecertificate/action | Upload TLS/SSL certificate for an API Management Service | +> | Microsoft.ApiManagement/service/backup/action | Backup API Management Service to the specified container in a user provided storage account | +> | Microsoft.ApiManagement/service/restore/action | Restore API Management Service from the specified container in a user provided storage account | +> | Microsoft.ApiManagement/service/managedeployments/action | Change SKU/units, add/remove regional deployments of API Management Service | +> | Microsoft.ApiManagement/service/getssotoken/action | Gets SSO token that can be used to login into API Management Service Legacy portal as an administrator | +> | Microsoft.ApiManagement/service/applynetworkconfigurationupdates/action | Updates the Microsoft.ApiManagement resources running in Virtual Network to pick updated Network Settings. | +> | Microsoft.ApiManagement/service/scheduledMaintenance/action | Perform Scheduled Maintenance on the service | +> | Microsoft.ApiManagement/service/users/action | Register a new user | +> | Microsoft.ApiManagement/service/notifications/action | Sends notification to a specified user | +> | Microsoft.ApiManagement/service/validatePolicies/action | Validates Tenant Policy Restrictions | +> | Microsoft.ApiManagement/service/apis/read | Lists all APIs of the API Management service instance. or Gets the details of the API specified by its identifier. 
| +> | Microsoft.ApiManagement/service/apis/write | Creates new or updates existing specified API of the API Management service instance. or Updates the specified API of the API Management service instance. | +> | Microsoft.ApiManagement/service/apis/delete | Deletes the specified API of the API Management service instance. | +> | Microsoft.ApiManagement/service/apis/diagnostics/read | Lists all diagnostics of an API. or Gets the details of the Diagnostic for an API specified by its identifier. | +> | Microsoft.ApiManagement/service/apis/diagnostics/write | Creates a new Diagnostic for an API or updates an existing one. or Updates the details of the Diagnostic for an API specified by its identifier. | +> | Microsoft.ApiManagement/service/apis/diagnostics/delete | Deletes the specified Diagnostic from an API. | +> | Microsoft.ApiManagement/service/apis/issues/read | Lists all issues associated with the specified API. or Gets the details of the Issue for an API specified by its identifier. | +> | Microsoft.ApiManagement/service/apis/issues/write | Creates a new Issue for an API or updates an existing one. or Updates an existing issue for an API. | +> | Microsoft.ApiManagement/service/apis/issues/delete | Deletes the specified Issue from an API. | +> | Microsoft.ApiManagement/service/apis/issues/attachments/read | Lists all attachments for the Issue associated with the specified API. or Gets the details of the issue Attachment for an API specified by its identifier. | +> | Microsoft.ApiManagement/service/apis/issues/attachments/write | Creates a new Attachment for the Issue in an API or updates an existing one. | +> | Microsoft.ApiManagement/service/apis/issues/attachments/delete | Deletes the specified comment from an Issue. | +> | Microsoft.ApiManagement/service/apis/issues/comments/read | Lists all comments for the Issue associated with the specified API. or Gets the details of the issue Comment for an API specified by its identifier. 
| +> | Microsoft.ApiManagement/service/apis/issues/comments/write | Creates a new Comment for the Issue in an API or updates an existing one. | +> | Microsoft.ApiManagement/service/apis/issues/comments/delete | Deletes the specified comment from an Issue. | +> | Microsoft.ApiManagement/service/apis/operations/read | Lists a collection of the operations for the specified API. or Gets the details of the API Operation specified by its identifier. | +> | Microsoft.ApiManagement/service/apis/operations/write | Creates a new operation in the API or updates an existing one. or Updates the details of the operation in the API specified by its identifier. | +> | Microsoft.ApiManagement/service/apis/operations/delete | Deletes the specified operation in the API. | +> | Microsoft.ApiManagement/service/apis/operations/policies/read | Get the list of policy configuration at the API Operation level. or Get the policy configuration at the API Operation level. | +> | Microsoft.ApiManagement/service/apis/operations/policies/write | Creates or updates policy configuration for the API Operation level. | +> | Microsoft.ApiManagement/service/apis/operations/policies/delete | Deletes the policy configuration at the Api Operation. | +> | Microsoft.ApiManagement/service/apis/operations/policy/read | Get the policy configuration at Operation level | +> | Microsoft.ApiManagement/service/apis/operations/policy/write | Create policy configuration at Operation level | +> | Microsoft.ApiManagement/service/apis/operations/policy/delete | Delete the policy configuration at Operation level | +> | Microsoft.ApiManagement/service/apis/operations/tags/read | Lists all Tags associated with the Operation. or Get tag associated with the Operation. | +> | Microsoft.ApiManagement/service/apis/operations/tags/write | Assign tag to the Operation. | +> | Microsoft.ApiManagement/service/apis/operations/tags/delete | Detach the tag from the Operation. 
| +> | Microsoft.ApiManagement/service/apis/operationsByTags/read | Lists a collection of operations associated with tags. | +> | Microsoft.ApiManagement/service/apis/policies/read | Get the policy configuration at the API level. or Get the policy configuration at the API level. | +> | Microsoft.ApiManagement/service/apis/policies/write | Creates or updates policy configuration for the API. | +> | Microsoft.ApiManagement/service/apis/policies/delete | Deletes the policy configuration at the Api. | +> | Microsoft.ApiManagement/service/apis/policy/read | Get the policy configuration at API level | +> | Microsoft.ApiManagement/service/apis/policy/write | Create policy configuration at API level | +> | Microsoft.ApiManagement/service/apis/policy/delete | Delete the policy configuration at API level | +> | Microsoft.ApiManagement/service/apis/products/read | Lists all Products, which the API is part of. | +> | Microsoft.ApiManagement/service/apis/releases/read | Lists all releases of an API.<br>An API release is created when making an API Revision current.<br>Releases are also used to rollback to previous revisions.<br>Results will be paged and can be constrained by the $top and $skip parameters.<br>or Returns the details of an API release. | +> | Microsoft.ApiManagement/service/apis/releases/delete | Removes all releases of the API or Deletes the specified release in the API. | +> | Microsoft.ApiManagement/service/apis/releases/write | Creates a new Release for the API. or Updates the details of the release of the API specified by its identifier. | +> | Microsoft.ApiManagement/service/apis/resolvers/read | Get the graphQL resolvers at the API level. or Get the graphQL resolver at the API level. | +> | Microsoft.ApiManagement/service/apis/resolvers/write | Creates or updates graphQL resolver for the API. or Updates the details of the graphQL resolver in the API specified by its identifier. 
| +> | Microsoft.ApiManagement/service/apis/resolvers/delete | Deletes the policy configuration at the Api. | +> | Microsoft.ApiManagement/service/apis/resolvers/policies/read | Get the list of policy configurations at the GraphQL API resolver level. or Get the policy configuration at the GraphQL API resolver level. | +> | Microsoft.ApiManagement/service/apis/resolvers/policies/write | Creates or updates policy configuration for the GraphQL API. | +> | Microsoft.ApiManagement/service/apis/resolvers/policies/delete | Deletes the policy configuration at the GraphQL Api. | +> | Microsoft.ApiManagement/service/apis/revisions/read | Lists all revisions of an API. | +> | Microsoft.ApiManagement/service/apis/revisions/delete | Removes all revisions of an API | +> | Microsoft.ApiManagement/service/apis/schemas/read | Get the schema configuration at the API level. or Get the schema configuration at the API level. | +> | Microsoft.ApiManagement/service/apis/schemas/write | Creates or updates schema configuration for the API. | +> | Microsoft.ApiManagement/service/apis/schemas/delete | Deletes the schema configuration at the Api. | +> | Microsoft.ApiManagement/service/apis/tagDescriptions/read | Lists all Tags descriptions in scope of API. Model similar to swagger - tagDescription is defined on API level but tag may be assigned to the Operations or Get Tag description in scope of API | +> | Microsoft.ApiManagement/service/apis/tagDescriptions/write | Create/Update tag description in scope of the Api. | +> | Microsoft.ApiManagement/service/apis/tagDescriptions/delete | Delete tag description for the Api. | +> | Microsoft.ApiManagement/service/apis/tags/read | Lists all Tags associated with the API. or Get tag associated with the API. | +> | Microsoft.ApiManagement/service/apis/tags/write | Assign tag to the Api. | +> | Microsoft.ApiManagement/service/apis/tags/delete | Detach the tag from the Api. 
| +> | Microsoft.ApiManagement/service/apisByTags/read | Lists a collection of apis associated with tags. | +> | Microsoft.ApiManagement/service/apiVersionSets/read | Lists a collection of API Version Sets in the specified service instance. or Gets the details of the Api Version Set specified by its identifier. | +> | Microsoft.ApiManagement/service/apiVersionSets/write | Creates or Updates a Api Version Set. or Updates the details of the Api VersionSet specified by its identifier. | +> | Microsoft.ApiManagement/service/apiVersionSets/delete | Deletes specific Api Version Set. | +> | Microsoft.ApiManagement/service/apiVersionSets/versions/read | Get list of version entities | +> | Microsoft.ApiManagement/service/authorizationProviders/read | Lists AuthorizationProvider within a service instance or Gets a AuthorizationProvider | +> | Microsoft.ApiManagement/service/authorizationProviders/write | Creates a AuthorizationProvider | +> | Microsoft.ApiManagement/service/authorizationProviders/delete | Deletes a AuthorizationProvider | +> | Microsoft.ApiManagement/service/authorizationProviders/authorizations/read | Lists Authorization or Get Authorization | +> | Microsoft.ApiManagement/service/authorizationProviders/authorizations/write | Creates a Authorization | +> | Microsoft.ApiManagement/service/authorizationProviders/authorizations/delete | Deletes a Authorization | +> | Microsoft.ApiManagement/service/authorizationProviders/authorizations/getLoginLinks/action | Posts Authorization Login Links | +> | Microsoft.ApiManagement/service/authorizationProviders/authorizations/confirmConsentCode/action | Posts Authorization Confirm Consent Code | +> | Microsoft.ApiManagement/service/authorizationProviders/authorizations/permission/read | Lists Authorization Permissions or Get Authorization Permission | +> | Microsoft.ApiManagement/service/authorizationProviders/authorizations/permission/write | Creates a Authorization Permission | +> | 
Microsoft.ApiManagement/service/authorizationProviders/authorizations/permission/delete | Deletes a Authorization Permission | +> | Microsoft.ApiManagement/service/authorizationServers/read | Lists a collection of authorization servers defined within a service instance. or Gets the details of the authorization server without secrets. | +> | Microsoft.ApiManagement/service/authorizationServers/write | Creates new authorization server or updates an existing authorization server. or Updates the details of the authorization server specified by its identifier. | +> | Microsoft.ApiManagement/service/authorizationServers/delete | Deletes specific authorization server instance. | +> | Microsoft.ApiManagement/service/authorizationServers/listSecrets/action | Gets secrets for the authorization server. | +> | Microsoft.ApiManagement/service/backends/read | Lists a collection of backends in the specified service instance. or Gets the details of the backend specified by its identifier. | +> | Microsoft.ApiManagement/service/backends/write | Creates or Updates a backend. or Updates an existing backend. | +> | Microsoft.ApiManagement/service/backends/delete | Deletes the specified backend. | +> | Microsoft.ApiManagement/service/backends/reconnect/action | Notifies the APIM proxy to create a new connection to the backend after the specified timeout. If no timeout was specified, timeout of 2 minutes is used. | +> | Microsoft.ApiManagement/service/caches/read | Lists a collection of all external Caches in the specified service instance. or Gets the details of the Cache specified by its identifier. | +> | Microsoft.ApiManagement/service/caches/write | Creates or updates an External Cache to be used in Api Management instance. or Updates the details of the cache specified by its identifier. | +> | Microsoft.ApiManagement/service/caches/delete | Deletes specific Cache. 
| +> | Microsoft.ApiManagement/service/certificates/read | Lists a collection of all certificates in the specified service instance. or Gets the details of the certificate specified by its identifier. | +> | Microsoft.ApiManagement/service/certificates/write | Creates or updates the certificate being used for authentication with the backend. | +> | Microsoft.ApiManagement/service/certificates/delete | Deletes specific certificate. | +> | Microsoft.ApiManagement/service/certificates/refreshSecret/action | Refreshes certificate by fetching it from Key Vault. | +> | Microsoft.ApiManagement/service/contentTypes/read | Returns list of content types or Returns content type | +> | Microsoft.ApiManagement/service/contentTypes/delete | Removes content type. | +> | Microsoft.ApiManagement/service/contentTypes/write | Creates new content type | +> | Microsoft.ApiManagement/service/contentTypes/contentItems/read | Returns list of content items or Returns content item details | +> | Microsoft.ApiManagement/service/contentTypes/contentItems/write | Creates new content item or Updates specified content item | +> | Microsoft.ApiManagement/service/contentTypes/contentItems/delete | Removes specified content item. | +> | Microsoft.ApiManagement/service/diagnostics/read | Lists all diagnostics of the API Management service instance. or Gets the details of the Diagnostic specified by its identifier. | +> | Microsoft.ApiManagement/service/diagnostics/write | Creates a new Diagnostic or updates an existing one. or Updates the details of the Diagnostic specified by its identifier. | +> | Microsoft.ApiManagement/service/diagnostics/delete | Deletes the specified Diagnostic. | +> | Microsoft.ApiManagement/service/documentations/read | Lists all Documentations of the API Management service instance. or Gets the details of the documentation specified by its identifier. | +> | Microsoft.ApiManagement/service/documentations/write | Creates or Updates a documentation. 
or Updates the specified documentation of the API Management service instance. | +> | Microsoft.ApiManagement/service/documentations/delete | Delete documentation. | +> | Microsoft.ApiManagement/service/eventGridFilters/write | Set Event Grid Filters | +> | Microsoft.ApiManagement/service/eventGridFilters/delete | Delete Event Grid Filters | +> | Microsoft.ApiManagement/service/eventGridFilters/read | Get Event Grid Filter | +> | Microsoft.ApiManagement/service/gateways/read | Lists a collection of gateways registered with service instance. or Gets the details of the Gateway specified by its identifier. | +> | Microsoft.ApiManagement/service/gateways/write | Creates or updates an Gateway to be used in Api Management instance. or Updates the details of the gateway specified by its identifier. | +> | Microsoft.ApiManagement/service/gateways/delete | Deletes specific Gateway. | +> | Microsoft.ApiManagement/service/gateways/listKeys/action | Retrieves gateway keys. | +> | Microsoft.ApiManagement/service/gateways/keys/action | Retrieves gateway keys. | +> | Microsoft.ApiManagement/service/gateways/regenerateKey/action | Regenerates specified gateway key invalidationg any tokens created with it. | +> | Microsoft.ApiManagement/service/gateways/generateToken/action | Gets the Shared Access Authorization Token for the gateway. | +> | Microsoft.ApiManagement/service/gateways/token/action | Gets the Shared Access Authorization Token for the gateway. | +> | Microsoft.ApiManagement/service/gateways/invalidateDebugCredentials/action | Forces gateway to reset all issued debug credentials | +> | Microsoft.ApiManagement/service/gateways/listDebugCredentials/action | Issue a debug credentials for requests | +> | Microsoft.ApiManagement/service/gateways/listTrace/action | List collected trace created by gateway | +> | Microsoft.ApiManagement/service/gateways/apis/read | Lists a collection of the APIs associated with a gateway. 
| +> | Microsoft.ApiManagement/service/gateways/apis/write | Adds an API to the specified Gateway. | +> | Microsoft.ApiManagement/service/gateways/apis/delete | Deletes the specified API from the specified Gateway. | +> | Microsoft.ApiManagement/service/gateways/certificateAuthorities/read | Get Gateway CAs list. or Get assigned Certificate Authority details. | +> | Microsoft.ApiManagement/service/gateways/certificateAuthorities/write | Adds an API to the specified Gateway. | +> | Microsoft.ApiManagement/service/gateways/certificateAuthorities/delete | Unassign Certificate Authority from Gateway. | +> | Microsoft.ApiManagement/service/gateways/hostnameConfigurations/read | Lists the collection of hostname configurations for the specified gateway. or Get details of a hostname configuration | +> | Microsoft.ApiManagement/service/gateways/hostnameConfigurations/write | Request subscription for a new product | +> | Microsoft.ApiManagement/service/gateways/hostnameConfigurations/delete | Deletes the specified hostname configuration. | +> | Microsoft.ApiManagement/service/groups/read | Lists a collection of groups defined within a service instance. or Gets the details of the group specified by its identifier. | +> | Microsoft.ApiManagement/service/groups/write | Creates or Updates a group. or Updates the details of the group specified by its identifier. | +> | Microsoft.ApiManagement/service/groups/delete | Deletes specific group of the API Management service instance. | +> | Microsoft.ApiManagement/service/groups/users/read | Lists a collection of user entities associated with the group. | +> | Microsoft.ApiManagement/service/groups/users/write | Add existing user to existing group | +> | Microsoft.ApiManagement/service/groups/users/delete | Remove existing user from existing group. | +> | Microsoft.ApiManagement/service/identityProviders/read | Lists a collection of Identity Provider configured in the specified service instance. 
or Gets the configuration details of the identity Provider without secrets. | +> | Microsoft.ApiManagement/service/identityProviders/write | Creates or Updates the IdentityProvider configuration. or Updates an existing IdentityProvider configuration. | +> | Microsoft.ApiManagement/service/identityProviders/delete | Deletes the specified identity provider configuration. | +> | Microsoft.ApiManagement/service/identityProviders/listSecrets/action | Gets Identity Provider secrets. | +> | Microsoft.ApiManagement/service/issues/read | Lists a collection of issues in the specified service instance. or Gets API Management issue details | +> | Microsoft.ApiManagement/service/locations/networkstatus/read | Gets the network access status of resources on which the service depends in the location. | +> | Microsoft.ApiManagement/service/loggers/read | Lists a collection of loggers in the specified service instance. or Gets the details of the logger specified by its identifier. | +> | Microsoft.ApiManagement/service/loggers/write | Creates or Updates a logger. or Updates an existing logger. | +> | Microsoft.ApiManagement/service/loggers/delete | Deletes the specified logger. | +> | Microsoft.ApiManagement/service/namedValues/read | Lists a collection of named values defined within a service instance. or Gets the details of the named value specified by its identifier. | +> | Microsoft.ApiManagement/service/namedValues/write | Creates or updates named value. or Updates the specific named value. | +> | Microsoft.ApiManagement/service/namedValues/delete | Deletes specific named value from the API Management service instance. | +> | Microsoft.ApiManagement/service/namedValues/listValue/action | Gets the secret of the named value specified by its identifier. | +> | Microsoft.ApiManagement/service/namedValues/refreshSecret/action | Refreshes named value by fetching it from Key Vault. 
| +> | Microsoft.ApiManagement/service/networkstatus/read | Gets the network access status of resources on which the service depends. | +> | Microsoft.ApiManagement/service/notifications/read | Lists a collection of properties defined within a service instance. or Gets the details of the Notification specified by its identifier. | +> | Microsoft.ApiManagement/service/notifications/write | Create or Update API Management publisher notification. | +> | Microsoft.ApiManagement/service/notifications/recipientEmails/read | Gets the list of the Notification Recipient Emails subscribed to a notification. | +> | Microsoft.ApiManagement/service/notifications/recipientEmails/write | Adds the Email address to the list of Recipients for the Notification. | +> | Microsoft.ApiManagement/service/notifications/recipientEmails/delete | Removes the email from the list of Notification. | +> | Microsoft.ApiManagement/service/notifications/recipientUsers/read | Gets the list of the Notification Recipient User subscribed to the notification. | +> | Microsoft.ApiManagement/service/notifications/recipientUsers/write | Adds the API Management User to the list of Recipients for the Notification. | +> | Microsoft.ApiManagement/service/notifications/recipientUsers/delete | Removes the API Management user from the list of Notification. | +> | Microsoft.ApiManagement/service/openidConnectProviders/read | Lists of all the OpenId Connect Providers. or Gets specific OpenID Connect Provider without secrets. | +> | Microsoft.ApiManagement/service/openidConnectProviders/write | Creates or updates the OpenID Connect Provider. or Updates the specific OpenID Connect Provider. | +> | Microsoft.ApiManagement/service/openidConnectProviders/delete | Deletes specific OpenID Connect Provider of the API Management service instance. | +> | Microsoft.ApiManagement/service/openidConnectProviders/listSecrets/action | Gets specific OpenID Connect Provider secrets. 
| +> | Microsoft.ApiManagement/service/operationresults/read | Gets current status of long running operation | +> | Microsoft.ApiManagement/service/outboundNetworkDependenciesEndpoints/read | Gets the outbound network dependency status of resources on which the service depends. | +> | Microsoft.ApiManagement/service/policies/read | Lists all the Global Policy definitions of the Api Management service. or Get the Global policy definition of the Api Management service. | +> | Microsoft.ApiManagement/service/policies/write | Creates or updates the global policy configuration of the Api Management service. | +> | Microsoft.ApiManagement/service/policies/delete | Deletes the global policy configuration of the Api Management Service. | +> | Microsoft.ApiManagement/service/policy/read | Get the policy configuration at Tenant level | +> | Microsoft.ApiManagement/service/policy/write | Create policy configuration at Tenant level | +> | Microsoft.ApiManagement/service/policy/delete | Delete the policy configuration at Tenant level | +> | Microsoft.ApiManagement/service/policyDescriptions/read | Lists all policy descriptions. | +> | Microsoft.ApiManagement/service/policyFragments/read | Gets all policy fragments. or Gets a policy fragment. | +> | Microsoft.ApiManagement/service/policyFragments/write | Creates or updates a policy fragment. | +> | Microsoft.ApiManagement/service/policyFragments/delete | Deletes a policy fragment. | +> | Microsoft.ApiManagement/service/policyFragments/listReferences/action | Lists policy resources that reference the policy fragment. | +> | Microsoft.ApiManagement/service/policyRestrictions/read | Lists all the Global Policy Restrictions of the Api Management service. or Get the Global policy restriction of the Api Management service. | +> | Microsoft.ApiManagement/service/policyRestrictions/write | Creates or updates the global policy restriction of the Api Management service. 
or Updates the global policy restriction of the Api Management service. | +> | Microsoft.ApiManagement/service/policyRestrictions/delete | Deletes the global policy restriction of the Api Management Service. | +> | Microsoft.ApiManagement/service/policySnippets/read | Lists all policy snippets. | +> | Microsoft.ApiManagement/service/portalConfigs/read | Lists a collection of developer portal config entities. or Gets developer portal config specified by its identifier. | +> | Microsoft.ApiManagement/service/portalConfigs/write | Creates a new developer portal config. or Updates the description of specified portal config or makes it current. | +> | Microsoft.ApiManagement/service/portalConfigs/listDelegationSecrets/action | Gets validation key of portal delegation settings. | +> | Microsoft.ApiManagement/service/portalConfigs/listMediaContentSecrets/action | Get media content blob container uri. | +> | Microsoft.ApiManagement/service/portalRevisions/read | Lists a collection of developer portal revision entities. or Gets developer portal revision specified by its identifier. | +> | Microsoft.ApiManagement/service/portalRevisions/write | Creates a new developer portal revision. or Updates the description of specified portal revision or makes it current. | +> | Microsoft.ApiManagement/service/portalSettings/read | Lists a collection of portal settings. or Get Sign In Settings for the Portal or Get Sign Up Settings for the Portal or Get Delegation Settings for the Portal. | +> | Microsoft.ApiManagement/service/portalSettings/write | Update Sign-In settings. or Create or Update Sign-In settings. or Update Sign Up settings or Update Sign Up settings or Update Delegation settings. or Create or Update Delegation settings. | +> | Microsoft.ApiManagement/service/portalSettings/listSecrets/action | Gets validation key of portal delegation settings. or Get media content blob container uri. 
| +> | Microsoft.ApiManagement/service/privateEndpointConnectionProxies/read | Get Private Endpoint Connection Proxy | +> | Microsoft.ApiManagement/service/privateEndpointConnectionProxies/write | Create the private endpoint connection proxy | +> | Microsoft.ApiManagement/service/privateEndpointConnectionProxies/delete | Delete the private endpoint connection proxy | +> | Microsoft.ApiManagement/service/privateEndpointConnectionProxies/validate/action | Validate the private endpoint connection proxy | +> | Microsoft.ApiManagement/service/privateEndpointConnectionProxies/operationresults/read | View the result of private endpoint connection operations in the management portal | +> | Microsoft.ApiManagement/service/privateEndpointConnections/read | Get Private Endpoint Connections | +> | Microsoft.ApiManagement/service/privateEndpointConnections/write | Approve Or Reject Private Endpoint Connections | +> | Microsoft.ApiManagement/service/privateEndpointConnections/delete | Delete Private Endpoint Connections | +> | Microsoft.ApiManagement/service/privateLinkResources/read | Get Private Link Group resources | +> | Microsoft.ApiManagement/service/products/read | Lists a collection of products in the specified service instance. or Gets the details of the product specified by its identifier. | +> | Microsoft.ApiManagement/service/products/write | Creates or Updates a product. or Update existing product details. | +> | Microsoft.ApiManagement/service/products/delete | Delete product. | +> | Microsoft.ApiManagement/service/products/apiLinks/read | Lists a collection of product-API links in the specified service instance. or Get product-API details. | +> | Microsoft.ApiManagement/service/products/apiLinks/write | Creates or Updates a product-API link. | +> | Microsoft.ApiManagement/service/products/apiLinks/delete | Delete product-API link. | +> | Microsoft.ApiManagement/service/products/apis/read | Lists a collection of the APIs associated with a product. 
| +> | Microsoft.ApiManagement/service/products/apis/write | Adds an API to the specified product. | +> | Microsoft.ApiManagement/service/products/apis/delete | Deletes the specified API from the specified product. | +> | Microsoft.ApiManagement/service/products/groupLinks/read | Lists a collection of product-group links in the specified service instance. or Get product-group details. | +> | Microsoft.ApiManagement/service/products/groupLinks/write | Creates or Updates a product-group link. | +> | Microsoft.ApiManagement/service/products/groupLinks/delete | Delete product-group link. | +> | Microsoft.ApiManagement/service/products/groups/read | Lists the collection of developer groups associated with the specified product. | +> | Microsoft.ApiManagement/service/products/groups/write | Adds the association between the specified developer group with the specified product. | +> | Microsoft.ApiManagement/service/products/groups/delete | Deletes the association between the specified group and product. | +> | Microsoft.ApiManagement/service/products/policies/read | Get the policy configuration at the Product level. or Get the policy configuration at the Product level. | +> | Microsoft.ApiManagement/service/products/policies/write | Creates or updates policy configuration for the Product. | +> | Microsoft.ApiManagement/service/products/policies/delete | Deletes the policy configuration at the Product. | +> | Microsoft.ApiManagement/service/products/policy/read | Get the policy configuration at Product level | +> | Microsoft.ApiManagement/service/products/policy/write | Create policy configuration at Product level | +> | Microsoft.ApiManagement/service/products/policy/delete | Delete the policy configuration at Product level | +> | Microsoft.ApiManagement/service/products/subscriptions/read | Lists the collection of subscriptions to the specified product. | +> | Microsoft.ApiManagement/service/products/tags/read | Lists all Tags associated with the Product. 
or Get tag associated with the Product. | +> | Microsoft.ApiManagement/service/products/tags/write | Assign tag to the Product. | +> | Microsoft.ApiManagement/service/products/tags/delete | Detach the tag from the Product. | +> | Microsoft.ApiManagement/service/productsByTags/read | Lists a collection of products associated with tags. | +> | Microsoft.ApiManagement/service/properties/read | Lists a collection of properties defined within a service instance. or Gets the details of the property specified by its identifier. | +> | Microsoft.ApiManagement/service/properties/write | Creates or updates a property. or Updates the specific property. | +> | Microsoft.ApiManagement/service/properties/delete | Deletes specific property from the API Management service instance. | +> | Microsoft.ApiManagement/service/properties/listSecrets/action | Gets the secrets of the property specified by its identifier. | +> | Microsoft.ApiManagement/service/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for ApiManagement service | +> | Microsoft.ApiManagement/service/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for ApiManagement service | +> | Microsoft.ApiManagement/service/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for API Management service | +> | Microsoft.ApiManagement/service/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for API Management service | +> | Microsoft.ApiManagement/service/quotas/read | Get values for quota | +> | Microsoft.ApiManagement/service/quotas/write | Set quota counter current value | +> | Microsoft.ApiManagement/service/quotas/periods/read | Get quota counter value for period | +> | Microsoft.ApiManagement/service/quotas/periods/write | Set quota counter current value | +> | Microsoft.ApiManagement/service/regions/read | Lists all azure regions in which the service exists. 
| +> | Microsoft.ApiManagement/service/reports/read | Get report aggregated by time periods or Get report aggregated by geographical region or Get report aggregated by developers.<br>or Get report aggregated by products.<br>or Get report aggregated by APIs or Get report aggregated by operations or Get report aggregated by subscription.<br>or Get requests reporting data | +> | Microsoft.ApiManagement/service/schemas/read | Lists a collection of schemas registered. or Gets the details of the Schema specified by its identifier. | +> | Microsoft.ApiManagement/service/schemas/write | Creates or updates an Schema to be used in Api Management instance. | +> | Microsoft.ApiManagement/service/schemas/delete | Deletes specific Schema. | +> | Microsoft.ApiManagement/service/settings/read | Lists a collection of tenant settings. Always empty. Use /settings/public instead | +> | Microsoft.ApiManagement/service/subscriptions/read | Lists all subscriptions of the API Management service instance. or Gets the specified Subscription entity (without keys). | +> | Microsoft.ApiManagement/service/subscriptions/write | Creates or updates the subscription of specified user to the specified product. or Updates the details of a subscription specified by its identifier. | +> | Microsoft.ApiManagement/service/subscriptions/delete | Deletes the specified subscription. | +> | Microsoft.ApiManagement/service/subscriptions/regeneratePrimaryKey/action | Regenerates primary key of existing subscription of the API Management service instance. | +> | Microsoft.ApiManagement/service/subscriptions/regenerateSecondaryKey/action | Regenerates secondary key of existing subscription of the API Management service instance. | +> | Microsoft.ApiManagement/service/subscriptions/listSecrets/action | Gets the specified Subscription keys. | +> | Microsoft.ApiManagement/service/tagResources/read | Lists a collection of resources associated with tags. 
| +> | Microsoft.ApiManagement/service/tags/read | Lists a collection of tags defined within a service instance. or Gets the details of the tag specified by its identifier. | +> | Microsoft.ApiManagement/service/tags/write | Creates a tag. or Updates the details of the tag specified by its identifier. | +> | Microsoft.ApiManagement/service/tags/delete | Deletes specific tag of the API Management service instance. | +> | Microsoft.ApiManagement/service/tags/apiLinks/read | Lists a collection of Tag-API links in the specified service instance. or Get Tag-API details. | +> | Microsoft.ApiManagement/service/tags/apiLinks/write | Creates or Updates a Tag-API link. | +> | Microsoft.ApiManagement/service/tags/apiLinks/delete | Delete Tag-API link. | +> | Microsoft.ApiManagement/service/tags/operationLinks/read | Lists a collection of Tag-operation links in the specified service instance. or Get Tag-operation details. | +> | Microsoft.ApiManagement/service/tags/operationLinks/write | Creates or Updates a Tag-operation link. | +> | Microsoft.ApiManagement/service/tags/operationLinks/delete | Delete Tag-operation link. | +> | Microsoft.ApiManagement/service/tags/productLinks/read | Lists a collection of Tag-product links in the specified service instance. or Get Tag-product details. | +> | Microsoft.ApiManagement/service/tags/productLinks/write | Creates or Updates a Tag-product link. | +> | Microsoft.ApiManagement/service/tags/productLinks/delete | Delete Tag-product link. | +> | Microsoft.ApiManagement/service/templates/read | Gets all email templates or Gets API Management email template details | +> | Microsoft.ApiManagement/service/templates/write | Create or update API Management email template or Updates API Management email template | +> | Microsoft.ApiManagement/service/templates/delete | Reset default API Management email template | +> | Microsoft.ApiManagement/service/tenant/read | Lists a collection of tenant access settings. 
or Get the Global policy definition of the Api Management service. or Get tenant access information details | +> | Microsoft.ApiManagement/service/tenant/write | Set policy configuration for the tenant or Update tenant access information details or Update tenant access information details | +> | Microsoft.ApiManagement/service/tenant/delete | Remove policy configuration for the tenant | +> | Microsoft.ApiManagement/service/tenant/listSecrets/action | Get tenant access information details | +> | Microsoft.ApiManagement/service/tenant/regeneratePrimaryKey/action | Regenerate primary access key | +> | Microsoft.ApiManagement/service/tenant/regenerateSecondaryKey/action | Regenerate secondary access key | +> | Microsoft.ApiManagement/service/tenant/deploy/action | Runs a deployment task to apply changes from the specified git branch to the configuration in database. | +> | Microsoft.ApiManagement/service/tenant/save/action | Creates commit with configuration snapshot to the specified branch in the repository | +> | Microsoft.ApiManagement/service/tenant/validate/action | Validates changes from the specified git branch | +> | Microsoft.ApiManagement/service/tenant/operationResults/read | Get list of operation results or Get result of a specific operation | +> | Microsoft.ApiManagement/service/tenant/syncState/read | Get status of last git synchronization | +> | Microsoft.ApiManagement/service/tenants/apis/diagnostics/read | Lists all diagnostics of an API. or Gets the details of the Diagnostic for an API specified by its identifier. | +> | Microsoft.ApiManagement/service/tenants/apis/diagnostics/write | Creates a new Diagnostic for an API or updates an existing one. or Updates the details of the Diagnostic for an API specified by its identifier. | +> | Microsoft.ApiManagement/service/tenants/apis/diagnostics/delete | Deletes the specified Diagnostic from an API. 
| +> | Microsoft.ApiManagement/service/tenants/apis/operations/read | Lists a collection of the operations for the specified API. or Gets the details of the API Operation specified by its identifier. | +> | Microsoft.ApiManagement/service/tenants/apis/operations/write | Creates a new operation in the API or updates an existing one. or Updates the details of the operation in the API specified by its identifier. | +> | Microsoft.ApiManagement/service/tenants/apis/operations/delete | Deletes the specified operation in the API. | +> | Microsoft.ApiManagement/service/tenants/apis/operations/policies/read | Get the list of policy configuration at the API Operation level. or Get the policy configuration at the API Operation level. | +> | Microsoft.ApiManagement/service/tenants/apis/operations/policies/write | Creates or updates policy configuration for the API Operation level. | +> | Microsoft.ApiManagement/service/tenants/apis/operations/policies/delete | Deletes the policy configuration at the Api Operation. | +> | Microsoft.ApiManagement/service/tenants/apis/operations/tags/read | Lists all Tags associated with the Operation. or Get tag associated with the Operation. | +> | Microsoft.ApiManagement/service/tenants/apis/operations/tags/write | Assign tag to the Operation. | +> | Microsoft.ApiManagement/service/tenants/apis/operations/tags/delete | Detach the tag from the Operation. | +> | Microsoft.ApiManagement/service/tenants/apis/operationsByTags/read | Lists a collection of operations associated with tags. | +> | Microsoft.ApiManagement/service/tenants/apis/policies/read | Get the policy configuration at the API level. or Get the policy configuration at the API level. | +> | Microsoft.ApiManagement/service/tenants/apis/policies/write | Creates or updates policy configuration for the API. | +> | Microsoft.ApiManagement/service/tenants/apis/policies/delete | Deletes the policy configuration at the Api. 
| +> | Microsoft.ApiManagement/service/tenants/apis/products/read | Lists all Products, which the API is part of. | +> | Microsoft.ApiManagement/service/tenants/apis/releases/read | Lists all releases of an API.<br>An API release is created when making an API Revision current.<br>Releases are also used to rollback to previous revisions.<br>Results will be paged and can be constrained by the $top and $skip parameters.<br>or Returns the details of an API release. | +> | Microsoft.ApiManagement/service/tenants/apis/releases/delete | Removes all releases of the API or Deletes the specified release in the API. | +> | Microsoft.ApiManagement/service/tenants/apis/releases/write | Creates a new Release for the API. or Updates the details of the release of the API specified by its identifier. | +> | Microsoft.ApiManagement/service/tenants/apis/resolvers/read | Get the graphQL resolvers at the API level. or Get the graphQL resolver at the API level. | +> | Microsoft.ApiManagement/service/tenants/apis/resolvers/write | Creates or updates graphQL resolver for the API. or Updates the details of the graphQL resolver in the API specified by its identifier. | +> | Microsoft.ApiManagement/service/tenants/apis/resolvers/delete | Deletes the policy configuration at the Api. | +> | Microsoft.ApiManagement/service/tenants/apis/resolvers/policies/read | Get the list of policy configurations at the GraphQL API resolver level. or Get the policy configuration at the GraphQL API resolver level. | +> | Microsoft.ApiManagement/service/tenants/apis/resolvers/policies/write | Creates or updates policy configuration for the GraphQL API. | +> | Microsoft.ApiManagement/service/tenants/apis/resolvers/policies/delete | Deletes the policy configuration at the GraphQL Api. | +> | Microsoft.ApiManagement/service/tenants/apis/revisions/read | Lists all revisions of an API. 
| +> | Microsoft.ApiManagement/service/tenants/apis/revisions/delete | Removes all revisions of an API | +> | Microsoft.ApiManagement/service/tenants/apis/schemas/read | Get the schema configuration at the API level. or Get the schema configuration at the API level. | +> | Microsoft.ApiManagement/service/tenants/apis/schemas/write | Creates or updates schema configuration for the API. | +> | Microsoft.ApiManagement/service/tenants/apis/schemas/delete | Deletes the schema configuration at the Api. | +> | Microsoft.ApiManagement/service/tenants/apis/tagDescriptions/read | Lists all Tags descriptions in scope of API. Model similar to swagger - tagDescription is defined on API level but tag may be assigned to the Operations or Get Tag description in scope of API | +> | Microsoft.ApiManagement/service/tenants/apis/tagDescriptions/write | Create/Update tag description in scope of the Api. | +> | Microsoft.ApiManagement/service/tenants/apis/tagDescriptions/delete | Delete tag description for the Api. | +> | Microsoft.ApiManagement/service/tenants/apis/tags/read | Lists all Tags associated with the API. or Get tag associated with the API. | +> | Microsoft.ApiManagement/service/tenants/apis/tags/write | Assign tag to the Api. | +> | Microsoft.ApiManagement/service/tenants/apis/tags/delete | Detach the tag from the Api. | +> | Microsoft.ApiManagement/service/tenants/keys/read | Get a list of keys or Get details of key | +> | Microsoft.ApiManagement/service/tenants/keys/write | Create a Key to an existing Existing Entity or Update existing key details. This operation can be used to renew key. | +> | Microsoft.ApiManagement/service/tenants/keys/delete | Delete key. This operation can be used to delete key. 
| +> | Microsoft.ApiManagement/service/tenants/keys/regeneratePrimaryKey/action | Regenerate primary key | +> | Microsoft.ApiManagement/service/tenants/keys/regenerateSecondaryKey/action | Regenerate secondary key | +> | Microsoft.ApiManagement/service/users/read | Lists a collection of registered users in the specified service instance. or Gets the details of the user specified by its identifier. | +> | Microsoft.ApiManagement/service/users/write | Creates or Updates a user. or Updates the details of the user specified by its identifier. | +> | Microsoft.ApiManagement/service/users/delete | Deletes specific user. | +> | Microsoft.ApiManagement/service/users/generateSsoUrl/action | Retrieves a redirection URL containing an authentication token for signing a given user into the developer portal. | +> | Microsoft.ApiManagement/service/users/token/action | Gets the Shared Access Authorization Token for the User. | +> | Microsoft.ApiManagement/service/users/confirmations/send/action | Sends confirmation | +> | Microsoft.ApiManagement/service/users/groups/read | Lists all user groups. | +> | Microsoft.ApiManagement/service/users/identities/read | List of all user identities. | +> | Microsoft.ApiManagement/service/users/keys/read | Get keys associated with user | +> | Microsoft.ApiManagement/service/users/subscriptions/read | Lists the collection of subscriptions of the specified user. | +> | Microsoft.ApiManagement/service/workspaces/read | Lists a collection of Workspaces defined within a service instance. or Gets the details of the Workspace specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/write | Creates Workspace. or Updates the details of the Workspace specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/delete | Deletes specific Workspace of the API Management service instance. 
| +> | Microsoft.ApiManagement/service/workspaces/notifications/action | Sends notification to a specified user | +> | Microsoft.ApiManagement/service/workspaces/apis/read | Lists all APIs of the API Management service instance. or Gets the details of the API specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/apis/write | Creates new or updates existing specified API of the API Management service instance. or Updates the specified API of the API Management service instance. | +> | Microsoft.ApiManagement/service/workspaces/apis/delete | Deletes the specified API of the API Management service instance. | +> | Microsoft.ApiManagement/service/workspaces/apis/diagnostics/read | Lists all diagnostics of an API. or Gets the details of the Diagnostic for an API specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/apis/diagnostics/write | Creates a new Diagnostic for an API or updates an existing one. or Updates the details of the Diagnostic for an API specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/apis/diagnostics/delete | Deletes the specified Diagnostic from an API. | +> | Microsoft.ApiManagement/service/workspaces/apis/operations/read | Lists a collection of the operations for the specified API. or Gets the details of the API Operation specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/apis/operations/write | Creates a new operation in the API or updates an existing one. or Updates the details of the operation in the API specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/apis/operations/delete | Deletes the specified operation in the API. | +> | Microsoft.ApiManagement/service/workspaces/apis/operations/policies/read | Get the list of policy configuration at the API Operation level. or Get the policy configuration at the API Operation level. 
| +> | Microsoft.ApiManagement/service/workspaces/apis/operations/policies/write | Creates or updates policy configuration for the API Operation level. | +> | Microsoft.ApiManagement/service/workspaces/apis/operations/policies/delete | Deletes the policy configuration at the Api Operation. | +> | Microsoft.ApiManagement/service/workspaces/apis/operations/tags/read | Lists all Tags associated with the Operation. or Get tag associated with the Operation. | +> | Microsoft.ApiManagement/service/workspaces/apis/operations/tags/write | Assign tag to the Operation. | +> | Microsoft.ApiManagement/service/workspaces/apis/operations/tags/delete | Detach the tag from the Operation. | +> | Microsoft.ApiManagement/service/workspaces/apis/operationsByTags/read | Lists a collection of operations associated with tags. | +> | Microsoft.ApiManagement/service/workspaces/apis/policies/read | Get the policy configuration at the API level. or Get the policy configuration at the API level. | +> | Microsoft.ApiManagement/service/workspaces/apis/policies/write | Creates or updates policy configuration for the API. | +> | Microsoft.ApiManagement/service/workspaces/apis/policies/delete | Deletes the policy configuration at the Api. | +> | Microsoft.ApiManagement/service/workspaces/apis/products/read | Lists all Products, which the API is part of. | +> | Microsoft.ApiManagement/service/workspaces/apis/releases/read | Lists all releases of an API.<br>An API release is created when making an API Revision current.<br>Releases are also used to rollback to previous revisions.<br>Results will be paged and can be constrained by the $top and $skip parameters.<br>or Returns the details of an API release. | +> | Microsoft.ApiManagement/service/workspaces/apis/releases/delete | Removes all releases of the API or Deletes the specified release in the API. | +> | Microsoft.ApiManagement/service/workspaces/apis/releases/write | Creates a new Release for the API. 
or Updates the details of the release of the API specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/apis/revisions/read | Lists all revisions of an API. | +> | Microsoft.ApiManagement/service/workspaces/apis/schemas/read | Get the schema configuration at the API level. or Get the schema configuration at the API level. | +> | Microsoft.ApiManagement/service/workspaces/apis/schemas/write | Creates or updates schema configuration for the API. | +> | Microsoft.ApiManagement/service/workspaces/apis/schemas/delete | Deletes the schema configuration at the Api. | +> | Microsoft.ApiManagement/service/workspaces/apis/schemas/document/read | Get the document describing the Schema | +> | Microsoft.ApiManagement/service/workspaces/apis/schemas/document/write | Update the document describing the Schema | +> | Microsoft.ApiManagement/service/workspaces/apis/tags/read | Lists all Tags associated with the API. or Get tag associated with the API. | +> | Microsoft.ApiManagement/service/workspaces/apis/tags/write | Assign tag to the Api. | +> | Microsoft.ApiManagement/service/workspaces/apis/tags/delete | Detach the tag from the Api. | +> | Microsoft.ApiManagement/service/workspaces/apiVersionSets/read | Lists a collection of API Version Sets in the specified service instance. or Gets the details of the Api Version Set specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/apiVersionSets/write | Creates or Updates a Api Version Set. or Updates the details of the Api VersionSet specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/apiVersionSets/delete | Deletes specific Api Version Set. | +> | Microsoft.ApiManagement/service/workspaces/apiVersionSets/versions/read | Get list of version entities | +> | Microsoft.ApiManagement/service/workspaces/backends/read | Lists a collection of backed in the specified service instance. or Gets the details of the backend specified by its identifier. 
| +> | Microsoft.ApiManagement/service/workspaces/backends/write | Creates or Updates a Api Version Set. or Updates the details of the backend specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/backends/delete | Deletes specific Api Version Set. | +> | Microsoft.ApiManagement/service/workspaces/backends/reconnect/action | Notifies the APIM proxy to create a new connection to the backend after the specified timeout. If no timeout was specified, timeout of 2 minutes is used. | +> | Microsoft.ApiManagement/service/workspaces/certificates/read | Lists a collection of all certificates in the specified workspace or Gets the details of the certificate specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/certificates/write | Creates or updates the certificate being used for authentication with the backend. | +> | Microsoft.ApiManagement/service/workspaces/certificates/delete | Deletes specific certificate. | +> | Microsoft.ApiManagement/service/workspaces/certificates/refreshSecret/action | Refreshes certificate by fetching it from Key Vault. | +> | Microsoft.ApiManagement/service/workspaces/diagnostics/read | Lists all diagnostics of a workspace. or Gets the details of the Diagnostic for a workspace specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/diagnostics/write | Creates a new Diagnostic for a workspace or updates an existing one. or Updates the details of the Diagnostic for a workspace specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/diagnostics/delete | Deletes the specified Diagnostic from a workspace. | +> | Microsoft.ApiManagement/service/workspaces/documentations/read | Lists all Documentations of the API Management service instance. or Gets the details of the documentation specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/documentations/write | Creates or Updates a documentation. 
or Updates the specified documentation of the API Management service instance. | +> | Microsoft.ApiManagement/service/workspaces/documentations/delete | Delete documentation. | +> | Microsoft.ApiManagement/service/workspaces/groups/read | Lists a collection of groups defined within a service instance. or Gets the details of the group specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/groups/write | Creates or Updates a group. or Updates the details of the group specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/groups/delete | Deletes specific group of the API Management service instance. | +> | Microsoft.ApiManagement/service/workspaces/groups/users/read | Lists a collection of user entities associated with the group. | +> | Microsoft.ApiManagement/service/workspaces/groups/users/write | Add existing user to existing group | +> | Microsoft.ApiManagement/service/workspaces/groups/users/delete | Remove existing user from existing group. | +> | Microsoft.ApiManagement/service/workspaces/loggers/read | Lists a collection of loggers in the specified workspace. or Gets the details of the logger specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/loggers/write | Creates or Updates a logger. or Updates an existing logger. | +> | Microsoft.ApiManagement/service/workspaces/loggers/delete | Deletes the specified logger. | +> | Microsoft.ApiManagement/service/workspaces/namedValues/read | Lists a collection of named values defined within a service instance. or Gets the details of the named value specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/namedValues/write | Creates or updates named value. or Updates the specific named value. | +> | Microsoft.ApiManagement/service/workspaces/namedValues/delete | Deletes specific named value from the API Management service instance. 
| +> | Microsoft.ApiManagement/service/workspaces/namedValues/listValue/action | Gets the secret of the named value specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/namedValues/refreshSecret/action | Refreshes named value by fetching it from Key Vault. | +> | Microsoft.ApiManagement/service/workspaces/notifications/read | Lists a collection of properties defined within a service instance. or Gets the details of the Notification specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/notifications/write | Create or Update API Management publisher notification. | +> | Microsoft.ApiManagement/service/workspaces/notifications/recipientEmails/read | Gets the list of the Notification Recipient Emails subscribed to a notification. | +> | Microsoft.ApiManagement/service/workspaces/notifications/recipientEmails/write | Adds the Email address to the list of Recipients for the Notification. | +> | Microsoft.ApiManagement/service/workspaces/notifications/recipientEmails/delete | Removes the email from the list of Notification. | +> | Microsoft.ApiManagement/service/workspaces/notifications/recipientUsers/read | Gets the list of the Notification Recipient User subscribed to the notification. | +> | Microsoft.ApiManagement/service/workspaces/notifications/recipientUsers/write | Adds the API Management User to the list of Recipients for the Notification. | +> | Microsoft.ApiManagement/service/workspaces/notifications/recipientUsers/delete | Removes the API Management user from the list of Notification. | +> | Microsoft.ApiManagement/service/workspaces/policies/read | Get the policy configuration at the Workspace level. or Get the policy configuration at the Workspace level. | +> | Microsoft.ApiManagement/service/workspaces/policies/write | Creates or updates policy configuration for the Workspace. | +> | Microsoft.ApiManagement/service/workspaces/policies/delete | Deletes the policy configuration at the Workspace. 
| +> | Microsoft.ApiManagement/service/workspaces/policyFragments/read | Gets all policy fragments. or Gets a policy fragment. | +> | Microsoft.ApiManagement/service/workspaces/policyFragments/write | Creates or updates a policy fragment. | +> | Microsoft.ApiManagement/service/workspaces/policyFragments/delete | Deletes a policy fragment. | +> | Microsoft.ApiManagement/service/workspaces/policyFragments/listReferences/action | Lists policy resources that reference the policy fragment. | +> | Microsoft.ApiManagement/service/workspaces/products/read | Lists a collection of products in the specified service instance. or Gets the details of the product specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/products/write | Creates or Updates a product. or Update existing product details. | +> | Microsoft.ApiManagement/service/workspaces/products/delete | Delete product. | +> | Microsoft.ApiManagement/service/workspaces/products/apiLinks/read | Lists a collection of product-API links in the specified service instance. or Get product-API details. | +> | Microsoft.ApiManagement/service/workspaces/products/apiLinks/write | Creates or Updates a product-API link. | +> | Microsoft.ApiManagement/service/workspaces/products/apiLinks/delete | Delete product-API link. | +> | Microsoft.ApiManagement/service/workspaces/products/apis/read | Lists a collection of the APIs associated with a product. | +> | Microsoft.ApiManagement/service/workspaces/products/apis/write | Adds an API to the specified product. | +> | Microsoft.ApiManagement/service/workspaces/products/apis/delete | Deletes the specified API from the specified product. | +> | Microsoft.ApiManagement/service/workspaces/products/groupLinks/read | Lists a collection of product-group links in the specified service instance. or Get product-group details. | +> | Microsoft.ApiManagement/service/workspaces/products/groupLinks/write | Creates or Updates a product-group link. 
| +> | Microsoft.ApiManagement/service/workspaces/products/groupLinks/delete | Delete product-group link. | +> | Microsoft.ApiManagement/service/workspaces/products/groups/read | Lists the collection of developer groups associated with the specified product. | +> | Microsoft.ApiManagement/service/workspaces/products/groups/write | Adds the association between the specified developer group with the specified product. | +> | Microsoft.ApiManagement/service/workspaces/products/groups/delete | Deletes the association between the specified group and product. | +> | Microsoft.ApiManagement/service/workspaces/products/policies/read | Get the policy configuration at the Product level. or Get the policy configuration at the Product level. | +> | Microsoft.ApiManagement/service/workspaces/products/policies/write | Creates or updates policy configuration for the Product. | +> | Microsoft.ApiManagement/service/workspaces/products/policies/delete | Deletes the policy configuration at the Product. | +> | Microsoft.ApiManagement/service/workspaces/products/subscriptions/read | Lists the collection of subscriptions to the specified product. | +> | Microsoft.ApiManagement/service/workspaces/products/tags/read | Lists all Tags associated with the Product. or Get tag associated with the Product. | +> | Microsoft.ApiManagement/service/workspaces/products/tags/write | Assign tag to the Product. | +> | Microsoft.ApiManagement/service/workspaces/products/tags/delete | Detach the tag from the Product. | +> | Microsoft.ApiManagement/service/workspaces/schemas/read | Lists a collection of schemas registered. or Gets the details of the Schema specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/schemas/write | Creates or updates an Schema to be used in Api Management instance. | +> | Microsoft.ApiManagement/service/workspaces/schemas/delete | Deletes specific Schema. 
| +> | Microsoft.ApiManagement/service/workspaces/subscriptions/read | Lists all subscriptions of the API Management service instance. or Gets the specified Subscription entity (without keys). | +> | Microsoft.ApiManagement/service/workspaces/subscriptions/write | Creates or updates the subscription of specified user to the specified product. or Updates the details of a subscription specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/subscriptions/delete | Deletes the specified subscription. | +> | Microsoft.ApiManagement/service/workspaces/subscriptions/regeneratePrimaryKey/action | Regenerates primary key of existing subscription of the API Management service instance. | +> | Microsoft.ApiManagement/service/workspaces/subscriptions/regenerateSecondaryKey/action | Regenerates secondary key of existing subscription of the API Management service instance. | +> | Microsoft.ApiManagement/service/workspaces/subscriptions/listSecrets/action | Gets the specified Subscription keys. | +> | Microsoft.ApiManagement/service/workspaces/tags/read | Lists a collection of tags defined within a service instance. or Gets the details of the tag specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/tags/write | Creates a tag. or Updates the details of the tag specified by its identifier. | +> | Microsoft.ApiManagement/service/workspaces/tags/delete | Deletes specific tag of the API Management service instance. | +> | Microsoft.ApiManagement/service/workspaces/tags/apiLinks/read | Lists a collection of Tag-API links in the specified service instance. or Get Tag-API details. | +> | Microsoft.ApiManagement/service/workspaces/tags/apiLinks/write | Creates or Updates a Tag-API link. | +> | Microsoft.ApiManagement/service/workspaces/tags/apiLinks/delete | Delete Tag-API link. | +> | Microsoft.ApiManagement/service/workspaces/tags/operationLinks/read | Lists a collection of Tag-operation links in the specified service instance. 
or Get Tag-operation details. | +> | Microsoft.ApiManagement/service/workspaces/tags/operationLinks/write | Creates or Updates a Tag-operation link. | +> | Microsoft.ApiManagement/service/workspaces/tags/operationLinks/delete | Delete Tag-operation link. | +> | Microsoft.ApiManagement/service/workspaces/tags/productLinks/read | Lists a collection of Tag-product links in the specified service instance. or Get Tag-product details. | +> | Microsoft.ApiManagement/service/workspaces/tags/productLinks/write | Creates or Updates a Tag-product link. | +> | Microsoft.ApiManagement/service/workspaces/tags/productLinks/delete | Delete Tag-product link. | +> | **DataAction** | **Description** | +> | Microsoft.ApiManagement/service/gateways/getConfiguration/action | Fetches configuration for specified self-hosted gateway | ++## Microsoft.AppConfiguration ++Azure service: core ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.AppConfiguration/register/action | Registers a subscription to use Microsoft App Configuration. | +> | Microsoft.AppConfiguration/unregister/action | Unregisters a subscription from using Microsoft App Configuration. | +> | Microsoft.AppConfiguration/checkNameAvailability/read | Check whether the resource name is available for use. | +> | Microsoft.AppConfiguration/configurationStores/read | Gets the properties of the specified configuration store or lists all the configuration stores under the specified resource group or subscription. | +> | Microsoft.AppConfiguration/configurationStores/write | Create or update a configuration store with the specified parameters. | +> | Microsoft.AppConfiguration/configurationStores/delete | Deletes a configuration store. | +> | Microsoft.AppConfiguration/configurationStores/ListKeys/action | Lists the API keys for the specified configuration store. 
| +> | Microsoft.AppConfiguration/configurationStores/RegenerateKey/action | Regenerates of the API key's for the specified configuration store. | +> | Microsoft.AppConfiguration/configurationStores/ListKeyValue/action | Lists a key-value for the specified configuration store. | +> | Microsoft.AppConfiguration/configurationStores/PrivateEndpointConnectionsApproval/action | Auto-Approve a private endpoint connection under the specified configuration store. | +> | Microsoft.AppConfiguration/configurationStores/joinPerimeter/action | Determines if a user is allowed to associate an Azure App Configuration with a Network Security Perimeter. | +> | Microsoft.AppConfiguration/configurationStores/eventGridFilters/read | Gets the properties of the specified configuration store event grid filter or lists all the configuration store event grid filters under the specified configuration store. | +> | Microsoft.AppConfiguration/configurationStores/eventGridFilters/write | Create or update a configuration store event grid filter with the specified parameters. | +> | Microsoft.AppConfiguration/configurationStores/eventGridFilters/delete | Deletes a configuration store event grid filter. | +> | Microsoft.AppConfiguration/configurationStores/networkSecurityPerimeterAssociationProxies/read | Get the properties of the specific network security perimeter association proxy or lists all the network security perimeter association proxies under the specified configuration store. | +> | Microsoft.AppConfiguration/configurationStores/networkSecurityPerimeterAssociationProxies/write | Create or update a network security perimeter association proxy under the specified configuration store. | +> | Microsoft.AppConfiguration/configurationStores/networkSecurityPerimeterAssociationProxies/delete | Delete a network security perimeter association proxy under the specified configuration store. 
| +> | Microsoft.AppConfiguration/configurationStores/networkSecurityPerimeterConfigurations/read | Get the properties of the specific network security perimeter configuration or lists all the network security perimeter configurations under the specified configuration store. | +> | Microsoft.AppConfiguration/configurationStores/networkSecurityPerimeterConfigurations/reconcile/action | Reconcile a network security perimeter configuration under the specified configuration store. | +> | Microsoft.AppConfiguration/configurationStores/privateEndpointConnectionProxies/validate/action | Validate a private endpoint connection proxy under the specified configuration store. | +> | Microsoft.AppConfiguration/configurationStores/privateEndpointConnectionProxies/read | Get a private endpoint connection proxy under the specified configuration store. | +> | Microsoft.AppConfiguration/configurationStores/privateEndpointConnectionProxies/write | Create or update a private endpoint connection proxy under the specified configuration store. | +> | Microsoft.AppConfiguration/configurationStores/privateEndpointConnectionProxies/delete | Delete a private endpoint connection proxy under the specified configuration store. | +> | Microsoft.AppConfiguration/configurationStores/privateEndpointConnections/read | Get a private endpoint connection or list private endpoint connections under the specified configuration store. | +> | Microsoft.AppConfiguration/configurationStores/privateEndpointConnections/write | Approve or reject a private endpoint connection under the specified configuration store. | +> | Microsoft.AppConfiguration/configurationStores/privateEndpointConnections/delete | Delete a private endpoint connection under the specified configuration store. | +> | Microsoft.AppConfiguration/configurationStores/privateLinkResources/read | Lists all the private link resources under the specified configuration store. 
| +> | Microsoft.AppConfiguration/configurationStores/providers/Microsoft.Insights/diagnosticSettings/read | Read all Diagnostic Settings values for a Configuration Store. | +> | Microsoft.AppConfiguration/configurationStores/providers/Microsoft.Insights/diagnosticSettings/write | Write/Overwrite Diagnostic Settings for Microsoft App Configuration. | +> | Microsoft.AppConfiguration/configurationStores/providers/Microsoft.Insights/logDefinitions/read | Retrieve all log definitions for Microsoft App Configuration. | +> | Microsoft.AppConfiguration/configurationStores/providers/Microsoft.Insights/metricDefinitions/read | Retrieve all metric definitions for Microsoft App Configuration. | +> | Microsoft.AppConfiguration/configurationStores/replicas/read | Gets the properties of the specified replica or lists all the replicas under the specified configuration store. | +> | Microsoft.AppConfiguration/configurationStores/replicas/write | Creates a replica with the specified parameters. | +> | Microsoft.AppConfiguration/configurationStores/replicas/delete | Deletes a replica. | +> | Microsoft.AppConfiguration/locations/notifyNetworkSecurityPerimeterUpdatesAvailable/action | Receive network security perimeter update notifications. | +> | Microsoft.AppConfiguration/locations/checkNameAvailability/read | Check whether the resource name is available for use. | +> | Microsoft.AppConfiguration/locations/deletedConfigurationStores/read | Gets the properties of the specified deleted configuration store or lists all the deleted configuration stores under the specified subscription. | +> | Microsoft.AppConfiguration/locations/deletedConfigurationStores/purge/action | Purge the specified deleted configuration store. | +> | Microsoft.AppConfiguration/locations/operationsStatus/read | Get the status of an operation. | +> | Microsoft.AppConfiguration/operations/read | Lists all of the operations supported by Microsoft App Configuration. 
| +> | **DataAction** | **Description** | +> | Microsoft.AppConfiguration/configurationStores/keyValues/read | Reads a key-value from the configuration store. | +> | Microsoft.AppConfiguration/configurationStores/keyValues/write | Creates or updates a key-value in the configuration store. | +> | Microsoft.AppConfiguration/configurationStores/keyValues/delete | Deletes an existing key-value from the configuration store. | +> | Microsoft.AppConfiguration/configurationStores/snapshots/read | Reads a snapshot from the configuration store. | +> | Microsoft.AppConfiguration/configurationStores/snapshots/write | Creates or updates a snapshot in the configuration store. | +> | Microsoft.AppConfiguration/configurationStores/snapshots/archive/action | Modifies archival state for an existing snapshot in the configuration store. | ++## Microsoft.AVS ++Azure service: [Azure VMware Solution](/azure/azure-vmware/introduction) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.AVS/register/action | Register Subscription for Microsoft.AVS resource provider. | +> | Microsoft.AVS/unregister/action | Unregister Subscription for Microsoft.AVS resource provider. | +> | Microsoft.AVS/checkNameAvailability/read | Checks if the privateCloud Name is available | +> | Microsoft.AVS/locations/checkNameAvailability/read | Checks if the privateCloud Name is available | +> | Microsoft.AVS/locations/checkQuotaAvailability/read | Checks if quota is available for the subscription | +> | Microsoft.AVS/locations/checkTrialAvailability/read | Checks if trial is available for the subscription | +> | Microsoft.AVS/operations/read | Lists operations available on Microsoft.AVS resource provider. | +> | Microsoft.AVS/privateClouds/register/action | Registers the Microsoft Microsoft.AVS resource provider and enables creation of Private Clouds. | +> | Microsoft.AVS/privateClouds/write | Creates or updates a PrivateCloud resource. 
| +> | Microsoft.AVS/privateClouds/read | Gets the settings for the specified PrivateCloud. | +> | Microsoft.AVS/privateClouds/delete | Delete a specific PrivateCloud. | +> | Microsoft.AVS/privateClouds/addOns/read | Read addOns. | +> | Microsoft.AVS/privateClouds/addOns/write | Write addOns. | +> | Microsoft.AVS/privateClouds/addOns/delete | Delete addOns. | +> | Microsoft.AVS/privateClouds/addOns/operationStatuses/read | Read addOns operationStatuses. | +> | Microsoft.AVS/privateClouds/authorizations/read | Gets the authorization settings for a PrivateCloud cluster. | +> | Microsoft.AVS/privateClouds/authorizations/write | Create or update a PrivateCloud authorization resource. | +> | Microsoft.AVS/privateClouds/authorizations/delete | Delete a specific PrivateCloud authorization. | +> | Microsoft.AVS/privateClouds/clusters/read | Gets the cluster settings for a PrivateCloud cluster. | +> | Microsoft.AVS/privateClouds/clusters/write | Create or update a PrivateCloud cluster resource. | +> | Microsoft.AVS/privateClouds/clusters/delete | Delete a specific PrivateCloud cluster. | +> | Microsoft.AVS/privateClouds/clusters/datastores/read | Get the datastore properties in a private cloud cluster. | +> | Microsoft.AVS/privateClouds/clusters/datastores/write | Create or update datastore in private cloud cluster. | +> | Microsoft.AVS/privateClouds/clusters/datastores/delete | Delete datastore in private cloud cluster. | +> | Microsoft.AVS/privateclouds/clusters/datastores/operationresults/read | Read privateClouds/clusters/datastores operationresults. | +> | Microsoft.AVS/privateClouds/clusters/datastores/operationstatuses/read | Read privateClouds/clusters/datastores operationstatuses. | +> | Microsoft.AVS/privateclouds/clusters/operationresults/read | Reads privateClouds/clusters operationresults. | +> | Microsoft.AVS/privateClouds/clusters/operationstatuses/read | Reads privateClouds/clusters operationstatuses. 
| +> | Microsoft.AVS/privateClouds/globalReachConnections/delete | Delete globalReachConnections. | +> | Microsoft.AVS/privateClouds/globalReachConnections/write | Write globalReachConnections. | +> | Microsoft.AVS/privateClouds/globalReachConnections/read | Read globalReachConnections. | +> | Microsoft.AVS/privateClouds/globalReachConnections/operationStatuses/read | Read globalReachConnections operationStatuses. | +> | Microsoft.AVS/privateClouds/hcxEnterpriseSites/read | Gets the hcxEnterpriseSites for a PrivateCloud. | +> | Microsoft.AVS/privateClouds/hcxEnterpriseSites/write | Create or update a hcxEnterpriseSites. | +> | Microsoft.AVS/privateClouds/hcxEnterpriseSites/delete | Delete a specific hcxEnterpriseSites. | +> | Microsoft.AVS/privateClouds/hostInstances/read | Gets the hostInstances for a PrivateCloud. | +> | Microsoft.AVS/privateClouds/hostInstances/write | Create or update a hostInstances. | +> | Microsoft.AVS/privateClouds/hostInstances/delete | Delete a specific hostInstances. | +> | Microsoft.AVS/privateClouds/operationresults/read | Reads privateClouds operationresults. | +> | Microsoft.AVS/privateClouds/operationstatuses/read | Reads privateClouds operationstatuses. | +> | Microsoft.AVS/privateClouds/workloadNetworks/dhcpConfigurations/delete | Delete dhcpConfigurations. | +> | Microsoft.AVS/privateClouds/workloadNetworks/dhcpConfigurations/write | Write dhcpConfigurations. | +> | Microsoft.AVS/privateClouds/workloadNetworks/dhcpConfigurations/read | Read dhcpConfigurations. | +> | Microsoft.AVS/privateClouds/workloadNetworks/dhcpConfigurations/operationStatuses/read | Read dhcpConfigurations operationStatuses. | +> | Microsoft.AVS/privateClouds/workloadNetworks/dnsServices/delete | Delete dnsServices. | +> | Microsoft.AVS/privateClouds/workloadNetworks/dnsServices/write | Write dnsServices. | +> | Microsoft.AVS/privateClouds/workloadNetworks/dnsServices/read | Read dnsServices. 
| +> | Microsoft.AVS/privateClouds/workloadNetworks/dnsServices/operationStatuses/read | Read dnsServices operationStatuses. | +> | Microsoft.AVS/privateClouds/workloadNetworks/dnsZones/delete | Delete dnsZones. | +> | Microsoft.AVS/privateClouds/workloadNetworks/dnsZones/write | Write dnsZones. | +> | Microsoft.AVS/privateClouds/workloadNetworks/dnsZones/read | Read dnsZones. | +> | Microsoft.AVS/privateClouds/workloadNetworks/dnsZones/operationStatuses/read | Read dnsZones operationStatuses. | +> | Microsoft.AVS/privateClouds/workloadNetworks/gateways/read | Read gateways. | +> | Microsoft.AVS/privateClouds/workloadNetworks/portMirroringProfiles/delete | Delete portMirroringProfiles. | +> | Microsoft.AVS/privateClouds/workloadNetworks/portMirroringProfiles/write | Write portMirroringProfiles. | +> | Microsoft.AVS/privateClouds/workloadNetworks/portMirroringProfiles/read | Read portMirroringProfiles. | +> | Microsoft.AVS/privateClouds/workloadNetworks/portMirroringProfiles/operationStatuses/read | Read portMirroringProfiles operationStatuses. | +> | Microsoft.AVS/privateClouds/workloadNetworks/segments/delete | Delete segments. | +> | Microsoft.AVS/privateClouds/workloadNetworks/segments/write | Write segments. | +> | Microsoft.AVS/privateClouds/workloadNetworks/segments/read | Read segments. | +> | Microsoft.AVS/privateClouds/workloadNetworks/segments/operationStatuses/read | Read segments operationStatuses. | +> | Microsoft.AVS/privateClouds/workloadNetworks/virtualMachines/read | Read virtualMachines. | +> | Microsoft.AVS/privateClouds/workloadNetworks/vmGroups/delete | Delete vmGroups. | +> | Microsoft.AVS/privateClouds/workloadNetworks/vmGroups/write | Write vmGroups. | +> | Microsoft.AVS/privateClouds/workloadNetworks/vmGroups/read | Read vmGroups. | +> | Microsoft.AVS/privateClouds/workloadNetworks/vmGroups/operationStatuses/read | Read vmGroups operationStatuses. 
| +> | **DataAction** | **Description** | +> | Microsoft.AVS/privateClouds/listAdminCredentials/action | Lists the AdminCredentials for privateClouds. | +> | Microsoft.AVS/privateClouds/rotateVcenterPassword/action | Rotate Vcenter password for the PrivateCloud. | +> | Microsoft.AVS/privateClouds/rotateNsxtPassword/action | Rotate Nsxt CloudAdmin password for the PrivateCloud. | +> | Microsoft.AVS/privateClouds/rotateNsxtCloudAdminPassword/action | Rotate Nsxt CloudAdmin password for the PrivateCloud. | ++## Microsoft.DataCatalog ++Azure service: [Data Catalog](/azure/data-catalog/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.DataCatalog/checkNameAvailability/action | Checks catalog name availability for tenant. | +> | Microsoft.DataCatalog/register/action | Registers subscription with Microsoft.DataCatalog resource provider. | +> | Microsoft.DataCatalog/unregister/action | Unregisters subscription from Microsoft.DataCatalog resource provider. | +> | Microsoft.DataCatalog/catalogs/read | Get properties for catalog or catalogs under subscription or resource group. | +> | Microsoft.DataCatalog/catalogs/write | Creates catalog or updates the tags and properties for the catalog. | +> | Microsoft.DataCatalog/catalogs/delete | Deletes the catalog. | +> | Microsoft.DataCatalog/operations/read | Lists operations available on Microsoft.DataCatalog resource provider. | ++## Microsoft.EventGrid ++Azure service: [Event Grid](/azure/event-grid/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.EventGrid/register/action | Registers the subscription for the EventGrid resource provider. | +> | Microsoft.EventGrid/unregister/action | Unregisters the subscription for the EventGrid resource provider. 
| +> | Microsoft.EventGrid/domains/write | Create or update a domain | +> | Microsoft.EventGrid/domains/read | Read a domain | +> | Microsoft.EventGrid/domains/delete | Delete a domain | +> | Microsoft.EventGrid/domains/listKeys/action | List keys for a domain | +> | Microsoft.EventGrid/domains/regenerateKey/action | Regenerate key for a domain | +> | Microsoft.EventGrid/domains/PrivateEndpointConnectionsApproval/action | Approve PrivateEndpointConnections for domains | +> | Microsoft.EventGrid/domains/eventSubscriptions/write | Create or update a Domain eventSubscription | +> | Microsoft.EventGrid/domains/eventSubscriptions/read | Read a Domain eventSubscription | +> | Microsoft.EventGrid/domains/eventSubscriptions/delete | Delete a Domain eventSubscription | +> | Microsoft.EventGrid/domains/eventSubscriptions/getFullUrl/action | Get full url for the Domain event subscription | +> | Microsoft.EventGrid/domains/eventSubscriptions/getDeliveryAttributes/action | Get Domain EventSubscription Delivery Attributes | +> | Microsoft.EventGrid/domains/networkSecurityPerimeterAssociationProxies/read | Read NspAssociationProxies for domains | +> | Microsoft.EventGrid/domains/networkSecurityPerimeterAssociationProxies/write | Write NspAssociationProxies for domains | +> | Microsoft.EventGrid/domains/networkSecurityPerimeterAssociationProxies/delete | Delete NspAssociationProxies for domains | +> | Microsoft.EventGrid/domains/networkSecurityPerimeterConfigurations/read | Read NspConfiguration for domains | +> | Microsoft.EventGrid/domains/privateEndpointConnectionProxies/validate/action | Validate PrivateEndpointConnectionProxies for domains | +> | Microsoft.EventGrid/domains/privateEndpointConnectionProxies/read | Read PrivateEndpointConnectionProxies for domains | +> | Microsoft.EventGrid/domains/privateEndpointConnectionProxies/write | Write PrivateEndpointConnectionProxies for domains | +> | Microsoft.EventGrid/domains/privateEndpointConnectionProxies/delete | Delete 
PrivateEndpointConnectionProxies for domains | +> | Microsoft.EventGrid/domains/privateEndpointConnections/read | Read PrivateEndpointConnections for domains | +> | Microsoft.EventGrid/domains/privateEndpointConnections/write | Write PrivateEndpointConnections for domains | +> | Microsoft.EventGrid/domains/privateEndpointConnections/delete | Delete PrivateEndpointConnections for domains | +> | Microsoft.EventGrid/domains/privateLinkResources/read | Get or List PrivateLinkResources for domains | +> | Microsoft.EventGrid/domains/providers/Microsoft.Insights/logDefinitions/read | Allows access to diagnostic logs | +> | Microsoft.EventGrid/domains/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for domains | +> | Microsoft.EventGrid/domains/topics/read | Read a domain topic | +> | Microsoft.EventGrid/domains/topics/write | Create or update a domain topic | +> | Microsoft.EventGrid/domains/topics/delete | Delete a domain topic | +> | Microsoft.EventGrid/domains/topics/eventSubscriptions/write | Create or update a DomainTopic eventSubscription | +> | Microsoft.EventGrid/domains/topics/eventSubscriptions/read | Read a DomainTopic eventSubscription | +> | Microsoft.EventGrid/domains/topics/eventSubscriptions/delete | Delete a DomainTopic eventSubscription | +> | Microsoft.EventGrid/domains/topics/eventSubscriptions/getFullUrl/action | Get full url for the DomainTopic event subscription | +> | Microsoft.EventGrid/domains/topics/eventSubscriptions/getDeliveryAttributes/action | Get DomainTopic EventSubscription Delivery Attributes | +> | Microsoft.EventGrid/eventSubscriptions/write | Create or update an eventSubscription | +> | Microsoft.EventGrid/eventSubscriptions/read | Read an eventSubscription | +> | Microsoft.EventGrid/eventSubscriptions/delete | Delete an eventSubscription | +> | Microsoft.EventGrid/eventSubscriptions/getFullUrl/action | Get full url for the event subscription | +> | 
Microsoft.EventGrid/eventSubscriptions/getDeliveryAttributes/action | Get EventSubscription Delivery Attributes | +> | Microsoft.EventGrid/eventSubscriptions/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for event subscriptions | +> | Microsoft.EventGrid/eventSubscriptions/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for event subscriptions | +> | Microsoft.EventGrid/eventSubscriptions/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for eventSubscriptions | +> | Microsoft.EventGrid/extensionTopics/read | Read an extensionTopic. | +> | Microsoft.EventGrid/extensionTopics/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for topics | +> | Microsoft.EventGrid/extensionTopics/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for topics | +> | Microsoft.EventGrid/extensionTopics/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for topics | +> | Microsoft.EventGrid/locations/notifyNetworkSecurityPerimeterUpdatesAvailable/action | Upate notifications for network security perimeter | +> | Microsoft.EventGrid/locations/eventSubscriptions/read | List regional event subscriptions | +> | Microsoft.EventGrid/locations/operationResults/read | Read the result of a regional operation | +> | Microsoft.EventGrid/locations/operationsStatus/read | Read the status of a regional operation | +> | Microsoft.EventGrid/locations/topictypes/eventSubscriptions/read | List regional event subscriptions by topictype | +> | Microsoft.EventGrid/namespaces/write | Create or update a namespace | +> | Microsoft.EventGrid/namespaces/read | Read a namespace | +> | Microsoft.EventGrid/namespaces/delete | Delete a namespace | +> | Microsoft.EventGrid/namespaces/listKeys/action | List keys for a namespace | +> | Microsoft.EventGrid/namespaces/regenerateKey/action | 
Regenerate key for a namespace | +> | Microsoft.EventGrid/namespaces/PrivateEndpointConnectionsApproval/action | Approve PrivateEndpointConnections for namespaces | +> | Microsoft.EventGrid/namespaces/caCertificates/read | Read a CA Certificate | +> | Microsoft.EventGrid/namespaces/caCertificates/write | Create or update a CA Certificate | +> | Microsoft.EventGrid/namespaces/caCertificates/delete | Delete a CA Certificate | +> | Microsoft.EventGrid/namespaces/clientGroups/read | Read a client group | +> | Microsoft.EventGrid/namespaces/clientGroups/write | Create or update a client group | +> | Microsoft.EventGrid/namespaces/clientGroups/delete | Delete a client group | +> | Microsoft.EventGrid/namespaces/clients/read | Read a client | +> | Microsoft.EventGrid/namespaces/clients/write | Create or update a client | +> | Microsoft.EventGrid/namespaces/clients/delete | Delete a client | +> | Microsoft.EventGrid/namespaces/permissionBindings/read | Read a Permission Binding | +> | Microsoft.EventGrid/namespaces/permissionBindings/write | Create or update a Permission Binding | +> | Microsoft.EventGrid/namespaces/permissionBindings/delete | Delete a Permission Binding | +> | Microsoft.EventGrid/namespaces/privateEndpointConnectionProxies/validate/action | Validate PrivateEndpointConnectionProxies for namespaces | +> | Microsoft.EventGrid/namespaces/privateEndpointConnectionProxies/read | Read PrivateEndpointConnectionProxies for namespaces | +> | Microsoft.EventGrid/namespaces/privateEndpointConnectionProxies/write | Write PrivateEndpointConnectionProxies for namespaces | +> | Microsoft.EventGrid/namespaces/privateEndpointConnectionProxies/delete | Delete PrivateEndpointConnectionProxies for namespaces | +> | Microsoft.EventGrid/namespaces/privateEndpointConnections/read | Read PrivateEndpointConnections for namespaces | +> | Microsoft.EventGrid/namespaces/privateEndpointConnections/write | Write PrivateEndpointConnections for namespaces | +> | 
Microsoft.EventGrid/namespaces/privateEndpointConnections/delete | Delete PrivateEndpointConnections for namespaces | +> | Microsoft.EventGrid/namespaces/privateLinkResources/read | Read PrivateLinkResources for namespaces | +> | Microsoft.EventGrid/namespaces/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for namespaces | +> | Microsoft.EventGrid/namespaces/topics/read | Read a namespace topic | +> | Microsoft.EventGrid/namespaces/topics/write | Create or update a namespace topic | +> | Microsoft.EventGrid/namespaces/topics/delete | Delete a namespace topic | +> | Microsoft.EventGrid/namespaces/topics/listKeys/action | List keys for a namespace topic | +> | Microsoft.EventGrid/namespaces/topics/eventSubscriptions/read | Read a namespace topic event subscription | +> | Microsoft.EventGrid/namespaces/topics/eventSubscriptions/write | Create or update a namespace topic event subscription | +> | Microsoft.EventGrid/namespaces/topics/eventSubscriptions/delete | Delete a namespace topic event subscription | +> | Microsoft.EventGrid/namespaces/topicSpaces/read | Read a Topic Space | +> | Microsoft.EventGrid/namespaces/topicSpaces/write | Create or update a Topic Space | +> | Microsoft.EventGrid/namespaces/topicSpaces/delete | Delete a Topic Space | +> | Microsoft.EventGrid/operationResults/read | Read the result of an operation | +> | Microsoft.EventGrid/operations/read | List EventGrid operations. 
| +> | Microsoft.EventGrid/operationsStatus/read | Read the status of an operation | +> | Microsoft.EventGrid/partnerConfigurations/read | Read a partner configuration | +> | Microsoft.EventGrid/partnerConfigurations/write | Create or update a partner configuration | +> | Microsoft.EventGrid/partnerConfigurations/delete | Delete a partner configuration | +> | Microsoft.EventGrid/partnerConfigurations/authorizePartner/action | Authorize a partner in the partner configuration | +> | Microsoft.EventGrid/partnerConfigurations/unauthorizePartner/action | Unauthorize a partner in the partner configuration | +> | Microsoft.EventGrid/partnerDestinations/read | Read a partner destination | +> | Microsoft.EventGrid/partnerDestinations/write | Create or update a partner destination | +> | Microsoft.EventGrid/partnerDestinations/delete | Delete a partner destination | +> | Microsoft.EventGrid/partnerDestinations/activate/action | Activate a partner destination | +> | Microsoft.EventGrid/partnerDestinations/getPartnerDestinationChannelInfo/action | Get channel details of activated partner destination | +> | Microsoft.EventGrid/partnerDestinations/setToIdleState/action | Set provisioning status of partner destination to idle | +> | Microsoft.EventGrid/partnerDestinations/reLinkPartnerDestination/action | Re-link an idle partner destination to a newly created channel | +> | Microsoft.EventGrid/partnerNamespaces/write | Create or update a partner namespace | +> | Microsoft.EventGrid/partnerNamespaces/read | Read a partner namespace | +> | Microsoft.EventGrid/partnerNamespaces/delete | Delete a partner namespace | +> | Microsoft.EventGrid/partnerNamespaces/listKeys/action | List keys for a partner namespace | +> | Microsoft.EventGrid/partnerNamespaces/regenerateKey/action | Regenerate key for a partner namespace | +> | Microsoft.EventGrid/partnerNamespaces/PrivateEndpointConnectionsApproval/action | Approve PrivateEndpointConnections for partner namespaces | +> | 
Microsoft.EventGrid/partnerNamespaces/channels/read | Read a channel | +> | Microsoft.EventGrid/partnerNamespaces/channels/write | Create or update a channel | +> | Microsoft.EventGrid/partnerNamespaces/channels/delete | Delete a channel | +> | Microsoft.EventGrid/partnerNamespaces/channels/channelReadinessStateChange/action | Change channel readiness state | +> | Microsoft.EventGrid/partnerNamespaces/channels/getFullUrl/action | Get full url for the partner destination channel | +> | Microsoft.EventGrid/partnerNamespaces/channels/SetChannelToIdle/action | Set provisioning status of channel to idle | +> | Microsoft.EventGrid/partnerNamespaces/eventChannels/read | Read an event channel | +> | Microsoft.EventGrid/partnerNamespaces/eventChannels/write | Create or update an event channel | +> | Microsoft.EventGrid/partnerNamespaces/eventChannels/delete | Delete an event channel | +> | Microsoft.EventGrid/partnerNamespaces/eventChannels/channelReadinessStateChange/action | Change event channel readiness state | +> | Microsoft.EventGrid/partnerNamespaces/eventChannels/SetEventChannelToIdle/action | Set provisioning status of event channel to idle | +> | Microsoft.EventGrid/partnerNamespaces/privateEndpointConnectionProxies/validate/action | Validate PrivateEndpointConnectionProxies for partner namespaces | +> | Microsoft.EventGrid/partnerNamespaces/privateEndpointConnectionProxies/read | Read PrivateEndpointConnectionProxies for partner namespaces | +> | Microsoft.EventGrid/partnerNamespaces/privateEndpointConnectionProxies/write | Write PrivateEndpointConnectionProxies for partner namespaces | +> | Microsoft.EventGrid/partnerNamespaces/privateEndpointConnectionProxies/delete | Delete PrivateEndpointConnectionProxies for partner namespaces | +> | Microsoft.EventGrid/partnerNamespaces/privateEndpointConnections/read | Read PrivateEndpointConnections for partner namespaces | +> | Microsoft.EventGrid/partnerNamespaces/privateEndpointConnections/write | Write 
PrivateEndpointConnections for partner namespaces | +> | Microsoft.EventGrid/partnerNamespaces/privateEndpointConnections/delete | Delete PrivateEndpointConnections for partner namespaces | +> | Microsoft.EventGrid/partnerNamespaces/privateLinkResources/read | Read PrivateLinkResources for partner namespaces | +> | Microsoft.EventGrid/partnerNamespaces/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for partner namespaces | +> | Microsoft.EventGrid/partnerNamespaces/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for partner namespaces | +> | Microsoft.EventGrid/partnerNamespaces/providers/Microsoft.Insights/logDefinitions/read | Allows access to diagnostic logs | +> | Microsoft.EventGrid/partnerNamespaces/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for partner namespaces | +> | Microsoft.EventGrid/partnerRegistrations/write | Create or update a partner registration | +> | Microsoft.EventGrid/partnerRegistrations/read | Read a partner registration | +> | Microsoft.EventGrid/partnerRegistrations/delete | Delete a partner registration | +> | Microsoft.EventGrid/partnerTopics/read | Read a partner topic | +> | Microsoft.EventGrid/partnerTopics/write | Create or update a partner topic | +> | Microsoft.EventGrid/partnerTopics/delete | Delete a partner topic | +> | Microsoft.EventGrid/partnerTopics/setToIdleState/action | Set provisioning status of partner topic to idle | +> | Microsoft.EventGrid/partnerTopics/reLinkPartnerTopic/action | Re-link an idle PartnerTopic to a newly created channel | +> | Microsoft.EventGrid/partnerTopics/activate/action | Activate a partner topic | +> | Microsoft.EventGrid/partnerTopics/deactivate/action | Deactivate a partner topic | +> | Microsoft.EventGrid/partnerTopics/eventSubscriptions/write | Create or update a PartnerTopic eventSubscription | +> | Microsoft.EventGrid/partnerTopics/eventSubscriptions/read | Read a 
partner topic event subscription | +> | Microsoft.EventGrid/partnerTopics/eventSubscriptions/delete | Delete a partner topic event subscription | +> | Microsoft.EventGrid/partnerTopics/eventSubscriptions/getFullUrl/action | Get full url for the partner topic event subscription | +> | Microsoft.EventGrid/partnerTopics/eventSubscriptions/getDeliveryAttributes/action | Get PartnerTopic EventSubscription Delivery Attributes | +> | Microsoft.EventGrid/partnerTopics/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for partner topics | +> | Microsoft.EventGrid/partnerTopics/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for partner topics | +> | Microsoft.EventGrid/partnerTopics/providers/Microsoft.Insights/logDefinitions/read | Allows access to diagnostic logs | +> | Microsoft.EventGrid/partnerTopics/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for partner topics | +> | Microsoft.EventGrid/sku/read | Read available Sku Definitions for event grid resources | +> | Microsoft.EventGrid/systemTopics/read | Read a system topic | +> | Microsoft.EventGrid/systemTopics/write | Create or update a system topic | +> | Microsoft.EventGrid/systemTopics/delete | Delete a system topic | +> | Microsoft.EventGrid/systemTopics/eventSubscriptions/write | Create or update a SystemTopic eventSubscription | +> | Microsoft.EventGrid/systemTopics/eventSubscriptions/read | Read a SystemTopic eventSubscription | +> | Microsoft.EventGrid/systemTopics/eventSubscriptions/delete | Delete a SystemTopic eventSubscription | +> | Microsoft.EventGrid/systemTopics/eventSubscriptions/getFullUrl/action | Get full url for the SystemTopic event subscription | +> | Microsoft.EventGrid/systemTopics/eventSubscriptions/getDeliveryAttributes/action | Get SystemTopic EventSubscription Delivery Attributes | +> | Microsoft.EventGrid/systemTopics/providers/Microsoft.Insights/diagnosticSettings/read | 
Gets the diagnostic setting for system topics | +> | Microsoft.EventGrid/systemTopics/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for system topics | +> | Microsoft.EventGrid/systemTopics/providers/Microsoft.Insights/logDefinitions/read | Allows access to diagnostic logs | +> | Microsoft.EventGrid/systemTopics/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for system topics | +> | Microsoft.EventGrid/topics/write | Create or update a topic | +> | Microsoft.EventGrid/topics/read | Read a topic | +> | Microsoft.EventGrid/topics/delete | Delete a topic | +> | Microsoft.EventGrid/topics/listKeys/action | List keys for a topic | +> | Microsoft.EventGrid/topics/regenerateKey/action | Regenerate key for a topic | +> | Microsoft.EventGrid/topics/PrivateEndpointConnectionsApproval/action | Approve PrivateEndpointConnections for topics | +> | Microsoft.EventGrid/topics/eventSubscriptions/write | Create or update a Topic eventSubscription | +> | Microsoft.EventGrid/topics/eventSubscriptions/read | Read a Topic eventSubscription | +> | Microsoft.EventGrid/topics/eventSubscriptions/delete | Delete a Topic eventSubscription | +> | Microsoft.EventGrid/topics/eventSubscriptions/getFullUrl/action | Get full url for the Topic event subscription | +> | Microsoft.EventGrid/topics/eventSubscriptions/getDeliveryAttributes/action | Get Topic EventSubscription Delivery Attributes | +> | Microsoft.EventGrid/topics/networkSecurityPerimeterAssociationProxies/read | Read NspAssociationProxies for topics | +> | Microsoft.EventGrid/topics/networkSecurityPerimeterAssociationProxies/write | Write NspAssociationProxies for topics | +> | Microsoft.EventGrid/topics/networkSecurityPerimeterAssociationProxies/delete | Delete NspAssociationProxies for topics | +> | Microsoft.EventGrid/topics/networkSecurityPerimeterConfigurations/read | Read NspConfiguration for topics | +> | 
Microsoft.EventGrid/topics/privateEndpointConnectionProxies/validate/action | Validate PrivateEndpointConnectionProxies for topics | +> | Microsoft.EventGrid/topics/privateEndpointConnectionProxies/read | Read PrivateEndpointConnectionProxies for topics | +> | Microsoft.EventGrid/topics/privateEndpointConnectionProxies/write | Write PrivateEndpointConnectionProxies for topics | +> | Microsoft.EventGrid/topics/privateEndpointConnectionProxies/delete | Delete PrivateEndpointConnectionProxies for topics | +> | Microsoft.EventGrid/topics/privateEndpointConnections/read | Read PrivateEndpointConnections for topics | +> | Microsoft.EventGrid/topics/privateEndpointConnections/write | Write PrivateEndpointConnections for topics | +> | Microsoft.EventGrid/topics/privateEndpointConnections/delete | Delete PrivateEndpointConnections for topics | +> | Microsoft.EventGrid/topics/privateLinkResources/read | Read PrivateLinkResources for topics | +> | Microsoft.EventGrid/topics/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for topics | +> | Microsoft.EventGrid/topics/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for topics | +> | Microsoft.EventGrid/topics/providers/Microsoft.Insights/logDefinitions/read | Allows access to diagnostic logs | +> | Microsoft.EventGrid/topics/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for topics | +> | Microsoft.EventGrid/topictypes/read | Read a topictype | +> | Microsoft.EventGrid/topictypes/eventSubscriptions/read | List global event subscriptions by topic type | +> | Microsoft.EventGrid/topictypes/eventtypes/read | Read eventtypes supported by a topictype | +> | Microsoft.EventGrid/verifiedPartners/read | Read a verified partner | +> | **DataAction** | **Description** | +> | Microsoft.EventGrid/events/send/action | Send events to topics | +> | Microsoft.EventGrid/events/receive/action | Receive events from namespace 
topics | +> | Microsoft.EventGrid/topicSpaces/subscribe/action | Subscribe to a topic space | +> | Microsoft.EventGrid/topicSpaces/publish/action | Publish to a topic space | ++## Microsoft.HealthcareApis ++Azure service: [Azure API for FHIR](/azure/healthcare-apis/azure-api-for-fhir/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.HealthcareApis/register/action | Subscription Registration Action | +> | Microsoft.HealthcareApis/unregister/action | Unregisters the subscription for the resource provider. | +> | Microsoft.HealthcareApis/checkNameAvailability/read | Checks for the availability of the specified name. | +> | Microsoft.HealthcareApis/locations/checkNameAvailability/read | Checks for the availability of the specified name. | +> | Microsoft.HealthcareApis/locations/operationresults/read | Read the status of an asynchronous operation. | +> | Microsoft.HealthcareApis/Operations/read | Read the operations for all resource types. | +> | Microsoft.HealthcareApis/services/read | Reads resources. | +> | Microsoft.HealthcareApis/services/write | Writes resources. | +> | Microsoft.HealthcareApis/services/delete | Deletes resources. | +> | Microsoft.HealthcareApis/services/privateEndpointConnectionProxies/validate/action | Validate | +> | Microsoft.HealthcareApis/services/privateEndpointConnectionProxies/write | Writes Private Endpoint Connection Proxy resources. | +> | Microsoft.HealthcareApis/services/privateEndpointConnectionProxies/read | Reads Private Endpoint Connection Proxy resources. | +> | Microsoft.HealthcareApis/services/privateEndpointConnectionProxies/delete | Deletes Private Endpoint Connection Proxy resources. | +> | Microsoft.HealthcareApis/services/privateEndpointConnections/read | Reads Private Endpoint Connections resources. | +> | Microsoft.HealthcareApis/services/privateEndpointConnections/write | Writes connection status to Private Endpoint Connection. 
| +> | Microsoft.HealthcareApis/services/privateEndpointConnections/delete | Deletes Private Endpoint Connections. | +> | Microsoft.HealthcareApis/services/privateLinkResources/read | Reads Private Link resources. | +> | Microsoft.HealthcareApis/services/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic settings for Azure API for FHIR | +> | Microsoft.HealthcareApis/services/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic settings for Azure API for FHIR | +> | Microsoft.HealthcareApis/services/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for Azure API for FHIR | +> | Microsoft.HealthcareApis/services/providers/Microsoft.Insights/metricDefinitions/read | Gets the metrics settings for Azure API for FHIR | +> | Microsoft.HealthcareApis/validateMedtechMappings/read | Handles requests related to editing IotConnector mapping files | +> | Microsoft.HealthcareApis/workspaces/read | | +> | Microsoft.HealthcareApis/workspaces/write | | +> | Microsoft.HealthcareApis/workspaces/delete | | +> | Microsoft.HealthcareApis/workspaces/dicomservices/read | | +> | Microsoft.HealthcareApis/workspaces/dicomservices/write | | +> | Microsoft.HealthcareApis/workspaces/dicomservices/delete | | +> | Microsoft.HealthcareApis/workspaces/dicomservices/dicomcasts/read | | +> | Microsoft.HealthcareApis/workspaces/dicomservices/dicomcasts/write | | +> | Microsoft.HealthcareApis/workspaces/dicomservices/dicomcasts/delete | | +> | Microsoft.HealthcareApis/workspaces/dicomservices/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic settings for the Azure service. | +> | Microsoft.HealthcareApis/workspaces/dicomservices/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic settings for the Azure service. 
| +> | Microsoft.HealthcareApis/workspaces/dicomservices/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for the Azure service. | +> | Microsoft.HealthcareApis/workspaces/dicomservices/providers/Microsoft.Insights/metricDefinitions/read | Gets the metrics settings for the Azure service. | +> | Microsoft.HealthcareApis/workspaces/eventGridFilters/read | | +> | Microsoft.HealthcareApis/workspaces/eventGridFilters/write | | +> | Microsoft.HealthcareApis/workspaces/eventGridFilters/delete | | +> | Microsoft.HealthcareApis/workspaces/fhirservices/read | | +> | Microsoft.HealthcareApis/workspaces/fhirservices/write | | +> | Microsoft.HealthcareApis/workspaces/fhirservices/delete | | +> | Microsoft.HealthcareApis/workspaces/fhirservices/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic settings for the Azure service. | +> | Microsoft.HealthcareApis/workspaces/fhirservices/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic settings for the Azure service. | +> | Microsoft.HealthcareApis/workspaces/fhirservices/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for the Azure service. | +> | Microsoft.HealthcareApis/workspaces/fhirservices/providers/Microsoft.Insights/metricDefinitions/read | Gets the metrics settings for the Azure service. 
| +> | Microsoft.HealthcareApis/workspaces/iotconnectors/read | | +> | Microsoft.HealthcareApis/workspaces/iotconnectors/write | | +> | Microsoft.HealthcareApis/workspaces/iotconnectors/delete | | +> | Microsoft.HealthcareApis/workspaces/iotconnectors/destinations/read | | +> | Microsoft.HealthcareApis/workspaces/iotconnectors/destinations/write | | +> | Microsoft.HealthcareApis/workspaces/iotconnectors/destinations/delete | | +> | Microsoft.HealthcareApis/workspaces/iotconnectors/fhirdestinations/read | | +> | Microsoft.HealthcareApis/workspaces/iotconnectors/fhirdestinations/write | | +> | Microsoft.HealthcareApis/workspaces/iotconnectors/fhirdestinations/delete | | +> | Microsoft.HealthcareApis/workspaces/iotconnectors/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic settings for the Azure service. | +> | Microsoft.HealthcareApis/workspaces/iotconnectors/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic settings for the Azure service. | +> | Microsoft.HealthcareApis/workspaces/iotconnectors/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for the Azure service. | +> | Microsoft.HealthcareApis/workspaces/iotconnectors/providers/Microsoft.Insights/metricDefinitions/read | Gets the metrics settings for the Azure service. 
| +> | Microsoft.HealthcareApis/workspaces/privateEndpointConnectionProxies/read | | +> | Microsoft.HealthcareApis/workspaces/privateEndpointConnectionProxies/write | | +> | Microsoft.HealthcareApis/workspaces/privateEndpointConnectionProxies/delete | | +> | Microsoft.HealthcareApis/workspaces/privateEndpointConnectionProxies/validate/action | Validate | +> | Microsoft.HealthcareApis/workspaces/privateEndpointConnections/read | | +> | Microsoft.HealthcareApis/workspaces/privateEndpointConnections/write | | +> | Microsoft.HealthcareApis/workspaces/privateEndpointConnections/delete | | +> | Microsoft.HealthcareApis/workspaces/privateLinkResources/read | Reads Private Link resources. | +> | **DataAction** | **Description** | +> | Microsoft.HealthcareApis/services/fhir/resources/read | Read FHIR resources (includes searching and versioned history). | +> | Microsoft.HealthcareApis/services/fhir/resources/write | Write FHIR resources (includes create and update). | +> | Microsoft.HealthcareApis/services/fhir/resources/delete | Delete FHIR resources (soft delete). | +> | Microsoft.HealthcareApis/services/fhir/resources/hardDelete/action | Hard Delete (including version history). | +> | Microsoft.HealthcareApis/services/fhir/resources/export/action | Export operation ($export). | +> | Microsoft.HealthcareApis/services/fhir/resources/smart/action | Allows user to access FHIR Service according to SMART on FHIR specification. | +> | Microsoft.HealthcareApis/services/fhir/resources/searchParameter/action | Allows running of $status operation for Search Parameters | +> | Microsoft.HealthcareApis/services/fhir/resources/convertData/action | Data convert operation ($convert-data) | +> | Microsoft.HealthcareApis/services/fhir/resources/resourceValidate/action | Validate operation ($validate). | +> | Microsoft.HealthcareApis/services/fhir/resources/reindex/action | Allows user to run Reindex job to index any search parameters that haven't yet been indexed. 
| +> | Microsoft.HealthcareApis/services/fhir/resources/editProfileDefinitions/action | Allows user to perform Create Update Delete operations on profile resources. | +> | Microsoft.HealthcareApis/services/fhir/resources/import/action | Import FHIR resources in batch. | +> | Microsoft.HealthcareApis/workspaces/dicomservices/resources/read | Read DICOM resources (includes searching and change feed). | +> | Microsoft.HealthcareApis/workspaces/dicomservices/resources/write | Write DICOM resources. | +> | Microsoft.HealthcareApis/workspaces/dicomservices/resources/delete | Delete DICOM resources. | +> | Microsoft.HealthcareApis/workspaces/dicomservices/resources/manageExtendedQueryTags/action | Manage DICOM extended query tags. | +> | Microsoft.HealthcareApis/workspaces/dicomservices/resources/export/action | Export resources from the DICOM service. | +> | Microsoft.HealthcareApis/workspaces/fhirservices/resources/read | Read FHIR resources (includes searching and versioned history). | +> | Microsoft.HealthcareApis/workspaces/fhirservices/resources/write | Write FHIR resources (includes create and update). | +> | Microsoft.HealthcareApis/workspaces/fhirservices/resources/delete | Delete FHIR resources (soft delete). | +> | Microsoft.HealthcareApis/workspaces/fhirservices/resources/hardDelete/action | Hard Delete (including version history). | +> | Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action | Export operation ($export). | +> | Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action | Data convert operation ($convert-data) | +> | Microsoft.HealthcareApis/workspaces/fhirservices/resources/resourceValidate/action | Validate operation ($validate). | +> | Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action | Import FHIR resources in batch. | +> | Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action | Allows user to access FHIR Service according to SMART on FHIR specification. 
| +> | Microsoft.HealthcareApis/workspaces/fhirservices/resources/reindex/action | Allows user to run Reindex job to index any search parameters that haven't yet been indexed. | +> | Microsoft.HealthcareApis/workspaces/fhirservices/resources/editProfileDefinitions/action | Allows user to perform Create Update Delete operations on profile resources. | +> | Microsoft.HealthcareApis/workspaces/fhirservices/resources/searchParameter/action | Allows running of $status operation for Search Parameters | ++## Microsoft.Logic ++Azure service: [Logic Apps](/azure/logic-apps/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Logic/register/action | Registers the Microsoft.Logic resource provider for a given subscription. | +> | Microsoft.Logic/integrationAccounts/read | Reads the integration account. | +> | Microsoft.Logic/integrationAccounts/write | Creates or updates the integration account. | +> | Microsoft.Logic/integrationAccounts/delete | Deletes the integration account. | +> | Microsoft.Logic/integrationAccounts/regenerateAccessKey/action | Regenerates the access key secrets. | +> | Microsoft.Logic/integrationAccounts/listCallbackUrl/action | Gets the callback URL for integration account. | +> | Microsoft.Logic/integrationAccounts/listKeyVaultKeys/action | Gets the keys in the key vault. | +> | Microsoft.Logic/integrationAccounts/logTrackingEvents/action | Logs the tracking events in the integration account. | +> | Microsoft.Logic/integrationAccounts/join/action | Joins the Integration Account. | +> | Microsoft.Logic/integrationAccounts/agreements/read | Reads the agreement in integration account. | +> | Microsoft.Logic/integrationAccounts/agreements/write | Creates or updates the agreement in integration account. | +> | Microsoft.Logic/integrationAccounts/agreements/delete | Deletes the agreement in integration account. 
| +> | Microsoft.Logic/integrationAccounts/agreements/listContentCallbackUrl/action | Gets the callback URL for agreement content in integration account. | +> | Microsoft.Logic/integrationAccounts/assemblies/read | Reads the assembly in integration account. | +> | Microsoft.Logic/integrationAccounts/assemblies/write | Creates or updates the assembly in integration account. | +> | Microsoft.Logic/integrationAccounts/assemblies/delete | Deletes the assembly in integration account. | +> | Microsoft.Logic/integrationAccounts/assemblies/listContentCallbackUrl/action | Gets the callback URL for assembly content in integration account. | +> | Microsoft.Logic/integrationAccounts/batchConfigurations/read | Reads the batch configuration in integration account. | +> | Microsoft.Logic/integrationAccounts/batchConfigurations/write | Creates or updates the batch configuration in integration account. | +> | Microsoft.Logic/integrationAccounts/batchConfigurations/delete | Deletes the batch configuration in integration account. | +> | Microsoft.Logic/integrationAccounts/certificates/read | Reads the certificate in integration account. | +> | Microsoft.Logic/integrationAccounts/certificates/write | Creates or updates the certificate in integration account. | +> | Microsoft.Logic/integrationAccounts/certificates/delete | Deletes the certificate in integration account. | +> | Microsoft.Logic/integrationAccounts/groups/read | Reads the group in integration account. | +> | Microsoft.Logic/integrationAccounts/groups/write | Creates or updates the group in integration account. | +> | Microsoft.Logic/integrationAccounts/groups/delete | Deletes the group in integration account. | +> | Microsoft.Logic/integrationAccounts/maps/read | Reads the map in integration account. | +> | Microsoft.Logic/integrationAccounts/maps/write | Creates or updates the map in integration account. | +> | Microsoft.Logic/integrationAccounts/maps/delete | Deletes the map in integration account. 
| +> | Microsoft.Logic/integrationAccounts/maps/listContentCallbackUrl/action | Gets the callback URL for map content in integration account. | +> | Microsoft.Logic/integrationAccounts/partners/read | Reads the partner in integration account. | +> | Microsoft.Logic/integrationAccounts/partners/write | Creates or updates the partner in integration account. | +> | Microsoft.Logic/integrationAccounts/partners/delete | Deletes the partner in integration account. | +> | Microsoft.Logic/integrationAccounts/partners/listContentCallbackUrl/action | Gets the callback URL for partner content in integration account. | +> | Microsoft.Logic/integrationAccounts/providers/Microsoft.Insights/logDefinitions/read | Reads the Integration Account log definitions. | +> | Microsoft.Logic/integrationAccounts/rosettaNetProcessConfigurations/read | Reads the RosettaNet process configuration in integration account. | +> | Microsoft.Logic/integrationAccounts/rosettaNetProcessConfigurations/write | Creates or updates the RosettaNet process configuration in integration account. | +> | Microsoft.Logic/integrationAccounts/rosettaNetProcessConfigurations/delete | Deletes the RosettaNet process configuration in integration account. | +> | Microsoft.Logic/integrationAccounts/schedules/read | Reads the schedule in integration account. | +> | Microsoft.Logic/integrationAccounts/schedules/write | Creates or updates the schedule in integration account. | +> | Microsoft.Logic/integrationAccounts/schedules/delete | Deletes the schedule in integration account. | +> | Microsoft.Logic/integrationAccounts/schemas/read | Reads the schema in integration account. | +> | Microsoft.Logic/integrationAccounts/schemas/write | Creates or updates the schema in integration account. | +> | Microsoft.Logic/integrationAccounts/schemas/delete | Deletes the schema in integration account. 
| +> | Microsoft.Logic/integrationAccounts/schemas/listContentCallbackUrl/action | Gets the callback URL for schema content in integration account. | +> | Microsoft.Logic/integrationAccounts/sessions/read | Reads the session in integration account. | +> | Microsoft.Logic/integrationAccounts/sessions/write | Creates or updates the session in integration account. | +> | Microsoft.Logic/integrationAccounts/sessions/delete | Deletes the session in integration account. | +> | Microsoft.Logic/integrationAccounts/usageConfigurations/read | Reads the usage configuration in integration account. | +> | Microsoft.Logic/integrationAccounts/usageConfigurations/write | Creates or updates the usage configuration in integration account. | +> | Microsoft.Logic/integrationAccounts/usageConfigurations/delete | Deletes the usage configuration in integration account. | +> | Microsoft.Logic/integrationAccounts/usageConfigurations/listCallbackUrl/action | Gets the callback URL for the usage configuration in integration account. | +> | Microsoft.Logic/integrationServiceEnvironments/read | Reads the integration service environment. | +> | Microsoft.Logic/integrationServiceEnvironments/write | Creates or updates the integration service environment. | +> | Microsoft.Logic/integrationServiceEnvironments/delete | Deletes the integration service environment. | +> | Microsoft.Logic/integrationServiceEnvironments/join/action | Joins the Integration Service Environment. | +> | Microsoft.Logic/integrationServiceEnvironments/availableManagedApis/read | Reads the integration service environment available managed APIs. | +> | Microsoft.Logic/integrationServiceEnvironments/managedApis/read | Reads the integration service environment managed API. | +> | Microsoft.Logic/integrationServiceEnvironments/managedApis/write | Creates or updates the integration service environment managed API. 
| +> | Microsoft.Logic/integrationServiceEnvironments/managedApis/join/action | Joins the Integration Service Environment Managed API. | +> | Microsoft.Logic/integrationServiceEnvironments/managedApis/apiOperations/read | Reads the integration service environment managed API operation. | +> | Microsoft.Logic/integrationServiceEnvironments/managedApis/operationStatuses/read | Reads the integration service environment managed API operation statuses. | +> | Microsoft.Logic/integrationServiceEnvironments/operationStatuses/read | Reads the integration service environment operation statuses. | +> | Microsoft.Logic/integrationServiceEnvironments/providers/Microsoft.Insights/metricDefinitions/read | Reads the integration service environment metric definitions. | +> | Microsoft.Logic/locations/workflows/validate/action | Validates the workflow. | +> | Microsoft.Logic/locations/workflows/recommendOperationGroups/action | Gets the workflow recommend operation groups. | +> | Microsoft.Logic/operations/read | Gets the operation. | +> | Microsoft.Logic/workflows/read | Reads the workflow. | +> | Microsoft.Logic/workflows/write | Creates or updates the workflow. | +> | Microsoft.Logic/workflows/delete | Deletes the workflow. | +> | Microsoft.Logic/workflows/run/action | Starts a run of the workflow. | +> | Microsoft.Logic/workflows/disable/action | Disables the workflow. | +> | Microsoft.Logic/workflows/enable/action | Enables the workflow. | +> | Microsoft.Logic/workflows/suspend/action | Suspends the workflow. | +> | Microsoft.Logic/workflows/validate/action | Validates the workflow. | +> | Microsoft.Logic/workflows/move/action | Moves Workflow from its existing subscription id, resource group, and/or name to a different subscription id, resource group, and/or name. | +> | Microsoft.Logic/workflows/listSwagger/action | Gets the workflow swagger definitions. | +> | Microsoft.Logic/workflows/regenerateAccessKey/action | Regenerates the access key secrets. 
| +> | Microsoft.Logic/workflows/listCallbackUrl/action | Gets the callback URL for workflow. | +> | Microsoft.Logic/workflows/accessKeys/read | Reads the access key. | +> | Microsoft.Logic/workflows/accessKeys/write | Creates or updates the access key. | +> | Microsoft.Logic/workflows/accessKeys/delete | Deletes the access key. | +> | Microsoft.Logic/workflows/accessKeys/list/action | Lists the access key secrets. | +> | Microsoft.Logic/workflows/accessKeys/regenerate/action | Regenerates the access key secrets. | +> | Microsoft.Logic/workflows/detectors/read | Reads the workflow detector. | +> | Microsoft.Logic/workflows/providers/Microsoft.Insights/diagnosticSettings/read | Reads the workflow diagnostic settings. | +> | Microsoft.Logic/workflows/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the workflow diagnostic setting. | +> | Microsoft.Logic/workflows/providers/Microsoft.Insights/logDefinitions/read | Reads the workflow log definitions. | +> | Microsoft.Logic/workflows/providers/Microsoft.Insights/metricDefinitions/read | Reads the workflow metric definitions. | +> | Microsoft.Logic/workflows/runs/read | Reads the workflow run. | +> | Microsoft.Logic/workflows/runs/delete | Deletes a run of a workflow. | +> | Microsoft.Logic/workflows/runs/cancel/action | Cancels the run of a workflow. | +> | Microsoft.Logic/workflows/runs/actions/read | Reads the workflow run action. | +> | Microsoft.Logic/workflows/runs/actions/listExpressionTraces/action | Gets the workflow run action expression traces. | +> | Microsoft.Logic/workflows/runs/actions/repetitions/read | Reads the workflow run action repetition. | +> | Microsoft.Logic/workflows/runs/actions/repetitions/listExpressionTraces/action | Gets the workflow run action repetition expression traces. | +> | Microsoft.Logic/workflows/runs/actions/repetitions/requestHistories/read | Reads the workflow run repetition action request history. 
| +> | Microsoft.Logic/workflows/runs/actions/requestHistories/read | Reads the workflow run action request history. | +> | Microsoft.Logic/workflows/runs/actions/scoperepetitions/read | Reads the workflow run action scope repetition. | +> | Microsoft.Logic/workflows/runs/operations/read | Reads the workflow run operation status. | +> | Microsoft.Logic/workflows/triggers/read | Reads the trigger. | +> | Microsoft.Logic/workflows/triggers/run/action | Executes the trigger. | +> | Microsoft.Logic/workflows/triggers/reset/action | Resets the trigger. | +> | Microsoft.Logic/workflows/triggers/setState/action | Sets the trigger state. | +> | Microsoft.Logic/workflows/triggers/listCallbackUrl/action | Gets the callback URL for trigger. | +> | Microsoft.Logic/workflows/triggers/histories/read | Reads the trigger histories. | +> | Microsoft.Logic/workflows/triggers/histories/resubmit/action | Resubmits the workflow trigger. | +> | Microsoft.Logic/workflows/versions/read | Reads the workflow version. | +> | Microsoft.Logic/workflows/versions/triggers/listCallbackUrl/action | Gets the callback URL for trigger. | ++## Microsoft.Relay ++Azure service: [Azure Relay](/azure/azure-relay/relay-what-is-it) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Relay/checkNamespaceAvailability/action | Checks availability of namespace under given subscription. This API is deprecated please use CheckNameAvailability instead. | +> | Microsoft.Relay/checkNameAvailability/action | Checks availability of namespace under given subscription. | +> | Microsoft.Relay/register/action | Registers the subscription for the Relay resource provider and enables the creation of Relay resources | +> | Microsoft.Relay/unregister/action | Registers the subscription for the Relay resource provider and enables the creation of Relay resources | +> | Microsoft.Relay/namespaces/write | Create a Namespace Resource and Update its properties. 
Tags and Capacity of the Namespace are the properties which can be updated. | +> | Microsoft.Relay/namespaces/read | Get the list of Namespace Resource Description | +> | Microsoft.Relay/namespaces/Delete | Delete Namespace Resource | +> | Microsoft.Relay/namespaces/authorizationRules/action | Updates Namespace Authorization Rule. This API is deprecated. Please use a PUT call to update the Namespace Authorization Rule instead.. This operation is not supported on API version 2017-04-01. | +> | Microsoft.Relay/namespaces/removeAcsNamepsace/action | Remove ACS namespace | +> | Microsoft.Relay/namespaces/privateEndpointConnectionsApproval/action | Approve Private Endpoint Connection | +> | Microsoft.Relay/namespaces/authorizationRules/read | Get the list of Namespaces Authorization Rules description. | +> | Microsoft.Relay/namespaces/authorizationRules/write | Create a Namespace level Authorization Rules and update its properties. The Authorization Rules Access Rights, the Primary and Secondary Keys can be updated. | +> | Microsoft.Relay/namespaces/authorizationRules/delete | Delete Namespace Authorization Rule. The Default Namespace Authorization Rule cannot be deleted. | +> | Microsoft.Relay/namespaces/authorizationRules/listkeys/action | Get the Connection String to the Namespace | +> | Microsoft.Relay/namespaces/authorizationRules/regenerateKeys/action | Regenerate the Primary or Secondary key to the Resource | +> | Microsoft.Relay/namespaces/disasterrecoveryconfigs/checkNameAvailability/action | Checks availability of namespace alias under given subscription. | +> | Microsoft.Relay/namespaces/disasterRecoveryConfigs/write | Creates or Updates the Disaster Recovery configuration associated with the namespace. | +> | Microsoft.Relay/namespaces/disasterRecoveryConfigs/read | Gets the Disaster Recovery configuration associated with the namespace. 
| +> | Microsoft.Relay/namespaces/disasterRecoveryConfigs/delete | Deletes the Disaster Recovery configuration associated with the namespace. This operation can only be invoked via the primary namespace. | +> | Microsoft.Relay/namespaces/disasterRecoveryConfigs/breakPairing/action | Disables Disaster Recovery and stops replicating changes from primary to secondary namespaces. | +> | Microsoft.Relay/namespaces/disasterRecoveryConfigs/failover/action | Invokes a GEO DR failover and reconfigures the namespace alias to point to the secondary namespace. | +> | Microsoft.Relay/namespaces/disasterRecoveryConfigs/authorizationRules/read | Get Disaster Recovery Primary Namespace's Authorization Rules | +> | Microsoft.Relay/namespaces/disasterRecoveryConfigs/authorizationRules/listkeys/action | Gets the authorization rules keys for the Disaster Recovery primary namespace | +> | Microsoft.Relay/namespaces/HybridConnections/write | Create or Update HybridConnection properties. | +> | Microsoft.Relay/namespaces/HybridConnections/read | Get list of HybridConnection Resource Descriptions | +> | Microsoft.Relay/namespaces/HybridConnections/Delete | Operation to delete HybridConnection Resource | +> | Microsoft.Relay/namespaces/HybridConnections/authorizationRules/action | Operation to update HybridConnection. This operation is not supported on API version 2017-04-01. Authorization Rules. Please use a PUT call to update Authorization Rule. | +> | Microsoft.Relay/namespaces/HybridConnections/authorizationRules/read | Get the list of HybridConnection Authorization Rules | +> | Microsoft.Relay/namespaces/HybridConnections/authorizationRules/write | Create HybridConnection Authorization Rules and Update its properties. The Authorization Rules Access Rights can be updated. 
| +> | Microsoft.Relay/namespaces/HybridConnections/authorizationRules/delete | Operation to delete HybridConnection Authorization Rules | +> | Microsoft.Relay/namespaces/HybridConnections/authorizationRules/listkeys/action | Get the Connection String to HybridConnection | +> | Microsoft.Relay/namespaces/HybridConnections/authorizationRules/regeneratekeys/action | Regenerate the Primary or Secondary key to the Resource | +> | Microsoft.Relay/namespaces/messagingPlan/read | Gets the Messaging Plan for a namespace.<br>This API is deprecated.<br>Properties exposed via the MessagingPlan resource are moved to the (parent) Namespace resource in later API versions..<br>This operation is not supported on API version 2017-04-01. | +> | Microsoft.Relay/namespaces/messagingPlan/write | Updates the Messaging Plan for a namespace.<br>This API is deprecated.<br>Properties exposed via the MessagingPlan resource are moved to the (parent) Namespace resource in later API versions..<br>This operation is not supported on API version 2017-04-01. 
| +> | Microsoft.Relay/namespaces/networkrulesets/read | Gets NetworkRuleSet Resource | +> | Microsoft.Relay/namespaces/networkrulesets/write | Create VNET Rule Resource | +> | Microsoft.Relay/namespaces/networkrulesets/delete | Delete VNET Rule Resource | +> | Microsoft.Relay/namespaces/operationresults/read | Get the status of Namespace operation | +> | Microsoft.Relay/namespaces/privateEndpointConnectionProxies/validate/action | Validate Private Endpoint Connection Proxy | +> | Microsoft.Relay/namespaces/privateEndpointConnectionProxies/read | Get Private Endpoint Connection Proxy | +> | Microsoft.Relay/namespaces/privateEndpointConnectionProxies/write | Create Private Endpoint Connection Proxy | +> | Microsoft.Relay/namespaces/privateEndpointConnectionProxies/delete | Delete Private Endpoint Connection Proxy | +> | Microsoft.Relay/namespaces/privateEndpointConnectionProxies/operationstatus/read | Get the status of an asynchronous private endpoint operation | +> | Microsoft.Relay/namespaces/privateEndpointConnections/read | Get Private Endpoint Connection | +> | Microsoft.Relay/namespaces/privateEndpointConnections/write | Create or Update Private Endpoint Connection | +> | Microsoft.Relay/namespaces/privateEndpointConnections/delete | Removes Private Endpoint Connection | +> | Microsoft.Relay/namespaces/privateEndpointConnections/operationstatus/read | Get the status of an asynchronous private endpoint operation | +> | Microsoft.Relay/namespaces/privateLinkResources/read | Gets the resource types that support private endpoint connections | +> | Microsoft.Relay/namespaces/providers/Microsoft.Insights/diagnosticSettings/read | Get list of Namespace diagnostic settings Resource Descriptions | +> | Microsoft.Relay/namespaces/providers/Microsoft.Insights/diagnosticSettings/write | Get list of Namespace diagnostic settings Resource Descriptions | +> | Microsoft.Relay/namespaces/providers/Microsoft.Insights/logDefinitions/read | Get list of Namespace logs Resource 
Descriptions | +> | Microsoft.Relay/namespaces/providers/Microsoft.Insights/metricDefinitions/read | Get list of Namespace metrics Resource Descriptions | +> | Microsoft.Relay/namespaces/WcfRelays/write | Create or Update WcfRelay properties. | +> | Microsoft.Relay/namespaces/WcfRelays/read | Get list of WcfRelay Resource Descriptions | +> | Microsoft.Relay/namespaces/WcfRelays/Delete | Operation to delete WcfRelay Resource | +> | Microsoft.Relay/namespaces/WcfRelays/authorizationRules/action | Operation to update WcfRelay. This operation is not supported on API version 2017-04-01. Authorization Rules. Please use a PUT call to update Authorization Rule. | +> | Microsoft.Relay/namespaces/WcfRelays/authorizationRules/read | Get the list of WcfRelay Authorization Rules | +> | Microsoft.Relay/namespaces/WcfRelays/authorizationRules/write | Create WcfRelay Authorization Rules and Update its properties. The Authorization Rules Access Rights can be updated. | +> | Microsoft.Relay/namespaces/WcfRelays/authorizationRules/delete | Operation to delete WcfRelay Authorization Rules | +> | Microsoft.Relay/namespaces/WcfRelays/authorizationRules/listkeys/action | Get the Connection String to WcfRelay | +> | Microsoft.Relay/namespaces/WcfRelays/authorizationRules/regeneratekeys/action | Regenerate the Primary or Secondary key to the Resource | +> | Microsoft.Relay/operations/read | Get Operations | +> | **DataAction** | **Description** | +> | Microsoft.Relay/namespaces/messages/send/action | Send messages | +> | Microsoft.Relay/namespaces/messages/listen/action | Receive messages | ++## Microsoft.ServiceBus ++Azure service: [Service Bus](/azure/service-bus-messaging/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.ServiceBus/checkNamespaceAvailability/action | Checks availability of namespace under given subscription. This API is deprecated please use CheckNameAvailability instead. 
| +> | Microsoft.ServiceBus/checkNameAvailability/action | Checks availability of namespace under given subscription. | +> | Microsoft.ServiceBus/register/action | Registers the subscription for the ServiceBus resource provider and enables the creation of ServiceBus resources | +> | Microsoft.ServiceBus/unregister/action | Registers the subscription for the ServiceBus resource provider and enables the creation of ServiceBus resources | +> | Microsoft.ServiceBus/locations/deleteVirtualNetworkOrSubnets/action | Deletes the VNet rules in ServiceBus Resource Provider for the specified VNet | +> | Microsoft.ServiceBus/namespaces/write | Create a Namespace Resource and Update its properties. Tags and Capacity of the Namespace are the properties which can be updated. | +> | Microsoft.ServiceBus/namespaces/read | Get the list of Namespace Resource Description | +> | Microsoft.ServiceBus/namespaces/Delete | Delete Namespace Resource | +> | Microsoft.ServiceBus/namespaces/authorizationRules/action | Updates Namespace Authorization Rule. This API is deprecated. Please use a PUT call to update the Namespace Authorization Rule instead.. This operation is not supported on API version 2017-04-01. | +> | Microsoft.ServiceBus/namespaces/migrate/action | Migrate namespace operation | +> | Microsoft.ServiceBus/namespaces/removeAcsNamepsace/action | Remove ACS namespace | +> | Microsoft.ServiceBus/namespaces/privateEndpointConnectionsApproval/action | Approve Private Endpoint Connection | +> | Microsoft.ServiceBus/namespaces/authorizationRules/write | Create a Namespace level Authorization Rules and update its properties. The Authorization Rules Access Rights, the Primary and Secondary Keys can be updated. | +> | Microsoft.ServiceBus/namespaces/authorizationRules/read | Get the list of Namespaces Authorization Rules description. | +> | Microsoft.ServiceBus/namespaces/authorizationRules/delete | Delete Namespace Authorization Rule. 
The Default Namespace Authorization Rule cannot be deleted. | +> | Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action | Get the Connection String to the Namespace | +> | Microsoft.ServiceBus/namespaces/authorizationRules/regenerateKeys/action | Regenerate the Primary or Secondary key to the Resource | +> | Microsoft.ServiceBus/namespaces/disasterrecoveryconfigs/checkNameAvailability/action | Checks availability of namespace alias under given subscription. | +> | Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs/write | Creates or Updates the Disaster Recovery configuration associated with the namespace. | +> | Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs/read | Gets the Disaster Recovery configuration associated with the namespace. | +> | Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs/delete | Deletes the Disaster Recovery configuration associated with the namespace. This operation can only be invoked via the primary namespace. | +> | Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs/breakPairing/action | Disables Disaster Recovery and stops replicating changes from primary to secondary namespaces. | +> | Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs/failover/action | Invokes a GEO DR failover and reconfigures the namespace alias to point to the secondary namespace. | +> | Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs/authorizationRules/read | Get Disaster Recovery Primary Namespace's Authorization Rules | +> | Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs/authorizationRules/listkeys/action | Gets the authorization rules keys for the Disaster Recovery primary namespace | +> | Microsoft.ServiceBus/namespaces/eventGridFilters/write | Creates or Updates the Event Grid filter associated with the namespace. | +> | Microsoft.ServiceBus/namespaces/eventGridFilters/read | Gets the Event Grid filter associated with the namespace. 
| +> | Microsoft.ServiceBus/namespaces/eventGridFilters/delete | Deletes the Event Grid filter associated with the namespace. | +> | Microsoft.ServiceBus/namespaces/eventhubs/read | Get list of EventHub Resource Descriptions | +> | Microsoft.ServiceBus/namespaces/ipFilterRules/read | Get IP Filter Resource | +> | Microsoft.ServiceBus/namespaces/ipFilterRules/write | Create IP Filter Resource | +> | Microsoft.ServiceBus/namespaces/ipFilterRules/delete | Delete IP Filter Resource | +> | Microsoft.ServiceBus/namespaces/messagingPlan/read | Gets the Messaging Plan for a namespace.<br>This API is deprecated.<br>Properties exposed via the MessagingPlan resource are moved to the (parent) Namespace resource in later API versions..<br>This operation is not supported on API version 2017-04-01. | +> | Microsoft.ServiceBus/namespaces/messagingPlan/write | Updates the Messaging Plan for a namespace.<br>This API is deprecated.<br>Properties exposed via the MessagingPlan resource are moved to the (parent) Namespace resource in later API versions..<br>This operation is not supported on API version 2017-04-01. | +> | Microsoft.ServiceBus/namespaces/migrationConfigurations/write | Creates or Updates Migration configuration. This will start synchronizing resources from the standard to the premium namespace | +> | Microsoft.ServiceBus/namespaces/migrationConfigurations/read | Gets the Migration configuration which indicates the state of the migration and pending replication operations | +> | Microsoft.ServiceBus/namespaces/migrationConfigurations/delete | Deletes the Migration configuration. 
| +> | Microsoft.ServiceBus/namespaces/migrationConfigurations/revert/action | Reverts the standard to premium namespace migration | +> | Microsoft.ServiceBus/namespaces/migrationConfigurations/upgrade/action | Assigns the DNS associated with the standard namespace to the premium namespace which completes the migration and stops the syncing resources from standard to premium namespace | +> | Microsoft.ServiceBus/namespaces/networkruleset/read | Gets NetworkRuleSet Resource | +> | Microsoft.ServiceBus/namespaces/networkruleset/write | Create VNET Rule Resource | +> | Microsoft.ServiceBus/namespaces/networkruleset/delete | Delete VNET Rule Resource | +> | Microsoft.ServiceBus/namespaces/networkrulesets/read | Gets NetworkRuleSet Resource | +> | Microsoft.ServiceBus/namespaces/networkrulesets/write | Create VNET Rule Resource | +> | Microsoft.ServiceBus/namespaces/networkrulesets/delete | Delete VNET Rule Resource | +> | Microsoft.ServiceBus/namespaces/operationresults/read | Get the status of Namespace operation | +> | Microsoft.ServiceBus/namespaces/privateEndpointConnectionProxies/validate/action | Validate Private Endpoint Connection Proxy | +> | Microsoft.ServiceBus/namespaces/privateEndpointConnectionProxies/read | Get Private Endpoint Connection Proxy | +> | Microsoft.ServiceBus/namespaces/privateEndpointConnectionProxies/write | Create Private Endpoint Connection Proxy | +> | Microsoft.ServiceBus/namespaces/privateEndpointConnectionProxies/delete | Delete Private Endpoint Connection Proxy | +> | Microsoft.ServiceBus/namespaces/privateEndpointConnectionProxies/operationstatus/read | Get the status of an asynchronous private endpoint operation | +> | Microsoft.ServiceBus/namespaces/privateEndpointConnections/read | Get Private Endpoint Connection | +> | Microsoft.ServiceBus/namespaces/privateEndpointConnections/write | Create or Update Private Endpoint Connection | +> | Microsoft.ServiceBus/namespaces/privateEndpointConnections/delete | Removes Private Endpoint 
Connection | +> | Microsoft.ServiceBus/namespaces/privateEndpointConnections/operationstatus/read | Get the status of an asynchronous private endpoint operation | +> | Microsoft.ServiceBus/namespaces/privateLinkResources/read | Gets the resource types that support private endpoint connections | +> | Microsoft.ServiceBus/namespaces/providers/Microsoft.Insights/diagnosticSettings/read | Get list of Namespace diagnostic settings Resource Descriptions | +> | Microsoft.ServiceBus/namespaces/providers/Microsoft.Insights/diagnosticSettings/write | Get list of Namespace diagnostic settings Resource Descriptions | +> | Microsoft.ServiceBus/namespaces/providers/Microsoft.Insights/logDefinitions/read | Get list of Namespace logs Resource Descriptions | +> | Microsoft.ServiceBus/namespaces/providers/Microsoft.Insights/metricDefinitions/read | Get list of Namespace metrics Resource Descriptions | +> | Microsoft.ServiceBus/namespaces/queues/write | Create or Update Queue properties. | +> | Microsoft.ServiceBus/namespaces/queues/read | Get list of Queue Resource Descriptions | +> | Microsoft.ServiceBus/namespaces/queues/Delete | Operation to delete Queue Resource | +> | Microsoft.ServiceBus/namespaces/queues/authorizationRules/action | Operation to update Queue. This operation is not supported on API version 2017-04-01. Authorization Rules. Please use a PUT call to update Authorization Rule. | +> | Microsoft.ServiceBus/namespaces/queues/authorizationRules/write | Create Queue Authorization Rules and Update its properties. The Authorization Rules Access Rights can be updated. 
| +> | Microsoft.ServiceBus/namespaces/queues/authorizationRules/read | Get the list of Queue Authorization Rules | +> | Microsoft.ServiceBus/namespaces/queues/authorizationRules/delete | Operation to delete Queue Authorization Rules | +> | Microsoft.ServiceBus/namespaces/queues/authorizationRules/listkeys/action | Get the Connection String to Queue | +> | Microsoft.ServiceBus/namespaces/queues/authorizationRules/regenerateKeys/action | Regenerate the Primary or Secondary key to the Resource | +> | Microsoft.ServiceBus/namespaces/skus/read | List Supported SKUs for Namespace | +> | Microsoft.ServiceBus/namespaces/topics/write | Create or Update Topic properties. | +> | Microsoft.ServiceBus/namespaces/topics/read | Get list of Topic Resource Descriptions | +> | Microsoft.ServiceBus/namespaces/topics/Delete | Operation to delete Topic Resource | +> | Microsoft.ServiceBus/namespaces/topics/authorizationRules/action | Operation to update Topic. This operation is not supported on API version 2017-04-01. Authorization Rules. Please use a PUT call to update Authorization Rule. | +> | Microsoft.ServiceBus/namespaces/topics/authorizationRules/write | Create Topic Authorization Rules and Update its properties. The Authorization Rules Access Rights can be updated. | +> | Microsoft.ServiceBus/namespaces/topics/authorizationRules/read | Get the list of Topic Authorization Rules | +> | Microsoft.ServiceBus/namespaces/topics/authorizationRules/delete | Operation to delete Topic Authorization Rules | +> | Microsoft.ServiceBus/namespaces/topics/authorizationRules/listkeys/action | Get the Connection String to Topic | +> | Microsoft.ServiceBus/namespaces/topics/authorizationRules/regenerateKeys/action | Regenerate the Primary or Secondary key to the Resource | +> | Microsoft.ServiceBus/namespaces/topics/subscriptions/write | Create or Update TopicSubscription properties. 
| +> | Microsoft.ServiceBus/namespaces/topics/subscriptions/read | Get list of TopicSubscription Resource Descriptions | +> | Microsoft.ServiceBus/namespaces/topics/subscriptions/Delete | Operation to delete TopicSubscription Resource | +> | Microsoft.ServiceBus/namespaces/topics/subscriptions/rules/write | Create or Update Rule properties. | +> | Microsoft.ServiceBus/namespaces/topics/subscriptions/rules/read | Get list of Rule Resource Descriptions | +> | Microsoft.ServiceBus/namespaces/topics/subscriptions/rules/Delete | Operation to delete Rule Resource | +> | Microsoft.ServiceBus/namespaces/virtualNetworkRules/read | Gets VNET Rule Resource | +> | Microsoft.ServiceBus/namespaces/virtualNetworkRules/write | Create VNET Rule Resource | +> | Microsoft.ServiceBus/namespaces/virtualNetworkRules/delete | Delete VNET Rule Resource | +> | Microsoft.ServiceBus/operations/read | Get Operations | +> | Microsoft.ServiceBus/sku/read | Get list of Sku Resource Descriptions | +> | Microsoft.ServiceBus/sku/regions/read | Get list of SkuRegions Resource Descriptions | +> | **DataAction** | **Description** | +> | Microsoft.ServiceBus/namespaces/messages/send/action | Send messages | +> | Microsoft.ServiceBus/namespaces/messages/receive/action | Receive messages | ++## Microsoft.ServicesHub ++Azure service: [Services Hub](/services-hub/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.ServicesHub/connectors/write | Create or update a Services Hub Connector | +> | Microsoft.ServicesHub/connectors/read | View or List Services Hub Connectors | +> | Microsoft.ServicesHub/connectors/delete | Delete Services Hub Connectors | +> | Microsoft.ServicesHub/connectors/checkAssessmentEntitlement/action | Lists the Assessment Entitlements for a given Services Hub Workspace | +> | Microsoft.ServicesHub/supportOfferingEntitlement/read | View the Support Offering Entitlements for a given Services Hub Workspace | +> | Microsoft.ServicesHub/workspaces/read | 
List the Services Hub Workspaces for a given User | ++## Next steps ++- [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types) |
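Review bot: several descriptions in the Microsoft.ServiceBus table are mismatched or broken and should be corrected before this lands. `Microsoft.ServiceBus/namespaces/providers/Microsoft.Insights/diagnosticSettings/write` repeats the read row's text ("Get list of Namespace diagnostic settings Resource Descriptions") where a write action should read "Creates or updates the diagnostic settings for the resource", as the other write rows do; `networkruleset/write` and `networkrulesets/write` are both described as "Create VNET Rule Resource" although the resource being written is the network rule set (the `virtualNetworkRules/write` row already carries that description); and the `queues/authorizationRules/action` and `topics/authorizationRules/action` rows contain a fragmented sentence ("Operation to update Queue. This operation is not supported on API version 2017-04-01. Authorization Rules. Please use a PUT call to update Authorization Rule.") that should be rewritten as one sentence. Also worth a short lead-in for readers scoping custom roles: the `authorizationRules/listkeys/action` and `authorizationRules/regenerateKeys/action` rows return or rotate connection strings, so they are credential-bearing actions rather than plain reads and are usually excluded from read-only roles.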
role-based-access-control | Internet Of Things | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/internet-of-things.md | + + Title: Azure permissions for Internet of Things - Azure RBAC +description: Lists the permissions for the Azure resource providers in the Internet of Things category. +++++ Last updated : 02/07/2024++++# Azure permissions for Internet of Things ++This article lists the permissions for the Azure resource providers in the Internet of Things category. You can use these permissions in your own [Azure custom roles](/azure/role-based-access-control/custom-roles) to provide granular access control to resources in Azure. Permission strings have the following format: `{Company}.{ProviderName}/{resourceType}/{action}` +++## Microsoft.DataBoxEdge ++Azure service: [Azure Stack Edge](/azure/databox-online/azure-stack-edge-overview) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.DataBoxEdge/availableSkus/read | Lists or gets the available skus | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/deviceCapacityCheck/action | Performs Device Capacity Check and Returns Feasibility | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/write | Creates or updates the Data Box Edge devices | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/read | Lists or gets the Data Box Edge devices | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/delete | Deletes the Data Box Edge devices | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/getExtendedInformation/action | Retrieves resource extended information | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/updateExtendedInformation/action | Updates resource extended information | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/scanForUpdates/action | Scan for updates | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/downloadUpdates/action | Download Updates in device | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/installUpdates/action | Install Updates on 
device | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/uploadCertificate/action | Upload certificate for device registration | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/generateCertificate/action | Generate certificate | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/triggerSupportPackage/action | Trigger Support Package | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/alerts/read | Lists or gets the alerts | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/bandwidthSchedules/read | Lists or gets the bandwidth schedules | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/bandwidthSchedules/write | Creates or updates the bandwidth schedules | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/bandwidthSchedules/delete | Deletes the bandwidth schedules | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/bandwidthSchedules/operationResults/read | Lists or gets the operation result | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/deviceCapacityCheck/operationResults/read | Lists or gets the operation result | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/deviceCapacityInfo/read | Lists or gets the device capacity information | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/diagnosticProactiveLogCollectionSettings/operationResults/read | Lists or gets the operation result | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/diagnosticRemoteSupportSettings/operationResults/read | Lists or gets the operation result | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/jobs/read | Lists or gets the jobs | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/networkSettings/read | Lists or gets the Device network settings | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/nodes/read | Lists or gets the nodes | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/operationResults/read | Lists or gets the operation result | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/operationsStatus/read | Lists or gets the operation status | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/orders/read | Lists or gets the orders | +> | 
Microsoft.DataBoxEdge/dataBoxEdgeDevices/orders/write | Creates or updates the orders | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/orders/delete | Deletes the orders | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/orders/listDCAccessCode/action | Lists or gets the data center access code | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/orders/operationResults/read | Lists or gets the operation result | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostics setting for the resource | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/providers/Microsoft.Insights/metricDefinitions/read | Gets the available Data Box Edge device level metrics | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/publishers/offers/skus/versions/generatesastoken/action | Gets the SAS Token for a specific image | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/publishers/offers/skus/versions/generatesastoken/operationResults/read | Lists or gets the operation result | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/roles/read | Lists or gets the roles | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/roles/migrate/action | Migrates the IoT role to ASE Kubernetes role | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/roles/write | Creates or updates the roles | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/roles/delete | Deletes the roles | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/roles/addons/read | Lists or gets the addons | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/roles/addons/write | Creates or updates the addons | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/roles/addons/delete | Deletes the addons | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/roles/addons/operationResults/read | Lists or gets the operation result | +> | 
Microsoft.DataBoxEdge/dataBoxEdgeDevices/roles/migrate/operationResults/read | Lists or gets the operation result | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/roles/monitoringConfig/write | Creates or updates the monitoring configuration | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/roles/monitoringConfig/delete | Deletes the monitoring configuration | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/roles/monitoringConfig/read | Lists or gets the monitoring configuration | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/roles/monitoringConfig/operationResults/read | Lists or gets the operation result | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/roles/operationResults/read | Lists or gets the operation result | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/securitySettings/update/action | Update security settings | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/securitySettings/operationResults/read | Lists or gets the operation result | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/shares/read | Lists or gets the shares | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/shares/write | Creates or updates the shares | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/shares/refresh/action | Refresh the share metadata with the data from the cloud | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/shares/delete | Deletes the shares | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/shares/operationResults/read | Lists or gets the operation result | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/storageAccountCredentials/write | Creates or updates the storage account credentials | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/storageAccountCredentials/read | Lists or gets the storage account credentials | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/storageAccountCredentials/delete | Deletes the storage account credentials | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/storageAccountCredentials/operationResults/read | Lists or gets the operation result | +> | 
Microsoft.DataBoxEdge/dataBoxEdgeDevices/storageAccounts/read | Lists or gets the Storage Accounts | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/storageAccounts/write | Creates or updates the Storage Accounts | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/storageAccounts/delete | Deletes the Storage Accounts | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/storageAccounts/containers/read | Lists or gets the Containers | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/storageAccounts/containers/write | Creates or updates the Containers | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/storageAccounts/containers/delete | Deletes the Containers | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/storageAccounts/containers/refresh/action | Refresh the container metadata with the data from the cloud | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/storageAccounts/containers/operationResults/read | Lists or gets the operation result | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/storageAccounts/operationResults/read | Lists or gets the operation result | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/triggers/read | Lists or gets the triggers | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/triggers/write | Creates or updates the triggers | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/triggers/delete | Deletes the triggers | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/triggers/operationResults/read | Lists or gets the operation result | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/triggerSupportPackage/operationResults/read | Lists or gets the operation result | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/updateSummary/read | Lists or gets the update summary | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/users/read | Lists or gets the share users | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/users/write | Creates or updates the share users | +> | Microsoft.DataBoxEdge/dataBoxEdgeDevices/users/delete | Deletes the share users | +> | 
Microsoft.DataBoxEdge/dataBoxEdgeDevices/users/operationResults/read | Lists or gets the operation result | ++## Microsoft.Devices ++Azure service: [IoT Hub](/azure/iot-hub/), [IoT Hub Device Provisioning Service](/azure/iot-dps/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Devices/register/action | Register the subscription for the IotHub resource provider and enables the creation of IotHub resources | +> | Microsoft.Devices/checkNameAvailability/Action | Check If IotHub name is available | +> | Microsoft.Devices/iotHubs/Read | Gets the IotHub resource(s) | +> | Microsoft.Devices/iotHubs/Write | Create or update IotHub Resource | +> | Microsoft.Devices/iotHubs/Delete | Delete IotHub Resource | +> | Microsoft.Devices/iotHubs/listkeys/Action | Get all IotHub Keys | +> | Microsoft.Devices/iotHubs/exportDevices/Action | Export Devices | +> | Microsoft.Devices/iotHubs/importDevices/Action | Import Devices | +> | Microsoft.Devices/iotHubs/notifyNetworkSecurityPerimeterUpdatesAvailable/Action | Notify RP that an associated NSP has profile updates. 
| +> | Microsoft.Devices/iotHubs/privateEndpointConnectionsApproval/Action | Approve or reject a private endpoint connection | +> | Microsoft.Devices/iotHubs/networkSecurityPerimeterConfigurations/Action | Reconcile NSP configuration profile from NSP RP | +> | Microsoft.Devices/iotHubs/certificates/Read | Gets the Certificate | +> | Microsoft.Devices/iotHubs/certificates/Write | Create or Update Certificate | +> | Microsoft.Devices/iotHubs/certificates/Delete | Deletes Certificate | +> | Microsoft.Devices/iotHubs/certificates/generateVerificationCode/Action | Generate Verification code | +> | Microsoft.Devices/iotHubs/certificates/verify/Action | Verify Certificate resource | +> | Microsoft.Devices/IotHubs/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.Devices/IotHubs/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.Devices/iotHubs/eventGridFilters/Write | Create new or Update existing Event Grid filter | +> | Microsoft.Devices/iotHubs/eventGridFilters/Read | Gets the Event Grid filter | +> | Microsoft.Devices/iotHubs/eventGridFilters/Delete | Deletes the Event Grid filter | +> | Microsoft.Devices/iotHubs/eventHubEndpoints/consumerGroups/Write | Create EventHub Consumer Group | +> | Microsoft.Devices/iotHubs/eventHubEndpoints/consumerGroups/Read | Get EventHub Consumer Group(s) | +> | Microsoft.Devices/iotHubs/eventHubEndpoints/consumerGroups/Delete | Delete EventHub Consumer Group | +> | Microsoft.Devices/iotHubs/iotHubKeys/listkeys/Action | Get IotHub Key for the given name | +> | Microsoft.Devices/iotHubs/iotHubStats/Read | Get IotHub Statistics | +> | Microsoft.Devices/iotHubs/jobs/Read | Get Job(s) details submitted on given IotHub | +> | Microsoft.Devices/IotHubs/logDefinitions/read | Gets the available log definitions for the IotHub Service | +> | Microsoft.Devices/IotHubs/metricDefinitions/read | Gets the available metrics for the IotHub service | +> | 
Microsoft.Devices/iotHubs/networkSecurityPerimeterAssociationProxies/Read | List all NSP association proxies associated with the IotHub | +> | Microsoft.Devices/iotHubs/networkSecurityPerimeterAssociationProxies/Write | Put an NSP association proxy on the IotHub to associate the resource with the NSP | +> | Microsoft.Devices/iotHubs/networkSecurityPerimeterAssociationProxies/Delete | Delete an NSP association proxy to disassociate the IotHub resource from the NSP | +> | Microsoft.Devices/iotHubs/networkSecurityPerimeterConfigurations/Read | List all NSP configurations associated with the IotHub | +> | Microsoft.Devices/iotHubs/operationresults/Read | Get Operation Result (Obsolete API) | +> | Microsoft.Devices/iotHubs/privateEndpointConnectionProxies/validate/Action | Validates private endpoint connection proxy input during create | +> | Microsoft.Devices/iotHubs/privateEndpointConnectionProxies/Read | Gets properties for specified private endpoint connection proxy | +> | Microsoft.Devices/iotHubs/privateEndpointConnectionProxies/Write | Creates or updates a private endpoint connection proxy | +> | Microsoft.Devices/iotHubs/privateEndpointConnectionProxies/Delete | Deletes an existing private endpoint connection proxy | +> | Microsoft.Devices/iotHubs/privateEndpointConnectionProxies/operationResults/Read | Get the result of an async operation on a private endpoint connection proxy | +> | Microsoft.Devices/iotHubs/privateEndpointConnections/Read | Gets all the private endpoint connections for the specified iot hub | +> | Microsoft.Devices/iotHubs/privateEndpointConnections/Delete | Deletes an existing private endpoint connection | +> | Microsoft.Devices/iotHubs/privateEndpointConnections/Write | Creates or updates a private endpoint connection | +> | Microsoft.Devices/iotHubs/privateEndpointConnections/operationResults/Read | Get the result of an async operation on a private endpoint connection | +> | Microsoft.Devices/iotHubs/privateLinkResources/Read | Gets 
private link resources for IotHub | +> | Microsoft.Devices/iotHubs/quotaMetrics/Read | Get Quota Metrics | +> | Microsoft.Devices/iotHubs/routing/$testall/Action | Test a message against all existing Routes | +> | Microsoft.Devices/iotHubs/routing/$testnew/Action | Test a message against a provided test Route | +> | Microsoft.Devices/iotHubs/routingEndpointsHealth/Read | Gets the health of all routing Endpoints for an IotHub | +> | Microsoft.Devices/iotHubs/securitySettings/Write | Update the Azure Security Center settings on Iot Hub | +> | Microsoft.Devices/iotHubs/securitySettings/Read | Get the Azure Security Center settings on Iot Hub | +> | Microsoft.Devices/iotHubs/securitySettings/operationResults/Read | Get the result of the Async Put operation for Iot Hub SecuritySettings | +> | Microsoft.Devices/iotHubs/skus/Read | Get valid IotHub Skus | +> | Microsoft.Devices/locations/operationresults/Read | Get Location based Operation Result | +> | Microsoft.Devices/operationresults/Read | Get Operation Result | +> | Microsoft.Devices/operations/Read | Get All ResourceProvider Operations | +> | Microsoft.Devices/provisioningServices/Read | Get IotDps resource | +> | Microsoft.Devices/provisioningServices/Write | Create IotDps resource | +> | Microsoft.Devices/provisioningServices/Delete | Delete IotDps resource | +> | Microsoft.Devices/provisioningServices/listkeys/Action | Get all IotDps keys | +> | Microsoft.Devices/provisioningServices/privateEndpointConnectionsApproval/Action | Approve or reject a private endpoint connection | +> | Microsoft.Devices/provisioningServices/certificates/Read | Gets the Certificate | +> | Microsoft.Devices/provisioningServices/certificates/Write | Create or Update Certificate | +> | Microsoft.Devices/provisioningServices/certificates/Delete | Deletes Certificate | +> | Microsoft.Devices/provisioningServices/certificates/generateVerificationCode/Action | Generate Verification code | +> | 
Microsoft.Devices/provisioningServices/certificates/verify/Action | Verify Certificate resource | +> | Microsoft.Devices/provisioningServices/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.Devices/provisioningServices/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.Devices/provisioningServices/keys/listkeys/Action | Get IotDps Keys for key name | +> | Microsoft.Devices/provisioningServices/logDefinitions/read | Gets the available log definitions for the provisioning Service | +> | Microsoft.Devices/provisioningServices/metricDefinitions/read | Gets the available metrics for the provisioning service | +> | Microsoft.Devices/provisioningServices/operationresults/Read | Get DPS Operation Result | +> | Microsoft.Devices/provisioningServices/privateEndpointConnectionProxies/validate/Action | Validates private endpoint connection proxy input during create | +> | Microsoft.Devices/provisioningServices/privateEndpointConnectionProxies/Read | Gets properties for specified private endpoint connection proxy | +> | Microsoft.Devices/provisioningServices/privateEndpointConnectionProxies/Write | Creates or updates a private endpoint connection proxy | +> | Microsoft.Devices/provisioningServices/privateEndpointConnectionProxies/Delete | Deletes an existing private endpoint connection proxy | +> | Microsoft.Devices/provisioningServices/privateEndpointConnectionProxies/operationResults/Read | Get the result of an async operation on a private endpoint connection proxy | +> | Microsoft.Devices/provisioningServices/privateEndpointConnections/Read | Gets all the private endpoint connections for the specified iot hub | +> | Microsoft.Devices/provisioningServices/privateEndpointConnections/Delete | Deletes an existing private endpoint connection | +> | Microsoft.Devices/provisioningServices/privateEndpointConnections/Write | Creates or updates a private endpoint connection | +> | 
Microsoft.Devices/provisioningServices/privateEndpointConnections/operationResults/Read | Get the result of an async operation on a private endpoint connection | +> | Microsoft.Devices/provisioningServices/privateLinkResources/Read | Gets private link resources for IotHub | +> | Microsoft.Devices/provisioningServices/skus/Read | Get valid IotDps Skus | +> | Microsoft.Devices/usages/Read | Get subscription usage details for this provider. | +> | **DataAction** | **Description** | +> | Microsoft.Devices/IotHubs/cloudToDeviceMessages/send/action | Send cloud-to-device message to any device | +> | Microsoft.Devices/IotHubs/cloudToDeviceMessages/feedback/action | Receive, complete, or abandon cloud-to-device message feedback notification | +> | Microsoft.Devices/IotHubs/cloudToDeviceMessages/queue/purge/action | Deletes all the pending commands for a device | +> | Microsoft.Devices/IotHubs/configurations/read | Read device management configurations | +> | Microsoft.Devices/IotHubs/configurations/write | Create or update device management configurations | +> | Microsoft.Devices/IotHubs/configurations/delete | Delete any device management configuration | +> | Microsoft.Devices/IotHubs/configurations/applyToEdgeDevice/action | Applies the configuration content to an edge device | +> | Microsoft.Devices/IotHubs/configurations/testQueries/action | Validates target condition and custom metric queries for a configuration | +> | Microsoft.Devices/IotHubs/devices/read | Read any device or module identity | +> | Microsoft.Devices/IotHubs/devices/write | Create or update any device or module identity | +> | Microsoft.Devices/IotHubs/devices/delete | Delete any device or module identity | +> | Microsoft.Devices/IotHubs/directMethods/invoke/action | Invokes a direct method on a device | +> | Microsoft.Devices/IotHubs/fileUpload/notifications/action | Receive, complete, or abandon file upload notifications | +> | Microsoft.Devices/IotHubs/jobs/read | Return a list of jobs | +> | 
Microsoft.Devices/IotHubs/jobs/write | Create or update any job | +> | Microsoft.Devices/IotHubs/jobs/delete | Delete any job | +> | Microsoft.Devices/IotHubs/statistics/read | Read device and service statistics | +> | Microsoft.Devices/IotHubs/twins/read | Read any device or module twin | +> | Microsoft.Devices/IotHubs/twins/write | Write any device or module twin | +> | Microsoft.Devices/provisioningServices/attestationmechanism/details/action | Fetch Attestation Mechanism Details | +> | Microsoft.Devices/provisioningServices/enrollmentGroups/read | Read Enrollment Groups | +> | Microsoft.Devices/provisioningServices/enrollmentGroups/write | Write Enrollment Groups | +> | Microsoft.Devices/provisioningServices/enrollmentGroups/delete | Delete Enrollment Groups | +> | Microsoft.Devices/provisioningServices/enrollments/read | Read Enrollments | +> | Microsoft.Devices/provisioningServices/enrollments/write | Write Enrollments | +> | Microsoft.Devices/provisioningServices/enrollments/delete | Delete Enrollments | +> | Microsoft.Devices/provisioningServices/registrationStates/read | Read Registration States | +> | Microsoft.Devices/provisioningServices/registrationStates/delete | Delete Registration States | ++## Microsoft.DeviceUpdate ++Azure service: [Device Update for IoT Hub](/azure/iot-hub-device-update/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.DeviceUpdate/checkNameAvailability/action | Checks Name Availability | +> | Microsoft.DeviceUpdate/register/action | Registers Device Update | +> | Microsoft.DeviceUpdate/unregister/action | Unregisters Device Update | +> | Microsoft.DeviceUpdate/accounts/read | Returns the list of Device Update Accounts | +> | Microsoft.DeviceUpdate/accounts/write | Creates or updates a Device Update Account | +> | Microsoft.DeviceUpdate/accounts/delete | Deletes a Device Update Account | +> | Microsoft.DeviceUpdate/accounts/agents/read | Returns the list of Device Update Agents | +> | 
Microsoft.DeviceUpdate/accounts/agents/write | Creates or updates a Device Update Agent | +> | Microsoft.DeviceUpdate/accounts/agents/delete | Deletes a Device Update Agent | +> | Microsoft.DeviceUpdate/accounts/instances/read | Returns the list of Device Update Instances | +> | Microsoft.DeviceUpdate/accounts/instances/write | Creates or updates a Device Update Instance | +> | Microsoft.DeviceUpdate/accounts/instances/delete | Deletes a Device Update Instance | +> | Microsoft.DeviceUpdate/accounts/privateEndpointConnectionProxies/read | Returns the list of Device Update Private Endpoint Connection Proxies | +> | Microsoft.DeviceUpdate/accounts/privateEndpointConnectionProxies/write | Creates or updates a Device Update Private Endpoint Connection Proxy | +> | Microsoft.DeviceUpdate/accounts/privateEndpointConnectionProxies/delete | Deletes a Device Update Private Endpoint Connection Proxy | +> | Microsoft.DeviceUpdate/accounts/privateEndpointConnectionProxies/validate/action | Validates a Device Update Private Endpoint Connection Proxy | +> | Microsoft.DeviceUpdate/accounts/privateEndpointConnections/read | Returns the list of Device Update Private Endpoint Connections | +> | Microsoft.DeviceUpdate/accounts/privateEndpointConnections/write | Creates or updates a Device Update Private Endpoint Connection | +> | Microsoft.DeviceUpdate/accounts/privateEndpointConnections/delete | Deletes a Device Update Private Endpoint Connection | +> | Microsoft.DeviceUpdate/accounts/privateLinkResources/read | Returns the list of Device Update Private Link Resources | +> | Microsoft.DeviceUpdate/locations/operationStatuses/read | Gets an Operation Status | +> | Microsoft.DeviceUpdate/locations/operationStatuses/write | Updates an Operation Status | +> | Microsoft.DeviceUpdate/operations/read | Lists Device Update Operations | +> | Microsoft.DeviceUpdate/registeredSubscriptions/read | Reads registered subscriptions | +> | **DataAction** | **Description** | +> | 
Microsoft.DeviceUpdate/accounts/instances/management/read | Performs a read operation related to management | +> | Microsoft.DeviceUpdate/accounts/instances/management/write | Performs a write operation related to management | +> | Microsoft.DeviceUpdate/accounts/instances/management/delete | Performs a delete operation related to management | +> | Microsoft.DeviceUpdate/accounts/instances/updates/read | Performs a read operation related to updates | +> | Microsoft.DeviceUpdate/accounts/instances/updates/write | Performs a write operation related to updates | +> | Microsoft.DeviceUpdate/accounts/instances/updates/delete | Performs a delete operation related to updates | ++## Microsoft.DigitalTwins ++Azure service: [Azure Digital Twins](/azure/digital-twins/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.DigitalTwins/register/action | Register the Subscription for the Digital Twins resource provider and enable the creation of Digital Twins instances. 
| +> | Microsoft.DigitalTwins/unregister/action | Unregister the subscription for the Digital Twins Resource Provider | +> | Microsoft.DigitalTwins/digitalTwinsInstances/read | Read any Microsoft.DigitalTwins/digitalTwinsInstances resource | +> | Microsoft.DigitalTwins/digitalTwinsInstances/write | Create or update any Microsoft.DigitalTwins/digitalTwinsInstances resource | +> | Microsoft.DigitalTwins/digitalTwinsInstances/delete | Delete an Microsoft.DigitalTwins/digitalTwinsInstances resource | +> | Microsoft.DigitalTwins/digitalTwinsInstances/PrivateEndpointConnectionsApproval/action | Approve PrivateEndpointConnection resource | +> | Microsoft.DigitalTwins/digitalTwinsInstances/diagnosticSettings/read | Gets the diagnostic settings for the resource | +> | Microsoft.DigitalTwins/digitalTwinsInstances/diagnosticSettings/write | Sets the diagnostic settings for the resource | +> | Microsoft.DigitalTwins/digitalTwinsInstances/endpoints/delete | Delete any Endpoint of a Digital Twins resource | +> | Microsoft.DigitalTwins/digitalTwinsInstances/endpoints/read | Read any Endpoint of a Digital Twins resource | +> | Microsoft.DigitalTwins/digitalTwinsInstances/endpoints/write | Create or Update any Endpoint of a Digital Twins resource | +> | Microsoft.DigitalTwins/digitalTwinsInstances/logDefinitions/read | Gets the log settings for the resource's Azure Monitor | +> | Microsoft.DigitalTwins/digitalTwinsInstances/metricDefinitions/read | Gets the metric settings for the resource's Azure Monitor | +> | Microsoft.DigitalTwins/digitalTwinsInstances/operationResults/read | Read any Operation Result | +> | Microsoft.DigitalTwins/digitalTwinsInstances/privateEndpointConnectionProxies/validate/action | Validate PrivateEndpointConnectionProxies resource | +> | Microsoft.DigitalTwins/digitalTwinsInstances/privateEndpointConnectionProxies/read | Read PrivateEndpointConnectionProxies resource | +> | Microsoft.DigitalTwins/digitalTwinsInstances/privateEndpointConnectionProxies/write 
| Write PrivateEndpointConnectionProxies resource | +> | Microsoft.DigitalTwins/digitalTwinsInstances/privateEndpointConnectionProxies/delete | Delete PrivateEndpointConnectionProxies resource | +> | Microsoft.DigitalTwins/digitalTwinsInstances/privateEndpointConnectionProxies/operationResults/read | Get the result of an async operation on a private endpoint connection proxy | +> | Microsoft.DigitalTwins/digitalTwinsInstances/privateEndpointConnections/read | Read PrivateEndpointConnection resource | +> | Microsoft.DigitalTwins/digitalTwinsInstances/privateEndpointConnections/write | Write PrivateEndpointConnection resource | +> | Microsoft.DigitalTwins/digitalTwinsInstances/privateEndpointConnections/delete | Delete PrivateEndpointConnection resource | +> | Microsoft.DigitalTwins/digitalTwinsInstances/privateEndpointConnections/operationResults/read | Get the result of an async operation on a private endpoint connection | +> | Microsoft.DigitalTwins/digitalTwinsInstances/privateLinkResources/read | Reads PrivateLinkResources for Digital Twins | +> | Microsoft.DigitalTwins/digitalTwinsInstances/timeSeriesDatabaseConnections/delete | Delete any time series database connection of a Digital Twins resource | +> | Microsoft.DigitalTwins/digitalTwinsInstances/timeSeriesDatabaseConnections/read | Read any time series database connection of a Digital Twins resource | +> | Microsoft.DigitalTwins/digitalTwinsInstances/timeSeriesDatabaseConnections/write | Create any time series database connection of a Digital Twins resource | +> | Microsoft.DigitalTwins/locations/checkNameAvailability/action | Check Name Availability of a resource in the Digital Twins Resource Provider | +> | Microsoft.DigitalTwins/locations/operationResults/read | Read any Operation Result | +> | Microsoft.DigitalTwins/locations/operationsStatuses/read | Read any Operation Status | +> | Microsoft.DigitalTwins/operations/read | Read all Operations | +> | **DataAction** | **Description** | +> | 
Microsoft.DigitalTwins/query/action | Query any Digital Twins Graph | +> | Microsoft.DigitalTwins/digitaltwins/read | Read any Digital Twin | +> | Microsoft.DigitalTwins/digitaltwins/write | Create or Update any Digital Twin | +> | Microsoft.DigitalTwins/digitaltwins/delete | Delete any Digital Twin | +> | Microsoft.DigitalTwins/digitaltwins/commands/action | Invoke any Command on a Digital Twin | +> | Microsoft.DigitalTwins/digitaltwins/relationships/read | Read any Digital Twin Relationship | +> | Microsoft.DigitalTwins/digitaltwins/relationships/write | Create or Update any Digital Twin Relationship | +> | Microsoft.DigitalTwins/digitaltwins/relationships/delete | Delete any Digital Twin Relationship | +> | Microsoft.DigitalTwins/eventroutes/read | Read any Event Route | +> | Microsoft.DigitalTwins/eventroutes/delete | Delete any Event Route | +> | Microsoft.DigitalTwins/eventroutes/write | Create or Update any Event Route | +> | Microsoft.DigitalTwins/jobs/delete/read | Read any Bulk Delete Job | +> | Microsoft.DigitalTwins/jobs/delete/write | Create any Bulk Delete Job | +> | Microsoft.DigitalTwins/jobs/deletions/read | Read any Bulk Delete Job | +> | Microsoft.DigitalTwins/jobs/deletions/write | Create any Bulk Delete Job | +> | Microsoft.DigitalTwins/jobs/import/read | Read any Bulk Import Job | +> | Microsoft.DigitalTwins/jobs/imports/read | Read any Bulk Import Job | +> | Microsoft.DigitalTwins/jobs/imports/write | Create any Bulk Import Job | +> | Microsoft.DigitalTwins/jobs/imports/delete | Delete any Bulk Import Job | +> | Microsoft.DigitalTwins/jobs/imports/cancel/action | Cancel any Bulk Import Job | +> | Microsoft.DigitalTwins/models/read | Read any Model | +> | Microsoft.DigitalTwins/models/write | Create or Update any Model | +> | Microsoft.DigitalTwins/models/delete | Delete any Model | ++## Microsoft.IoTCentral ++Azure service: [IoT Central](/azure/iot-central/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | 
Microsoft.IoTCentral/checkNameAvailability/action | Checks if a IoTApp resource name is available | +> | Microsoft.IoTCentral/checkSubdomainAvailability/action | Check if a IoTApp resource subdomain is available | +> | Microsoft.IoTCentral/appTemplates/action | Lists application templates for IoTApps resources. | +> | Microsoft.IoTCentral/register/action | Register the subscription for the IoTCentral resource provider | +> | Microsoft.IoTCentral/IoTApps/read | Read IoTApp resources | +> | Microsoft.IoTCentral/IoTApps/write | Create or update a IoTApp resource | +> | Microsoft.IoTCentral/IoTApps/delete | Delete IoTApp resource | +> | Microsoft.IoTCentral/IoTApps/privateEndpointConnectionProxies/validate/action | Validate private endpoint connection proxies during Create/Update/Patch | +> | Microsoft.IoTCentral/IoTApps/privateEndpointConnectionProxies/read | Read private endpoint connection proxies | +> | Microsoft.IoTCentral/IoTApps/privateEndpointConnectionProxies/write | Create/Update/Patch private endpoint connection proxies | +> | Microsoft.IoTCentral/IoTApps/privateEndpointConnectionProxies/delete | Deletes private endpoint connection proxies | +> | Microsoft.IoTCentral/IoTApps/privateEndpointConnections/write | Approve/reject/disconnect private endpoint connections | +> | Microsoft.IoTCentral/IoTApps/privateEndpointConnections/read | Read private endpoint connections | +> | Microsoft.IoTCentral/IoTApps/privateEndpointConnections/delete | Delete private endpoint connections | +> | Microsoft.IoTCentral/IoTApps/privateLinkResources/read | Read private link resources | +> | Microsoft.IoTCentral/IoTApps/providers/Microsoft.Insights/diagnosticSettings/read | Get/List all the diagnostic settings for the resource | +> | Microsoft.IoTCentral/IoTApps/providers/Microsoft.Insights/diagnosticSettings/write | Set diagnostic settings for the resource | +> | Microsoft.IoTCentral/IoTApps/providers/Microsoft.Insights/metricDefinitions/read | Read all the available metric 
definitions for IoT Central | +> | Microsoft.IoTCentral/locations/operationResults/read | Get async operation results for IoT Central | +> | Microsoft.IoTCentral/locations/operationStatuses/read | Get async operation status for IoT Central | +> | Microsoft.IoTCentral/operations/read | Get/List all the available operations for IoT Central | ++## Microsoft.IoTSecurity ++Azure service: [IoT security](/azure/iot/iot-security-architecture) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.IoTSecurity/unregister/action | Unregisters the subscription for Azure Defender for IoT | +> | Microsoft.IoTSecurity/register/action | Registers the subscription for Azure Defender for IoT | +> | Microsoft.IoTSecurity/defenderSettings/read | Gets IoT Defender Settings | +> | Microsoft.IoTSecurity/defenderSettings/write | Creates or updates IoT Defender Settings | +> | Microsoft.IoTSecurity/defenderSettings/delete | Deletes IoT Defender Settings | +> | Microsoft.IoTSecurity/defenderSettings/packageDownloads/action | Gets downloadable IoT Defender packages information | +> | Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action | Download manager activation file | +> | Microsoft.IoTSecurity/endpoints/read | Download sensor endpoints in location | +> | Microsoft.IoTSecurity/locations/read | Gets location | +> | Microsoft.IoTSecurity/locations/alertSuppressionRules/read | Gets alert suppression rule | +> | Microsoft.IoTSecurity/locations/alertSuppressionRules/write | Creates alert suppression rule | +> | Microsoft.IoTSecurity/locations/alertSuppressionRules/delete | Deletes alert suppression rule | +> | Microsoft.IoTSecurity/locations/deviceGroups/read | Gets device group | +> | Microsoft.IoTSecurity/locations/deviceGroups/alerts/read | Gets IoT Alerts | +> | Microsoft.IoTSecurity/locations/deviceGroups/alerts/write | Updates IoT Alert properties | +> | Microsoft.IoTSecurity/locations/deviceGroups/alerts/learn/action | Learn and close 
the alert | +> | Microsoft.IoTSecurity/locations/deviceGroups/alerts/pcapAvailability/action | Get alert PCAP file aviability | +> | Microsoft.IoTSecurity/locations/deviceGroups/alerts/pcapRequest/action | Request related PCAP file for alert | +> | Microsoft.IoTSecurity/locations/deviceGroups/alerts/pcaps/write | Request related PCAP file for alert | +> | Microsoft.IoTSecurity/locations/deviceGroups/devices/read | Get devices | +> | Microsoft.IoTSecurity/locations/deviceGroups/devices/write | Updates device properties | +> | Microsoft.IoTSecurity/locations/deviceGroups/devices/delete | Deletes device | +> | Microsoft.IoTSecurity/locations/deviceGroups/recommendations/read | Gets IoT Recommendations | +> | Microsoft.IoTSecurity/locations/deviceGroups/recommendations/write | Updates IoT Recommendation properties | +> | Microsoft.IoTSecurity/locations/deviceGroups/vulnerabilities/read | Gets device vulnerabilities | +> | Microsoft.IoTSecurity/locations/remoteConfigurations/read | Gets remote configuration | +> | Microsoft.IoTSecurity/locations/remoteConfigurations/write | Creates remote configuration | +> | Microsoft.IoTSecurity/locations/remoteConfigurations/delete | Deletes remote configuration | +> | Microsoft.IoTSecurity/locations/sensors/read | Gets IoT Sensors | +> | Microsoft.IoTSecurity/locations/sites/read | Gets IoT site | +> | Microsoft.IoTSecurity/locations/sites/write | Creates IoT site | +> | Microsoft.IoTSecurity/locations/sites/delete | Deletes IoT site | +> | Microsoft.IoTSecurity/locations/sites/sensors/read | Gets IoT Sensors | +> | Microsoft.IoTSecurity/locations/sites/sensors/write | Creates or updates IoT Sensors | +> | Microsoft.IoTSecurity/locations/sites/sensors/delete | Deletes IoT Sensors | +> | Microsoft.IoTSecurity/locations/sites/sensors/downloadActivation/action | Downloads activation file for IoT Sensors | +> | Microsoft.IoTSecurity/locations/sites/sensors/triggerTiPackageUpdate/action | Triggers threat intelligence package update | +> 
| Microsoft.IoTSecurity/locations/sites/sensors/downloadResetPassword/action | Downloads reset password file for IoT Sensors | +> | Microsoft.IoTSecurity/locations/sites/sensors/updateSoftwareVersion/action | Trigger sensor update | +> | Microsoft.IoTSecurity/onPremiseSensors/read | Gets on-premise IoT Sensors | +> | Microsoft.IoTSecurity/onPremiseSensors/write | Creates or updates on-premise IoT Sensors | +> | Microsoft.IoTSecurity/onPremiseSensors/delete | Deletes on-premise IoT Sensors | +> | Microsoft.IoTSecurity/onPremiseSensors/downloadActivation/action | Gets on-premise IoT Sensor Activation File | +> | Microsoft.IoTSecurity/onPremiseSensors/downloadResetPassword/action | Downloads file for reset password of the on-premise IoT Sensor | +> | Microsoft.IoTSecurity/onPremiseSensors/listDiagnosticsUploadDetails/action | Get details required to upload sensor diagnostics data | +> | Microsoft.IoTSecurity/sensors/read | Gets IoT Sensors | ++## Microsoft.NotificationHubs ++Azure service: [Notification Hubs](/azure/notification-hubs/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.NotificationHubs/register/action | Registers the subscription for the NotificationHubs resource provider and enables the creation of Namespaces and NotificationHubs | +> | Microsoft.NotificationHubs/unregister/action | Unregisters the subscription for the NotificationHubs resource provider and enables the creation of Namespaces and NotificationHubs | +> | Microsoft.NotificationHubs/CheckNamespaceAvailability/action | Checks whether or not a given Namespace resource name is available within the NotificationHub service. | +> | Microsoft.NotificationHubs/CheckNamespaceAvailability/read | Checks whether or not a given Namespace resource name is available within the NotificationHub service. | +> | Microsoft.NotificationHubs/Namespaces/write | Create a Namespace Resource and Update its properties. 
Tags and Capacity of the Namespace are the properties which can be updated. | +> | Microsoft.NotificationHubs/Namespaces/read | Get the list of Namespace Resource Description | +> | Microsoft.NotificationHubs/Namespaces/delete | Delete Namespace Resource | +> | Microsoft.NotificationHubs/Namespaces/authorizationRules/action | Get the list of Namespaces Authorization Rules description. | +> | Microsoft.NotificationHubs/Namespaces/CheckNotificationHubAvailability/action | Checks whether or not a given NotificationHub name is available inside a Namespace. | +> | Microsoft.NotificationHubs/namespaces/privateEndpointConnectionsApproval/action | Approve Private Endpoint Connection | +> | Microsoft.NotificationHubs/Namespaces/authorizationRules/write | Create a Namespace level Authorization Rules and update its properties. The Authorization Rules Access Rights, the Primary and Secondary Keys can be updated. | +> | Microsoft.NotificationHubs/Namespaces/authorizationRules/read | Get the list of Namespaces Authorization Rules description. | +> | Microsoft.NotificationHubs/Namespaces/authorizationRules/delete | Delete Namespace Authorization Rule. The Default Namespace Authorization Rule cannot be deleted. | +> | Microsoft.NotificationHubs/Namespaces/authorizationRules/listkeys/action | Get the Connection String to the Namespace | +> | Microsoft.NotificationHubs/Namespaces/authorizationRules/regenerateKeys/action | Namespace Authorization Rule Regenerate Primary/SecondaryKey, Specify the Key that needs to be regenerated | +> | Microsoft.NotificationHubs/Namespaces/NotificationHubs/write | Create a Notification Hub and Update its properties. Its properties mainly include PNS Credentials. 
Authorization Rules and TTL | +> | Microsoft.NotificationHubs/Namespaces/NotificationHubs/read | Get list of Notification Hub Resource Descriptions | +> | Microsoft.NotificationHubs/Namespaces/NotificationHubs/delete | Delete Notification Hub Resource | +> | Microsoft.NotificationHubs/Namespaces/NotificationHubs/authorizationRules/action | Get the list of Notification Hub Authorization Rules | +> | Microsoft.NotificationHubs/Namespaces/NotificationHubs/pnsCredentials/action | Get All Notification Hub PNS Credentials. This includes, WNS, MPNS, APNS, GCM and Baidu credentials | +> | Microsoft.NotificationHubs/Namespaces/NotificationHubs/debugSend/action | Send a test push notification to 10 matched devices. | +> | Microsoft.NotificationHubs/Namespaces/NotificationHubs/authorizationRules/write | Create Notification Hub Authorization Rules and Update its properties. The Authorization Rules Access Rights, the Primary and Secondary Keys can be updated. | +> | Microsoft.NotificationHubs/Namespaces/NotificationHubs/authorizationRules/read | Get the list of Notification Hub Authorization Rules | +> | Microsoft.NotificationHubs/Namespaces/NotificationHubs/authorizationRules/delete | Delete Notification Hub Authorization Rules | +> | Microsoft.NotificationHubs/Namespaces/NotificationHubs/authorizationRules/listkeys/action | Get the Connection String to the Notification Hub | +> | Microsoft.NotificationHubs/Namespaces/NotificationHubs/authorizationRules/regenerateKeys/action | Notification Hub Authorization Rule Regenerate Primary/SecondaryKey, Specify the Key that needs to be regenerated | +> | Microsoft.NotificationHubs/Namespaces/NotificationHubs/metricDefinitions/read | Get list of Namespace metrics Resource Descriptions | +> | Microsoft.NotificationHubs/Namespaces/NotificationHubs/vapidkeys/read | Get new pair of VAPID keys for a Notification Hub | +> | Microsoft.NotificationHubs/Namespaces/operations/read | Returns a list of supported operations for Notification Hubs 
namespaces provider | +> | Microsoft.NotificationHubs/namespaces/privateEndpointConnectionProxies/validate/action | Validate Private Endpoint Connection Proxy | +> | Microsoft.NotificationHubs/namespaces/privateEndpointConnectionProxies/read | Get Private Endpoint Connection Proxy | +> | Microsoft.NotificationHubs/namespaces/privateEndpointConnectionProxies/write | Create Private Endpoint Connection Proxy | +> | Microsoft.NotificationHubs/namespaces/privateEndpointConnectionProxies/delete | Delete Private Endpoint Connection Proxy | +> | Microsoft.NotificationHubs/namespaces/privateEndpointConnectionProxies/operationstatus/read | Get the status of an asynchronous private endpoint operation | +> | Microsoft.NotificationHubs/namespaces/privateEndpointConnections/read | Get Private Endpoint Connection | +> | Microsoft.NotificationHubs/namespaces/privateEndpointConnections/write | Create or Update Private Endpoint Connection | +> | Microsoft.NotificationHubs/namespaces/privateEndpointConnections/delete | Removes Private Endpoint Connection | +> | Microsoft.NotificationHubs/namespaces/privateEndpointConnections/operationstatus/read | Removes Private Endpoint Connection | +> | Microsoft.NotificationHubs/namespaces/providers/Microsoft.Insights/diagnosticSettings/read | Get Namespace diagnostic settings | +> | Microsoft.NotificationHubs/namespaces/providers/Microsoft.Insights/diagnosticSettings/write | Create or Update Namespace diagnostic settings | +> | Microsoft.NotificationHubs/namespaces/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for Namespace | +> | Microsoft.NotificationHubs/operationResults/read | Returns operation results for Notification Hubs provider | +> | Microsoft.NotificationHubs/operations/read | Returns a list of supported operations for Notification Hubs provider | +> | Microsoft.NotificationHubs/resourceTypes/read | Gets a list of the resource types for Notification Hubs | ++## Microsoft.TimeSeriesInsights ++Azure service: 
[Time Series Insights](/azure/time-series-insights/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.TimeSeriesInsights/register/action | Registers the subscription for the Time Series Insights resource provider and enables the creation of Time Series Insights environments. | +> | Microsoft.TimeSeriesInsights/environments/read | Get the properties of an environment. | +> | Microsoft.TimeSeriesInsights/environments/write | Creates a new environment, or updates an existing environment. | +> | Microsoft.TimeSeriesInsights/environments/delete | Deletes the environment. | +> | Microsoft.TimeSeriesInsights/environments/accesspolicies/read | Get the properties of an access policy. | +> | Microsoft.TimeSeriesInsights/environments/accesspolicies/write | Creates a new access policy for an environment, or updates an existing access policy. | +> | Microsoft.TimeSeriesInsights/environments/accesspolicies/delete | Deletes the access policy. | +> | Microsoft.TimeSeriesInsights/environments/eventsources/read | Get the properties of an event source. | +> | Microsoft.TimeSeriesInsights/environments/eventsources/write | Creates a new event source for an environment, or updates an existing event source. | +> | Microsoft.TimeSeriesInsights/environments/eventsources/delete | Deletes the event source. 
| +> | Microsoft.TimeSeriesInsights/environments/eventsources/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.TimeSeriesInsights/environments/eventsources/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.TimeSeriesInsights/environments/eventsources/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for the event source | +> | Microsoft.TimeSeriesInsights/environments/eventsources/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for eventsources | +> | Microsoft.TimeSeriesInsights/environments/privateEndpointConnectionProxies/read | Get the properties of a private endpoint connection proxy. | +> | Microsoft.TimeSeriesInsights/environments/privateEndpointConnectionProxies/write | Creates a new private endpoint connection proxy for an environment, or updates an existing connection proxy. | +> | Microsoft.TimeSeriesInsights/environments/privateEndpointConnectionProxies/delete | Deletes the private endpoint connection proxy. | +> | Microsoft.TimeSeriesInsights/environments/privateEndpointConnectionProxies/validate/action | Validate the private endpoint connection proxy object before creation. | +> | Microsoft.TimeSeriesInsights/environments/privateEndpointConnectionProxies/operationresults/read | Validate the private endpoint connection proxy operation status. | +> | Microsoft.TimeSeriesInsights/environments/privateendpointConnections/read | Get the properties of a private endpoint connection. | +> | Microsoft.TimeSeriesInsights/environments/privateendpointConnections/write | Creates a new private endpoint connection for an environment, or updates an existing connection. | +> | Microsoft.TimeSeriesInsights/environments/privateendpointConnections/delete | Deletes the private endpoint connection. 
| +> | Microsoft.TimeSeriesInsights/environments/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.TimeSeriesInsights/environments/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.TimeSeriesInsights/environments/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for environments | +> | Microsoft.TimeSeriesInsights/environments/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for environments | +> | Microsoft.TimeSeriesInsights/environments/referencedatasets/read | Get the properties of a reference data set. | +> | Microsoft.TimeSeriesInsights/environments/referencedatasets/write | Creates a new reference data set for an environment, or updates an existing reference data set. | +> | Microsoft.TimeSeriesInsights/environments/referencedatasets/delete | Deletes the reference data set. | +> | Microsoft.TimeSeriesInsights/environments/status/read | Get the status of the environment, state of its associated operations like ingress. | ++## Next steps ++- [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types) |
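Review bot: the Microsoft.DigitalTwins DataAction rows contain pairs that differ only by a singular/plural path segment yet carry one description, so a reader assembling a custom role cannot tell which string is current: `Microsoft.DigitalTwins/jobs/delete/read` and `Microsoft.DigitalTwins/jobs/deletions/read` are both "Read any Bulk Delete Job", `jobs/delete/write` and `jobs/deletions/write` are both "Create any Bulk Delete Job", and `jobs/import/read` and `jobs/imports/read` are both "Read any Bulk Import Job", while only the `imports` form also has `write`, `delete` and `cancel/action` rows. Suggest marking the older form as legacy, or stating that both are live, so that roles are not written against a string the service no longer emits. Same region: "Delete an Microsoft.DigitalTwins/digitalTwinsInstances resource" should read "Delete a ...".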
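Review bot: several descriptions in the Microsoft.IoTSecurity and Microsoft.NotificationHubs tables are copy-paste errors that state the wrong effect for the permission and should be fixed before this lands. `Microsoft.NotificationHubs/unregister/action` reads "Unregisters the subscription for the NotificationHubs resource provider and enables the creation of Namespaces and NotificationHubs", which is the register wording; `Microsoft.NotificationHubs/namespaces/privateEndpointConnections/operationstatus/read` reads "Removes Private Endpoint Connection", the delete wording, where the parallel proxy row correctly says "Get the status of an asynchronous private endpoint operation"; `Microsoft.IoTSecurity/locations/deviceGroups/alerts/pcapRequest/action` and `.../alerts/pcaps/write` share the single description "Request related PCAP file for alert"; and `.../alerts/pcapAvailability/action` spells "aviability". In a permissions reference a wrong description is a correctness bug, not a typo, because it is what the reader relies on when deciding whether to grant the string.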
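Review bot: the Microsoft.NotificationHubs table lists operations that return or rotate shared secrets as ordinary control-plane Actions with nothing to set them apart: `Microsoft.NotificationHubs/Namespaces/authorizationRules/listkeys/action` and `.../NotificationHubs/authorizationRules/listkeys/action` ("Get the Connection String ..."), both `regenerateKeys/action` rows, and `.../NotificationHubs/pnsCredentials/action` ("Get All Notification Hub PNS Credentials. This includes, WNS, MPNS, APNS, GCM and Baidu credentials"). A custom role built from this list with a wildcard such as `Microsoft.NotificationHubs/*` picks all of them up, and a "reader" or "operator" role that is meant to be read-only then hands out connection strings and platform push credentials. Suggest one sentence at the top of the section naming these actions as secret-bearing and recommending they be placed in NotActions for any role that is not intended to manage keys.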
role-based-access-control | Management And Governance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/management-and-governance.md | + + Title: Azure permissions for Management and governance - Azure RBAC +description: Lists the permissions for the Azure resource providers in the Management and governance category. +++++ Last updated : 02/07/2024++++# Azure permissions for Management and governance ++This article lists the permissions for the Azure resource providers in the Management and governance category. You can use these permissions in your own [Azure custom roles](/azure/role-based-access-control/custom-roles) to provide granular access control to resources in Azure. Permission strings have the following format: `{Company}.{ProviderName}/{resourceType}/{action}` +++## Microsoft.Advisor ++Azure service: [Azure Advisor](/azure/advisor/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Advisor/generateRecommendations/action | Gets generate recommendations status | +> | Microsoft.Advisor/register/action | Registers the subscription for the Microsoft Advisor | +> | Microsoft.Advisor/unregister/action | Unregisters the subscription for the Microsoft Advisor | +> | Microsoft.Advisor/advisorScore/read | Gets the score data for given subscription | +> | Microsoft.Advisor/assessments/read | Read assessments | +> | Microsoft.Advisor/assessments/write | Write assessments | +> | Microsoft.Advisor/assessmentTypes/read | Read assessmentTypes | +> | Microsoft.Advisor/configurations/read | Get configurations | +> | Microsoft.Advisor/configurations/write | Creates/updates configuration | +> | Microsoft.Advisor/generateRecommendations/read | Gets generate recommendations status | +> | Microsoft.Advisor/metadata/read | Get Metadata | +> | Microsoft.Advisor/operations/read | Gets the operations for the Microsoft Advisor | +> | Microsoft.Advisor/recommendations/read | Reads 
recommendations | +> | Microsoft.Advisor/recommendations/write | Writes recommendations | +> | Microsoft.Advisor/recommendations/available/action | New recommendation is available in Microsoft Advisor | +> | Microsoft.Advisor/recommendations/suppressions/read | Gets suppressions | +> | Microsoft.Advisor/recommendations/suppressions/write | Creates/updates suppressions | +> | Microsoft.Advisor/recommendations/suppressions/delete | Deletes suppression | +> | Microsoft.Advisor/resiliencyReviews/read | Read resiliencyReviews | +> | Microsoft.Advisor/suppressions/read | Gets suppressions | +> | Microsoft.Advisor/suppressions/write | Creates/updates suppressions | +> | Microsoft.Advisor/suppressions/delete | Deletes suppression | +> | Microsoft.Advisor/triageRecommendations/read | Read triageRecommendations | +> | Microsoft.Advisor/triageRecommendations/approve/action | Approve triageRecommendations | +> | Microsoft.Advisor/triageRecommendations/reject/action | Reject triageRecommendations | +> | Microsoft.Advisor/triageRecommendations/reset/action | Reset triageRecommendations | +> | Microsoft.Advisor/workloads/read | Read workloads | ++## Microsoft.Authorization ++Azure service: [Azure Policy](/azure/governance/policy/overview), [Azure RBAC](/azure/role-based-access-control/overview), [Azure Resource Manager](/azure/azure-resource-manager/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Authorization/elevateAccess/action | Grants the caller User Access Administrator access at the tenant scope | +> | Microsoft.Authorization/classicAdministrators/read | Reads the administrators for the subscription. Does not have an effect if used as a NotAction in a custom role. | +> | Microsoft.Authorization/classicAdministrators/write | Add or modify administrator to a subscription. | +> | Microsoft.Authorization/classicAdministrators/delete | Removes the administrator from the subscription. 
| +> | Microsoft.Authorization/classicAdministrators/operationstatuses/read | Gets the administrator operation statuses of the subscription. | +> | Microsoft.Authorization/denyAssignments/read | Get information about a deny assignment. | +> | Microsoft.Authorization/denyAssignments/write | Create a deny assignment at the specified scope. | +> | Microsoft.Authorization/denyAssignments/delete | Delete a deny assignment at the specified scope. | +> | Microsoft.Authorization/diagnosticSettings/read | Read the information about diagnostics settings | +> | Microsoft.Authorization/diagnosticSettings/write | Create or update the information of diagnostics settings | +> | Microsoft.Authorization/diagnosticSettings/delete | Delete diagnostics settings | +> | Microsoft.Authorization/diagnosticSettingsCategories/read | Get the information about diagnostic settings categories | +> | Microsoft.Authorization/locks/read | Gets locks at the specified scope. | +> | Microsoft.Authorization/locks/write | Add locks at the specified scope. | +> | Microsoft.Authorization/locks/delete | Delete locks at the specified scope. | +> | Microsoft.Authorization/operations/read | Gets the list of operations | +> | Microsoft.Authorization/permissions/read | Lists all the permissions the caller has at a given scope. | +> | Microsoft.Authorization/policies/audit/action | Action taken as a result of evaluation of Azure Policy with 'audit' effect | +> | Microsoft.Authorization/policies/auditIfNotExists/action | Action taken as a result of evaluation of Azure Policy with 'auditIfNotExists' effect | +> | Microsoft.Authorization/policies/deny/action | Action taken as a result of evaluation of Azure Policy with 'deny' effect | +> | Microsoft.Authorization/policies/deployIfNotExists/action | Action taken as a result of evaluation of Azure Policy with 'deployIfNotExists' effect | +> | Microsoft.Authorization/policyAssignments/read | Get information about a policy assignment. 
| +> | Microsoft.Authorization/policyAssignments/write | Create a policy assignment at the specified scope. | +> | Microsoft.Authorization/policyAssignments/delete | Delete a policy assignment at the specified scope. | +> | Microsoft.Authorization/policyAssignments/exempt/action | Exempt a policy assignment at the specified scope. | +> | Microsoft.Authorization/policyAssignments/privateLinkAssociations/read | Get information about private link association. | +> | Microsoft.Authorization/policyAssignments/privateLinkAssociations/write | Creates or updates a private link association. | +> | Microsoft.Authorization/policyAssignments/privateLinkAssociations/delete | Deletes a private link association. | +> | Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/read | Get information about resource management private link. | +> | Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/write | Creates or updates a resource management private link. | +> | Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/delete | Deletes a resource management private link. | +> | Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/read | Get information about private endpoint connection proxy. | +> | Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/write | Creates or updates a private endpoint connection proxy. | +> | Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/delete | Deletes a private endpoint connection proxy. | +> | Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/validate/action | Validates a private endpoint connection proxy. | +> | Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/read | Get information about private endpoint connection. 
| +> | Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/write | Creates or updates a private endpoint connection. | +> | Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/delete | Deletes a private endpoint connection. | +> | Microsoft.Authorization/policyDefinitions/read | Get information about a policy definition. | +> | Microsoft.Authorization/policyDefinitions/write | Create a custom policy definition. | +> | Microsoft.Authorization/policyDefinitions/delete | Delete a policy definition. | +> | Microsoft.Authorization/policyExemptions/read | Get information about a policy exemption. | +> | Microsoft.Authorization/policyExemptions/write | Create a policy exemption at the specified scope. | +> | Microsoft.Authorization/policyExemptions/delete | Delete a policy exemption at the specified scope. | +> | Microsoft.Authorization/policySetDefinitions/read | Get information about a policy set definition. | +> | Microsoft.Authorization/policySetDefinitions/write | Create a custom policy set definition. | +> | Microsoft.Authorization/policySetDefinitions/delete | Delete a policy set definition. | +> | Microsoft.Authorization/providerOperations/read | Get operations for all resource providers which can be used in role definitions. | +> | Microsoft.Authorization/roleAssignments/read | Get information about a role assignment. | +> | Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope. | +> | Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope. | +> | Microsoft.Authorization/roleAssignmentScheduleInstances/read | Gets the role assignment schedule instances at given scope. | +> | Microsoft.Authorization/roleAssignmentScheduleRequests/read | Gets the role assignment schedule requests at given scope. 
| +> | Microsoft.Authorization/roleAssignmentScheduleRequests/write | Creates a role assignment schedule request at given scope. | +> | Microsoft.Authorization/roleAssignmentScheduleRequests/cancel/action | Cancels a pending role assignment schedule request. | +> | Microsoft.Authorization/roleAssignmentSchedules/read | Gets the role assignment schedules at given scope. | +> | Microsoft.Authorization/roleDefinitions/read | Get information about a role definition. | +> | Microsoft.Authorization/roleDefinitions/write | Create or update a custom role definition with specified permissions and assignable scopes. | +> | Microsoft.Authorization/roleDefinitions/delete | Delete the specified custom role definition. | +> | Microsoft.Authorization/roleEligibilityScheduleInstances/read | Gets the role eligibility schedule instances at given scope. | +> | Microsoft.Authorization/roleEligibilityScheduleRequests/read | Gets the role eligibility schedule requests at given scope. | +> | Microsoft.Authorization/roleEligibilityScheduleRequests/write | Creates a role eligibility schedule request at given scope. | +> | Microsoft.Authorization/roleEligibilityScheduleRequests/cancel/action | Cancels a pending role eligibility schedule request. | +> | Microsoft.Authorization/roleEligibilitySchedules/read | Gets the role eligibility schedules at given scope. 
| +> | Microsoft.Authorization/roleManagementPolicies/read | Get Role management policies | +> | Microsoft.Authorization/roleManagementPolicies/write | Update a role management policy | +> | Microsoft.Authorization/roleManagementPolicyAssignments/read | Get role management policy assignments | ++## Microsoft.Automation ++Azure service: [Automation](/azure/automation/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Automation/register/action | Registers the subscription to Azure Automation | +> | Microsoft.Automation/automationAccounts/convertGraphRunbookContent/action | Convert Graph Runbook Content to its raw serialized format and vice-versa | +> | Microsoft.Automation/automationAccounts/webhooks/action | Generates a URI for an Azure Automation webhook | +> | Microsoft.Automation/automationAccounts/read | Gets an Azure Automation account | +> | Microsoft.Automation/automationAccounts/write | Creates or updates an Azure Automation account | +> | Microsoft.Automation/automationAccounts/listKeys/action | Reads the Keys for the automation account | +> | Microsoft.Automation/automationAccounts/delete | Deletes an Azure Automation account | +> | Microsoft.Automation/automationAccounts/agentRegistrationInformation/read | Read an Azure Automation DSC's registration information | +> | Microsoft.Automation/automationAccounts/agentRegistrationInformation/regenerateKey/action | Writes a request to regenerate Azure Automation DSC keys | +> | Microsoft.Automation/automationAccounts/certificates/getCount/action | Reads the count of certificates | +> | Microsoft.Automation/automationAccounts/certificates/read | Gets an Azure Automation certificate asset | +> | Microsoft.Automation/automationAccounts/certificates/write | Creates or updates an Azure Automation certificate asset | +> | Microsoft.Automation/automationAccounts/certificates/delete | Deletes an Azure Automation certificate asset | +> | 
Microsoft.Automation/automationAccounts/compilationjobs/write | Writes an Azure Automation DSC's Compilation | +> | Microsoft.Automation/automationAccounts/compilationjobs/read | Reads an Azure Automation DSC's Compilation | +> | Microsoft.Automation/automationAccounts/configurations/read | Gets an Azure Automation DSC's content | +> | Microsoft.Automation/automationAccounts/configurations/getCount/action | Reads the count of an Azure Automation DSC's content | +> | Microsoft.Automation/automationAccounts/configurations/write | Writes an Azure Automation DSC's content | +> | Microsoft.Automation/automationAccounts/configurations/delete | Deletes an Azure Automation DSC's content | +> | Microsoft.Automation/automationAccounts/configurations/content/read | Reads the configuration media content | +> | Microsoft.Automation/automationAccounts/connections/read | Gets an Azure Automation connection asset | +> | Microsoft.Automation/automationAccounts/connections/getCount/action | Reads the count of connections | +> | Microsoft.Automation/automationAccounts/connections/write | Creates or updates an Azure Automation connection asset | +> | Microsoft.Automation/automationAccounts/connections/delete | Deletes an Azure Automation connection asset | +> | Microsoft.Automation/automationAccounts/connectionTypes/read | Gets an Azure Automation connection type asset | +> | Microsoft.Automation/automationAccounts/connectionTypes/write | Creates an Azure Automation connection type asset | +> | Microsoft.Automation/automationAccounts/connectionTypes/delete | Deletes an Azure Automation connection type asset | +> | Microsoft.Automation/automationAccounts/credentials/read | Gets an Azure Automation credential asset | +> | Microsoft.Automation/automationAccounts/credentials/getCount/action | Reads the count of credentials | +> | Microsoft.Automation/automationAccounts/credentials/write | Creates or updates an Azure Automation credential asset | +> | 
Microsoft.Automation/automationAccounts/credentials/delete | Deletes an Azure Automation credential asset | +> | Microsoft.Automation/automationAccounts/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.Automation/automationAccounts/diagnosticSettings/write | Sets the diagnostic setting for the resource | +> | Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read | Reads a Hybrid Runbook Worker Group | +> | Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/write | Creates a Hybrid Runbook Worker Group | +> | Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/delete | Deletes a Hybrid Runbook Worker Group | +> | Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/hybridRunbookWorkers/read | Reads a Hybrid Runbook Worker | +> | Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/hybridRunbookWorkers/write | Creates a Hybrid Runbook Worker | +> | Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/hybridRunbookWorkers/move/action | Moves Hybrid Runbook Worker from one Worker Group to another | +> | Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/hybridRunbookWorkers/delete | Deletes a Hybrid Runbook Worker | +> | Microsoft.Automation/automationAccounts/jobs/runbookContent/action | Gets the content of the Azure Automation runbook at the time of the job execution | +> | Microsoft.Automation/automationAccounts/jobs/read | Gets an Azure Automation job | +> | Microsoft.Automation/automationAccounts/jobs/write | Creates an Azure Automation job | +> | Microsoft.Automation/automationAccounts/jobs/stop/action | Stops an Azure Automation job | +> | Microsoft.Automation/automationAccounts/jobs/suspend/action | Suspends an Azure Automation job | +> | Microsoft.Automation/automationAccounts/jobs/resume/action | Resumes an Azure Automation job | +> | Microsoft.Automation/automationAccounts/jobs/output/read | Gets the output of a job | +> 
| Microsoft.Automation/automationAccounts/jobs/streams/read | Gets an Azure Automation job stream | +> | Microsoft.Automation/automationAccounts/jobSchedules/read | Gets an Azure Automation job schedule | +> | Microsoft.Automation/automationAccounts/jobSchedules/write | Creates an Azure Automation job schedule | +> | Microsoft.Automation/automationAccounts/jobSchedules/delete | Deletes an Azure Automation job schedule | +> | Microsoft.Automation/automationAccounts/linkedWorkspace/read | Gets the workspace linked to the automation account | +> | Microsoft.Automation/automationAccounts/logDefinitions/read | Gets the available logs for the automation account | +> | Microsoft.Automation/automationAccounts/modules/read | Gets an Azure Automation Powershell module | +> | Microsoft.Automation/automationAccounts/modules/getCount/action | Gets the count of Powershell modules within the Automation Account | +> | Microsoft.Automation/automationAccounts/modules/write | Creates or updates an Azure Automation Powershell module | +> | Microsoft.Automation/automationAccounts/modules/delete | Deletes an Azure Automation Powershell module | +> | Microsoft.Automation/automationAccounts/modules/activities/read | Gets Azure Automation Activities | +> | Microsoft.Automation/automationAccounts/nodeConfigurations/rawContent/action | Reads an Azure Automation DSC's node configuration content | +> | Microsoft.Automation/automationAccounts/nodeConfigurations/read | Reads an Azure Automation DSC's node configuration | +> | Microsoft.Automation/automationAccounts/nodeConfigurations/write | Writes an Azure Automation DSC's node configuration | +> | Microsoft.Automation/automationAccounts/nodeConfigurations/delete | Deletes an Azure Automation DSC's node configuration | +> | Microsoft.Automation/automationAccounts/nodecounts/read | Reads node count summary for the specified type | +> | Microsoft.Automation/automationAccounts/nodes/read | Reads Azure Automation DSC nodes | +> | 
Microsoft.Automation/automationAccounts/nodes/write | Creates or updates Azure Automation DSC nodes | +> | Microsoft.Automation/automationAccounts/nodes/delete | Deletes Azure Automation DSC nodes | +> | Microsoft.Automation/automationAccounts/nodes/reports/read | Reads Azure Automation DSC reports | +> | Microsoft.Automation/automationAccounts/nodes/reports/content/read | Reads Azure Automation DSC report contents | +> | Microsoft.Automation/automationAccounts/objectDataTypes/fields/read | Gets Azure Automation TypeFields | +> | Microsoft.Automation/automationAccounts/privateEndpointConnectionProxies/read | Reads Azure Automation Private Endpoint Connection Proxy | +> | Microsoft.Automation/automationAccounts/privateEndpointConnectionProxies/write | Creates an Azure Automation Private Endpoint Connection Proxy | +> | Microsoft.Automation/automationAccounts/privateEndpointConnectionProxies/validate/action | Validate a Private endpoint connection request (groupId Validation) | +> | Microsoft.Automation/automationAccounts/privateEndpointConnectionProxies/delete | Delete an Azure Automation Private Endpoint Connection Proxy | +> | Microsoft.Automation/automationAccounts/privateEndpointConnectionProxies/operationResults/read | Get Azure Automation private endpoint proxy operation results. 
| +> | Microsoft.Automation/automationAccounts/privateEndpointConnections/read | Get Azure Automation Private Endpoint Connection status | +> | Microsoft.Automation/automationAccounts/privateEndpointConnections/write | Approve or reject an Azure Automation Private Endpoint Connection | +> | Microsoft.Automation/automationAccounts/privateEndpointConnections/delete | Delete an Azure Automation Private Endpoint Connection | +> | Microsoft.Automation/automationAccounts/privateLinkResources/read | Reads Group Information for private endpoints | +> | Microsoft.Automation/automationAccounts/providers/Microsoft.Insights/metricDefinitions/read | Gets Automation Metric Definitions | +> | Microsoft.Automation/automationAccounts/python2Packages/read | Gets an Azure Automation Python 2 package | +> | Microsoft.Automation/automationAccounts/python2Packages/write | Creates or updates an Azure Automation Python 2 package | +> | Microsoft.Automation/automationAccounts/python2Packages/delete | Deletes an Azure Automation Python 2 package | +> | Microsoft.Automation/automationAccounts/python3Packages/read | Gets an Azure Automation Python 3 package | +> | Microsoft.Automation/automationAccounts/python3Packages/write | Creates or updates an Azure Automation Python 3 package | +> | Microsoft.Automation/automationAccounts/python3Packages/delete | Deletes an Azure Automation Python 3 package | +> | Microsoft.Automation/automationAccounts/runbooks/read | Gets an Azure Automation runbook | +> | Microsoft.Automation/automationAccounts/runbooks/getCount/action | Gets the count of Azure Automation runbooks | +> | Microsoft.Automation/automationAccounts/runbooks/write | Creates or updates an Azure Automation runbook | +> | Microsoft.Automation/automationAccounts/runbooks/delete | Deletes an Azure Automation runbook | +> | Microsoft.Automation/automationAccounts/runbooks/publish/action | Publishes an Azure Automation runbook draft | +> | 
Microsoft.Automation/automationAccounts/runbooks/content/read | Gets the content of an Azure Automation runbook | +> | Microsoft.Automation/automationAccounts/runbooks/draft/read | Gets an Azure Automation runbook draft | +> | Microsoft.Automation/automationAccounts/runbooks/draft/undoEdit/action | Undo edits to an Azure Automation runbook draft | +> | Microsoft.Automation/automationAccounts/runbooks/draft/write | Creates an Azure Automation runbook draft | +> | Microsoft.Automation/automationAccounts/runbooks/draft/content/write | Creates the content of an Azure Automation runbook draft | +> | Microsoft.Automation/automationAccounts/runbooks/draft/operationResults/read | Gets Azure Automation runbook draft operation results | +> | Microsoft.Automation/automationAccounts/runbooks/draft/testJob/read | Gets an Azure Automation runbook draft test job | +> | Microsoft.Automation/automationAccounts/runbooks/draft/testJob/write | Creates an Azure Automation runbook draft test job | +> | Microsoft.Automation/automationAccounts/runbooks/draft/testJob/stop/action | Stops an Azure Automation runbook draft test job | +> | Microsoft.Automation/automationAccounts/runbooks/draft/testJob/suspend/action | Suspends an Azure Automation runbook draft test job | +> | Microsoft.Automation/automationAccounts/runbooks/draft/testJob/resume/action | Resumes an Azure Automation runbook draft test job | +> | Microsoft.Automation/automationAccounts/runbooks/operationResults/read | Gets Azure Automation runbook operation results | +> | Microsoft.Automation/automationAccounts/schedules/read | Gets an Azure Automation schedule asset | +> | Microsoft.Automation/automationAccounts/schedules/getCount/action | Gets the count of Azure Automation schedules | +> | Microsoft.Automation/automationAccounts/schedules/write | Creates or updates an Azure Automation schedule asset | +> | Microsoft.Automation/automationAccounts/schedules/delete | Deletes an Azure Automation schedule asset | +> | 
Microsoft.Automation/automationAccounts/softwareUpdateConfigurationMachineRuns/read | Gets an Azure Automation Software Update Configuration Machine Run | +> | Microsoft.Automation/automationAccounts/softwareUpdateConfigurationRuns/read | Gets an Azure Automation Software Update Configuration Run | +> | Microsoft.Automation/automationAccounts/softwareUpdateConfigurations/write | Creates or updates Azure Automation Software Update Configuration | +> | Microsoft.Automation/automationAccounts/softwareUpdateConfigurations/read | Gets an Azure Automation Software Update Configuration | +> | Microsoft.Automation/automationAccounts/softwareUpdateConfigurations/delete | Deletes an Azure Automation Software Update Configuration | +> | Microsoft.Automation/automationAccounts/statistics/read | Gets Azure Automation Statistics | +> | Microsoft.Automation/automationAccounts/updateDeploymentMachineRuns/read | Get an Azure Automation update deployment machine | +> | Microsoft.Automation/automationAccounts/updateManagementPatchJob/read | Gets an Azure Automation update management patch job | +> | Microsoft.Automation/automationAccounts/usages/read | Gets Azure Automation Usage | +> | Microsoft.Automation/automationAccounts/variables/read | Reads an Azure Automation variable asset | +> | Microsoft.Automation/automationAccounts/variables/write | Creates or updates an Azure Automation variable asset | +> | Microsoft.Automation/automationAccounts/variables/delete | Deletes an Azure Automation variable asset | +> | Microsoft.Automation/automationAccounts/watchers/write | Creates an Azure Automation watcher job | +> | Microsoft.Automation/automationAccounts/watchers/read | Gets an Azure Automation watcher job | +> | Microsoft.Automation/automationAccounts/watchers/delete | Delete an Azure Automation watcher job | +> | Microsoft.Automation/automationAccounts/watchers/start/action | Start an Azure Automation watcher job | +> | Microsoft.Automation/automationAccounts/watchers/stop/action | 
Stop an Azure Automation watcher job | +> | Microsoft.Automation/automationAccounts/watchers/streams/read | Gets an Azure Automation watcher job stream | +> | Microsoft.Automation/automationAccounts/watchers/watcherActions/write | Create an Azure Automation watcher job actions | +> | Microsoft.Automation/automationAccounts/watchers/watcherActions/read | Gets an Azure Automation watcher job actions | +> | Microsoft.Automation/automationAccounts/watchers/watcherActions/delete | Delete an Azure Automation watcher job actions | +> | Microsoft.Automation/automationAccounts/webhooks/read | Reads an Azure Automation webhook | +> | Microsoft.Automation/automationAccounts/webhooks/write | Creates or updates an Azure Automation webhook | +> | Microsoft.Automation/automationAccounts/webhooks/delete | Deletes an Azure Automation webhook | +> | Microsoft.Automation/deletedAutomationAccounts/read | Gets an Azure Automation deleted account | +> | Microsoft.Automation/operations/read | Gets Available Operations for Azure Automation resources | ++## Microsoft.Batch ++Azure service: [Batch](/azure/batch/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Batch/register/action | Registers the subscription for the Batch Resource Provider and enables the creation of Batch accounts | +> | Microsoft.Batch/unregister/action | Unregisters the subscription for the Batch Resource Provider preventing the creation of Batch accounts | +> | Microsoft.Batch/batchAccounts/read | Lists Batch accounts or gets the properties of a Batch account | +> | Microsoft.Batch/batchAccounts/write | Creates a new Batch account or updates an existing Batch account | +> | Microsoft.Batch/batchAccounts/delete | Deletes a Batch account | +> | Microsoft.Batch/batchAccounts/listkeys/action | Lists access keys for a Batch account | +> | Microsoft.Batch/batchAccounts/regeneratekeys/action | Regenerates access keys for a Batch account | +> | 
Microsoft.Batch/batchAccounts/syncAutoStorageKeys/action | Synchronizes access keys for the auto storage account configured for a Batch account | +> | Microsoft.Batch/batchAccounts/applications/read | Lists applications or gets the properties of an application | +> | Microsoft.Batch/batchAccounts/applications/write | Creates a new application or updates an existing application | +> | Microsoft.Batch/batchAccounts/applications/delete | Deletes an application | +> | Microsoft.Batch/batchAccounts/applications/versions/read | Gets the properties of an application package | +> | Microsoft.Batch/batchAccounts/applications/versions/write | Creates a new application package or updates an existing application package | +> | Microsoft.Batch/batchAccounts/applications/versions/delete | Deletes an application package | +> | Microsoft.Batch/batchAccounts/applications/versions/activate/action | Activates an application package | +> | Microsoft.Batch/batchAccounts/certificateOperationResults/read | Gets the results of a long running certificate operation on a Batch account | +> | Microsoft.Batch/batchAccounts/certificates/read | Lists certificates on a Batch account or gets the properties of a certificate | +> | Microsoft.Batch/batchAccounts/certificates/write | Creates a new certificate on a Batch account or updates an existing certificate | +> | Microsoft.Batch/batchAccounts/certificates/delete | Deletes a certificate from a Batch account | +> | Microsoft.Batch/batchAccounts/certificates/cancelDelete/action | Cancels the failed deletion of a certificate on a Batch account | +> | Microsoft.Batch/batchAccounts/detectors/read | Gets AppLens Detector or Lists AppLens Detectors on a Batch account | +> | Microsoft.Batch/batchAccounts/operationResults/read | Gets the results of a long running Batch account operation | +> | Microsoft.Batch/batchAccounts/outboundNetworkDependenciesEndpoints/read | Lists the outbound network dependency endpoints for a Batch account | +> | 
Microsoft.Batch/batchAccounts/poolOperationResults/read | Gets the results of a long running pool operation on a Batch account | +> | Microsoft.Batch/batchAccounts/pools/read | Lists pools on a Batch account or gets the properties of a pool | +> | Microsoft.Batch/batchAccounts/pools/write | Creates a new pool on a Batch account or updates an existing pool | +> | Microsoft.Batch/batchAccounts/pools/delete | Deletes a pool from a Batch account | +> | Microsoft.Batch/batchAccounts/pools/stopResize/action | Stops an ongoing resize operation on a Batch account pool | +> | Microsoft.Batch/batchAccounts/pools/disableAutoscale/action | Disables automatic scaling for a Batch account pool | +> | Microsoft.Batch/batchAccounts/privateEndpointConnectionProxies/validate/action | Validates a Private endpoint connection proxy on a Batch account | +> | Microsoft.Batch/batchAccounts/privateEndpointConnectionProxies/write | Create a new Private endpoint connection proxy on a Batch account | +> | Microsoft.Batch/batchAccounts/privateEndpointConnectionProxies/read | Gets Private endpoint connection proxy on a Batch account | +> | Microsoft.Batch/batchAccounts/privateEndpointConnectionProxies/delete | Delete a Private endpoint connection proxy on a Batch account | +> | Microsoft.Batch/batchAccounts/privateEndpointConnectionProxyResults/read | Gets the results of a long running Batch account private endpoint connection proxy operation | +> | Microsoft.Batch/batchAccounts/privateEndpointConnectionResults/read | Gets the results of a long running Batch account private endpoint connection operation | +> | Microsoft.Batch/batchAccounts/privateEndpointConnections/write | Update an existing Private endpoint connection on a Batch account | +> | Microsoft.Batch/batchAccounts/privateEndpointConnections/read | Gets Private endpoint connection or Lists Private endpoint connections on a Batch account | +> | Microsoft.Batch/batchAccounts/privateEndpointConnections/delete | Delete a Private endpoint 
connection on a Batch account | +> | Microsoft.Batch/batchAccounts/privateLinkResources/read | Gets the properties of a Private link resource or Lists Private link resources on a Batch account | +> | Microsoft.Batch/batchAccounts/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.Batch/batchAccounts/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.Batch/batchAccounts/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for the Batch service | +> | Microsoft.Batch/batchAccounts/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for the Batch service | +> | Microsoft.Batch/deployments/preflight/action | Runs Preflight validation for resources included in the request | +> | Microsoft.Batch/locations/checkNameAvailability/action | Checks that the account name is valid and not in use. | +> | Microsoft.Batch/locations/accountOperationResults/read | Gets the results of a long running Batch account operation | +> | Microsoft.Batch/locations/cloudServiceSkus/read | Lists available Batch supported Cloud Service VM sizes at the given location | +> | Microsoft.Batch/locations/quotas/read | Gets Batch quotas of the specified subscription at the specified Azure region | +> | Microsoft.Batch/locations/virtualMachineSkus/read | Lists available Batch supported Virtual Machine VM sizes at the given location | +> | Microsoft.Batch/operations/read | Lists operations available on Microsoft.Batch resource provider | +> | **DataAction** | **Description** | +> | Microsoft.Batch/batchAccounts/jobs/read | Lists jobs on a Batch account or gets the properties of a job | +> | Microsoft.Batch/batchAccounts/jobs/write | Creates a new job on a Batch account or updates an existing job | +> | Microsoft.Batch/batchAccounts/jobs/delete | Deletes a job from a Batch account | +> | 
Microsoft.Batch/batchAccounts/jobSchedules/read | Lists job schedules on a Batch account or gets the properties of a job schedule | +> | Microsoft.Batch/batchAccounts/jobSchedules/write | Creates a new job schedule on a Batch account or updates an existing job schedule | +> | Microsoft.Batch/batchAccounts/jobSchedules/delete | Deletes a job schedule from a Batch account | ++## Microsoft.Billing ++Azure service: [Cost Management + Billing](/azure/cost-management-billing/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Billing/validateAddress/action | | +> | Microsoft.Billing/register/action | | +> | Microsoft.Billing/billingAccounts/read | Lists accessible billing accounts. | +> | Microsoft.Billing/billingAccounts/write | Updates the properties of a billing account. | +> | Microsoft.Billing/billingAccounts/listInvoiceSectionsWithCreateSubscriptionPermission/action | | +> | Microsoft.Billing/billingAccounts/confirmTransition/action | | +> | Microsoft.Billing/billingAccounts/billingProfiles/action | | +> | Microsoft.Billing/billingAccounts/addDailyInvoicingOverrideTerms/write | | +> | Microsoft.Billing/billingAccounts/addDepartment/write | | +> | Microsoft.Billing/billingAccounts/addEnrollmentAccount/write | | +> | Microsoft.Billing/billingAccounts/addPaymentTerms/write | | +> | Microsoft.Billing/billingAccounts/agreements/read | | +> | Microsoft.Billing/billingAccounts/alertPreferences/write | Creates or updates an AlertPreference for the specifed Billing Account. | +> | Microsoft.Billing/billingAccounts/alertPreferences/read | Gets the AlertPreference with the given Id. | +> | Microsoft.Billing/billingAccounts/alerts/read | Gets the alert definition by an Id. | +> | Microsoft.Billing/billingAccounts/associatedTenants/read | Lists the tenants that can collaborate with the billing account on commerce activities like viewing and downloading invoices, managing payments, making purchases, and managing licenses. 
| +> | Microsoft.Billing/billingAccounts/associatedTenants/write | Create or update an associated tenant for the billing account. | +> | Microsoft.Billing/billingAccounts/billingPermissions/read | | +> | Microsoft.Billing/billingAccounts/billingProfiles/read | | +> | Microsoft.Billing/billingAccounts/billingProfiles/write | | +> | Microsoft.Billing/billingAccounts/billingProfiles/purchaseProduct/action | | +> | Microsoft.Billing/billingAccounts/billingProfiles/priceProduct/action | | +> | Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/action | | +> | Microsoft.Billing/billingAccounts/billingProfiles/alerts/read | Lists the alerts for a billing profile. The operation is supported for billing accounts with agreement type Microsoft Customer Agreement and Microsoft Partner Agreement. | +> | Microsoft.Billing/billingAccounts/billingProfiles/billingPermissions/read | | +> | Microsoft.Billing/billingAccounts/billingProfiles/billingRoleDefinitions/read | Gets the definition for a role on a billing profile. The operation is supported for billing accounts with agreement type Microsoft Partner Agreement or Microsoft Customer Agreement. | +> | Microsoft.Billing/billingAccounts/billingProfiles/billingSubscriptions/read | Get a billing subscription by billing profile ID and billing subscription ID. This operation is supported only for billing accounts of type Enterprise Agreement. | +> | Microsoft.Billing/billingAccounts/billingProfiles/checkAccess/write | | +> | Microsoft.Billing/billingAccounts/billingProfiles/customers/read | | +> | Microsoft.Billing/billingAccounts/billingProfiles/customers/billingPermissions/read | | +> | Microsoft.Billing/billingAccounts/billingProfiles/customers/billingRoleDefinitions/read | Gets the definition for a role on a customer. The operation is supported only for billing accounts with agreement type Microsoft Partner Agreement. 
| +> | Microsoft.Billing/billingAccounts/billingProfiles/customers/checkAccess/write | | +> | Microsoft.Billing/billingAccounts/billingProfiles/customers/resolveBillingRoleAssignments/write | | +> | Microsoft.Billing/billingAccounts/billingProfiles/departments/read | Lists the departments that a user has access to. The operation is supported only for billing accounts with agreement type Enterprise Agreement. | +> | Microsoft.Billing/billingAccounts/billingProfiles/departments/billingPermissions/read | | +> | Microsoft.Billing/billingAccounts/billingProfiles/departments/billingRoleDefinitions/read | Gets the definition for a role on a department. The operation is supported for billing profiles with agreement type Enterprise Agreement. | +> | Microsoft.Billing/billingAccounts/billingProfiles/departments/billingSubscriptions/read | List billing subscriptions by billing profile ID and department name. This operation is supported only for billing accounts of type Enterprise Agreement. | +> | Microsoft.Billing/billingAccounts/billingProfiles/departments/enrollmentAccounts/read | Get list of enrollment accounts using billing profile ID and department ID | +> | Microsoft.Billing/billingAccounts/billingProfiles/enrollmentAccounts/read | Lists the enrollment accounts for a specific billing account and a billing profile belonging to it. | +> | Microsoft.Billing/billingAccounts/billingProfiles/enrollmentAccounts/billingPermissions/read | | +> | Microsoft.Billing/billingAccounts/billingProfiles/enrollmentAccounts/billingSubscriptions/read | List billing subscriptions by billing profile ID and enrollment account name. This operation is supported only for billing accounts of type Enterprise Agreement. 
| +> | Microsoft.Billing/billingAccounts/billingProfiles/invoices/download/action | | +> | Microsoft.Billing/billingAccounts/billingProfiles/invoices/pricesheet/download/action | | +> | Microsoft.Billing/billingAccounts/billingProfiles/invoices/validateRefundEligibility/write | | +> | Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/read | Lists the invoice sections that a user has access to. The operation is supported only for billing accounts with agreement type Microsoft Customer Agreement. | +> | Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/write | Creates or updates an invoice section. The operation is supported only for billing accounts with agreement type Microsoft Customer Agreement. | +> | Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/billingPermissions/read | | +> | Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/billingRoleDefinitions/read | Gets the definition for a role on an invoice section. The operation is supported only for billing accounts with agreement type Microsoft Customer Agreement. | +> | Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/billingSubscriptions/transfer/action | | +> | Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/billingSubscriptions/move/action | | +> | Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/billingSubscriptions/validateMoveEligibility/action | | +> | Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/billingSubscriptions/write | | +> | Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/billingSubscriptions/read | Lists the subscriptions that are billed to an invoice section. The operation is supported only for billing accounts with agreement type Microsoft Customer Agreement. 
| +> | Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/checkAccess/write | | +> | Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/products/transfer/action | | +> | Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/products/move/action | | +> | Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/products/validateMoveEligibility/action | | +> | Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/resolveBillingRoleAssignments/write | | +> | Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/validateDeleteEligibility/write | Validates if the invoice section can be deleted. The operation is supported for billing accounts with agreement type Microsoft Customer Agreement. | +> | Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/validateDeleteInvoiceSectionEligibility/write | | +> | Microsoft.Billing/billingAccounts/billingProfiles/notificationContacts/read | Lists the NotificationContacts for the given billing profile. The operation is supported only for billing profiles with agreement type Enterprise Agreement. | +> | Microsoft.Billing/billingAccounts/billingProfiles/policies/read | Lists the policies for a billing profile. This operation is supported only for billing accounts with agreement type Microsoft Customer Agreement. | +> | Microsoft.Billing/billingAccounts/billingProfiles/policies/write | Updates the policies for a billing profile. This operation is supported only for billing accounts with agreement type Microsoft Customer Agreement. 
| +> | Microsoft.Billing/billingAccounts/billingProfiles/pricesheet/download/action | | +> | Microsoft.Billing/billingAccounts/billingProfiles/products/read | | +> | Microsoft.Billing/billingAccounts/billingProfiles/resolveBillingRoleAssignments/write | | +> | Microsoft.Billing/billingAccounts/billingProfiles/validateDeleteBillingProfileEligibility/write | | +> | Microsoft.Billing/billingAccounts/billingProfiles/validateRefundEligibility/write | Validates whether the billing profile has any invoices eligible for an expedited refund. The operation is supported for billing accounts with the agreement type Microsoft Customer Agreement and the account type Individual. | +> | Microsoft.Billing/billingAccounts/billingProfilesSummaries/read | Gets the summary of billing profiles under a billing account. The operation is supported for billing accounts with agreement type Enterprise Agreement. | +> | Microsoft.Billing/billingAccounts/billingRoleAssignments/write | | +> | Microsoft.Billing/billingAccounts/billingRoleDefinitions/read | Gets the definition for a role on a billing account. The operation is supported for billing accounts with agreement type Microsoft Partner Agreement, Microsoft Customer Agreement or Enterprise Agreement. | +> | Microsoft.Billing/billingAccounts/billingSubscriptionAliases/read | | +> | Microsoft.Billing/billingAccounts/billingSubscriptionAliases/write | | +> | Microsoft.Billing/billingAccounts/billingSubscriptions/read | Lists the subscriptions for a billing account. The operation is supported for billing accounts with agreement type Microsoft Customer Agreement, Microsoft Partner Agreement or Enterprise Agreement. 
| +> | Microsoft.Billing/billingAccounts/billingSubscriptions/downloadDocuments/action | Download invoice using download link from list | +> | Microsoft.Billing/billingAccounts/billingSubscriptions/move/action | | +> | Microsoft.Billing/billingAccounts/billingSubscriptions/validateMoveEligibility/action | | +> | Microsoft.Billing/billingAccounts/billingSubscriptions/write | Updates the properties of a billing subscription. Cost center can only be updated for billing accounts with agreement type Microsoft Customer Agreement. | +> | Microsoft.Billing/billingAccounts/billingSubscriptions/cancel/write | Cancel an azure billing subscription. | +> | Microsoft.Billing/billingAccounts/billingSubscriptions/enable/write | Enable an azure billing subscription. | +> | Microsoft.Billing/billingAccounts/billingSubscriptions/merge/write | | +> | Microsoft.Billing/billingAccounts/billingSubscriptions/move/write | Moves a subscription's charges to a new invoice section. The new invoice section must belong to the same billing profile as the existing invoice section. This operation is supported for billing accounts with agreement type Microsoft Customer Agreement. | +> | Microsoft.Billing/billingAccounts/billingSubscriptions/split/write | | +> | Microsoft.Billing/billingAccounts/billingSubscriptions/validateMoveEligibility/write | Validates if a subscription's charges can be moved to a new invoice section. This operation is supported for billing accounts with agreement type Microsoft Customer Agreement. 
| +> | Microsoft.Billing/billingAccounts/cancelDailyInvoicingOverrideTerms/write | | +> | Microsoft.Billing/billingAccounts/cancelPaymentTerms/write | | +> | Microsoft.Billing/billingAccounts/checkAccess/write | | +> | Microsoft.Billing/billingAccounts/customers/read | | +> | Microsoft.Billing/billingAccounts/customers/initiateTransfer/action | | +> | Microsoft.Billing/billingAccounts/customers/billingPermissions/read | | +> | Microsoft.Billing/billingAccounts/customers/billingSubscriptions/read | Lists the subscriptions for a customer. The operation is supported only for billing accounts with agreement type Microsoft Partner Agreement. | +> | Microsoft.Billing/billingAccounts/customers/checkAccess/write | | +> | Microsoft.Billing/billingAccounts/customers/policies/read | Lists the policies for a customer. This operation is supported only for billing accounts with agreement type Microsoft Partner Agreement. | +> | Microsoft.Billing/billingAccounts/customers/policies/write | Updates the policies for a customer. This operation is supported only for billing accounts with agreement type Microsoft Partner Agreement. | +> | Microsoft.Billing/billingAccounts/customers/resolveBillingRoleAssignments/write | | +> | Microsoft.Billing/billingAccounts/customers/transfers/write | | +> | Microsoft.Billing/billingAccounts/customers/transfers/read | | +> | Microsoft.Billing/billingAccounts/departments/read | Lists the departments that a user has access to. The operation is supported only for billing accounts with agreement type Enterprise Agreement. | +> | Microsoft.Billing/billingAccounts/departments/write | | +> | Microsoft.Billing/billingAccounts/departments/addEnrollmentAccount/write | | +> | Microsoft.Billing/billingAccounts/departments/billingPermissions/read | | +> | Microsoft.Billing/billingAccounts/departments/billingRoleAssignments/write | | +> | Microsoft.Billing/billingAccounts/departments/billingRoleDefinitions/read | Gets the definition for a role on a department. 
The operation is supported for billing accounts with agreement type Enterprise Agreement. | +> | Microsoft.Billing/billingAccounts/departments/billingSubscriptions/read | Lists the subscriptions for a department. The operation is supported for billing accounts with agreement type Enterprise Agreement. | +> | Microsoft.Billing/billingAccounts/departments/checkAccess/write | | +> | Microsoft.Billing/billingAccounts/departments/enrollmentAccounts/read | Lists the enrollment accounts for a department. The operation is supported only for billing accounts with agreement type Enterprise Agreement. | +> | Microsoft.Billing/billingAccounts/departments/enrollmentAccounts/write | | +> | Microsoft.Billing/billingAccounts/departments/enrollmentAccounts/remove/write | | +> | Microsoft.Billing/billingAccounts/enrollmentAccounts/read | Lists the enrollment accounts for a billing account. The operation is supported only for billing accounts with agreement type Enterprise Agreement. | +> | Microsoft.Billing/billingAccounts/enrollmentAccounts/write | | +> | Microsoft.Billing/billingAccounts/enrollmentAccounts/activate/write | | +> | Microsoft.Billing/billingAccounts/enrollmentAccounts/activationStatus/read | | +> | Microsoft.Billing/billingAccounts/enrollmentAccounts/billingPermissions/read | | +> | Microsoft.Billing/billingAccounts/enrollmentAccounts/billingRoleAssignments/write | | +> | Microsoft.Billing/billingAccounts/enrollmentAccounts/billingRoleDefinitions/read | Gets the definition for a role on a enrollment account. The operation is supported for billing accounts with agreement type Enterprise Agreement. | +> | Microsoft.Billing/billingAccounts/enrollmentAccounts/billingSubscriptions/write | | +> | Microsoft.Billing/billingAccounts/enrollmentAccounts/billingSubscriptions/read | Lists the subscriptions for an enrollment account. The operation is supported for billing accounts with agreement type Enterprise Agreement. 
| +> | Microsoft.Billing/billingAccounts/enrollmentAccounts/checkAccess/write | | +> | Microsoft.Billing/billingAccounts/enrollmentAccounts/transferBillingSubscriptions/write | | +> | Microsoft.Billing/billingAccounts/invoices/download/action | | +> | Microsoft.Billing/billingAccounts/invoices/pricesheet/download/action | | +> | Microsoft.Billing/billingAccounts/invoiceSections/write | | +> | Microsoft.Billing/billingAccounts/invoiceSections/elevate/action | | +> | Microsoft.Billing/billingAccounts/invoiceSections/read | | +> | Microsoft.Billing/billingAccounts/listBillingProfilesWithViewPricesheetPermissions/read | | +> | Microsoft.Billing/billingAccounts/listProductRecommendations/write | Lists ProductIds or offerIds recommended for purchase on an account. Please specify the type of the cohort for the billing account in the 'x-ms-recommendations-cohort-type' header as a required string parameter. | +> | Microsoft.Billing/billingAccounts/notificationContacts/read | Lists the NotificationContacts for the given billing account. The operation is supported only for billing accounts with agreement type Enterprise Agreement. | +> | Microsoft.Billing/billingAccounts/notificationContacts/write | Update a notification contact by ID. The operation is supported only for billing accounts with agreement type Enterprise Agreement. | +> | Microsoft.Billing/billingAccounts/operationResults/read | | +> | Microsoft.Billing/billingAccounts/policies/read | Get the policies for a billing account of Enterprise Agreement type. | +> | Microsoft.Billing/billingAccounts/policies/write | Update the policies for a billing account of Enterprise Agreement type. 
| +> | Microsoft.Billing/billingAccounts/products/read | | +> | Microsoft.Billing/billingAccounts/products/move/action | | +> | Microsoft.Billing/billingAccounts/products/validateMoveEligibility/action | | +> | Microsoft.Billing/billingAccounts/purchaseProduct/write | | +> | Microsoft.Billing/billingAccounts/resolveBillingRoleAssignments/write | | +> | Microsoft.Billing/billingAccounts/validateDailyInvoicingOverrideTerms/write | | +> | Microsoft.Billing/billingAccounts/validatePaymentTerms/write | | +> | Microsoft.Billing/billingPeriods/read | | +> | Microsoft.Billing/billingProperty/read | | +> | Microsoft.Billing/billingProperty/write | | +> | Microsoft.Billing/departments/read | | +> | Microsoft.Billing/enrollmentAccounts/read | | +> | Microsoft.Billing/invoices/read | | +> | Microsoft.Billing/invoices/download/action | Download invoice using download link from list | +> | Microsoft.Billing/operations/read | List of operations supported by provider. | +> | Microsoft.Billing/policies/read | | +> | Microsoft.Billing/promotions/read | List or get promotions | +> | Microsoft.Billing/validateAddress/write | | ++## Microsoft.Blueprint ++Azure service: [Azure Blueprints](/azure/governance/blueprints/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Blueprint/register/action | Registers the Azure Blueprints Resource Provider | +> | Microsoft.Blueprint/blueprintAssignments/read | Read any blueprint artifacts | +> | Microsoft.Blueprint/blueprintAssignments/write | Create or update any blueprint artifacts | +> | Microsoft.Blueprint/blueprintAssignments/delete | Delete any blueprint artifacts | +> | Microsoft.Blueprint/blueprintAssignments/whoisblueprint/action | Get Azure Blueprints service principal object Id. 
| +> | Microsoft.Blueprint/blueprintAssignments/assignmentOperations/read | Read any blueprint artifacts | +> | Microsoft.Blueprint/blueprints/read | Read any blueprints | +> | Microsoft.Blueprint/blueprints/write | Create or update any blueprints | +> | Microsoft.Blueprint/blueprints/delete | Delete any blueprints | +> | Microsoft.Blueprint/blueprints/artifacts/read | Read any blueprint artifacts | +> | Microsoft.Blueprint/blueprints/artifacts/write | Create or update any blueprint artifacts | +> | Microsoft.Blueprint/blueprints/artifacts/delete | Delete any blueprint artifacts | +> | Microsoft.Blueprint/blueprints/versions/read | Read any blueprints | +> | Microsoft.Blueprint/blueprints/versions/write | Create or update any blueprints | +> | Microsoft.Blueprint/blueprints/versions/delete | Delete any blueprints | +> | Microsoft.Blueprint/blueprints/versions/artifacts/read | Read any blueprint artifacts | ++## Microsoft.Capacity ++Azure service: core ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Capacity/calculateprice/action | Calculate any Reservation Price | +> | Microsoft.Capacity/checkoffers/action | Check any Subscription Offers | +> | Microsoft.Capacity/checkscopes/action | Check any Subscription | +> | Microsoft.Capacity/validatereservationorder/action | Validate any Reservation | +> | Microsoft.Capacity/reservationorders/action | Update any Reservation | +> | Microsoft.Capacity/register/action | Registers the Capacity resource provider and enables the creation of Capacity resources. | +> | Microsoft.Capacity/unregister/action | Unregister any Tenant | +> | Microsoft.Capacity/calculateexchange/action | Computes the exchange amount and price of new purchase and returns policy Errors. 
| +> | Microsoft.Capacity/exchange/action | Exchange any Reservation | +> | Microsoft.Capacity/listSkus/action | Lists SKUs with filters and without any restrictions | +> | Microsoft.Capacity/appliedreservations/read | Read All Reservations | +> | Microsoft.Capacity/catalogs/read | Read catalog of Reservation | +> | Microsoft.Capacity/commercialreservationorders/read | Get Reservation Orders created in any Tenant | +> | Microsoft.Capacity/operations/read | Read any Operation | +> | Microsoft.Capacity/reservationorders/changedirectory/action | Change directory of any reservation | +> | Microsoft.Capacity/reservationorders/availablescopes/action | Find any Available Scope | +> | Microsoft.Capacity/reservationorders/read | Read All Reservations | +> | Microsoft.Capacity/reservationorders/write | Create any Reservation | +> | Microsoft.Capacity/reservationorders/delete | Delete any Reservation | +> | Microsoft.Capacity/reservationorders/reservations/action | Update any Reservation | +> | Microsoft.Capacity/reservationorders/return/action | Return any Reservation | +> | Microsoft.Capacity/reservationorders/swap/action | Swap any Reservation | +> | Microsoft.Capacity/reservationorders/split/action | Split any Reservation | +> | Microsoft.Capacity/reservationorders/changeBilling/action | Reservation billing change | +> | Microsoft.Capacity/reservationorders/merge/action | Merge any Reservation | +> | Microsoft.Capacity/reservationorders/calculaterefund/action | Computes the refund amount and price of new purchase and returns policy Errors. 
| +> | Microsoft.Capacity/reservationorders/changebillingoperationresults/read | Poll any Reservation billing change operation | +> | Microsoft.Capacity/reservationorders/mergeoperationresults/read | Poll any merge operation | +> | Microsoft.Capacity/reservationorders/reservations/availablescopes/action | Find any Available Scope | +> | Microsoft.Capacity/reservationorders/reservations/read | Read All Reservations | +> | Microsoft.Capacity/reservationorders/reservations/write | Create any Reservation | +> | Microsoft.Capacity/reservationorders/reservations/delete | Delete any Reservation | +> | Microsoft.Capacity/reservationorders/reservations/archive/action | Archive a reservation which is in a terminal state like Expired, Split etc. | +> | Microsoft.Capacity/reservationorders/reservations/unarchive/action | Unarchive a Reservation which was previously archived | +> | Microsoft.Capacity/reservationorders/reservations/revisions/read | Read All Reservations | +> | Microsoft.Capacity/reservationorders/splitoperationresults/read | Poll any split operation | +> | Microsoft.Capacity/resourceProviders/locations/serviceLimits/read | Get the current service limit or quota of the specified resource and location | +> | Microsoft.Capacity/resourceProviders/locations/serviceLimits/write | Create service limit or quota for the specified resource and location | +> | Microsoft.Capacity/resourceProviders/locations/serviceLimitsRequests/read | Get any service limit request for the specified resource and location | +> | Microsoft.Capacity/tenants/register/action | Register any Tenant | ++## Microsoft.Commerce ++Azure service: core ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Commerce/register/action | Register Subscription for Microsoft Commerce UsageAggregate | +> | Microsoft.Commerce/unregister/action | Unregister Subscription for Microsoft Commerce UsageAggregate | +> | Microsoft.Commerce/RateCard/read | Returns offer data, resource/meter 
metadata and rates for the given subscription. | +> | Microsoft.Commerce/UsageAggregates/read | Retrieves Microsoft Azure's consumption by a subscription. The result contains aggregates usage data, subscription and resource related information, on a particular time range. | ++## Microsoft.Consumption ++Azure service: [Cost Management](/azure/cost-management-billing/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Consumption/register/action | Register to Consumption RP | +> | Microsoft.Consumption/aggregatedcost/read | List AggregatedCost for management group. | +> | Microsoft.Consumption/balances/read | List the utilization summary for a billing period for a management group. | +> | Microsoft.Consumption/budgets/read | List the budgets by a subscription or a management group. | +> | Microsoft.Consumption/budgets/write | Creates and update the budgets by a subscription or a management group. | +> | Microsoft.Consumption/budgets/delete | Delete the budgets by a subscription or a management group. | +> | Microsoft.Consumption/charges/read | List charges | +> | Microsoft.Consumption/credits/read | List credits | +> | Microsoft.Consumption/events/read | List events | +> | Microsoft.Consumption/externalBillingAccounts/tags/read | List tags for EA and subscriptions. | +> | Microsoft.Consumption/externalSubscriptions/tags/read | List tags for EA and subscriptions. | +> | Microsoft.Consumption/forecasts/read | List forecasts | +> | Microsoft.Consumption/lots/read | List lots | +> | Microsoft.Consumption/marketplaces/read | List the marketplace resource usage details for a scope for EA and WebDirect subscriptions. | +> | Microsoft.Consumption/operationresults/read | List operationresults | +> | Microsoft.Consumption/operations/read | List all supported operations by Microsoft.Consumption resource provider. 
| +> | Microsoft.Consumption/operationstatus/read | List operationstatus | +> | Microsoft.Consumption/pricesheets/read | List the Pricesheets data for a subscription or a management group. | +> | Microsoft.Consumption/reservationDetails/read | List the utilization details for reserved instances by reservation order or management groups. The details data is per instance per day level. | +> | Microsoft.Consumption/reservationRecommendationDetails/read | List Reservation Recommendation Details | +> | Microsoft.Consumption/reservationRecommendations/read | List single or shared recommendations for Reserved instances for a subscription. | +> | Microsoft.Consumption/reservationSummaries/read | List the utilization summary for reserved instances by reservation order or management groups. The summary data is either at monthly or daily level. | +> | Microsoft.Consumption/reservationTransactions/read | List the transaction history for reserved instances by management groups. | +> | Microsoft.Consumption/tags/read | List tags for EA and subscriptions. | +> | Microsoft.Consumption/tenants/register/action | Register action for scope of Microsoft.Consumption by a tenant. | +> | Microsoft.Consumption/tenants/read | List tenants | +> | Microsoft.Consumption/terms/read | List the terms for a subscription or a management group. | +> | Microsoft.Consumption/usageDetails/read | List the usage details for a scope for EA and WebDirect subscriptions. | ++## Microsoft.CostManagement ++Azure service: [Cost Management](/azure/cost-management-billing/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.CostManagement/query/action | Query usage data by a scope. | +> | Microsoft.CostManagement/reports/action | Schedule reports on usage data by a scope. | +> | Microsoft.CostManagement/exports/action | Run the specified export. | +> | Microsoft.CostManagement/register/action | Register action for scope of Microsoft.CostManagement by a subscription. 
| +> | Microsoft.CostManagement/views/action | Create view. | +> | Microsoft.CostManagement/forecast/action | Forecast usage data by a scope. | +> | Microsoft.CostManagement/calculateCost/action | Calculate cost for provided product codes. | +> | Microsoft.CostManagement/alerts/write | Update alerts. | +> | Microsoft.CostManagement/alerts/read | List alerts. | +> | Microsoft.CostManagement/budgets/read | List the budgets by a subscription or a management group. | +> | Microsoft.CostManagement/cloudConnectors/read | List the cloudConnectors for the authenticated user. | +> | Microsoft.CostManagement/cloudConnectors/write | Create or update the specified cloudConnector. | +> | Microsoft.CostManagement/cloudConnectors/delete | Delete the specified cloudConnector. | +> | Microsoft.CostManagement/dimensions/read | List all supported dimensions by a scope. | +> | Microsoft.CostManagement/exports/read | List the exports by scope. | +> | Microsoft.CostManagement/exports/write | Create or update the specified export. | +> | Microsoft.CostManagement/exports/delete | Delete the specified export. | +> | Microsoft.CostManagement/exports/run/action | Run exports. | +> | Microsoft.CostManagement/externalBillingAccounts/read | List the externalBillingAccounts for the authenticated user. | +> | Microsoft.CostManagement/externalBillingAccounts/query/action | Query usage data for external BillingAccounts. | +> | Microsoft.CostManagement/externalBillingAccounts/forecast/action | Forecast usage data for external BillingAccounts. | +> | Microsoft.CostManagement/externalBillingAccounts/dimensions/read | List all supported dimensions for external BillingAccounts. | +> | Microsoft.CostManagement/externalBillingAccounts/externalSubscriptions/read | List the externalSubscriptions within an externalBillingAccount for the authenticated user. | +> | Microsoft.CostManagement/externalBillingAccounts/forecast/read | Forecast usage data for external BillingAccounts. 
| +> | Microsoft.CostManagement/externalBillingAccounts/query/read | Query usage data for external BillingAccounts. | +> | Microsoft.CostManagement/externalSubscriptions/read | List the externalSubscriptions for the authenticated user. | +> | Microsoft.CostManagement/externalSubscriptions/write | Update associated management group of externalSubscription | +> | Microsoft.CostManagement/externalSubscriptions/query/action | Query usage data for external subscription. | +> | Microsoft.CostManagement/externalSubscriptions/forecast/action | Forecast usage data for external BillingAccounts. | +> | Microsoft.CostManagement/externalSubscriptions/dimensions/read | List all supported dimensions for external subscription. | +> | Microsoft.CostManagement/externalSubscriptions/forecast/read | Forecast usage data for external BillingAccounts. | +> | Microsoft.CostManagement/externalSubscriptions/query/read | Query usage data for external subscription. | +> | Microsoft.CostManagement/forecast/read | Forecast usage data by a scope. | +> | Microsoft.CostManagement/operations/read | List all supported operations by Microsoft.CostManagement resource provider. | +> | Microsoft.CostManagement/query/read | Query usage data by a scope. | +> | Microsoft.CostManagement/reports/read | Schedule reports on usage data by a scope. | +> | Microsoft.CostManagement/tenants/register/action | Register action for scope of Microsoft.CostManagement by a tenant. | +> | Microsoft.CostManagement/views/read | List all saved views. | +> | Microsoft.CostManagement/views/delete | Delete saved views. | +> | Microsoft.CostManagement/views/write | Update view. 
| ++## Microsoft.DataProtection ++Azure service: Microsoft.DataProtection ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.DataProtection/register/action | Registers subscription for given Resource Provider | +> | Microsoft.DataProtection/unregister/action | Unregisters subscription for given Resource Provider | +> | Microsoft.DataProtection/backupVaults/write | Create BackupVault operation creates an Azure resource of type 'Backup Vault' | +> | Microsoft.DataProtection/backupVaults/write | Update BackupVault operation updates an Azure resource of type 'Backup Vault' | +> | Microsoft.DataProtection/backupVaults/read | The Get Backup Vault operation gets an object representing the Azure resource of type 'Backup Vault' | +> | Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Subscription | +> | Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group | +> | Microsoft.DataProtection/backupVaults/delete | The Delete Vault operation deletes the specified Azure resource of type 'Backup Vault' | +> | Microsoft.DataProtection/backupVaults/validateForBackup/action | Validates for backup of Backup Instance | +> | Microsoft.DataProtection/backupVaults/backupInstances/write | Creates a Backup Instance | +> | Microsoft.DataProtection/backupVaults/backupInstances/validateForModifyBackup/action | Validates for modification of Backup Instance | +> | Microsoft.DataProtection/backupVaults/backupInstances/delete | Deletes the Backup Instance | +> | Microsoft.DataProtection/backupVaults/backupInstances/read | Returns details of the Backup Instance | +> | Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all Backup Instances | +> | Microsoft.DataProtection/backupVaults/backupInstances/backup/action | Performs Backup on the Backup Instance | +> | Microsoft.DataProtection/backupVaults/backupInstances/sync/action | Sync operation retries last failed operation on backup 
instance to bring it to a valid state. | +> | Microsoft.DataProtection/backupVaults/backupInstances/restore/action | Triggers restore on the Backup Instance | +> | Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action | Validates for Restore of the Backup Instance | +> | Microsoft.DataProtection/backupVaults/backupInstances/stopProtection/action | Stop Protection operation stops both backup and retention schedules of backup instance. Existing data will be retained forever. | +> | Microsoft.DataProtection/backupVaults/backupInstances/suspendBackups/action | Suspend Backups operation stops only backups of backup instance. Retention activities will continue and hence data will be ratained as per policy. | +> | Microsoft.DataProtection/backupVaults/backupInstances/resumeProtection/action | Resume protection of a ProtectionStopped BI. | +> | Microsoft.DataProtection/backupVaults/backupInstances/resumeBackups/action | Resume Backups for a BackupsSuspended BI. | +> | Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds Restorable Time Ranges | +> | Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read | Returns Backup Operation Result for Backup Vault. 
| +> | Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns details of the Recovery Point | +> | Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points | +> | Microsoft.DataProtection/backupVaults/backupJobs/read | Get Jobs list | +> | Microsoft.DataProtection/backupVaults/backupJobs/enableProgress/action | Get Job details | +> | Microsoft.DataProtection/backupVaults/backupPolicies/write | Creates Backup Policy | +> | Microsoft.DataProtection/backupVaults/backupPolicies/delete | Deletes the Backup Policy | +> | Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns details of the Backup Policy | +> | Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies | +> | Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read | Get the list of ResourceGuard proxies for a resource | +> | Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read | Get ResourceGuard proxy operation gets an object representing the Azure resource of type 'ResourceGuard proxy' | +> | Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write | Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy' | +> | Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete | The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy' | +> | Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action | Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation | +> | Microsoft.DataProtection/backupVaults/deletedBackupInstances/undelete/action | Perform undelete of soft-deleted Backup Instance. Backup Instance moves from SoftDeleted to ProtectionStopped state. 
| +> | Microsoft.DataProtection/backupVaults/deletedBackupInstances/read | Get soft-deleted Backup Instance in a Backup Vault by name | +> | Microsoft.DataProtection/backupVaults/deletedBackupInstances/read | List soft-deleted Backup Instances in a Backup Vault. | +> | Microsoft.DataProtection/backupVaults/operationResults/read | Gets Operation Result of a Patch Operation for a Backup Vault | +> | Microsoft.DataProtection/backupVaults/operationStatus/read | Returns Backup Operation Status for Backup Vault. | +> | Microsoft.DataProtection/locations/checkNameAvailability/action | Checks if the requested BackupVault Name is Available | +> | Microsoft.DataProtection/locations/getBackupStatus/action | Check Backup Status for Recovery Services Vaults | +> | Microsoft.DataProtection/locations/checkFeatureSupport/action | Validates if a feature is supported | +> | Microsoft.DataProtection/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. | +> | Microsoft.DataProtection/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. | +> | Microsoft.DataProtection/operations/read | Operation returns the list of Operations for a Resource Provider | +> | Microsoft.DataProtection/subscriptions/providers/resourceGuards/read | Gets list of ResourceGuards in a Subscription | +> | Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action | Returns recovery points from secondary region for cross region restore enabled Backup Vaults. | +> | Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action | Triggers cross region restore operation on given backup instance. | +> | Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action | Performs validations for cross region restore operation. 
| +> | Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action | List cross region restore jobs of backup instance from secondary region. | +> | Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action | Get cross region restore job details from secondary region. | +> | Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. | +> | Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/write | Create ResourceGuard operation creates an Azure resource of type 'ResourceGuard' | +> | Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/read | The Get ResourceGuard operation gets an object representing the Azure resource of type 'ResourceGuard' | +> | Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/delete | The Delete ResourceGuard operation deletes the specified Azure resource of type 'ResourceGuard' | +> | Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/read | Gets list of ResourceGuards in a Resource Group | +> | Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/write | Update ResouceGuard operation updates an Azure resource of type 'ResourceGuard' | +> | Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/{operationName}/read | Gets ResourceGuard operation request info | +> | Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/{operationName}/read | Gets ResourceGuard default operation request info | ++## Microsoft.Features ++Azure service: [Azure Resource Manager](/azure/azure-resource-manager/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Features/register/action | Registers the feature of a subscription. 
| +> | Microsoft.Features/featureProviders/subscriptionFeatureRegistrations/read | Gets the feature registration of a subscription in a given resource provider. | +> | Microsoft.Features/featureProviders/subscriptionFeatureRegistrations/write | Adds the feature registration of a subscription in a given resource provider. | +> | Microsoft.Features/featureProviders/subscriptionFeatureRegistrations/delete | Deletes the feature registration of a subscription in a given resource provider. | +> | Microsoft.Features/features/read | Gets the features of a subscription. | +> | Microsoft.Features/operations/read | Gets the list of operations. | +> | Microsoft.Features/providers/features/read | Gets the feature of a subscription in a given resource provider. | +> | Microsoft.Features/providers/features/register/action | Registers the feature for a subscription in a given resource provider. | +> | Microsoft.Features/providers/features/unregister/action | Unregisters the feature for a subscription in a given resource provider. | +> | Microsoft.Features/subscriptionFeatureRegistrations/read | Gets the feature registration of a subscription. | ++## Microsoft.GuestConfiguration ++Azure service: [Azure Policy](/azure/governance/policy/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.GuestConfiguration/register/action | Registers the subscription for the Microsoft.GuestConfiguration resource provider. | +> | Microsoft.GuestConfiguration/guestConfigurationAssignments/write | Create new guest configuration assignment. | +> | Microsoft.GuestConfiguration/guestConfigurationAssignments/read | Get guest configuration assignment. | +> | Microsoft.GuestConfiguration/guestConfigurationAssignments/delete | Delete guest configuration assignment. | +> | Microsoft.GuestConfiguration/guestConfigurationAssignments/healthcheck/action | Get guest configuration assignment. 
| +> | Microsoft.GuestConfiguration/guestConfigurationAssignments/reports/read | Get guest configuration assignment report. | +> | Microsoft.GuestConfiguration/operations/read | Gets the operations for the Microsoft.GuestConfiguration resource provider | ++## Microsoft.Intune ++Azure service: Microsoft Monitoring Insights ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Intune/diagnosticsettings/write | Writing a diagnostic setting | +> | Microsoft.Intune/diagnosticsettings/read | Reading a diagnostic setting | +> | Microsoft.Intune/diagnosticsettings/delete | Deleting a diagnostic setting | +> | Microsoft.Intune/diagnosticsettingscategories/read | Reading a diagnostic setting categories | ++## Microsoft.ManagedServices ++Azure service: [Azure Lighthouse](/azure/lighthouse/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.ManagedServices/register/action | Register to Managed Services. | +> | Microsoft.ManagedServices/unregister/action | Unregister from Managed Services. | +> | Microsoft.ManagedServices/marketplaceRegistrationDefinitions/read | Retrieves a list of Managed Services registration definitions. | +> | Microsoft.ManagedServices/operations/read | Retrieves a list of Managed Services operations. | +> | Microsoft.ManagedServices/operationStatuses/read | Reads the operation status for the resource. | +> | Microsoft.ManagedServices/registrationAssignments/read | Retrieves a list of Managed Services registration assignments. | +> | Microsoft.ManagedServices/registrationAssignments/write | Add or modify Managed Services registration assignment. | +> | Microsoft.ManagedServices/registrationAssignments/delete | Removes Managed Services registration assignment. | +> | Microsoft.ManagedServices/registrationDefinitions/read | Retrieves a list of Managed Services registration definitions. 
| +> | Microsoft.ManagedServices/registrationDefinitions/write | Add or modify Managed Services registration definition. | +> | Microsoft.ManagedServices/registrationDefinitions/delete | Removes Managed Services registration definition. | ++## Microsoft.Management ++Azure service: [Management Groups](/azure/governance/management-groups/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Management/checkNameAvailability/action | Checks if the specified management group name is valid and unique. | +> | Microsoft.Management/getEntities/action | List all entities (Management Groups, Subscriptions, etc.) for the authenticated user. | +> | Microsoft.Management/register/action | Register the specified subscription with Microsoft.Management | +> | Microsoft.Management/managementGroups/read | List management groups for the authenticated user. | +> | Microsoft.Management/managementGroups/write | Create or update a management group. | +> | Microsoft.Management/managementGroups/delete | Delete management group. | +> | Microsoft.Management/managementGroups/descendants/read | Gets all the descendants (Management Groups, Subscriptions) of a Management Group. | +> | Microsoft.Management/managementGroups/settings/read | Lists existing management group hierarchy settings. | +> | Microsoft.Management/managementGroups/settings/write | Creates or updates management group hierarchy settings. | +> | Microsoft.Management/managementGroups/settings/delete | Deletes management group hierarchy settings. | +> | Microsoft.Management/managementGroups/subscriptions/read | Lists subscription under the given management group. | +> | Microsoft.Management/managementGroups/subscriptions/write | Associates existing subscription with the management group. | +> | Microsoft.Management/managementGroups/subscriptions/delete | De-associates subscription from the management group. 
| ++## Microsoft.PolicyInsights ++Azure service: [Azure Policy](/azure/governance/policy/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.PolicyInsights/register/action | Registers the Microsoft Policy Insights resource provider and enables actions on it. | +> | Microsoft.PolicyInsights/unregister/action | Unregisters the Microsoft Policy Insights resource provider. | +> | Microsoft.PolicyInsights/asyncOperationResults/read | Gets the async operation result. | +> | Microsoft.PolicyInsights/attestations/read | Get compliance state attestations. | +> | Microsoft.PolicyInsights/attestations/write | Create or update compliance state attestations. | +> | Microsoft.PolicyInsights/attestations/delete | Delete compliance state attestations. | +> | Microsoft.PolicyInsights/checkPolicyRestrictions/read | Get details about the restrictions that policy will enforce on a resource. | +> | Microsoft.PolicyInsights/componentPolicyStates/queryResults/read | Query information about component policy states. | +> | Microsoft.PolicyInsights/eventGridFilters/read | Get Event Grid filters used to track which scopes to publish state change notifications for. | +> | Microsoft.PolicyInsights/eventGridFilters/write | Create or update Event Grid filters. | +> | Microsoft.PolicyInsights/eventGridFilters/delete | Delete Event Grid filters. | +> | Microsoft.PolicyInsights/operations/read | Gets supported operations on Microsoft.PolicyInsights namespace | +> | Microsoft.PolicyInsights/policyEvents/queryResults/action | Query information about policy events. | +> | Microsoft.PolicyInsights/policyEvents/queryResults/read | Query information about policy events. | +> | Microsoft.PolicyInsights/policyMetadata/read | Get Policy Metadata resources. | +> | Microsoft.PolicyInsights/policyStates/queryResults/action | Query information about policy states. 
| +> | Microsoft.PolicyInsights/policyStates/summarize/action | Query summary information about policy latest states. | +> | Microsoft.PolicyInsights/policyStates/triggerEvaluation/action | Triggers a new compliance evaluation for the selected scope. | +> | Microsoft.PolicyInsights/policyStates/queryResults/read | Query information about policy states. | +> | Microsoft.PolicyInsights/policyStates/summarize/read | Query summary information about policy latest states. | +> | Microsoft.PolicyInsights/policyTrackedResources/queryResults/read | Query information about resources required by DeployIfNotExists policies. | +> | Microsoft.PolicyInsights/remediations/read | Get policy remediations. | +> | Microsoft.PolicyInsights/remediations/write | Create or update Microsoft Policy remediations. | +> | Microsoft.PolicyInsights/remediations/delete | Delete policy remediations. | +> | Microsoft.PolicyInsights/remediations/cancel/action | Cancel in-progress Microsoft Policy remediations. | +> | Microsoft.PolicyInsights/remediations/listDeployments/read | Lists the deployments required by a policy remediation. | +> | **DataAction** | **Description** | +> | Microsoft.PolicyInsights/checkDataPolicyCompliance/action | Check the compliance status of a given component against data policies. | +> | Microsoft.PolicyInsights/policyEvents/logDataEvents/action | Log the resource component policy events. | ++## Microsoft.Portal ++Azure service: [Azure portal](/azure/azure-portal/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Portal/register/action | Register to Portal | +> | Microsoft.Portal/consoles/delete | Removes the Cloud Shell instance. | +> | Microsoft.Portal/consoles/write | Create or update a Cloud Shell instance. | +> | Microsoft.Portal/consoles/read | Reads the Cloud Shell instance. | +> | Microsoft.Portal/dashboards/read | Reads the dashboards for the subscription. 
| +> | Microsoft.Portal/dashboards/write | Add or modify dashboard to a subscription. | +> | Microsoft.Portal/dashboards/delete | Removes the dashboard from the subscription. | +> | Microsoft.Portal/tenantConfigurations/read | Reads Tenant configuration | +> | Microsoft.Portal/tenantConfigurations/write | Adds or updates Tenant configuration. User has to be a Tenant Admin for this operation. | +> | Microsoft.Portal/tenantConfigurations/delete | Removes Tenant configuration. User has to be a Tenant Admin for this operation. | +> | Microsoft.Portal/usersettings/delete | Removes the Cloud Shell user settings. | +> | Microsoft.Portal/usersettings/write | Create or update Cloud Shell user setting. | +> | Microsoft.Portal/usersettings/read | Reads the Cloud Shell user settings. | ++## Microsoft.Purview ++Azure service: [Microsoft Purview](/purview/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Purview/register/action | Register the subscription for Microsoft Purview provider. | +> | Microsoft.Purview/unregister/action | Unregister the subscription for Microsoft Purview provider. | +> | Microsoft.Purview/setDefaultAccount/action | Sets the default account for the scope. | +> | Microsoft.Purview/removeDefaultAccount/action | Removes the default account for the scope. | +> | Microsoft.Purview/accounts/read | Read account resource for Microsoft Purview provider. | +> | Microsoft.Purview/accounts/write | Write account resource for Microsoft Purview provider. | +> | Microsoft.Purview/accounts/delete | Delete account resource for Microsoft Purview provider. | +> | Microsoft.Purview/accounts/listkeys/action | List keys on the account resource for Microsoft Purview provider. | +> | Microsoft.Purview/accounts/addrootcollectionadmin/action | Add root collection admin to account resource for Microsoft Purview provider. | +> | Microsoft.Purview/accounts/move/action | Move account resource for Microsoft Purview provider. 
| +> | Microsoft.Purview/accounts/PrivateEndpointConnectionsApproval/action | Approve Private Endpoint Connection. | +> | Microsoft.Purview/accounts/kafkaConfigurations/read | Read Kafka Configurations. | +> | Microsoft.Purview/accounts/kafkaConfigurations/write | Create or update Kafka Configurations. | +> | Microsoft.Purview/accounts/kafkaConfigurations/delete | Delete Kafka Configurations. | +> | Microsoft.Purview/accounts/privateEndpointConnectionProxies/read | Read Account Private Endpoint Connection Proxy. | +> | Microsoft.Purview/accounts/privateEndpointConnectionProxies/write | Write Account Private Endpoint Connection Proxy. | +> | Microsoft.Purview/accounts/privateEndpointConnectionProxies/delete | Delete Account Private Endpoint Connection Proxy. | +> | Microsoft.Purview/accounts/privateEndpointConnectionProxies/validate/action | Validate Account Private Endpoint Connection Proxy. | +> | Microsoft.Purview/accounts/privateEndpointConnectionProxies/operationResults/read | Monitor Private Endpoint Connection Proxy async operations. | +> | Microsoft.Purview/accounts/privateEndpointConnections/read | Read Private Endpoint Connection. | +> | Microsoft.Purview/accounts/privateEndpointConnections/write | Create or update Private Endpoint Connection. | +> | Microsoft.Purview/accounts/privateEndpointConnections/delete | Delete Private Endpoint Connection. | +> | Microsoft.Purview/accounts/privatelinkresources/read | Read Account Link Resources. | +> | Microsoft.Purview/accounts/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource. | +> | Microsoft.Purview/accounts/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource. | +> | Microsoft.Purview/accounts/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for the catalog. 
| +> | Microsoft.Purview/accounts/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for the catalog. | +> | Microsoft.Purview/checkConsent/read | Resolve the scope the Consent is granted. | +> | Microsoft.Purview/checknameavailability/read | Check if name of purview account resource is available for Microsoft Purview provider. | +> | Microsoft.Purview/consents/read | Read Consent Resource. | +> | Microsoft.Purview/consents/write | Create or Update a Consent Resource. | +> | Microsoft.Purview/consents/delete | Delete the Consent Resource. | +> | Microsoft.Purview/getDefaultAccount/read | Gets the default account for the scope. | +> | Microsoft.Purview/locations/operationResults/read | Monitor async operations. | +> | Microsoft.Purview/operations/read | Reads all available operations for Microsoft Purview provider. | +> | Microsoft.Purview/policies/read | Read Policy Resource. | +> | **DataAction** | **Description** | +> | Microsoft.Purview/accounts/data/read | Permission is deprecated. | +> | Microsoft.Purview/accounts/data/write | Permission is deprecated. | +> | Microsoft.Purview/accounts/scan/read | Permission is deprecated. | +> | Microsoft.Purview/accounts/scan/write | Permission is deprecated. | +> | Microsoft.Purview/attributeBlobs/read | Read Attribute Blob. | +> | Microsoft.Purview/attributeBlobs/write | Write Attribute Blob. | +> | Microsoft.Purview/policyElements/read | Read Policy Element. | +> | Microsoft.Purview/policyElements/write | Create or update Policy Element. | +> | Microsoft.Purview/policyElements/delete | Delete Policy Element. | +> | Microsoft.Purview/purviewAccountBindings/read | Read Account Binding. | +> | Microsoft.Purview/purviewAccountBindings/write | Create or update Account Binding. | +> | Microsoft.Purview/purviewAccountBindings/delete | Delete Account Binding. 
| ++## Microsoft.RecoveryServices ++Azure service: [Site Recovery](/azure/site-recovery/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.RecoveryServices/register/action | Registers subscription for given Resource Provider | +> | Microsoft.RecoveryServices/unregister/action | Unregisters subscription for given Resource Provider | +> | Microsoft.RecoveryServices/Locations/backupCrossRegionRestore/action | Trigger Cross region restore. | +> | Microsoft.RecoveryServices/Locations/backupCrrJob/action | Get Cross Region Restore Job Details in the secondary region for Recovery Services Vault. | +> | Microsoft.RecoveryServices/Locations/backupCrrJobs/action | List Cross Region Restore Jobs in the secondary region for Recovery Services Vault. | +> | Microsoft.RecoveryServices/Locations/backupPreValidateProtection/action | | +> | Microsoft.RecoveryServices/Locations/backupStatus/action | Check Backup Status for Recovery Services Vaults | +> | Microsoft.RecoveryServices/Locations/backupValidateFeatures/action | Validate Features | +> | Microsoft.RecoveryServices/locations/allocateStamp/action | AllocateStamp is internal operation used by service | +> | Microsoft.RecoveryServices/locations/checkNameAvailability/action | Check Resource Name Availability is an API to check if resource name is available | +> | Microsoft.RecoveryServices/locations/allocatedStamp/read | GetAllocatedStamp is internal operation used by service | +> | Microsoft.RecoveryServices/Locations/backupAadProperties/read | Get AAD Properties for authentication in the third region for Cross Region Restore. | +> | Microsoft.RecoveryServices/Locations/backupCrrOperationResults/read | Returns CRR Operation Result for Recovery Services Vault. | +> | Microsoft.RecoveryServices/Locations/backupCrrOperationsStatus/read | Returns CRR Operation Status for Recovery Services Vault. 
| +> | Microsoft.RecoveryServices/Locations/backupProtectedItem/write | Create a backup Protected Item | +> | Microsoft.RecoveryServices/Locations/backupProtectedItems/read | Returns the list of all Protected Items. | +> | Microsoft.RecoveryServices/locations/operationStatus/read | Gets Operation Status for a given Operation | +> | Microsoft.RecoveryServices/operations/read | Operation returns the list of Operations for a Resource Provider | +> | Microsoft.RecoveryServices/Vaults/backupJobsExport/action | Export Jobs | +> | Microsoft.RecoveryServices/Vaults/backupSecurityPIN/action | Returns Security PIN Information for Recovery Services Vault. | +> | Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action | Validate Operation on Protected Item | +> | Microsoft.RecoveryServices/Vaults/backupValidateOperation/action | Validate Operation on Protected Item | +> | Microsoft.RecoveryServices/Vaults/write | Create Vault operation creates an Azure resource of type 'vault' | +> | Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' | +> | Microsoft.RecoveryServices/Vaults/delete | The Delete Vault operation deletes the specified Azure resource of type 'vault' | +> | Microsoft.RecoveryServices/Vaults/backupconfig/read | Returns Configuration for Recovery Services Vault. | +> | Microsoft.RecoveryServices/Vaults/backupconfig/write | Updates Configuration for Recovery Services Vault. | +> | Microsoft.RecoveryServices/Vaults/backupDeletedProtectionContainers/read | Returns all containers belonging to the subscription | +> | Microsoft.RecoveryServices/Vaults/backupEncryptionConfigs/read | Gets Backup Resource Encryption Configuration. | +> | Microsoft.RecoveryServices/Vaults/backupEncryptionConfigs/write | Updates Backup Resource Encryption Configuration | +> | Microsoft.RecoveryServices/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. 
| +> | Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action | Refreshes the container list | +> | Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/delete | Delete a backup Protection Intent | +> | Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read | Get a backup Protection Intent | +> | Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write | Create a backup Protection Intent | +> | Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read | Returns status of the operation | +> | Microsoft.RecoveryServices/Vaults/backupFabrics/operationsStatus/read | Returns status of the operation | +> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read | Get all protectable containers | +> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/delete | Deletes the registered Container | +> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action | Do inquiry for workloads within a container | +> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read | Returns all registered containers | +> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write | Creates a registered container | +> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read | Get all items in a container | +> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read | Gets result of Operation performed on Protection Container. | +> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationsStatus/read | Gets status of Operation performed on Protection Container. | +> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action | Performs Backup for Protected Item. 
| +> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/delete | Deletes Protected Item | +> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the Protected Item | +> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPointsRecommendedForMove/action | Get Recovery points recommended for move to another tier | +> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write | Create a backup Protected Item | +> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read | Gets Result of Operation Performed on Protected Items. | +> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read | Returns the status of Operation performed on Protected Items. | +> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action | Get AccessToken for Cross Region Restore. | +> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/move/action | Move Recovery point to another tier | +> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action | Provision Instant Item Recovery for Protected Item | +> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read | Get Recovery Points for Protected Items. | +> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action | Restore Recovery Points for Protected Items. 
| +> | Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action | Revoke Instant Item Recovery for Protected Item | +> | Microsoft.RecoveryServices/Vaults/backupJobs/cancel/action | Cancel the Job | +> | Microsoft.RecoveryServices/Vaults/backupJobs/read | Returns all Job Objects | +> | Microsoft.RecoveryServices/Vaults/backupJobs/retry/action | Cancel the Job | +> | Microsoft.RecoveryServices/Vaults/backupJobs/backupChildJobs/read | Returns all Job Objects | +> | Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read | Returns the Result of Job Operation. | +> | Microsoft.RecoveryServices/Vaults/backupJobs/operationsStatus/read | Returns the status of Job Operation. | +> | Microsoft.RecoveryServices/Vaults/backupOperationResults/read | Returns Backup Operation Result for Recovery Services Vault. | +> | Microsoft.RecoveryServices/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. | +> | Microsoft.RecoveryServices/Vaults/backupPolicies/delete | Delete a Protection Policy | +> | Microsoft.RecoveryServices/Vaults/backupPolicies/read | Returns all Protection Policies | +> | Microsoft.RecoveryServices/Vaults/backupPolicies/write | Creates Protection Policy | +> | Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read | Get Results of Policy Operation. | +> | Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read | Get Status of Policy Operation. | +> | Microsoft.RecoveryServices/Vaults/backupProtectableItems/read | Returns list of all Protectable Items. | +> | Microsoft.RecoveryServices/Vaults/backupProtectedItems/read | Returns the list of all Protected Items. 
| +> | Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read | Returns all containers belonging to the subscription | +> | Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read | List all backup Protection Intents | +> | Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/delete | The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy' | +> | Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read | Get the list of ResourceGuard proxies for a resource | +> | Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read | Get ResourceGuard proxy operation gets an object representing the Azure resource of type 'ResourceGuard proxy' | +> | Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/unlockDelete/action | Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation | +> | Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/write | Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy' | +> | Microsoft.RecoveryServices/Vaults/backupstorageconfig/read | Returns Storage Configuration for Recovery Services Vault. | +> | Microsoft.RecoveryServices/Vaults/backupstorageconfig/write | Updates Storage Configuration for Recovery Services Vault. | +> | Microsoft.RecoveryServices/Vaults/backupTieringCost/fetchTieringCost/action | Returns the tiering related cost info. | +> | Microsoft.RecoveryServices/Vaults/backupTieringCost/operationResults/read | Returns the result of Operation performed for tiering costs | +> | Microsoft.RecoveryServices/Vaults/backupTieringCost/operationsStatus/read | Returns the status of Operation performed for tiering cost | +> | Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services . 
| +> | Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read | Validate Operation on Protected Item | +> | Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read | Validate Operation on Protected Item | +> | Microsoft.RecoveryServices/Vaults/certificates/write | The Update Resource Certificate operation updates the resource/vault credential certificate. | +> | Microsoft.RecoveryServices/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? | +> | Microsoft.RecoveryServices/Vaults/extendedInformation/write | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? | +> | Microsoft.RecoveryServices/Vaults/extendedInformation/delete | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? | +> | Microsoft.RecoveryServices/Vaults/locations/capabilities/action | List capabilities at a given location. | +> | Microsoft.RecoveryServices/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery services vault. | +> | Microsoft.RecoveryServices/Vaults/monitoringAlerts/write | Resolves the alert. | +> | Microsoft.RecoveryServices/Vaults/monitoringConfigurations/read | Gets the Recovery services vault notification configuration. | +> | Microsoft.RecoveryServices/Vaults/monitoringConfigurations/write | Configures e-mail notifications to Recovery services vault. | +> | Microsoft.RecoveryServices/Vaults/operationResults/read | The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation | +> | Microsoft.RecoveryServices/Vaults/operationStatus/read | Gets Operation Status for a given Operation | +> | Microsoft.RecoveryServices/Vaults/privateEndpointConnectionProxies/delete | Wait for a few minutes and then try the operation again. 
If the issue persists, please contact Microsoft support. | +> | Microsoft.RecoveryServices/Vaults/privateEndpointConnectionProxies/read | Get all protectable containers | +> | Microsoft.RecoveryServices/Vaults/privateEndpointConnectionProxies/validate/action | Get all protectable containers | +> | Microsoft.RecoveryServices/Vaults/privateEndpointConnectionProxies/write | Get all protectable containers | +> | Microsoft.RecoveryServices/Vaults/privateEndpointConnectionProxies/operationsStatus/read | Get all protectable containers | +> | Microsoft.RecoveryServices/Vaults/privateEndpointConnections/delete | Delete Private Endpoint requests. This call is made by Backup Admin. | +> | Microsoft.RecoveryServices/Vaults/privateEndpointConnections/write | Approve or Reject Private Endpoint requests. This call is made by Backup Admin. | +> | Microsoft.RecoveryServices/Vaults/privateEndpointConnections/read | Returns all the private endpoint connections. | +> | Microsoft.RecoveryServices/Vaults/privateEndpointConnections/operationsStatus/read | Returns the operation status for a private endpoint connection. | +> | Microsoft.RecoveryServices/Vaults/privateLinkResources/read | Returns all the private link resources. | +> | Microsoft.RecoveryServices/Vaults/providers/Microsoft.Insights/diagnosticSettings/read | Azure Backup Diagnostics | +> | Microsoft.RecoveryServices/Vaults/providers/Microsoft.Insights/diagnosticSettings/write | Azure Backup Diagnostics | +> | Microsoft.RecoveryServices/Vaults/providers/Microsoft.Insights/logDefinitions/read | Azure Backup Logs | +> | Microsoft.RecoveryServices/Vaults/providers/Microsoft.Insights/metricDefinitions/read | Azure Backup Metrics | +> | Microsoft.RecoveryServices/Vaults/registeredIdentities/write | The Register Service Container operation can be used to register a container with Recovery Service. 
| +> | Microsoft.RecoveryServices/Vaults/registeredIdentities/read | The Get Containers operation can be used get the containers registered for a resource. | +> | Microsoft.RecoveryServices/Vaults/registeredIdentities/delete | The UnRegister Container operation can be used to unregister a container. | +> | Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read | The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation | +> | Microsoft.RecoveryServices/vaults/replicationAlertSettings/read | Read any Alerts Settings | +> | Microsoft.RecoveryServices/vaults/replicationAlertSettings/write | Create or Update any Alerts Settings | +> | Microsoft.RecoveryServices/vaults/replicationEvents/read | Read any Events | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/read | Read any Fabrics | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/write | Create or Update any Fabrics | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/remove/action | Remove Fabric | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/checkConsistency/action | Checks Consistency of the Fabric | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/delete | Delete any Fabrics | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/renewcertificate/action | Renew Certificate for Fabric | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/deployProcessServerImage/action | Deploy Process Server Image | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/reassociateGateway/action | Reassociate Gateway | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/migratetoaad/action | Migrate Fabric To AAD | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/moveWebApp/action | Move WebApp | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/removeInfra/action | | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/operationresults/read | Track the 
results of an asynchronous operation on the resource Fabrics | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationLogicalNetworks/read | Read any Logical Networks | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read | Read any Networks | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read | Read any Network Mappings | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/write | Create or Update any Network Mappings | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/delete | Delete any Network Mappings | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read | Read any Protection Containers | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/discoverProtectableItem/action | Discover Protectable Item | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/write | Create or Update any Protection Containers | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/remove/action | Remove Protection Container | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/switchprotection/action | Switch Protection Container | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/operationresults/read | Track the results of an asynchronous operation on the resource Protection Containers | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/read | Read any Migration Items | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/write | Create or Update any Migration Items | +> | 
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/delete | Delete any Migration Items | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/resync/action | Resynchronize | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/migrate/action | Migrate Item | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/testMigrate/action | Test Migrate | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/testMigrateCleanup/action | Test Migrate Cleanup | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/pauseReplication/action | | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/resumeReplication/action | | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/migrationRecoveryPoints/read | Read any Migration Recovery Points | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/operationresults/read | Track the results of an asynchronous operation on the resource Migration Items | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read | Read any Protectable Items | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read | Read any Protected Items | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/write | Create or Update any Protected Items | +> | 
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/delete | Delete any Protected Items | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/remove/action | Remove Protected Item | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action | Planned Failover | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action | Failover | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action | Test Failover | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailoverCleanup/action | Test Failover Cleanup | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCommit/action | Failover Commit | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/reProtect/action | ReProtect Protected Item | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateMobilityService/action | Update Mobility Service | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/repairReplication/action | Repair replication | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/applyRecoveryPoint/action | Apply Recovery Point | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/submitFeedback/action | Submit Feedback | +> | 
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/addDisks/action | Add disks | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/removeDisks/action | Remove disks | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/ResolveHealthErrors/action | | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCancel/action | Failover Cancel | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateAppliance/action | | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/operationresults/read | Track the results of an asynchronous operation on the resource Protected Items | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read | Read any Replication Recovery Points | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/targetComputeSizes/read | Read any Target Compute Sizes | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read | Read any Protection Container Mappings | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/write | Create or Update any Protection Container Mappings | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/remove/action | Remove Protection Container Mapping | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/delete 
| Delete any Protection Container Mappings | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/operationresults/read | Track the results of an asynchronous operation on the resource Protection Container Mappings | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read | Read any Recovery Services Providers | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/write | Create or Update any Recovery Services Providers | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/remove/action | Remove Recovery Services Provider | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/delete | Delete any Recovery Services Providers | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/refreshProvider/action | Refresh Provider | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/operationresults/read | Track the results of an asynchronous operation on the resource Recovery Services Providers | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read | Read any Storage Classifications | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read | Read any Storage Classification Mappings | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/write | Create or Update any Storage Classification Mappings | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/delete | Delete any Storage Classification Mappings | +> | 
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/operationresults/read | Track the results of an asynchronous operation on the resource Storage Classification Mappings | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read | Read any vCenters | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/write | Create or Update any vCenters | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/delete | Delete any vCenters | +> | Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/operationresults/read | Track the results of an asynchronous operation on the resource vCenters | +> | Microsoft.RecoveryServices/vaults/replicationJobs/read | Read any Jobs | +> | Microsoft.RecoveryServices/vaults/replicationJobs/cancel/action | Cancel Job | +> | Microsoft.RecoveryServices/vaults/replicationJobs/restart/action | Restart job | +> | Microsoft.RecoveryServices/vaults/replicationJobs/resume/action | Resume Job | +> | Microsoft.RecoveryServices/vaults/replicationJobs/operationresults/read | Track the results of an asynchronous operation on the resource Jobs | +> | Microsoft.RecoveryServices/vaults/replicationMigrationItems/read | Read any Migration Items | +> | Microsoft.RecoveryServices/vaults/replicationNetworkMappings/read | Read any Network Mappings | +> | Microsoft.RecoveryServices/vaults/replicationNetworks/read | Read any Networks | +> | Microsoft.RecoveryServices/vaults/replicationOperationStatus/read | Read any Vault Replication Operation Status | +> | Microsoft.RecoveryServices/vaults/replicationPolicies/read | Read any Policies | +> | Microsoft.RecoveryServices/vaults/replicationPolicies/write | Create or Update any Policies | +> | Microsoft.RecoveryServices/vaults/replicationPolicies/delete | Delete any Policies | +> | Microsoft.RecoveryServices/vaults/replicationPolicies/operationresults/read 
| Track the results of an asynchronous operation on the resource Policies | +> | Microsoft.RecoveryServices/vaults/replicationProtectedItems/read | Read any Protected Items | +> | Microsoft.RecoveryServices/vaults/replicationProtectionContainerMappings/read | Read any Protection Container Mappings | +> | Microsoft.RecoveryServices/vaults/replicationProtectionContainers/read | Read any Protection Containers | +> | Microsoft.RecoveryServices/vaults/replicationProtectionIntents/read | Read any | +> | Microsoft.RecoveryServices/vaults/replicationProtectionIntents/write | Create or Update any | +> | Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read | Read any Recovery Plans | +> | Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/write | Create or Update any Recovery Plans | +> | Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/delete | Delete any Recovery Plans | +> | Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/plannedFailover/action | Planned Failover Recovery Plan | +> | Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/unplannedFailover/action | Failover Recovery Plan | +> | Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailover/action | Test Failover Recovery Plan | +> | Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailoverCleanup/action | Test Failover Cleanup Recovery Plan | +> | Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/failoverCommit/action | Failover Commit Recovery Plan | +> | Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/reProtect/action | ReProtect Recovery Plan | +> | Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/failoverCancel/action | Cancel Failover Recovery Plan | +> | Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/operationresults/read | Track the results of an asynchronous operation on the resource Recovery Plans | +> | Microsoft.RecoveryServices/vaults/replicationRecoveryServicesProviders/read | Read any 
Recovery Services Providers | +> | Microsoft.RecoveryServices/vaults/replicationStorageClassificationMappings/read | Read any Storage Classification Mappings | +> | Microsoft.RecoveryServices/vaults/replicationStorageClassifications/read | Read any Storage Classifications | +> | Microsoft.RecoveryServices/vaults/replicationSupportedOperatingSystems/read | Read any | +> | Microsoft.RecoveryServices/vaults/replicationSupportedRegionMappings/read | Read any | +> | Microsoft.RecoveryServices/vaults/replicationUsages/read | Read any Vault Replication Usages | +> | Microsoft.RecoveryServices/vaults/replicationVaultHealth/read | Read any Vault Replication Health | +> | Microsoft.RecoveryServices/vaults/replicationVaultHealth/refresh/action | Refresh Vault Health | +> | Microsoft.RecoveryServices/vaults/replicationVaultHealth/operationresults/read | Track the results of an asynchronous operation on the resource Vault Replication Health | +> | Microsoft.RecoveryServices/vaults/replicationVaultSettings/read | Read any | +> | Microsoft.RecoveryServices/vaults/replicationVaultSettings/write | Create or Update any | +> | Microsoft.RecoveryServices/vaults/replicationvCenters/read | Read any vCenters | +> | Microsoft.RecoveryServices/Vaults/usages/read | Returns usage details for a Recovery Services Vault. | +> | Microsoft.RecoveryServices/vaults/usages/read | Read any Vault Usages | +> | Microsoft.RecoveryServices/Vaults/vaultTokens/read | The Vault Token operation can be used to get Vault Token for vault level backend operations. 
| ++## Microsoft.ResourceGraph ++Azure service: [Azure Resource Graph](/azure/governance/resource-graph/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.ResourceGraph/operations/read | Gets the list of supported operations | +> | Microsoft.ResourceGraph/queries/read | Gets the specified graph query | +> | Microsoft.ResourceGraph/queries/delete | Deletes the specified graph query | +> | Microsoft.ResourceGraph/queries/write | Creates/Updates the specified graph query | +> | Microsoft.ResourceGraph/resourceChangeDetails/read | Gets the details of the specified resource change | +> | Microsoft.ResourceGraph/resourceChanges/read | Lists changes to a resource for a given time interval | +> | Microsoft.ResourceGraph/resources/read | Submits a query on resources within specified subscriptions, management groups or tenant scope | +> | Microsoft.ResourceGraph/resourcesHistory/read | List all snapshots of resources history within specified subscriptions, management groups or tenant scope | ++## Microsoft.Resources ++Azure service: [Azure Resource Manager](/azure/azure-resource-manager/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Resources/checkResourceName/action | Check the resource name for validity. | +> | Microsoft.Resources/calculateTemplateHash/action | Calculate the hash of provided template. | +> | Microsoft.Resources/checkZonePeers/action | Check Zone Peers | +> | Microsoft.Resources/changes/read | Gets or lists changes | +> | Microsoft.Resources/checkPolicyCompliance/read | Check the compliance status of a given resource against resource policies. | +> | Microsoft.Resources/dataBoundaries/write | Tenant level opt-in to data boundary | +> | Microsoft.Resources/deployments/read | Gets or lists deployments. | +> | Microsoft.Resources/deployments/write | Creates or updates an deployment. | +> | Microsoft.Resources/deployments/delete | Deletes a deployment. 
| +> | Microsoft.Resources/deployments/cancel/action | Cancels a deployment. | +> | Microsoft.Resources/deployments/validate/action | Validates an deployment. | +> | Microsoft.Resources/deployments/whatIf/action | Predicts template deployment changes. | +> | Microsoft.Resources/deployments/exportTemplate/action | Export template for a deployment | +> | Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. | +> | Microsoft.Resources/deployments/operationstatuses/read | Gets or lists deployment operation statuses. | +> | Microsoft.Resources/deploymentScripts/read | Gets or lists deployment scripts | +> | Microsoft.Resources/deploymentScripts/write | Creates or updates a deployment script | +> | Microsoft.Resources/deploymentScripts/delete | Deletes a deployment script | +> | Microsoft.Resources/deploymentScripts/logs/read | Gets or lists deployment script logs | +> | Microsoft.Resources/deploymentStacks/read | Gets or lists deployment stacks | +> | Microsoft.Resources/deploymentStacks/write | Creates or updates a deployment stack | +> | Microsoft.Resources/deploymentStacks/delete | Deletes a deployment stack | +> | Microsoft.Resources/links/read | Gets or lists resource links. | +> | Microsoft.Resources/links/write | Creates or updates a resource link. | +> | Microsoft.Resources/links/delete | Deletes a resource link. | +> | Microsoft.Resources/locations/moboOperationStatuses/read | Reads the Mobo Service Operation Status for the resource. | +> | Microsoft.Resources/marketplace/purchase/action | Purchases a resource from the marketplace. | +> | Microsoft.Resources/moboBrokers/read | Gets or lists mobo brokers | +> | Microsoft.Resources/moboBrokers/write | Creates or updates a mobo broker | +> | Microsoft.Resources/moboBrokers/delete | Deletes a mobo broker | +> | Microsoft.Resources/providers/read | Get the list of providers. | +> | Microsoft.Resources/resources/read | Get the list of resources based upon filters. 
| +> | Microsoft.Resources/subscriptionRegistrations/read | Get Subscription Registration for a resource provider namespace. | +> | Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. | +> | Microsoft.Resources/subscriptions/locations/read | Gets the list of locations supported. | +> | Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. | +> | Microsoft.Resources/subscriptions/providers/read | Gets or lists resource providers. | +> | Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. | +> | Microsoft.Resources/subscriptions/resourceGroups/write | Creates or updates a resource group. | +> | Microsoft.Resources/subscriptions/resourceGroups/delete | Deletes a resource group and all its resources. | +> | Microsoft.Resources/subscriptions/resourceGroups/moveResources/action | Moves resources from one resource group to another. | +> | Microsoft.Resources/subscriptions/resourceGroups/validateMoveResources/action | Validate move of resources from one resource group to another. | +> | Microsoft.Resources/subscriptions/resourcegroups/deployments/read | Gets or lists deployments. | +> | Microsoft.Resources/subscriptions/resourcegroups/deployments/write | Creates or updates an deployment. | +> | Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read | Gets or lists deployment operations. | +> | Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read | Gets or lists deployment operation statuses. | +> | Microsoft.Resources/subscriptions/resourcegroups/resources/read | Gets the resources for the resource group. | +> | Microsoft.Resources/subscriptions/resources/read | Gets resources of a subscription. | +> | Microsoft.Resources/subscriptions/tagNames/read | Gets or lists subscription tags. | +> | Microsoft.Resources/subscriptions/tagNames/write | Adds a subscription tag. 
| +> | Microsoft.Resources/subscriptions/tagNames/delete | Deletes a subscription tag. | +> | Microsoft.Resources/subscriptions/tagNames/tagValues/read | Gets or lists subscription tag values. | +> | Microsoft.Resources/subscriptions/tagNames/tagValues/write | Adds a subscription tag value. | +> | Microsoft.Resources/subscriptions/tagNames/tagValues/delete | Deletes a subscription tag value. | +> | Microsoft.Resources/tags/read | Gets all the tags on a resource. | +> | Microsoft.Resources/tags/write | Updates the tags on a resource by replacing or merging existing tags with a new set of tags, or removing existing tags. | +> | Microsoft.Resources/tags/delete | Removes all the tags on a resource. | +> | Microsoft.Resources/templateSpecs/read | Gets or lists template specs | +> | Microsoft.Resources/templateSpecs/write | Creates or updates a template spec | +> | Microsoft.Resources/templateSpecs/delete | Deletes a template spec | +> | Microsoft.Resources/templateSpecs/versions/read | Gets or lists template specs | +> | Microsoft.Resources/templateSpecs/versions/write | Creates or updates a template spec version | +> | Microsoft.Resources/templateSpecs/versions/delete | Deletes a template spec version | +> | Microsoft.Resources/tenants/read | Gets the list of tenants. | ++## Microsoft.Solutions ++Azure service: [Azure Managed Applications](/azure/azure-resource-manager/managed-applications/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Solutions/register/action | Register the subscription for Microsoft.Solutions | +> | Microsoft.Solutions/unregister/action | Unregister the subscription for Microsoft.Solutions | +> | Microsoft.Solutions/applicationDefinitions/read | Gets the managed application definition. | +> | Microsoft.Solutions/applicationDefinitions/write | Creates or updates a managed application definition. | +> | Microsoft.Solutions/applicationDefinitions/delete | Deletes the managed application definition. 
| +> | Microsoft.Solutions/applicationDefinitions/write | Updates the managed application definition. | +> | Microsoft.Solutions/applicationDefinitions/read | Lists the managed application definitions in a resource group. | +> | Microsoft.Solutions/applicationDefinitions/read | Lists all the application definitions within a subscription. | +> | Microsoft.Solutions/applications/read | Gets the managed application. | +> | Microsoft.Solutions/applications/write | Creates or updates a managed application. | +> | Microsoft.Solutions/applications/delete | Deletes the managed application. | +> | Microsoft.Solutions/applications/write | Updates an existing managed application. | +> | Microsoft.Solutions/applications/read | Lists all the applications within a resource group. | +> | Microsoft.Solutions/applications/read | Lists all the applications within a subscription. | +> | Microsoft.Solutions/applications/refreshPermissions/action | Refresh Permissions for application. | +> | Microsoft.Solutions/applications/listAllowedUpgradePlans/action | List allowed upgrade plans for application. | +> | Microsoft.Solutions/applications/updateAccess/action | Update access for application. | +> | Microsoft.Solutions/applications/listTokens/action | List tokens for application. | +> | Microsoft.Solutions/jitRequests/read | Gets the JIT request. | +> | Microsoft.Solutions/jitRequests/write | Creates or updates the JIT request. | +> | Microsoft.Solutions/jitRequests/delete | Deletes the JIT request. | +> | Microsoft.Solutions/jitRequests/write | Updates the JIT request. | +> | Microsoft.Solutions/jitRequests/read | Lists all JIT requests within the subscription. | +> | Microsoft.Solutions/jitRequests/read | Lists all JIT requests within the resource group. 
| +> | Microsoft.Solutions/locations/operationstatuses/read | read operationstatuses | +> | Microsoft.Solutions/locations/operationstatuses/write | write operationstatuses | +> | Microsoft.Solutions/operations/read | read operations | ++## Microsoft.Subscription ++Azure service: core ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Subscription/cancel/action | Cancels the Subscription | +> | Microsoft.Subscription/rename/action | Renames the Subscription | +> | Microsoft.Subscription/enable/action | Reactivates the Subscription | +> | Microsoft.Subscription/aliases/write | Create subscription alias | +> | Microsoft.Subscription/aliases/read | Get subscription alias | +> | Microsoft.Subscription/aliases/delete | Delete subscription alias | +> | Microsoft.Subscription/Policies/write | Create tenant policy | +> | Microsoft.Subscription/Policies/default/read | Get tenant policy | +> | Microsoft.Subscription/subscriptions/acceptOwnership/action | Accept ownership of Subscription | +> | Microsoft.Subscription/subscriptions/acceptOwnershipStatus/read | Get the status of accepting ownership of Subscription | ++## Next steps ++- [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types) |
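Review bot: several Action strings in this hunk are listed more than once with different descriptions, which makes the table ambiguous for anyone copying a string into a custom role definition. Under Microsoft.Solutions, `Microsoft.Solutions/applicationDefinitions/read` appears three times (gets, lists in a resource group, lists in a subscription), `Microsoft.Solutions/applicationDefinitions/write` twice ("Creates or updates" and "Updates"), and `Microsoft.Solutions/applications/read`, `Microsoft.Solutions/applications/write`, `Microsoft.Solutions/jitRequests/read` and `Microsoft.Solutions/jitRequests/write` follow the same pattern; the action string is the key a role assignment matches on, so each should appear once with a merged description. Under Microsoft.RecoveryServices, `Microsoft.RecoveryServices/Vaults/usages/read | Returns usage details for a Recovery Services Vault.` and `Microsoft.RecoveryServices/vaults/usages/read | Read any Vault Usages` differ only in the casing of `Vaults`; if that is one action it should be one row. Smaller points in the same hunk: the Description cell is empty for `replicationMigrationItems/pauseReplication/action`, `replicationMigrationItems/resumeReplication/action`, `replicationProtectedItems/ResolveHealthErrors/action` and `replicationProtectedItems/updateAppliance/action`, and is cut short to "Read any" or "Create or Update any" for `replicationProtectionIntents`, `replicationSupportedOperatingSystems`, `replicationSupportedRegionMappings` and `replicationVaultSettings`; `Microsoft.RecoveryServices/Vaults/vaultTokens/read` is described as returning a Vault Token for backend operations, so a sentence noting that it hands back a credential rather than metadata would help readers keep it out of roles that are meant to be read-only; `Microsoft.Resources/templateSpecs/versions/read` says "Gets or lists template specs" where the neighbouring write and delete rows say "template spec version"; and "Creates or updates an deployment." and "Validates an deployment." should read "a deployment" (three occurrences under Microsoft.Resources).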
role-based-access-control | Migration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/migration.md | + + Title: Azure permissions for Migration - Azure RBAC +description: Lists the permissions for the Azure resource providers in the Migration category. +++++ Last updated : 02/07/2024++++# Azure permissions for Migration ++This article lists the permissions for the Azure resource providers in the Migration category. You can use these permissions in your own [Azure custom roles](/azure/role-based-access-control/custom-roles) to provide granular access control to resources in Azure. Permission strings have the following format: `{Company}.{ProviderName}/{resourceType}/{action}` +++## Microsoft.Migrate ++Azure service: [Azure Migrate](/azure/migrate/migrate-services-overview) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Migrate/register/action | Subscription Registration Action | +> | Microsoft.Migrate/register/action | Registers Subscription with Microsoft.Migrate resource provider | +> | Microsoft.Migrate/unregister/action | Unregisters Subscription with Microsoft.Migrate resource provider | +> | Microsoft.Migrate/assessmentprojects/read | Gets the properties of assessment project | +> | Microsoft.Migrate/assessmentprojects/write | Creates a new assessment project or updates an existing assessment project | +> | Microsoft.Migrate/assessmentprojects/delete | Deletes the assessment project | +> | Microsoft.Migrate/assessmentprojects/startreplicationplanner/action | Initiates replication planner for the set of resources included in the request body | +> | Microsoft.Migrate/assessmentprojects/aksAssessmentOptions/read | Gets the properties of the aks AssessmentOptions | +> | Microsoft.Migrate/assessmentprojects/aksAssessments/read | Gets the properties of the aks Assessment | +> | Microsoft.Migrate/assessmentprojects/aksAssessments/write | Creates a aks Assessment or updates 
an existing aks Assessment | +> | Microsoft.Migrate/assessmentprojects/aksAssessments/delete | Deletes the aks Assessment which are available in the given location | +> | Microsoft.Migrate/assessmentprojects/aksAssessments/downloadurl/action | Get Blob SAS URI for the aks AssessmentReport | +> | Microsoft.Migrate/assessmentprojects/aksAssessments/assessedwebapps/read | Gets the properties of the assessedwebapps | +> | Microsoft.Migrate/assessmentprojects/aksAssessments/clusters/read | Gets the properties of the clusters | +> | Microsoft.Migrate/assessmentprojects/aksAssessments/costdetails/read | Gets the properties of the costdetails | +> | Microsoft.Migrate/assessmentprojects/aksAssessments/summaries/read | Gets the properties of the aks AssessmentSummary | +> | Microsoft.Migrate/assessmentprojects/assessmentOptions/read | Gets the assessment options which are available in the given location | +> | Microsoft.Migrate/assessmentprojects/assessments/read | Lists assessments within a project | +> | Microsoft.Migrate/assessmentprojects/assessmentsSummary/read | Gets the assessments summary which are available in the given location | +> | Microsoft.Migrate/assessmentprojects/avsAssessmentOptions/read | Gets the AVS assessment options which are available in the given location | +> | Microsoft.Migrate/assessmentprojects/businesscases/comparesummary/action | Gets the compare summary of the business case | +> | Microsoft.Migrate/assessmentprojects/businesscases/read | Gets the properties of a business case | +> | Microsoft.Migrate/assessmentprojects/businesscases/report/action | Downloads a Business Case report's URL | +> | Microsoft.Migrate/assessmentprojects/businesscases/write | Creates a new business case or updates an existing business case | +> | Microsoft.Migrate/assessmentprojects/businesscases/delete | Delete a Business Case | +> | Microsoft.Migrate/assessmentprojects/businesscases/avssummaries/read | Gets the AVS summary of the business case | +> | 
Microsoft.Migrate/assessmentprojects/businesscases/evaluatedavsmachines/read | Get the properties of an evaluated Avs machine | +> | Microsoft.Migrate/assessmentprojects/businesscases/evaluatedmachines/read | Get the properties of an evaluated machine | +> | Microsoft.Migrate/assessmentprojects/businesscases/evaluatedsqlentities/read | Get the properties of an evaluated SQL entities | +> | Microsoft.Migrate/assessmentprojects/businesscases/evaluatedwebapps/read | Get the properties of an Evaluated Webapp | +> | Microsoft.Migrate/assessmentprojects/businesscases/iaassummaries/read | Gets the IAAS summary of the business case | +> | Microsoft.Migrate/assessmentprojects/businesscases/overviewsummaries/read | Gets the overview summary of the business case | +> | Microsoft.Migrate/assessmentprojects/businesscases/paassummaries/read | Gets the PAAS summary of the business case | +> | Microsoft.Migrate/assessmentprojects/groups/read | Get the properties of a group | +> | Microsoft.Migrate/assessmentprojects/groups/write | Creates a new group or updates an existing group | +> | Microsoft.Migrate/assessmentprojects/groups/delete | Deletes a group | +> | Microsoft.Migrate/assessmentprojects/groups/updateMachines/action | Update group by adding or removing machines | +> | Microsoft.Migrate/assessmentprojects/groups/assessments/read | Gets the properties of an assessment | +> | Microsoft.Migrate/assessmentprojects/groups/assessments/write | Creates a new assessment or updates an existing assessment | +> | Microsoft.Migrate/assessmentprojects/groups/assessments/delete | Deletes an assessment | +> | Microsoft.Migrate/assessmentprojects/groups/assessments/downloadurl/action | Downloads an assessment report's URL | +> | Microsoft.Migrate/assessmentprojects/groups/assessments/assessedmachines/read | Get the properties of an assessed machine | +> | Microsoft.Migrate/assessmentprojects/groups/assessmentsSummary/read | Assessment summary of group | +> | 
Microsoft.Migrate/assessmentprojects/groups/avsAssessments/read | Gets the properties of an AVS assessment | +> | Microsoft.Migrate/assessmentprojects/groups/avsAssessments/write | Creates a new AVS assessment or updates an existing AVS assessment | +> | Microsoft.Migrate/assessmentprojects/groups/avsAssessments/delete | Deletes an AVS assessment | +> | Microsoft.Migrate/assessmentprojects/groups/avsAssessments/downloadurl/action | Downloads an AVS assessment report's URL | +> | Microsoft.Migrate/assessmentprojects/groups/avsAssessments/avsassessedmachines/read | Get the properties of an AVS assessed machine | +> | Microsoft.Migrate/assessmentprojects/groups/sqlAssessments/read | Gets the properties of an SQL assessment | +> | Microsoft.Migrate/assessmentprojects/groups/sqlAssessments/write | Creates a new SQL assessment or updates an existing SQL assessment | +> | Microsoft.Migrate/assessmentprojects/groups/sqlAssessments/delete | Deletes an SQL assessment | +> | Microsoft.Migrate/assessmentprojects/groups/sqlAssessments/downloadurl/action | Downloads an SQL assessment report's URL | +> | Microsoft.Migrate/assessmentprojects/groups/sqlAssessments/assessedSqlDatabases/read | Get the properties of assessed SQL databses | +> | Microsoft.Migrate/assessmentprojects/groups/sqlAssessments/assessedSqlInstances/read | Get the properties of assessed SQL instances | +> | Microsoft.Migrate/assessmentprojects/groups/sqlAssessments/assessedSqlMachines/read | Get the properties of assessed SQL machines | +> | Microsoft.Migrate/assessmentprojects/groups/sqlAssessments/recommendedAssessedEntities/read | Get the properties of recommended assessed entity | +> | Microsoft.Migrate/assessmentprojects/groups/sqlAssessments/summaries/read | Gets Sql Assessment summary of group | +> | Microsoft.Migrate/assessmentprojects/groups/webappAssessments/downloadurl/action | Downloads WebApp assessment report's URL | +> | Microsoft.Migrate/assessmentprojects/groups/webappAssessments/read | Gets 
the properties of an WebApp assessment | +> | Microsoft.Migrate/assessmentprojects/groups/webappAssessments/write | Creates a new WebApp assessment or updates an existing WebApp assessment | +> | Microsoft.Migrate/assessmentprojects/groups/webappAssessments/delete | Deletes an WebApp assessment | +> | Microsoft.Migrate/assessmentprojects/groups/webappAssessments/assessedwebApps/read | Get the properties of assessed WebApps | +> | Microsoft.Migrate/assessmentprojects/groups/webappAssessments/summaries/read | Gets web app assessment summary | +> | Microsoft.Migrate/assessmentprojects/groups/webappAssessments/webappServicePlans/read | Get the properties of WebApp service plan | +> | Microsoft.Migrate/assessmentprojects/hypervcollectors/read | Gets the properties of HyperV collector | +> | Microsoft.Migrate/assessmentprojects/hypervcollectors/write | Creates a new HyperV collector or updates an existing HyperV collector | +> | Microsoft.Migrate/assessmentprojects/hypervcollectors/delete | Deletes the HyperV collector | +> | Microsoft.Migrate/assessmentprojects/importcollectors/read | Gets the properties of Import collector | +> | Microsoft.Migrate/assessmentprojects/importcollectors/write | Creates a new Import collector or updates an existing Import collector | +> | Microsoft.Migrate/assessmentprojects/importcollectors/delete | Deletes the Import collector | +> | Microsoft.Migrate/assessmentprojects/machines/read | Gets the properties of a machine | +> | Microsoft.Migrate/assessmentprojects/oracleAssessmentOptions/read | Gets the properties of the oracle AssessmentOptions | +> | Microsoft.Migrate/assessmentprojects/oracleAssessments/read | Gets the properties of the oracle Assessment | +> | Microsoft.Migrate/assessmentprojects/oracleAssessments/write | Creates a oracle Assessment or updates an existing oracle Assessment | +> | Microsoft.Migrate/assessmentprojects/oracleAssessments/delete | Deletes the oracle Assessment which are available in the given location | +> | 
Microsoft.Migrate/assessmentprojects/oracleAssessments/downloadurl/action | Get Blob SAS URI for the oracle AssessmentReport | +> | Microsoft.Migrate/assessmentprojects/oracleAssessments/assessedDatabases/read | Gets the properties of the assessedDatabases | +> | Microsoft.Migrate/assessmentprojects/oracleAssessments/assessedInstances/read | Gets the properties of the assessedInstances | +> | Microsoft.Migrate/assessmentprojects/oracleAssessments/summaries/read | Gets the properties of the oracle AssessmentSummary | +> | Microsoft.Migrate/assessmentprojects/oraclecollectors/read | Gets the properties of the oracle Collector | +> | Microsoft.Migrate/assessmentprojects/oraclecollectors/write | Creates a oracle Collector or updates an existing oracle Collector | +> | Microsoft.Migrate/assessmentprojects/oraclecollectors/delete | Deletes the oracle Collector which are available in the given location | +> | Microsoft.Migrate/assessmentprojects/privateEndpointConnectionProxies/read | Get Private Endpoint Connection Proxy | +> | Microsoft.Migrate/assessmentprojects/privateEndpointConnectionProxies/validate/action | Validate a Private Endpoint Connection Proxy | +> | Microsoft.Migrate/assessmentprojects/privateEndpointConnectionProxies/write | Create or Update a Private Endpoint Connection Proxy | +> | Microsoft.Migrate/assessmentprojects/privateEndpointConnectionProxies/delete | Delete a Private Endpoint Connection Proxy | +> | Microsoft.Migrate/assessmentprojects/privateEndpointConnections/read | Get Private Endpoint Connection | +> | Microsoft.Migrate/assessmentprojects/privateEndpointConnections/write | Update a Private Endpoint Connection | +> | Microsoft.Migrate/assessmentprojects/privateEndpointConnections/delete | Delete a Private Endpoint Connection | +> | Microsoft.Migrate/assessmentprojects/privateLinkResources/read | Get Private Link Resource | +> | Microsoft.Migrate/assessmentprojects/projectsummary/read | Gets the properties of project summary | +> | 
Microsoft.Migrate/assessmentprojects/replicationplannerjobs/read | Gets the properties of an replication planner jobs | +> | Microsoft.Migrate/assessmentprojects/servercollectors/read | Gets the properties of Server collector | +> | Microsoft.Migrate/assessmentprojects/servercollectors/write | Creates a new Server collector or updates an existing Server collector | +> | Microsoft.Migrate/assessmentprojects/springBootAssessmentOptions/read | Gets the properties of the springBoot AssessmentOptions | +> | Microsoft.Migrate/assessmentprojects/springBootAssessments/read | Gets the properties of the springBoot Assessment | +> | Microsoft.Migrate/assessmentprojects/springBootAssessments/write | Creates a springBoot Assessment or updates an existing springBoot Assessment | +> | Microsoft.Migrate/assessmentprojects/springBootAssessments/delete | Deletes the springBoot Assessment which are available in the given location | +> | Microsoft.Migrate/assessmentprojects/springBootAssessments/downloadurl/action | Get Blob SAS URI for the springBoot AssessmentReport | +> | Microsoft.Migrate/assessmentprojects/springBootAssessments/assessedApplications/read | Gets the properties of the assessedApplications | +> | Microsoft.Migrate/assessmentprojects/springBootAssessments/summaries/read | Gets the properties of the springBoot AssessmentSummary | +> | Microsoft.Migrate/assessmentprojects/springBootcollectors/read | Gets the properties of the springBoot Collector | +> | Microsoft.Migrate/assessmentprojects/springBootcollectors/write | Creates a springBoot Collector or updates an existing springBoot Collector | +> | Microsoft.Migrate/assessmentprojects/springBootcollectors/delete | Deletes the springBoot Collector which are available in the given location | +> | Microsoft.Migrate/assessmentprojects/sqlAssessmentOptions/read | Gets the SQL assessment options which are available in the given location | +> | Microsoft.Migrate/assessmentprojects/sqlcollectors/read | Gets the properties of 
SQL collector | +> | Microsoft.Migrate/assessmentprojects/sqlcollectors/write | Creates a new SQL collector or updates an existing SQL collector | +> | Microsoft.Migrate/assessmentprojects/sqlcollectors/delete | Deletes the SQL collector | +> | Microsoft.Migrate/assessmentprojects/vmwarecollectors/read | Gets the properties of VMware collector | +> | Microsoft.Migrate/assessmentprojects/vmwarecollectors/write | Creates a new VMware collector or updates an existing VMware collector | +> | Microsoft.Migrate/assessmentprojects/vmwarecollectors/delete | Deletes the VMware collector | +> | Microsoft.Migrate/assessmentprojects/webAppAssessmentOptions/read | Gets the WebApp assessment options which are available in the given location | +> | Microsoft.Migrate/assessmentprojects/webAppAssessments/read | Lists web app assessments within a project | +> | Microsoft.Migrate/assessmentprojects/webappcollectors/read | Gets the properties of Webapp collector | +> | Microsoft.Migrate/assessmentprojects/webappcollectors/write | Creates a new Webapp collector or updates an existing Webapp collector | +> | Microsoft.Migrate/assessmentprojects/webappcollectors/delete | Deletes the Webapp collector | +> | Microsoft.Migrate/locations/checknameavailability/action | Checks availability of the resource name for the given subscription in the given location | +> | Microsoft.Migrate/locations/assessmentOptions/read | Gets the assessment options which are available in the given location | +> | Microsoft.Migrate/locations/rmsOperationResults/read | Gets the status of the subscription wide location based operation | +> | Microsoft.Migrate/migrateprojects/read | Gets the properties of migrate project | +> | Microsoft.Migrate/migrateprojects/write | Creates a new migrate project or updates an existing migrate project | +> | Microsoft.Migrate/migrateprojects/delete | Deletes a migrate project | +> | Microsoft.Migrate/migrateprojects/registerTool/action | Registers tool to a migrate project | +> | 
Microsoft.Migrate/migrateprojects/RefreshSummary/action | Refreshes the migrate project summary | +> | Microsoft.Migrate/migrateprojects/registrationDetails/action | Provides the tool registration details | +> | Microsoft.Migrate/migrateprojects/DatabaseInstances/read | Gets the properties of a database instance | +> | Microsoft.Migrate/migrateprojects/Databases/read | Gets the properties of a database | +> | Microsoft.Migrate/migrateprojects/machines/read | Gets the properties of a machine | +> | Microsoft.Migrate/migrateprojects/MigrateEvents/read | Gets the properties of a migrate events. | +> | Microsoft.Migrate/migrateprojects/MigrateEvents/Delete | Deletes a migrate event | +> | Microsoft.Migrate/migrateprojects/privateEndpointConnectionProxies/read | Get Private Endpoint Connection Proxy | +> | Microsoft.Migrate/migrateprojects/privateEndpointConnectionProxies/validate/action | Validate a Private Endpoint Connection Proxy | +> | Microsoft.Migrate/migrateprojects/privateEndpointConnectionProxies/write | Create or Update a Private Endpoint Connection Proxy | +> | Microsoft.Migrate/migrateprojects/privateEndpointConnectionProxies/delete | Delete a Private Endpoint Connection Proxy | +> | Microsoft.Migrate/migrateprojects/privateEndpointConnections/read | Get Private Endpoint Connection | +> | Microsoft.Migrate/migrateprojects/privateEndpointConnections/write | Update a Private Endpoint Connection | +> | Microsoft.Migrate/migrateprojects/privateEndpointConnections/delete | Delete a Private Endpoint Connection | +> | Microsoft.Migrate/migrateprojects/privateLinkResources/read | Get Private Link Resource | +> | Microsoft.Migrate/migrateprojects/solutions/read | Gets the properties of migrate project solution | +> | Microsoft.Migrate/migrateprojects/solutions/write | Creates a new migrate project solution or updates an existing migrate project solution | +> | Microsoft.Migrate/migrateprojects/solutions/Delete | Deletes a migrate project solution | +> | 
Microsoft.Migrate/migrateprojects/solutions/getconfig/action | Gets the migrate project solution configuration | +> | Microsoft.Migrate/migrateprojects/solutions/cleanupData/action | Clean up the migrate project solution data | +> | Microsoft.Migrate/migrateprojects/VirtualDesktopUsers/read | Gets the properties of a virtual desktop user | +> | Microsoft.Migrate/migrateprojects/WebServers/read | Gets the properties of a web server | +> | Microsoft.Migrate/migrateprojects/WebSites/read | Gets the properties of a web site | +> | Microsoft.Migrate/modernizeProjects/read | Gets the details of the modernize project | +> | Microsoft.Migrate/modernizeProjects/write | Creates the modernizeProject | +> | Microsoft.Migrate/modernizeProjects/delete | Removes the modernizeProject | +> | Microsoft.Migrate/modernizeProjects/deployedResources/read | Gets the details of the deployed resource | +> | Microsoft.Migrate/modernizeProjects/jobs/read | Gets the details of the job | +> | Microsoft.Migrate/modernizeProjects/jobs/operations/read | Tracks the results of an asynchronous operation on the job | +> | Microsoft.Migrate/modernizeProjects/migrateAgents/read | Gets the details of the modernizeProject agent | +> | Microsoft.Migrate/modernizeProjects/migrateAgents/write | Creates the modernizeProject agent | +> | Microsoft.Migrate/modernizeProjects/migrateAgents/delete | Deletes the modernizeProject agent | +> | Microsoft.Migrate/modernizeProjects/migrateAgents/refresh/action | Refreshes the modernizeProject agent | +> | Microsoft.Migrate/modernizeProjects/migrateAgents/operations/read | Tracks the results of an asynchronous operation on the modernizeProject agent | +> | Microsoft.Migrate/modernizeProjects/operations/read | Tracks the results of an asynchronous operation on the modernizeProject | +> | Microsoft.Migrate/modernizeProjects/statistics/read | Gets the statistics for the modernizeProject | +> | Microsoft.Migrate/modernizeProjects/workloadDeployments/read | Gets the details 
of the workload deployment | +> | Microsoft.Migrate/modernizeProjects/workloadDeployments/write | Creates the workload deployment | +> | Microsoft.Migrate/modernizeProjects/workloadDeployments/delete | Removes the workload deployment | +> | Microsoft.Migrate/modernizeProjects/workloadDeployments/getSecrets/action | Gets the secrets of the workload deployment | +> | Microsoft.Migrate/modernizeProjects/workloadDeployments/buildContainerImage/action | Performs the build container image action on the workload deployment | +> | Microsoft.Migrate/modernizeProjects/workloadDeployments/testMigrate/action | Performs the test migrate on the workload deployment | +> | Microsoft.Migrate/modernizeProjects/workloadDeployments/testMigrateCleanup/action | Performs the test migrate cleanup on the workload deployment | +> | Microsoft.Migrate/modernizeProjects/workloadDeployments/migrate/action | Performs migrate on the workload deployment | +> | Microsoft.Migrate/modernizeProjects/workloadDeployments/operations/read | Tracks the results of an asynchronous operation on the workload deployment | +> | Microsoft.Migrate/modernizeProjects/workloadInstances/read | Gets the details of the workload instance | +> | Microsoft.Migrate/modernizeProjects/workloadInstances/write | Creates the workload instance in the given modernizeProject | +> | Microsoft.Migrate/modernizeProjects/workloadInstances/delete | Deletes the workload instance in the given modernizeProject | +> | Microsoft.Migrate/modernizeProjects/workloadInstances/completeMigration/action | Performs complete migrate on the workload instance | +> | Microsoft.Migrate/modernizeProjects/workloadInstances/disableReplication/action | Performs disable replicate on the workload instance | +> | Microsoft.Migrate/modernizeProjects/workloadInstances/operations/read | Tracks the results of an asynchronous operation on the workload instance | +> | Microsoft.Migrate/moveCollections/read | Gets the move collection | +> | 
Microsoft.Migrate/moveCollections/write | Creates or updates a move collection | +> | Microsoft.Migrate/moveCollections/delete | Deletes a move collection | +> | Microsoft.Migrate/moveCollections/resolveDependencies/action | Computes, resolves and validate the dependencies of the move resources in the move collection | +> | Microsoft.Migrate/moveCollections/prepare/action | Initiates prepare for the set of resources included in the request body | +> | Microsoft.Migrate/moveCollections/initiateMove/action | Moves the set of resources included in the request body | +> | Microsoft.Migrate/moveCollections/discard/action | Discards the set of resources included in the request body | +> | Microsoft.Migrate/moveCollections/commit/action | Commits the set of resources included in the request body | +> | Microsoft.Migrate/moveCollections/bulkRemove/action | Removes the set of move resources included in the request body from move collection | +> | Microsoft.Migrate/moveCollections/moveResources/read | Gets all the move resources or a move resource from the move collection | +> | Microsoft.Migrate/moveCollections/moveResources/write | Creates or updates a move resource | +> | Microsoft.Migrate/moveCollections/moveResources/delete | Deletes a move resource from the move collection | +> | Microsoft.Migrate/moveCollections/operations/read | Gets the status of the operation | +> | Microsoft.Migrate/moveCollections/requiredFor/read | Gets the resources which will use the resource passed in query parameter | +> | Microsoft.Migrate/moveCollections/unresolvedDependencies/read | Gets a list of unresolved dependencies in the move collection | +> | Microsoft.Migrate/Operations/read | Lists operations available on Microsoft.Migrate resource provider | +> | Microsoft.Migrate/projects/read | Gets the properties of a project | +> | Microsoft.Migrate/projects/write | Creates a new project or updates an existing project | +> | Microsoft.Migrate/projects/delete | Deletes the project | +> | 
Microsoft.Migrate/projects/keys/action | Gets shared keys for the project | +> | Microsoft.Migrate/projects/assessments/read | Lists assessments within a project | +> | Microsoft.Migrate/projects/groups/read | Get the properties of a group | +> | Microsoft.Migrate/projects/groups/write | Creates a new group or updates an existing group | +> | Microsoft.Migrate/projects/groups/delete | Deletes a group | +> | Microsoft.Migrate/projects/groups/assessments/read | Gets the properties of an assessment | +> | Microsoft.Migrate/projects/groups/assessments/write | Creates a new assessment or updates an existing assessment | +> | Microsoft.Migrate/projects/groups/assessments/delete | Deletes an assessment | +> | Microsoft.Migrate/projects/groups/assessments/downloadurl/action | Downloads an assessment report's URL | +> | Microsoft.Migrate/projects/groups/assessments/assessedmachines/read | Get the properties of an assessed machine | +> | Microsoft.Migrate/projects/machines/read | Gets the properties of a machine | +> | Microsoft.Migrate/resourcetypes/read | Gets the resource types | ++## Microsoft.OffAzure ++Azure service: [Azure Migrate](/azure/migrate/migrate-services-overview) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.OffAzure/register/action | Subscription Registration Action | +> | Microsoft.OffAzure/unregister/action | Unregisters Subscription with Microsoft.Migrate resource provider | +> | Microsoft.OffAzure/register/action | Registers Subscription with Microsoft.OffAzure resource provider | +> | Microsoft.OffAzure/Appliances/credentials/action | Resyncs the credential under appliance resource | +> | Microsoft.OffAzure/Appliances/credentials/write | Creates or updates the credential under appliance resource | +> | Microsoft.OffAzure/HyperVSites/read | Gets the properties of a Hyper-V site | +> | Microsoft.OffAzure/HyperVSites/write | Creates or updates the Hyper-V site | +> | Microsoft.OffAzure/HyperVSites/delete | Deletes 
the Hyper-V site | +> | Microsoft.OffAzure/HyperVSites/refresh/action | Refreshes the objects within a Hyper-V site | +> | Microsoft.OffAzure/HyperVSites/updateProperties/action | Updates the properties for machines in a site | +> | Microsoft.OffAzure/HyperVSites/clientGroupMembers/action | Generates client group members view with dependency map data | +> | Microsoft.OffAzure/HyperVSites/exportApplications/action | Export the Applications, roles and features of HyperV site machine inventory | +> | Microsoft.OffAzure/HyperVSites/exportDependencies/action | Export the machine Dependency map information of entire HyperV site machine inventory | +> | Microsoft.OffAzure/HyperVSites/exportMachineErrors/action | Export machine errors for the entire HyperV site machine inventory | +> | Microsoft.OffAzure/HyperVSites/generateCoarseMap/action | Generates coarse map for the list of machines | +> | Microsoft.OffAzure/HyperVSites/generateDetailedMap/action | Generate details HyperV coarse map | +> | Microsoft.OffAzure/HyperVSites/serverGroupMembers/action | Lists the server group members for the selected server group. 
| +> | Microsoft.OffAzure/HyperVSites/updateDependencyMapStatus/action | Toggle dependency map switch of a list of machines | +> | Microsoft.OffAzure/HyperVSites/clusters/read | Gets the properties of a Hyper-V cluster | +> | Microsoft.OffAzure/HyperVSites/clusters/write | Creates or updates the Hyper-V cluster | +> | Microsoft.OffAzure/HyperVSites/errorSummary/read | Gets the error summaries of all the HyperV Site resource inventory | +> | Microsoft.OffAzure/HyperVSites/healthsummary/read | Gets the health summary for Hyper-V resource | +> | Microsoft.OffAzure/HyperVSites/hosts/read | Gets the properties of a Hyper-V host | +> | Microsoft.OffAzure/HyperVSites/hosts/write | Creates or updates the Hyper-V host | +> | Microsoft.OffAzure/HyperVSites/jobs/read | Gets the properties of a Hyper-V jobs | +> | Microsoft.OffAzure/HyperVSites/machines/read | Gets the properties of a Hyper-V machines | +> | Microsoft.OffAzure/HyperVSites/machines/applications/read | Get properties of HyperV machine application | +> | Microsoft.OffAzure/HyperVSites/machines/softwareinventory/read | Gets HyperV machine software inventory data | +> | Microsoft.OffAzure/HyperVSites/operationsstatus/read | Gets the properties of a Hyper-V operation status | +> | Microsoft.OffAzure/HyperVSites/runasaccounts/read | Gets the properties of a Hyper-V run as accounts | +> | Microsoft.OffAzure/HyperVSites/summary/read | Gets the summary of a Hyper-V site | +> | Microsoft.OffAzure/HyperVSites/usage/read | Gets the usages of a Hyper-V site | +> | Microsoft.OffAzure/ImportSites/read | Gets the properties of a Import site | +> | Microsoft.OffAzure/ImportSites/write | Creates or updates the Import site | +> | Microsoft.OffAzure/ImportSites/delete | Deletes the Import site | +> | Microsoft.OffAzure/ImportSites/importuri/action | Gets the SAS uri for importing the machines CSV file. | +> | Microsoft.OffAzure/ImportSites/exporturi/action | Gets the SAS uri for exporting the machines CSV file. 
| +> | Microsoft.OffAzure/ImportSites/jobs/read | Gets the properties of a Import jobs | +> | Microsoft.OffAzure/ImportSites/machines/read | Gets the properties of a Import machines | +> | Microsoft.OffAzure/ImportSites/machines/delete | Deletes the Import machine | +> | Microsoft.OffAzure/locations/operationResults/read | Locations Operation Results | +> | Microsoft.OffAzure/MasterSites/read | Gets the properties of a Master site | +> | Microsoft.OffAzure/MasterSites/write | Creates or updates the Master site | +> | Microsoft.OffAzure/MasterSites/delete | Deletes the Master site | +> | Microsoft.OffAzure/MasterSites/applianceRegistrationInfo/action | Register an Appliances Under A Master Site | +> | Microsoft.OffAzure/MasterSites/errorSummary/action | Retrieves Error Summary For Resources Under A Given Master Site | +> | Microsoft.OffAzure/MasterSites/operationsstatus/read | Gets the properties of a Master site operation status | +> | Microsoft.OffAzure/MasterSites/privateEndpointConnectionProxies/read | Get Private Endpoint Connection Proxy | +> | Microsoft.OffAzure/MasterSites/privateEndpointConnectionProxies/validate/action | Validate a Private Endpoint Connection Proxy | +> | Microsoft.OffAzure/MasterSites/privateEndpointConnectionProxies/write | Create or Update a Private Endpoint Connection Proxy | +> | Microsoft.OffAzure/MasterSites/privateEndpointConnectionProxies/delete | Delete a Private Endpoint Connection Proxy | +> | Microsoft.OffAzure/MasterSites/privateEndpointConnectionProxies/operationsstatus/read | Get status of a long running operation on a Private Endpoint Connection Proxy | +> | Microsoft.OffAzure/MasterSites/privateEndpointConnections/read | Get Private Endpoint Connection | +> | Microsoft.OffAzure/MasterSites/privateEndpointConnections/write | Update a Private Endpoint Connection | +> | Microsoft.OffAzure/MasterSites/privateEndpointConnections/delete | Delete a Private Endpoint Connection | +> | 
Microsoft.OffAzure/MasterSites/privateLinkResources/read | Get Private Link Resource | +> | Microsoft.OffAzure/MasterSites/sqlSites/read | Gets the Sql Site | +> | Microsoft.OffAzure/MasterSites/sqlSites/write | Creates or Updates a Sql Site | +> | Microsoft.OffAzure/MasterSites/sqlSites/delete | Delete a Sql Site | +> | Microsoft.OffAzure/MasterSites/sqlSites/refresh/action | Refreshes data for Sql Site | +> | Microsoft.OffAzure/MasterSites/sqlSites/exportSqlServers/action | Export Sql servers for the entire Sql site inventory | +> | Microsoft.OffAzure/MasterSites/sqlSites/exportSqlServerErrors/action | Export Sql server errors for the entire Sql site inventory | +> | Microsoft.OffAzure/MasterSites/sqlSites/errorDetailedSummary/action | Retrieves Sql Error detailed summary for a resource under a given Sql Site | +> | Microsoft.OffAzure/MasterSites/sqlSites/discoverySiteDataSources/read | Gets the Sql Discovery Site Data Source | +> | Microsoft.OffAzure/MasterSites/sqlSites/discoverySiteDataSources/write | Creates or Updates the Sql Discovery Site Data Source | +> | Microsoft.OffAzure/MasterSites/sqlSites/operationsStatus/read | Gets Sql Operation Status | +> | Microsoft.OffAzure/MasterSites/sqlSites/runAsAccounts/read | Gets Sql Run as Accounts for a given site | +> | Microsoft.OffAzure/MasterSites/sqlSites/sqlAvailabilityGroups/read | Gets Sql Availability Groups for a given site | +> | Microsoft.OffAzure/MasterSites/sqlSites/sqlDatabases/read | Gets Sql Database for a given site | +> | Microsoft.OffAzure/MasterSites/sqlSites/sqlServers/read | Gets the Sql Servers for a given site | +> | Microsoft.OffAzure/MasterSites/webAppSites/read | Gets the properties of a WebApp site | +> | Microsoft.OffAzure/MasterSites/webAppSites/write | Creates or updates the WebApp site | +> | Microsoft.OffAzure/MasterSites/webAppSites/delete | Deletes the WebApp site | +> | Microsoft.OffAzure/MasterSites/webAppSites/Refresh/action | Refresh Web App For A Given Site | +> | 
Microsoft.OffAzure/MasterSites/webAppSites/UpdateProperties/action | Create or Update Web App Properties for a given site | +> | Microsoft.OffAzure/MasterSites/webAppSites/DiscoverySiteDataSources/read | Gets Web App Discovery Site Data Source For A Given Site | +> | Microsoft.OffAzure/MasterSites/webAppSites/DiscoverySiteDataSources/write | Create or Update Web App Discovery Site Data Source For A Given Site | +> | Microsoft.OffAzure/MasterSites/webAppSites/ExtendedMachines/read | Get Web App Extended Machines For A Given Site | +> | Microsoft.OffAzure/MasterSites/webAppSites/IISWebApplications/read | Gets the properties of IIS Web applications. | +> | Microsoft.OffAzure/MasterSites/webAppSites/IISWebServers/read | Gets the properties of IIS Web servers. | +> | Microsoft.OffAzure/MasterSites/webAppSites/RunAsAccounts/read | Get Web App Run As Accounts For A Given Site | +> | Microsoft.OffAzure/MasterSites/webAppSites/TomcatWebApplications/read | Get TomCat Web Applications | +> | Microsoft.OffAzure/MasterSites/webAppSites/TomcatWebServers/read | Get TomCat Web Servers for a given site | +> | Microsoft.OffAzure/MasterSites/webAppSites/WebApplications/read | Gets Web App Applications for a given site | +> | Microsoft.OffAzure/MasterSites/webAppSites/WebServers/read | Gets Web App Web Servers | +> | Microsoft.OffAzure/Operations/read | Reads the exposed operations | +> | Microsoft.OffAzure/ServerSites/read | Gets the properties of a Server site | +> | Microsoft.OffAzure/ServerSites/write | Creates or updates the Server site | +> | Microsoft.OffAzure/ServerSites/delete | Deletes the Server site | +> | Microsoft.OffAzure/ServerSites/refresh/action | Refreshes the objects within a Server site | +> | Microsoft.OffAzure/ServerSites/updateProperties/action | Updates the properties for machines in a site | +> | Microsoft.OffAzure/ServerSites/updateTags/action | Updates the tags for machines in a site | +> | Microsoft.OffAzure/ServerSites/clientGroupMembers/action | Generate 
client group members view with dependency map data | +> | Microsoft.OffAzure/ServerSites/exportApplications/action | Export Applications, Roles and Features of Server Site Inventory | +> | Microsoft.OffAzure/ServerSites/exportDependencies/action | Export the machine Dependency map information of entire Server site machine inventory | +> | Microsoft.OffAzure/ServerSites/exportMachineErrors/action | Export machine errors for the entire Server site machine inventory | +> | Microsoft.OffAzure/ServerSites/generateCoarseMap/action | Generate Coarse map for the list of machines | +> | Microsoft.OffAzure/ServerSites/generateDetailedMap/action | Generate detailed coarse map for the list of machines | +> | Microsoft.OffAzure/ServerSites/serverGroupMembers/action | Generate server group members view with dependency map data | +> | Microsoft.OffAzure/ServerSites/updateDependencyMapStatus/action | Toggle dependency map data of a list of machines | +> | Microsoft.OffAzure/ServerSites/errorSummary/read | Get Error Summary for Server site inventory | +> | Microsoft.OffAzure/ServerSites/jobs/read | Gets the properties of a Server jobs | +> | Microsoft.OffAzure/ServerSites/machines/read | Gets the properties of a Server machines | +> | Microsoft.OffAzure/ServerSites/machines/write | Write the properties of a Server machines | +> | Microsoft.OffAzure/ServerSites/machines/delete | Delete the properties of a Server machines | +> | Microsoft.OffAzure/ServerSites/machines/applications/read | Get server machine installed applications, roles and features | +> | Microsoft.OffAzure/ServerSites/machines/softwareinventory/read | Gets Server machine software inventory data | +> | Microsoft.OffAzure/ServerSites/operationsstatus/read | Gets the properties of a Server operation status | +> | Microsoft.OffAzure/ServerSites/runasaccounts/read | Gets the properties of a Server run as accounts | +> | Microsoft.OffAzure/ServerSites/summary/read | Gets the summary of a Server site | +> | 
Microsoft.OffAzure/ServerSites/usage/read | Gets the usages of a Server site | +> | Microsoft.OffAzure/VMwareSites/read | Gets the properties of a VMware site | +> | Microsoft.OffAzure/VMwareSites/write | Creates or updates the VMware site | +> | Microsoft.OffAzure/VMwareSites/delete | Deletes the VMware site | +> | Microsoft.OffAzure/VMwareSites/refresh/action | Refreshes the objects within a VMware site | +> | Microsoft.OffAzure/VMwareSites/exportapplications/action | Exports the VMware applications and roles data into xls | +> | Microsoft.OffAzure/VMwareSites/updateProperties/action | Updates the properties for machines in a site | +> | Microsoft.OffAzure/VMwareSites/updateTags/action | Updates the tags for machines in a site | +> | Microsoft.OffAzure/VMwareSites/generateCoarseMap/action | Generates the coarse map for the list of machines | +> | Microsoft.OffAzure/VMwareSites/generateDetailedMap/action | Generates the Detailed VMware Coarse Map | +> | Microsoft.OffAzure/VMwareSites/clientGroupMembers/action | Lists the client group members for the selected client group. | +> | Microsoft.OffAzure/VMwareSites/serverGroupMembers/action | Lists the server group members for the selected server group. 
| +> | Microsoft.OffAzure/VMwareSites/getApplications/action | Gets the list application information for the selected machines | +> | Microsoft.OffAzure/VMwareSites/exportDependencies/action | Exports the dependencies information for the selected machines | +> | Microsoft.OffAzure/VMwareSites/exportMachineerrors/action | Export machine errors for the entire VMware site machine inventory | +> | Microsoft.OffAzure/VMwareSites/updateDependencyMapStatus/action | Toggle dependency map data of a list of machines | +> | Microsoft.OffAzure/VMwareSites/errorSummary/read | Get Error Summary for VMware site inventory | +> | Microsoft.OffAzure/VMwareSites/healthsummary/read | Gets the health summary for VMware resource | +> | Microsoft.OffAzure/VMwareSites/hosts/read | Gets the properties of a VMware hosts | +> | Microsoft.OffAzure/VMwareSites/jobs/read | Gets the properties of a VMware jobs | +> | Microsoft.OffAzure/VMwareSites/machines/read | Gets the properties of a VMware machines | +> | Microsoft.OffAzure/VMwareSites/machines/stop/action | Stops the VMware machines | +> | Microsoft.OffAzure/VMwareSites/machines/start/action | Start VMware machines | +> | Microsoft.OffAzure/VMwareSites/machines/applications/read | Gets the properties of a VMware machines applications | +> | Microsoft.OffAzure/VMwareSites/machines/softwareinventory/read | Gets VMware machine software inventory data | +> | Microsoft.OffAzure/VMwareSites/operationsstatus/read | Gets the properties of a VMware operation status | +> | Microsoft.OffAzure/VMwareSites/runasaccounts/read | Gets the properties of a VMware run as accounts | +> | Microsoft.OffAzure/VMwareSites/summary/read | Gets the summary of a VMware site | +> | Microsoft.OffAzure/VMwareSites/usage/read | Gets the usages of a VMware site | +> | Microsoft.OffAzure/VMwareSites/vcenters/read | Gets the properties of a VMware vCenter | +> | Microsoft.OffAzure/VMwareSites/vcenters/write | Creates or updates the VMware vCenter | +> | 
Microsoft.OffAzure/VMwareSites/vcenters/delete | Delete previously added Vcenter | ++## Next steps ++- [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types) |
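Review bot: in the Microsoft.OffAzure table at the start of that section, `Microsoft.OffAzure/register/action` is listed twice with different descriptions (once as a generic "Subscription Registration Action", once as "Registers Subscription with Microsoft.OffAzure resource provider"), and the row between them, `Microsoft.OffAzure/unregister/action | Unregisters Subscription with Microsoft.Migrate resource provider`, names the wrong provider; merge the two register rows and change the unregister description to say Microsoft.OffAzure so the table matches the `{Company}.{ProviderName}/{resourceType}/{action}` format the article promises. Separately, several rows grant access to credential material while carrying an `action` rather than a `read` verb, for example `Microsoft.Migrate/projects/keys/action | Gets shared keys for the project` and `Microsoft.Migrate/modernizeProjects/workloadDeployments/getSecrets/action | Gets the secrets of the workload deployment`, plus the `downloadurl/action` rows that return Blob SAS URIs; a one-sentence note in the article body that these actions disclose keys or signed URLs and should be kept out of read-only custom roles would help authors who scan the table by verb suffix when building least-privilege roles.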
role-based-access-control | Mixed Reality | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/mixed-reality.md | + + Title: Azure permissions for Mixed reality - Azure RBAC +description: Lists the permissions for the Azure resource providers in the Mixed reality category. +++++ Last updated : 02/07/2024++++# Azure permissions for Mixed reality ++This article lists the permissions for the Azure resource providers in the Mixed reality category. You can use these permissions in your own [Azure custom roles](/azure/role-based-access-control/custom-roles) to provide granular access control to resources in Azure. Permission strings have the following format: `{Company}.{ProviderName}/{resourceType}/{action}` +++## Microsoft.MixedReality ++Azure service: [Azure Spatial Anchors](/azure/spatial-anchors/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.MixedReality/register/action | Registers a subscription for the Mixed Reality resource provider. | +> | Microsoft.MixedReality/unregister/action | Unregisters a subscription for the Mixed Reality resource provider. 
| +> | Microsoft.MixedReality/register/action | Register the subscription for Microsoft.MixedReality | +> | Microsoft.MixedReality/unregister/action | Unregister the subscription for Microsoft.MixedReality | +> | Microsoft.MixedReality/locations/checknameavailability/read | Checks for name availability | +> | Microsoft.MixedReality/ObjectAnchorsAccounts/delete | Delete an Object Anchors account | +> | Microsoft.MixedReality/ObjectAnchorsAccounts/listkeys/action | List the keys an Object Anchors account | +> | Microsoft.MixedReality/ObjectAnchorsAccounts/read | Read the properties an Object Anchors account | +> | Microsoft.MixedReality/ObjectAnchorsAccounts/regeneratekeys/action | Regenerate the keys of an Object Anchors account | +> | Microsoft.MixedReality/ObjectAnchorsAccounts/write | Update the properties an Object Anchors account | +> | Microsoft.MixedReality/ObjectUnderstandingAccounts/delete | Delete an Object Understanding account | +> | Microsoft.MixedReality/ObjectUnderstandingAccounts/listkeys/action | List the keys an Object Understanding account | +> | Microsoft.MixedReality/ObjectUnderstandingAccounts/read | Read the properties an Object Understanding account | +> | Microsoft.MixedReality/ObjectUnderstandingAccounts/regeneratekeys/action | Regenerate the keys of an Object Understanding account | +> | Microsoft.MixedReality/ObjectUnderstandingAccounts/write | Update the properties an Object Understanding account | +> | Microsoft.MixedReality/operations/read | List available operations for Microsoft Mixed Reality | +> | Microsoft.MixedReality/RemoteRenderingAccounts/delete | Delete a remote rendering account | +> | Microsoft.MixedReality/RemoteRenderingAccounts/listkeys/action | List keys of a remote rendering account | +> | Microsoft.MixedReality/RemoteRenderingAccounts/read | Read the properties of a remote rendering account | +> | Microsoft.MixedReality/RemoteRenderingAccounts/regeneratekeys/action | Regenerate the keys of a remote rendering account | 
+> | Microsoft.MixedReality/RemoteRenderingAccounts/write | Update the properties of a remote rendering account | +> | Microsoft.MixedReality/RemoteRenderingAccounts/keys/read | Read keys of a remote rendering account | +> | Microsoft.MixedReality/remoteRenderingAccounts/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Microsoft.MixedReality/remoteRenderingAccounts | +> | Microsoft.MixedReality/SpatialAnchorsAccounts/listkeys/action | List keys of a Spatial Anchors account | +> | Microsoft.MixedReality/SpatialAnchorsAccounts/read | Read the properties of a Spatial Anchors account | +> | Microsoft.MixedReality/SpatialAnchorsAccounts/regeneratekeys/action | Regenerate the keys of a Spatial Anchors account | +> | Microsoft.MixedReality/SpatialAnchorsAccounts/keys/read | Read keys of a Spatial Anchors account | +> | Microsoft.MixedReality/spatialAnchorsAccounts/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for Microsoft.MixedReality/spatialAnchorsAccounts | +> | Microsoft.MixedReality/spatialAnchorsAccounts/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for Microsoft.MixedReality/spatialAnchorsAccounts | +> | Microsoft.MixedReality/spatialAnchorsAccounts/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Microsoft.MixedReality/spatialAnchorsAccounts | +> | Microsoft.MixedReality/spatialMapsAccounts/read | List Spatial Anchors Accounts by Subscription | +> | Microsoft.MixedReality/spatialMapsAccounts/read | Returns list of spatialMapsAccounts. | +> | Microsoft.MixedReality/spatialMapsAccounts/read | Returns spatialMapsAccounts resource for a given name. | +> | Microsoft.MixedReality/spatialMapsAccounts/write | Create or update spatialMapsAccounts resource. | +> | Microsoft.MixedReality/spatialMapsAccounts/delete | Deletes a spatialMapsAccounts resource for a given name. 
| +> | Microsoft.MixedReality/spatialMapsAccounts/write | Update spatialMapsAccounts details. | +> | **DataAction** | **Description** | +> | Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/action | Create model Ingestion Job | +> | Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/read | Get model Ingestion Job Status | +> | Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/action | Create Model Ingestion Job | +> | Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/read | Get model Ingestion Job Status | +> | Microsoft.MixedReality/RemoteRenderingAccounts/convert/action | Start asset conversion | +> | Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action | Start sessions | +> | Microsoft.MixedReality/RemoteRenderingAccounts/convert/read | Get asset conversion properties | +> | Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete | Stop asset conversion | +> | Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read | Connect to the Remote Rendering inspector | +> | Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read | Get session properties | +> | Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete | Stop sessions | +> | Microsoft.MixedReality/RemoteRenderingAccounts/render/read | Connect to a session | +> | Microsoft.MixedReality/SpatialAnchorsAccounts/create/action | Create spatial anchors | +> | Microsoft.MixedReality/SpatialAnchorsAccounts/delete | Delete spatial anchors | +> | Microsoft.MixedReality/SpatialAnchorsAccounts/write | Update spatial anchors properties | +> | Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read | Discover nearby spatial anchors | +> | Microsoft.MixedReality/SpatialAnchorsAccounts/maps/read | Get list of existing maps and allow localizing into a map. | +> | Microsoft.MixedReality/SpatialAnchorsAccounts/maps/write | Contribute mapping data to a map. 
| +> | Microsoft.MixedReality/SpatialAnchorsAccounts/maps/delete | Delete maps for Spatial Anchors | +> | Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read | Get properties of spatial anchors | +> | Microsoft.MixedReality/SpatialAnchorsAccounts/query/read | Locate spatial anchors | +> | Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read | Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service | +> | Microsoft.MixedReality/spatialMapsAccounts/read | Returns spatialMapsAccounts data for a given name. | +> | Microsoft.MixedReality/spatialMapsAccounts/write | Create or update spatialMapsAccounts data. | +> | Microsoft.MixedReality/spatialMapsAccounts/delete | Deletes a spatialMapsAccounts data for a given name. | ++## Next steps ++- [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types) |
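Review bot: the spatialMapsAccounts rows at the end of the Microsoft.MixedReality Action table are inconsistent and should be collapsed to one row per operation before this ships. `Microsoft.MixedReality/spatialMapsAccounts/read` is listed three times with three different descriptions, and the first of them ("List Spatial Anchors Accounts by Subscription") describes Spatial Anchors, not spatial maps; `Microsoft.MixedReality/spatialMapsAccounts/write` is listed twice ("Create or update spatialMapsAccounts resource." and "Update spatialMapsAccounts details."). A custom role definition references the operation string, not the description, so a reader who picks operations by description here can end up granting a different scope than intended; one accurate description per operation avoids that. Two smaller points: the ObjectAnchorsAccounts and ObjectUnderstandingAccounts rows drop "of" ("List the keys an Object Anchors account", "Read the properties an Object Understanding account"), and the Action table shows no `SpatialAnchorsAccounts/write` or `SpatialAnchorsAccounts/delete` management operation even though both names appear in the DataAction table, which is worth confirming against the provider's operations listing rather than assuming.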
role-based-access-control | Monitor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/monitor.md | + + Title: Azure permissions for Monitor - Azure RBAC +description: Lists the permissions for the Azure resource providers in the Monitor category. +++++ Last updated : 02/07/2024++++# Azure permissions for Monitor ++This article lists the permissions for the Azure resource providers in the Monitor category. You can use these permissions in your own [Azure custom roles](/azure/role-based-access-control/custom-roles) to provide granular access control to resources in Azure. Permission strings have the following format: `{Company}.{ProviderName}/{resourceType}/{action}` +++## Microsoft.AlertsManagement ++Azure service: [Azure Monitor](/azure/azure-monitor/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.AlertsManagement/register/action | Subscription Registration Action | +> | Microsoft.AlertsManagement/register/action | Registers the subscription for the Microsoft Alerts Management | +> | Microsoft.AlertsManagement/migrateFromSmartDetection/action | Starts an asynchronous migration process of Smart Detection to smart alerts in an Application Insights resource | +> | Microsoft.AlertsManagement/actionRules/read | Get all the alert processing rules for the input filters. | +> | Microsoft.AlertsManagement/actionRules/write | Create or update alert processing rule in a given subscription | +> | Microsoft.AlertsManagement/actionRules/delete | Delete alert processing rule in a given subscription. | +> | Microsoft.AlertsManagement/alertRuleRecommendations/read | Read alertRuleRecommendations | +> | Microsoft.AlertsManagement/alerts/read | Get all the alerts for the input filters. | +> | Microsoft.AlertsManagement/alerts/changestate/action | Change the state of the alert. 
| +> | Microsoft.AlertsManagement/alerts/history/read | Get history of the alert | +> | Microsoft.AlertsManagement/alertsMetaData/read | Get alerts meta data for the input parameter. | +> | Microsoft.AlertsManagement/alertsSummary/read | Get the summary of alerts | +> | Microsoft.AlertsManagement/investigations/write | Set Investigation | +> | Microsoft.AlertsManagement/investigations/delete | Delete Investigation | +> | Microsoft.AlertsManagement/investigations/read | Read Investigation | +> | Microsoft.AlertsManagement/migrateFromSmartDetection/read | Get the status of an asynchronous Smart Detection to smart alerts migration process | +> | Microsoft.AlertsManagement/Operations/read | Reads the operations provided | +> | Microsoft.AlertsManagement/prometheusRuleGroups/write | Set prometheusRuleGroups | +> | Microsoft.AlertsManagement/prometheusRuleGroups/delete | Delete prometheusRuleGroups | +> | Microsoft.AlertsManagement/prometheusRuleGroups/read | Read prometheusRuleGroups | +> | Microsoft.AlertsManagement/smartDetectorAlertRules/write | Create or update Smart Detector alert rule in a given subscription | +> | Microsoft.AlertsManagement/smartDetectorAlertRules/read | Get all the Smart Detector alert rules for the input filters | +> | Microsoft.AlertsManagement/smartDetectorAlertRules/delete | Delete Smart Detector alert rule in a given subscription | +> | Microsoft.AlertsManagement/smartGroups/read | Get all the smart groups for the input filters | +> | Microsoft.AlertsManagement/smartGroups/changestate/action | Change the state of the smart group | +> | Microsoft.AlertsManagement/smartGroups/history/read | Get history of the smart group | +> | Microsoft.AlertsManagement/tenantActivityLogAlerts/write | Write tenantLevelActivityLogAlerts | +> | Microsoft.AlertsManagement/tenantActivityLogAlerts/delete | Delete tenantLevelActivityLogAlerts | +> | Microsoft.AlertsManagement/tenantActivityLogAlerts/read | Read tenantLevelActivityLogAlerts | ++## 
Microsoft.Dashboard ++Azure service: [Azure Managed Grafana](/azure/managed-grafana/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Dashboard/grafana/action | Operate grafana | +> | Microsoft.Dashboard/checkNameAvailability/action | Checks if grafana resource name is available | +> | Microsoft.Dashboard/register/action | Registers the subscription for the Microsoft.Dashboard resource provider | +> | Microsoft.Dashboard/unregister/action | Unregisters the subscription for the Microsoft.Dashboard resource provider | +> | Microsoft.Dashboard/grafana/read | Read grafana | +> | Microsoft.Dashboard/grafana/write | Write grafana | +> | Microsoft.Dashboard/grafana/delete | Delete grafana | +> | Microsoft.Dashboard/grafana/PrivateEndpointConnectionsApproval/action | Approve PrivateEndpointConnection | +> | Microsoft.Dashboard/grafana/managedPrivateEndpoints/action | Operations on Private Endpoints | +> | Microsoft.Dashboard/grafana/managedPrivateEndpoints/read | Read Managed Private Endpoints | +> | Microsoft.Dashboard/grafana/managedPrivateEndpoints/write | Write Managed Private Endpoints | +> | Microsoft.Dashboard/grafana/managedPrivateEndpoints/delete | Delete Managed Private Endpoints | +> | Microsoft.Dashboard/grafana/privateEndpointConnectionProxies/validate/action | Validate PrivateEndpointConnectionProxy | +> | Microsoft.Dashboard/grafana/privateEndpointConnectionProxies/read | Get PrivateEndpointConnectionProxy | +> | Microsoft.Dashboard/grafana/privateEndpointConnectionProxies/write | Create/Update PrivateEndpointConnectionProxy | +> | Microsoft.Dashboard/grafana/privateEndpointConnectionProxies/delete | Delete PrivateEndpointConnectionProxy | +> | Microsoft.Dashboard/grafana/privateEndpointConnections/read | Get PrivateEndpointConnection | +> | Microsoft.Dashboard/grafana/privateEndpointConnections/write | Update PrivateEndpointConnection | +> | Microsoft.Dashboard/grafana/privateEndpointConnections/delete | Delete 
PrivateEndpointConnection | +> | Microsoft.Dashboard/grafana/privateLinkResources/read | Get PrivateLinkResources | +> | Microsoft.Dashboard/locations/read | Get locations | +> | Microsoft.Dashboard/locations/operationStatuses/read | Get operation statuses | +> | Microsoft.Dashboard/locations/operationStatuses/write | Write operation statuses | +> | Microsoft.Dashboard/operations/read | List operations available on Microsoft.Dashboard resource provider | +> | Microsoft.Dashboard/registeredSubscriptions/read | Get registered subscription details | +> | **DataAction** | **Description** | +> | Microsoft.Dashboard/grafana/ActAsGrafanaAdmin/action | Act as Grafana Admin role | +> | Microsoft.Dashboard/grafana/ActAsGrafanaEditor/action | Act as Grafana Editor role | +> | Microsoft.Dashboard/grafana/ActAsGrafanaViewer/action | Act as Grafana Viewer role | ++## Microsoft.Insights ++Azure service: [Azure Monitor](/azure/azure-monitor/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Insights/Metrics/Action | Metric Action | +> | Microsoft.Insights/Register/Action | Register the Microsoft Insights provider | +> | Microsoft.Insights/Unregister/Action | Register the Microsoft Insights provider | +> | Microsoft.Insights/ListMigrationDate/Action | Get back Subscription migration date | +> | Microsoft.Insights/MigrateToNewpricingModel/Action | Migrate subscription to new pricing model | +> | Microsoft.Insights/RollbackToLegacyPricingModel/Action | Rollback subscription to legacy pricing model | +> | Microsoft.Insights/ActionGroups/Write | Create or update an action group | +> | Microsoft.Insights/ActionGroups/Delete | Delete an action group | +> | Microsoft.Insights/ActionGroups/Read | Read an action group | +> | Microsoft.Insights/actionGroups/NetworkSecurityPerimeterAssociationProxies/Read | Read a action group endpoint NSP association proxy | +> | Microsoft.Insights/actionGroups/NetworkSecurityPerimeterAssociationProxies/Write | Create or 
update a action group endpoint NSP association proxy | +> | Microsoft.Insights/actionGroups/NetworkSecurityPerimeterAssociationProxies/Delete | Delete a action group endpoint NSP association proxy | +> | Microsoft.Insights/actionGroups/NetworkSecurityPerimeterConfigurations/Read | Read action group endpoint effective NSP configuration | +> | Microsoft.Insights/actionGroups/NetworkSecurityPerimeterConfigurations/Reconcile/Action | Reconcile action group endpoint NSP configuration | +> | Microsoft.Insights/ActivityLogAlerts/Write | Create or update an activity log alert | +> | Microsoft.Insights/ActivityLogAlerts/Delete | Delete an activity log alert | +> | Microsoft.Insights/ActivityLogAlerts/Read | Read an activity log alert | +> | Microsoft.Insights/ActivityLogAlerts/Activated/Action | Activity Log Alert activated | +> | Microsoft.Insights/AlertRules/Write | Create or update a classic metric alert | +> | Microsoft.Insights/AlertRules/Delete | Delete a classic metric alert | +> | Microsoft.Insights/AlertRules/Read | Read a classic metric alert | +> | Microsoft.Insights/AlertRules/Activated/Action | Classic metric alert activated | +> | Microsoft.Insights/AlertRules/Resolved/Action | Classic metric alert resolved | +> | Microsoft.Insights/AlertRules/Throttled/Action | Classic metric alert rule throttled | +> | Microsoft.Insights/AlertRules/Incidents/Read | Read a classic metric alert incident | +> | Microsoft.Insights/AutoscaleSettings/Write | Create or update an autoscale setting | +> | Microsoft.Insights/AutoscaleSettings/Delete | Delete an autoscale setting | +> | Microsoft.Insights/AutoscaleSettings/Read | Read an autoscale setting | +> | Microsoft.Insights/AutoscaleSettings/Scaleup/Action | Autoscale scale up initiated | +> | Microsoft.Insights/AutoscaleSettings/PredictiveScaleup/Action | Predictive Autoscale scale up initiated | +> | Microsoft.Insights/AutoscaleSettings/Scaledown/Action | Autoscale scale down initiated | +> | 
Microsoft.Insights/AutoscaleSettings/PredictiveScaleupResult/Action | Predictive Autoscale scale up completed | +> | Microsoft.Insights/AutoscaleSettings/ScaleupResult/Action | Autoscale scale up completed | +> | Microsoft.Insights/AutoscaleSettings/ScaledownResult/Action | Autoscale scale down completed | +> | Microsoft.Insights/AutoscaleSettings/providers/Microsoft.Insights/diagnosticSettings/Read | Read a resource diagnostic setting | +> | Microsoft.Insights/AutoscaleSettings/providers/Microsoft.Insights/diagnosticSettings/Write | Create or update a resource diagnostic setting | +> | Microsoft.Insights/AutoscaleSettings/providers/Microsoft.Insights/logDefinitions/Read | Read log definitions | +> | Microsoft.Insights/AutoscaleSettings/providers/Microsoft.Insights/MetricDefinitions/Read | Read metric definitions | +> | Microsoft.Insights/Baseline/Read | Read a metric baseline (preview) | +> | Microsoft.Insights/CalculateBaseline/Read | Calculate baseline for metric values (preview) | +> | Microsoft.Insights/Components/AnalyticsTables/Action | Application Insights analytics table action | +> | Microsoft.Insights/Components/ApiKeys/Action | Generating an Application Insights API key | +> | Microsoft.Insights/Components/Purge/Action | Purging data from Application Insights | +> | Microsoft.Insights/Components/DailyCapReached/Action | Reached the daily cap for Application Insights component | +> | Microsoft.Insights/Components/DailyCapWarningThresholdReached/Action | Reached the daily cap warning threshold for Application Insights component | +> | Microsoft.Insights/Components/Write | Writing to an application insights component configuration | +> | Microsoft.Insights/Components/Delete | Deleting an application insights component configuration | +> | Microsoft.Insights/Components/Read | Reading an application insights component configuration | +> | Microsoft.Insights/Components/ExportConfiguration/Action | Application Insights export settings action | +> | 
Microsoft.Insights/Components/Move/Action | Move an Application Insights Component to another resource group or subscription | +> | Microsoft.Insights/Components/AnalyticsItems/Delete | Deleting an Application Insights analytics item | +> | Microsoft.Insights/Components/AnalyticsItems/Read | Reading an Application Insights analytics item | +> | Microsoft.Insights/Components/AnalyticsItems/Write | Writing an Application Insights analytics item | +> | Microsoft.Insights/Components/AnalyticsTables/Delete | Deleting an Application Insights analytics table schema | +> | Microsoft.Insights/Components/AnalyticsTables/Read | Reading an Application Insights analytics table schema | +> | Microsoft.Insights/Components/AnalyticsTables/Write | Writing an Application Insights analytics table schema | +> | Microsoft.Insights/Components/Annotations/Delete | Deleting an Application Insights annotation | +> | Microsoft.Insights/Components/Annotations/Read | Reading an Application Insights annotation | +> | Microsoft.Insights/Components/Annotations/Write | Writing an Application Insights annotation | +> | Microsoft.Insights/Components/Api/Read | Reading Application Insights component data API | +> | Microsoft.Insights/Components/ApiKeys/Delete | Deleting an Application Insights API key | +> | Microsoft.Insights/Components/ApiKeys/Read | Reading an Application Insights API key | +> | Microsoft.Insights/Components/BillingPlanForComponent/Read | Reading a billing plan for Application Insights component | +> | Microsoft.Insights/Components/CurrentBillingFeatures/Read | Reading current billing features for Application Insights component | +> | Microsoft.Insights/Components/CurrentBillingFeatures/Write | Writing current billing features for Application Insights component | +> | Microsoft.Insights/Components/DefaultWorkItemConfig/Read | Reading an Application Insights default ALM integration configuration | +> | Microsoft.Insights/Components/Events/Read | Get logs from Application Insights 
using OData query format | +> | Microsoft.Insights/Components/ExportConfiguration/Delete | Deleting Application Insights export settings | +> | Microsoft.Insights/Components/ExportConfiguration/Read | Reading Application Insights export settings | +> | Microsoft.Insights/Components/ExportConfiguration/Write | Writing Application Insights export settings | +> | Microsoft.Insights/Components/ExtendQueries/Read | Reading Application Insights component extended query results | +> | Microsoft.Insights/Components/Favorites/Delete | Deleting an Application Insights favorite | +> | Microsoft.Insights/Components/Favorites/Read | Reading an Application Insights favorite | +> | Microsoft.Insights/Components/Favorites/Write | Writing an Application Insights favorite | +> | Microsoft.Insights/Components/FeatureCapabilities/Read | Reading Application Insights component feature capabilities | +> | Microsoft.Insights/Components/GetAvailableBillingFeatures/Read | Reading Application Insights component available billing features | +> | Microsoft.Insights/Components/GetToken/Read | Reading an Application Insights component token | +> | Microsoft.Insights/Components/MetricDefinitions/Read | Reading Application Insights component metric definitions | +> | Microsoft.Insights/Components/Metrics/Read | Reading Application Insights component metrics | +> | Microsoft.Insights/Components/MyAnalyticsItems/Delete | Deleting an Application Insights personal analytics item | +> | Microsoft.Insights/Components/MyAnalyticsItems/Write | Writing an Application Insights personal analytics item | +> | Microsoft.Insights/Components/MyAnalyticsItems/Read | Reading an Application Insights personal analytics item | +> | Microsoft.Insights/Components/MyFavorites/Read | Reading an Application Insights personal favorite | +> | Microsoft.Insights/Components/Operations/Read | Get status of long-running operations in Application Insights | +> | Microsoft.Insights/Components/PricingPlans/Read | Reading an 
Application Insights component pricing plan | +> | Microsoft.Insights/Components/PricingPlans/Write | Writing an Application Insights component pricing plan | +> | Microsoft.Insights/Components/ProactiveDetectionConfigs/Read | Reading Application Insights proactive detection configuration | +> | Microsoft.Insights/Components/ProactiveDetectionConfigs/Write | Writing Application Insights proactive detection configuration | +> | Microsoft.Insights/Components/providers/Microsoft.Insights/diagnosticSettings/Read | Read a resource diagnostic setting | +> | Microsoft.Insights/Components/providers/Microsoft.Insights/diagnosticSettings/Write | Create or update a resource diagnostic setting | +> | Microsoft.Insights/Components/providers/Microsoft.Insights/logDefinitions/Read | Read log definitions | +> | Microsoft.Insights/Components/providers/Microsoft.Insights/MetricDefinitions/Read | Read metric definitions | +> | Microsoft.Insights/Components/Query/Read | Run queries against Application Insights logs | +> | Microsoft.Insights/Components/QuotaStatus/Read | Reading Application Insights component quota status | +> | Microsoft.Insights/Components/SyntheticMonitorLocations/Read | Reading Application Insights webtest locations | +> | Microsoft.Insights/Components/Webtests/Read | Reading a webtest configuration | +> | Microsoft.Insights/Components/WorkItemConfigs/Delete | Deleting an Application Insights ALM integration configuration | +> | Microsoft.Insights/Components/WorkItemConfigs/Read | Reading an Application Insights ALM integration configuration | +> | Microsoft.Insights/Components/WorkItemConfigs/Write | Writing an Application Insights ALM integration configuration | +> | Microsoft.Insights/CreateNotifications/Write | Send test notifications to the provided receiver list | +> | Microsoft.Insights/DataCollectionEndpoints/Read | Read a data collection endpoint | +> | Microsoft.Insights/DataCollectionEndpoints/Write | Create or update a data collection endpoint | +> | 
Microsoft.Insights/DataCollectionEndpoints/Delete | Delete a data collection endpoint | +> | Microsoft.Insights/DataCollectionEndpoints/TriggerFailover/Action | Trigger failover on a data collection endpoint | +> | Microsoft.Insights/DataCollectionEndpoints/TriggerFailback/Action | Trigger failback on a data collection endpoint | +> | Microsoft.Insights/DataCollectionEndpoints/NetworkSecurityPerimeterAssociationProxies/Read | Read a data collection endpoint NSP association proxy | +> | Microsoft.Insights/DataCollectionEndpoints/NetworkSecurityPerimeterAssociationProxies/Write | Create or update a data collection endpoint NSP association proxy | +> | Microsoft.Insights/DataCollectionEndpoints/NetworkSecurityPerimeterAssociationProxies/Delete | Delete a data collection endpoint NSP association proxy | +> | Microsoft.Insights/DataCollectionEndpoints/NetworkSecurityPerimeterConfigurations/Read | Read data collection endpoint effective NSP configuration | +> | Microsoft.Insights/DataCollectionEndpoints/NetworkSecurityPerimeterConfigurations/Reconcile/Action | Reconcile data collection endpoint NSP configuration | +> | Microsoft.Insights/DataCollectionEndpoints/ScopedPrivateLinkProxies/Read | Read a data collection endpoint private link proxy | +> | Microsoft.Insights/DataCollectionEndpoints/ScopedPrivateLinkProxies/Write | Create or update a data collection endpoint private link proxy | +> | Microsoft.Insights/DataCollectionEndpoints/ScopedPrivateLinkProxies/Delete | Delete a data collection endpoint private link proxy | +> | Microsoft.Insights/DataCollectionRuleAssociations/Read | Read a resource's association with a data collection rule | +> | Microsoft.Insights/DataCollectionRuleAssociations/Write | Create or update a resource's association with a data collection rule | +> | Microsoft.Insights/DataCollectionRuleAssociations/Delete | Delete a resource's association with a data collection rule | +> | Microsoft.Insights/DataCollectionRules/Read | Read a data collection 
rule | +> | Microsoft.Insights/DataCollectionRules/Write | Create or update a data collection rule | +> | Microsoft.Insights/DataCollectionRules/Delete | Delete a data collection rule | +> | Microsoft.Insights/DiagnosticSettings/Write | Create or update a resource diagnostic setting | +> | Microsoft.Insights/DiagnosticSettings/Delete | Delete a resource diagnostic setting | +> | Microsoft.Insights/DiagnosticSettings/Read | Read a resource diagnostic setting | +> | Microsoft.Insights/DiagnosticSettingsCategories/Read | Read diagnostic settings categories | +> | Microsoft.Insights/EventCategories/Read | Read available Activity Log event categories | +> | Microsoft.Insights/eventtypes/digestevents/Read | Read management event type digest | +> | Microsoft.Insights/eventtypes/values/Read | Read Activity Log events | +> | Microsoft.Insights/ExtendedDiagnosticSettings/Write | Create or update a network flow log diagnostic setting | +> | Microsoft.Insights/ExtendedDiagnosticSettings/Delete | Delete a network flow log diagnostic setting | +> | Microsoft.Insights/ExtendedDiagnosticSettings/Read | Read a network flow log diagnostic setting | +> | Microsoft.Insights/generateLiveToken/Read | Live Metrics get token | +> | Microsoft.Insights/ListMigrationDate/Read | Get back subscription migration date | +> | Microsoft.Insights/LogDefinitions/Read | Read log definitions | +> | Microsoft.Insights/LogProfiles/Write | Create or update an Activity Log log profile | +> | Microsoft.Insights/LogProfiles/Delete | Delete an Activity Log log profile | +> | Microsoft.Insights/LogProfiles/Read | Read an Activity Log log profile | +> | Microsoft.Insights/Logs/Read | Reading data from all your logs | +> | Microsoft.Insights/Logs/AADDomainServicesAccountLogon/Read | Read data from the AADDomainServicesAccountLogon table | +> | Microsoft.Insights/Logs/AADDomainServicesAccountManagement/Read | Read data from the AADDomainServicesAccountManagement table | +> | 
Microsoft.Insights/Logs/AADDomainServicesDirectoryServiceAccess/Read | Read data from the AADDomainServicesDirectoryServiceAccess table | +> | Microsoft.Insights/Logs/AADDomainServicesLogonLogoff/Read | Read data from the AADDomainServicesLogonLogoff table | +> | Microsoft.Insights/Logs/AADDomainServicesPolicyChange/Read | Read data from the AADDomainServicesPolicyChange table | +> | Microsoft.Insights/Logs/AADDomainServicesPrivilegeUse/Read | Read data from the AADDomainServicesPrivilegeUse table | +> | Microsoft.Insights/Logs/AADDomainServicesSystemSecurity/Read | Read data from the AADDomainServicesSystemSecurity table | +> | Microsoft.Insights/Logs/AADManagedIdentitySignInLogs/Read | Read data from the AADManagedIdentitySignInLogs table | +> | Microsoft.Insights/Logs/AADNonInteractiveUserSignInLogs/Read | Read data from the AADNonInteractiveUserSignInLogs table | +> | Microsoft.Insights/Logs/AADServicePrincipalSignInLogs/Read | Read data from the AADServicePrincipalSignInLogs table | +> | Microsoft.Insights/Logs/ADAssessmentRecommendation/Read | Read data from the ADAssessmentRecommendation table | +> | Microsoft.Insights/Logs/AddonAzureBackupAlerts/Read | Read data from the AddonAzureBackupAlerts table | +> | Microsoft.Insights/Logs/AddonAzureBackupJobs/Read | Read data from the AddonAzureBackupJobs table | +> | Microsoft.Insights/Logs/AddonAzureBackupPolicy/Read | Read data from the AddonAzureBackupPolicy table | +> | Microsoft.Insights/Logs/AddonAzureBackupProtectedInstance/Read | Read data from the AddonAzureBackupProtectedInstance table | +> | Microsoft.Insights/Logs/AddonAzureBackupStorage/Read | Read data from the AddonAzureBackupStorage table | +> | Microsoft.Insights/Logs/ADFActivityRun/Read | Read data from the ADFActivityRun table | +> | Microsoft.Insights/Logs/ADFPipelineRun/Read | Read data from the ADFPipelineRun table | +> | Microsoft.Insights/Logs/ADFSSISIntegrationRuntimeLogs/Read | Read data from the ADFSSISIntegrationRuntimeLogs table | +> | 
Microsoft.Insights/Logs/ADFSSISPackageEventMessageContext/Read | Read data from the ADFSSISPackageEventMessageContext table | +> | Microsoft.Insights/Logs/ADFSSISPackageEventMessages/Read | Read data from the ADFSSISPackageEventMessages table | +> | Microsoft.Insights/Logs/ADFSSISPackageExecutableStatistics/Read | Read data from the ADFSSISPackageExecutableStatistics table | +> | Microsoft.Insights/Logs/ADFSSISPackageExecutionComponentPhases/Read | Read data from the ADFSSISPackageExecutionComponentPhases table | +> | Microsoft.Insights/Logs/ADFSSISPackageExecutionDataStatistics/Read | Read data from the ADFSSISPackageExecutionDataStatistics table | +> | Microsoft.Insights/Logs/ADFTriggerRun/Read | Read data from the ADFTriggerRun table | +> | Microsoft.Insights/Logs/ADReplicationResult/Read | Read data from the ADReplicationResult table | +> | Microsoft.Insights/Logs/ADSecurityAssessmentRecommendation/Read | Read data from the ADSecurityAssessmentRecommendation table | +> | Microsoft.Insights/Logs/ADTDigitalTwinsOperation/Read | Read data from the ADTDigitalTwinsOperation table | +> | Microsoft.Insights/Logs/ADTEventRoutesOperation/Read | Read data from the ADTEventRoutesOperation table | +> | Microsoft.Insights/Logs/ADTModelsOperation/Read | Read data from the ADTModelsOperation table | +> | Microsoft.Insights/Logs/ADTQueryOperation/Read | Read data from the ADTQueryOperation table | +> | Microsoft.Insights/Logs/AegDeliveryFailureLogs/Read | Read data from the AegDeliveryFailureLogs table | +> | Microsoft.Insights/Logs/AegPublishFailureLogs/Read | Read data from the AegPublishFailureLogs table | +> | Microsoft.Insights/Logs/Alert/Read | Read data from the Alert table | +> | Microsoft.Insights/Logs/AlertHistory/Read | Read data from the AlertHistory table | +> | Microsoft.Insights/Logs/AmlComputeClusterEvent/Read | Read data from the AmlComputeClusterEvent table | +> | Microsoft.Insights/Logs/AmlComputeClusterNodeEvent/Read | Read data from the 
AmlComputeClusterNodeEvent table | +> | Microsoft.Insights/Logs/AmlComputeCpuGpuUtilization/Read | Read data from the AmlComputeCpuGpuUtilization table | +> | Microsoft.Insights/Logs/AmlComputeJobEvent/Read | Read data from the AmlComputeJobEvent table | +> | Microsoft.Insights/Logs/AmlRunStatusChangedEvent/Read | Read data from the AmlRunStatusChangedEvent table | +> | Microsoft.Insights/Logs/ApiManagementGatewayLogs/Read | Read data from the ApiManagementGatewayLogs table | +> | Microsoft.Insights/Logs/AppAvailabilityResults/Read | Read data from the AppAvailabilityResults table | +> | Microsoft.Insights/Logs/AppBrowserTimings/Read | Read data from the AppBrowserTimings table | +> | Microsoft.Insights/Logs/AppCenterError/Read | Read data from the AppCenterError table | +> | Microsoft.Insights/Logs/AppDependencies/Read | Read data from the AppDependencies table | +> | Microsoft.Insights/Logs/AppEvents/Read | Read data from the AppEvents table | +> | Microsoft.Insights/Logs/AppExceptions/Read | Read data from the AppExceptions table | +> | Microsoft.Insights/Logs/ApplicationInsights/Read | Read data from the ApplicationInsights table | +> | Microsoft.Insights/Logs/AppMetrics/Read | Read data from the AppMetrics table | +> | Microsoft.Insights/Logs/AppPageViews/Read | Read data from the AppPageViews table | +> | Microsoft.Insights/Logs/AppPerformanceCounters/Read | Read data from the AppPerformanceCounters table | +> | Microsoft.Insights/Logs/AppPlatformLogsforSpring/Read | Read data from the AppPlatformLogsforSpring table | +> | Microsoft.Insights/Logs/AppPlatformSystemLogs/Read | Read data from the AppPlatformSystemLogs table | +> | Microsoft.Insights/Logs/AppRequests/Read | Read data from the AppRequests table | +> | Microsoft.Insights/Logs/AppServiceAntivirusScanLogs/Read | Read data from the AppServiceAntivirusScanLogs table | +> | Microsoft.Insights/Logs/AppServiceAppLogs/Read | Read data from the AppServiceAppLogs table | +> | 
Microsoft.Insights/Logs/AppServiceAuditLogs/Read | Read data from the AppServiceAuditLogs table | +> | Microsoft.Insights/Logs/AppServiceConsoleLogs/Read | Read data from the AppServiceConsoleLogs table | +> | Microsoft.Insights/Logs/AppServiceEnvironmentPlatformLogs/Read | Read data from the AppServiceEnvironmentPlatformLogs table | +> | Microsoft.Insights/Logs/AppServiceFileAuditLogs/Read | Read data from the AppServiceFileAuditLogs table | +> | Microsoft.Insights/Logs/AppServiceHTTPLogs/Read | Read data from the AppServiceHTTPLogs table | +> | Microsoft.Insights/Logs/AppServicePlatformLogs/Read | Read data from the AppServicePlatformLogs table | +> | Microsoft.Insights/Logs/AppSystemEvents/Read | Read data from the AppSystemEvents table | +> | Microsoft.Insights/Logs/AppTraces/Read | Read data from the AppTraces table | +> | Microsoft.Insights/Logs/AuditLogs/Read | Read data from the AuditLogs table | +> | Microsoft.Insights/Logs/AutoscaleEvaluationsLog/Read | Read data from the AutoscaleEvaluationsLog table | +> | Microsoft.Insights/Logs/AutoscaleScaleActionsLog/Read | Read data from the AutoscaleScaleActionsLog table | +> | Microsoft.Insights/Logs/AWSCloudTrail/Read | Read data from the AWSCloudTrail table | +> | Microsoft.Insights/Logs/AzureActivity/Read | Read data from the AzureActivity table | +> | Microsoft.Insights/Logs/AzureAssessmentRecommendation/Read | Read data from the AzureAssessmentRecommendation table | +> | Microsoft.Insights/Logs/AzureDevOpsAuditing/Read | Read data from the AzureDevOpsAuditing table | +> | Microsoft.Insights/Logs/AzureDiagnostics/Read | Read data from the AzureDiagnostics table | +> | Microsoft.Insights/Logs/AzureMetrics/Read | Read data from the AzureMetrics table | +> | Microsoft.Insights/Logs/BaiClusterEvent/Read | Read data from the BaiClusterEvent table | +> | Microsoft.Insights/Logs/BaiClusterNodeEvent/Read | Read data from the BaiClusterNodeEvent table | +> | Microsoft.Insights/Logs/BaiJobEvent/Read | Read data from 
the BaiJobEvent table | +> | Microsoft.Insights/Logs/BehaviorAnalytics/Read | Read data from the BehaviorAnalytics table | +> | Microsoft.Insights/Logs/BlockchainApplicationLog/Read | Read data from the BlockchainApplicationLog table | +> | Microsoft.Insights/Logs/BlockchainProxyLog/Read | Read data from the BlockchainProxyLog table | +> | Microsoft.Insights/Logs/BoundPort/Read | Read data from the BoundPort table | +> | Microsoft.Insights/Logs/CommonSecurityLog/Read | Read data from the CommonSecurityLog table | +> | Microsoft.Insights/Logs/ComputerGroup/Read | Read data from the ComputerGroup table | +> | Microsoft.Insights/Logs/ConfigurationChange/Read | Read data from the ConfigurationChange table | +> | Microsoft.Insights/Logs/ConfigurationData/Read | Read data from the ConfigurationData table | +> | Microsoft.Insights/Logs/ContainerImageInventory/Read | Read data from the ContainerImageInventory table | +> | Microsoft.Insights/Logs/ContainerInventory/Read | Read data from the ContainerInventory table | +> | Microsoft.Insights/Logs/ContainerLog/Read | Read data from the ContainerLog table | +> | Microsoft.Insights/Logs/ContainerNodeInventory/Read | Read data from the ContainerNodeInventory table | +> | Microsoft.Insights/Logs/ContainerRegistryLoginEvents/Read | Read data from the ContainerRegistryLoginEvents table | +> | Microsoft.Insights/Logs/ContainerRegistryRepositoryEvents/Read | Read data from the ContainerRegistryRepositoryEvents table | +> | Microsoft.Insights/Logs/ContainerServiceLog/Read | Read data from the ContainerServiceLog table | +> | Microsoft.Insights/Logs/CoreAzureBackup/Read | Read data from the CoreAzureBackup table | +> | Microsoft.Insights/Logs/DatabricksAccounts/Read | Read data from the DatabricksAccounts table | +> | Microsoft.Insights/Logs/DatabricksClusters/Read | Read data from the DatabricksClusters table | +> | Microsoft.Insights/Logs/DatabricksDBFS/Read | Read data from the DatabricksDBFS table | +> | 
Microsoft.Insights/Logs/DatabricksInstancePools/Read | Read data from the DatabricksInstancePools table | +> | Microsoft.Insights/Logs/DatabricksJobs/Read | Read data from the DatabricksJobs table | +> | Microsoft.Insights/Logs/DatabricksNotebook/Read | Read data from the DatabricksNotebook table | +> | Microsoft.Insights/Logs/DatabricksSecrets/Read | Read data from the DatabricksSecrets table | +> | Microsoft.Insights/Logs/DatabricksSQLPermissions/Read | Read data from the DatabricksSQLPermissions table | +> | Microsoft.Insights/Logs/DatabricksSSH/Read | Read data from the DatabricksSSH table | +> | Microsoft.Insights/Logs/DatabricksTables/Read | Read data from the DatabricksTables table | +> | Microsoft.Insights/Logs/DatabricksWorkspace/Read | Read data from the DatabricksWorkspace table | +> | Microsoft.Insights/Logs/DeviceAppCrash/Read | Read data from the DeviceAppCrash table | +> | Microsoft.Insights/Logs/DeviceAppLaunch/Read | Read data from the DeviceAppLaunch table | +> | Microsoft.Insights/Logs/DeviceCalendar/Read | Read data from the DeviceCalendar table | +> | Microsoft.Insights/Logs/DeviceCleanup/Read | Read data from the DeviceCleanup table | +> | Microsoft.Insights/Logs/DeviceConnectSession/Read | Read data from the DeviceConnectSession table | +> | Microsoft.Insights/Logs/DeviceEtw/Read | Read data from the DeviceEtw table | +> | Microsoft.Insights/Logs/DeviceHardwareHealth/Read | Read data from the DeviceHardwareHealth table | +> | Microsoft.Insights/Logs/DeviceHealth/Read | Read data from the DeviceHealth table | +> | Microsoft.Insights/Logs/DeviceHeartbeat/Read | Read data from the DeviceHeartbeat table | +> | Microsoft.Insights/Logs/DeviceSkypeHeartbeat/Read | Read data from the DeviceSkypeHeartbeat table | +> | Microsoft.Insights/Logs/DeviceSkypeSignIn/Read | Read data from the DeviceSkypeSignIn table | +> | Microsoft.Insights/Logs/DeviceSleepState/Read | Read data from the DeviceSleepState table | +> | Microsoft.Insights/Logs/DHAppFailure/Read 
| Read data from the DHAppFailure table | +> | Microsoft.Insights/Logs/DHAppReliability/Read | Read data from the DHAppReliability table | +> | Microsoft.Insights/Logs/DHCPActivity/Read | Read data from the DHCPActivity table | +> | Microsoft.Insights/Logs/DHDriverReliability/Read | Read data from the DHDriverReliability table | +> | Microsoft.Insights/Logs/DHLogonFailures/Read | Read data from the DHLogonFailures table | +> | Microsoft.Insights/Logs/DHLogonMetrics/Read | Read data from the DHLogonMetrics table | +> | Microsoft.Insights/Logs/DHOSCrashData/Read | Read data from the DHOSCrashData table | +> | Microsoft.Insights/Logs/DHOSReliability/Read | Read data from the DHOSReliability table | +> | Microsoft.Insights/Logs/DHWipAppLearning/Read | Read data from the DHWipAppLearning table | +> | Microsoft.Insights/Logs/DnsEvents/Read | Read data from the DnsEvents table | +> | Microsoft.Insights/Logs/DnsInventory/Read | Read data from the DnsInventory table | +> | Microsoft.Insights/Logs/Dynamics365Activity/Read | Read data from the Dynamics365Activity table | +> | Microsoft.Insights/Logs/ETWEvent/Read | Read data from the ETWEvent table | +> | Microsoft.Insights/Logs/Event/Read | Read data from the Event table | +> | Microsoft.Insights/Logs/ExchangeAssessmentRecommendation/Read | Read data from the ExchangeAssessmentRecommendation table | +> | Microsoft.Insights/Logs/ExchangeOnlineAssessmentRecommendation/Read | Read data from the ExchangeOnlineAssessmentRecommendation table | +> | Microsoft.Insights/Logs/FailedIngestion/Read | Read data from the FailedIngestion table | +> | Microsoft.Insights/Logs/FunctionAppLogs/Read | Read data from the FunctionAppLogs table | +> | Microsoft.Insights/Logs/Heartbeat/Read | Read data from the Heartbeat table | +> | Microsoft.Insights/Logs/HuntingBookmark/Read | Read data from the HuntingBookmark table | +> | Microsoft.Insights/Logs/IISAssessmentRecommendation/Read | Read data from the IISAssessmentRecommendation table | +> | 
Microsoft.Insights/Logs/InboundConnection/Read | Read data from the InboundConnection table | +> | Microsoft.Insights/Logs/InsightsMetrics/Read | Read data from the InsightsMetrics table | +> | Microsoft.Insights/Logs/IntuneAuditLogs/Read | Read data from the IntuneAuditLogs table | +> | Microsoft.Insights/Logs/IntuneDeviceComplianceOrg/Read | Read data from the IntuneDeviceComplianceOrg table | +> | Microsoft.Insights/Logs/IntuneOperationalLogs/Read | Read data from the IntuneOperationalLogs table | +> | Microsoft.Insights/Logs/IoTHubDistributedTracing/Read | Read data from the IoTHubDistributedTracing table | +> | Microsoft.Insights/Logs/KubeEvents/Read | Read data from the KubeEvents table | +> | Microsoft.Insights/Logs/KubeHealth/Read | Read data from the KubeHealth table | +> | Microsoft.Insights/Logs/KubeMonAgentEvents/Read | Read data from the KubeMonAgentEvents table | +> | Microsoft.Insights/Logs/KubeNodeInventory/Read | Read data from the KubeNodeInventory table | +> | Microsoft.Insights/Logs/KubePodInventory/Read | Read data from the KubePodInventory table | +> | Microsoft.Insights/Logs/KubeServices/Read | Read data from the KubeServices table | +> | Microsoft.Insights/Logs/LinuxAuditLog/Read | Read data from the LinuxAuditLog table | +> | Microsoft.Insights/Logs/MAApplication/Read | Read data from the MAApplication table | +> | Microsoft.Insights/Logs/MAApplicationHealth/Read | Read data from the MAApplicationHealth table | +> | Microsoft.Insights/Logs/MAApplicationHealthAlternativeVersions/Read | Read data from the MAApplicationHealthAlternativeVersions table | +> | Microsoft.Insights/Logs/MAApplicationHealthIssues/Read | Read data from the MAApplicationHealthIssues table | +> | Microsoft.Insights/Logs/MAApplicationInstance/Read | Read data from the MAApplicationInstance table | +> | Microsoft.Insights/Logs/MAApplicationInstanceReadiness/Read | Read data from the MAApplicationInstanceReadiness table | +> | 
Microsoft.Insights/Logs/MAApplicationReadiness/Read | Read data from the MAApplicationReadiness table | +> | Microsoft.Insights/Logs/MADeploymentPlan/Read | Read data from the MADeploymentPlan table | +> | Microsoft.Insights/Logs/MADevice/Read | Read data from the MADevice table | +> | Microsoft.Insights/Logs/MADeviceNotEnrolled/Read | Read data from the MADeviceNotEnrolled table | +> | Microsoft.Insights/Logs/MADeviceNRT/Read | Read data from the MADeviceNRT table | +> | Microsoft.Insights/Logs/MADevicePnPHealth/Read | Read data from the MADevicePnPHealth table | +> | Microsoft.Insights/Logs/MADevicePnPHealthAlternativeVersions/Read | Read data from the MADevicePnPHealthAlternativeVersions table | +> | Microsoft.Insights/Logs/MADevicePnPHealthIssues/Read | Read data from the MADevicePnPHealthIssues table | +> | Microsoft.Insights/Logs/MADeviceReadiness/Read | Read data from the MADeviceReadiness table | +> | Microsoft.Insights/Logs/MADriverInstanceReadiness/Read | Read data from the MADriverInstanceReadiness table | +> | Microsoft.Insights/Logs/MADriverReadiness/Read | Read data from the MADriverReadiness table | +> | Microsoft.Insights/Logs/MAOfficeAddin/Read | Read data from the MAOfficeAddin table | +> | Microsoft.Insights/Logs/MAOfficeAddinEntityHealth/Read | Read data from the MAOfficeAddinEntityHealth table | +> | Microsoft.Insights/Logs/MAOfficeAddinHealth/Read | Read data from the MAOfficeAddinHealth table | +> | Microsoft.Insights/Logs/MAOfficeAddinHealthEventNRT/Read | Read data from the MAOfficeAddinHealthEventNRT table | +> | Microsoft.Insights/Logs/MAOfficeAddinHealthIssues/Read | Read data from the MAOfficeAddinHealthIssues table | +> | Microsoft.Insights/Logs/MAOfficeAddinInstance/Read | Read data from the MAOfficeAddinInstance table | +> | Microsoft.Insights/Logs/MAOfficeAddinInstanceReadiness/Read | Read data from the MAOfficeAddinInstanceReadiness table | +> | Microsoft.Insights/Logs/MAOfficeAddinReadiness/Read | Read data from the 
MAOfficeAddinReadiness table | +> | Microsoft.Insights/Logs/MAOfficeApp/Read | Read data from the MAOfficeApp table | +> | Microsoft.Insights/Logs/MAOfficeAppCrashesNRT/Read | Read data from the MAOfficeAppCrashesNRT table | +> | Microsoft.Insights/Logs/MAOfficeAppHealth/Read | Read data from the MAOfficeAppHealth table | +> | Microsoft.Insights/Logs/MAOfficeAppInstance/Read | Read data from the MAOfficeAppInstance table | +> | Microsoft.Insights/Logs/MAOfficeAppInstanceHealth/Read | Read data from the MAOfficeAppInstanceHealth table | +> | Microsoft.Insights/Logs/MAOfficeAppReadiness/Read | Read data from the MAOfficeAppReadiness table | +> | Microsoft.Insights/Logs/MAOfficeAppSessionsNRT/Read | Read data from the MAOfficeAppSessionsNRT table | +> | Microsoft.Insights/Logs/MAOfficeBuildInfo/Read | Read data from the MAOfficeBuildInfo table | +> | Microsoft.Insights/Logs/MAOfficeCurrencyAssessment/Read | Read data from the MAOfficeCurrencyAssessment table | +> | Microsoft.Insights/Logs/MAOfficeCurrencyAssessmentDailyCounts/Read | Read data from the MAOfficeCurrencyAssessmentDailyCounts table | +> | Microsoft.Insights/Logs/MAOfficeDeploymentStatus/Read | Read data from the MAOfficeDeploymentStatus table | +> | Microsoft.Insights/Logs/MAOfficeDeploymentStatusNRT/Read | Read data from the MAOfficeDeploymentStatusNRT table | +> | Microsoft.Insights/Logs/MAOfficeMacroErrorNRT/Read | Read data from the MAOfficeMacroErrorNRT table | +> | Microsoft.Insights/Logs/MAOfficeMacroGlobalHealth/Read | Read data from the MAOfficeMacroGlobalHealth table | +> | Microsoft.Insights/Logs/MAOfficeMacroHealth/Read | Read data from the MAOfficeMacroHealth table | +> | Microsoft.Insights/Logs/MAOfficeMacroHealthIssues/Read | Read data from the MAOfficeMacroHealthIssues table | +> | Microsoft.Insights/Logs/MAOfficeMacroIssueInstanceReadiness/Read | Read data from the MAOfficeMacroIssueInstanceReadiness table | +> | Microsoft.Insights/Logs/MAOfficeMacroIssueReadiness/Read | Read data from 
the MAOfficeMacroIssueReadiness table | +> | Microsoft.Insights/Logs/MAOfficeMacroSummary/Read | Read data from the MAOfficeMacroSummary table | +> | Microsoft.Insights/Logs/MAOfficeSuite/Read | Read data from the MAOfficeSuite table | +> | Microsoft.Insights/Logs/MAOfficeSuiteInstance/Read | Read data from the MAOfficeSuiteInstance table | +> | Microsoft.Insights/Logs/MAProposedPilotDevices/Read | Read data from the MAProposedPilotDevices table | +> | Microsoft.Insights/Logs/MAWindowsBuildInfo/Read | Read data from the MAWindowsBuildInfo table | +> | Microsoft.Insights/Logs/MAWindowsCurrencyAssessment/Read | Read data from the MAWindowsCurrencyAssessment table | +> | Microsoft.Insights/Logs/MAWindowsCurrencyAssessmentDailyCounts/Read | Read data from the MAWindowsCurrencyAssessmentDailyCounts table | +> | Microsoft.Insights/Logs/MAWindowsDeploymentStatus/Read | Read data from the MAWindowsDeploymentStatus table | +> | Microsoft.Insights/Logs/MAWindowsDeploymentStatusNRT/Read | Read data from the MAWindowsDeploymentStatusNRT table | +> | Microsoft.Insights/Logs/MAWindowsSysReqInstanceReadiness/Read | Read data from the MAWindowsSysReqInstanceReadiness table | +> | Microsoft.Insights/Logs/McasShadowItReporting/Read | Read data from the McasShadowItReporting table | +> | Microsoft.Insights/Logs/MicrosoftAzureBastionAuditLogs/Read | Read data from the MicrosoftAzureBastionAuditLogs table | +> | Microsoft.Insights/Logs/MicrosoftDataShareReceivedSnapshotLog/Read | Read data from the MicrosoftDataShareReceivedSnapshotLog table | +> | Microsoft.Insights/Logs/MicrosoftDataShareSentSnapshotLog/Read | Read data from the MicrosoftDataShareSentSnapshotLog table | +> | Microsoft.Insights/Logs/MicrosoftDataShareShareLog/Read | Read data from the MicrosoftDataShareShareLog table | +> | Microsoft.Insights/Logs/MicrosoftDynamicsTelemetryPerformanceLogs/Read | Read data from the MicrosoftDynamicsTelemetryPerformanceLogs table | +> | 
Microsoft.Insights/Logs/MicrosoftDynamicsTelemetrySystemMetricsLogs/Read | Read data from the MicrosoftDynamicsTelemetrySystemMetricsLogs table | +> | Microsoft.Insights/Logs/MicrosoftHealthcareApisAuditLogs/Read | Read data from the MicrosoftHealthcareApisAuditLogs table | +> | Microsoft.Insights/Logs/NetworkMonitoring/Read | Read data from the NetworkMonitoring table | +> | Microsoft.Insights/Logs/OfficeActivity/Read | Read data from the OfficeActivity table | +> | Microsoft.Insights/Logs/Operation/Read | Read data from the Operation table | +> | Microsoft.Insights/Logs/OutboundConnection/Read | Read data from the OutboundConnection table | +> | Microsoft.Insights/Logs/Perf/Read | Read data from the Perf table | +> | Microsoft.Insights/Logs/ProtectionStatus/Read | Read data from the ProtectionStatus table | +> | Microsoft.Insights/Logs/ReservedAzureCommonFields/Read | Read data from the ReservedAzureCommonFields table | +> | Microsoft.Insights/Logs/ReservedCommonFields/Read | Read data from the ReservedCommonFields table | +> | Microsoft.Insights/Logs/SCCMAssessmentRecommendation/Read | Read data from the SCCMAssessmentRecommendation table | +> | Microsoft.Insights/Logs/SCOMAssessmentRecommendation/Read | Read data from the SCOMAssessmentRecommendation table | +> | Microsoft.Insights/Logs/SecurityAlert/Read | Read data from the SecurityAlert table | +> | Microsoft.Insights/Logs/SecurityBaseline/Read | Read data from the SecurityBaseline table | +> | Microsoft.Insights/Logs/SecurityBaselineSummary/Read | Read data from the SecurityBaselineSummary table | +> | Microsoft.Insights/Logs/SecurityDetection/Read | Read data from the SecurityDetection table | +> | Microsoft.Insights/Logs/SecurityEvent/Read | Read data from the SecurityEvent table | +> | Microsoft.Insights/Logs/SecurityIncident/Read | Read data from the SecurityIncident table | +> | Microsoft.Insights/Logs/SecurityIoTRawEvent/Read | Read data from the SecurityIoTRawEvent table | +> | 
Microsoft.Insights/Logs/SecurityNestedRecommendation/Read | Read data from the SecurityNestedRecommendation table | +> | Microsoft.Insights/Logs/SecurityRecommendation/Read | Read data from the SecurityRecommendation table | +> | Microsoft.Insights/Logs/ServiceFabricOperationalEvent/Read | Read data from the ServiceFabricOperationalEvent table | +> | Microsoft.Insights/Logs/ServiceFabricReliableActorEvent/Read | Read data from the ServiceFabricReliableActorEvent table | +> | Microsoft.Insights/Logs/ServiceFabricReliableServiceEvent/Read | Read data from the ServiceFabricReliableServiceEvent table | +> | Microsoft.Insights/Logs/SfBAssessmentRecommendation/Read | Read data from the SfBAssessmentRecommendation table | +> | Microsoft.Insights/Logs/SfBOnlineAssessmentRecommendation/Read | Read data from the SfBOnlineAssessmentRecommendation table | +> | Microsoft.Insights/Logs/SharePointOnlineAssessmentRecommendation/Read | Read data from the SharePointOnlineAssessmentRecommendation table | +> | Microsoft.Insights/Logs/SignalRServiceDiagnosticLogs/Read | Read data from the SignalRServiceDiagnosticLogs table | +> | Microsoft.Insights/Logs/SigninLogs/Read | Read data from the SigninLogs table | +> | Microsoft.Insights/Logs/SPAssessmentRecommendation/Read | Read data from the SPAssessmentRecommendation table | +> | Microsoft.Insights/Logs/SQLAssessmentRecommendation/Read | Read data from the SQLAssessmentRecommendation table | +> | Microsoft.Insights/Logs/SqlDataClassification/Read | Read data from the SqlDataClassification table | +> | Microsoft.Insights/Logs/SQLQueryPerformance/Read | Read data from the SQLQueryPerformance table | +> | Microsoft.Insights/Logs/SqlVulnerabilityAssessmentResult/Read | Read data from the SqlVulnerabilityAssessmentResult table | +> | Microsoft.Insights/Logs/StorageBlobLogs/Read | Read data from the StorageBlobLogs table | +> | Microsoft.Insights/Logs/StorageFileLogs/Read | Read data from the StorageFileLogs table | +> | 
Microsoft.Insights/Logs/StorageQueueLogs/Read | Read data from the StorageQueueLogs table | +> | Microsoft.Insights/Logs/StorageTableLogs/Read | Read data from the StorageTableLogs table | +> | Microsoft.Insights/Logs/SucceededIngestion/Read | Read data from the SucceededIngestion table | +> | Microsoft.Insights/Logs/Syslog/Read | Read data from the Syslog table | +> | Microsoft.Insights/Logs/SysmonEvent/Read | Read data from the SysmonEvent table | +> | Microsoft.Insights/Logs/Tables.Custom/Read | Reading data from any custom log | +> | Microsoft.Insights/Logs/ThreatIntelligenceIndicator/Read | Read data from the ThreatIntelligenceIndicator table | +> | Microsoft.Insights/Logs/TSIIngress/Read | Read data from the TSIIngress table | +> | Microsoft.Insights/Logs/UAApp/Read | Read data from the UAApp table | +> | Microsoft.Insights/Logs/UAComputer/Read | Read data from the UAComputer table | +> | Microsoft.Insights/Logs/UAComputerRank/Read | Read data from the UAComputerRank table | +> | Microsoft.Insights/Logs/UADriver/Read | Read data from the UADriver table | +> | Microsoft.Insights/Logs/UADriverProblemCodes/Read | Read data from the UADriverProblemCodes table | +> | Microsoft.Insights/Logs/UAFeedback/Read | Read data from the UAFeedback table | +> | Microsoft.Insights/Logs/UAHardwareSecurity/Read | Read data from the UAHardwareSecurity table | +> | Microsoft.Insights/Logs/UAIESiteDiscovery/Read | Read data from the UAIESiteDiscovery table | +> | Microsoft.Insights/Logs/UAOfficeAddIn/Read | Read data from the UAOfficeAddIn table | +> | Microsoft.Insights/Logs/UAProposedActionPlan/Read | Read data from the UAProposedActionPlan table | +> | Microsoft.Insights/Logs/UASysReqIssue/Read | Read data from the UASysReqIssue table | +> | Microsoft.Insights/Logs/UAUpgradedComputer/Read | Read data from the UAUpgradedComputer table | +> | Microsoft.Insights/Logs/Update/Read | Read data from the Update table | +> | Microsoft.Insights/Logs/UpdateRunProgress/Read | Read data 
from the UpdateRunProgress table | +> | Microsoft.Insights/Logs/UpdateSummary/Read | Read data from the UpdateSummary table | +> | Microsoft.Insights/Logs/Usage/Read | Read data from the Usage table | +> | Microsoft.Insights/Logs/UserAccessAnalytics/Read | Read data from the UserAccessAnalytics table | +> | Microsoft.Insights/Logs/UserPeerAnalytics/Read | Read data from the UserPeerAnalytics table | +> | Microsoft.Insights/Logs/VMBoundPort/Read | Read data from the VMBoundPort table | +> | Microsoft.Insights/Logs/VMComputer/Read | Read data from the VMComputer table | +> | Microsoft.Insights/Logs/VMConnection/Read | Read data from the VMConnection table | +> | Microsoft.Insights/Logs/VMProcess/Read | Read data from the VMProcess table | +> | Microsoft.Insights/Logs/W3CIISLog/Read | Read data from the W3CIISLog table | +> | Microsoft.Insights/Logs/WaaSDeploymentStatus/Read | Read data from the WaaSDeploymentStatus table | +> | Microsoft.Insights/Logs/WaaSInsiderStatus/Read | Read data from the WaaSInsiderStatus table | +> | Microsoft.Insights/Logs/WaaSUpdateStatus/Read | Read data from the WaaSUpdateStatus table | +> | Microsoft.Insights/Logs/WDAVStatus/Read | Read data from the WDAVStatus table | +> | Microsoft.Insights/Logs/WDAVThreat/Read | Read data from the WDAVThreat table | +> | Microsoft.Insights/Logs/WindowsClientAssessmentRecommendation/Read | Read data from the WindowsClientAssessmentRecommendation table | +> | Microsoft.Insights/Logs/WindowsEvent/Read | Read data from the WindowsEvent table | +> | Microsoft.Insights/Logs/WindowsFirewall/Read | Read data from the WindowsFirewall table | +> | Microsoft.Insights/Logs/WindowsServerAssessmentRecommendation/Read | Read data from the WindowsServerAssessmentRecommendation table | +> | Microsoft.Insights/Logs/WireData/Read | Read data from the WireData table | +> | Microsoft.Insights/Logs/WorkloadMonitoringPerf/Read | Read data from the WorkloadMonitoringPerf table | +> | 
Microsoft.Insights/Logs/WUDOAggregatedStatus/Read | Read data from the WUDOAggregatedStatus table | +> | Microsoft.Insights/Logs/WUDOStatus/Read | Read data from the WUDOStatus table | +> | Microsoft.Insights/Logs/WVDCheckpoints/Read | Read data from the WVDCheckpoints table | +> | Microsoft.Insights/Logs/WVDConnections/Read | Read data from the WVDConnections table | +> | Microsoft.Insights/Logs/WVDErrors/Read | Read data from the WVDErrors table | +> | Microsoft.Insights/Logs/WVDFeeds/Read | Read data from the WVDFeeds table | +> | Microsoft.Insights/Logs/WVDHostRegistrations/Read | Read data from the WVDHostRegistrations table | +> | Microsoft.Insights/Logs/WVDManagement/Read | Read data from the WVDManagement table | +> | Microsoft.Insights/MetricAlerts/Write | Create or update a metric alert | +> | Microsoft.Insights/MetricAlerts/Delete | Delete a metric alert | +> | Microsoft.Insights/MetricAlerts/Read | Read a metric alert | +> | Microsoft.Insights/MetricAlerts/Status/Read | Read metric alert status | +> | Microsoft.Insights/MetricBaselines/Read | Read metric baselines | +> | Microsoft.Insights/MetricDefinitions/Read | Read metric definitions | +> | Microsoft.Insights/MetricDefinitions/Microsoft.Insights/Read | Read metric definitions | +> | Microsoft.Insights/MetricDefinitions/providers/Microsoft.Insights/Read | Read metric definitions | +> | Microsoft.Insights/Metricnamespaces/Read | Read metric namespaces | +> | Microsoft.Insights/Metrics/Read | Read metrics | +> | Microsoft.Insights/Metrics/Microsoft.Insights/Read | Read metrics | +> | Microsoft.Insights/Metrics/providers/Metrics/Read | Read metrics | +> | Microsoft.Insights/MonitoredObjects/Read | Read a monitored object | +> | Microsoft.Insights/MonitoredObjects/Write | Create or update a monitored object | +> | Microsoft.Insights/MonitoredObjects/Delete | Delete a monitored object | +> | Microsoft.Insights/MyWorkbooks/Read | Read a private Workbook | +> | Microsoft.Insights/MyWorkbooks/Delete | Delete 
a private workbook | +> | Microsoft.Insights/NotificationStatus/Read | Get the test notification status/detail | +> | Microsoft.Insights/Operations/Read | Read operations | +> | Microsoft.Insights/PrivateLinkScopeOperationStatuses/Read | Read a private link scoped operation status | +> | Microsoft.Insights/PrivateLinkScopes/Read | Read a private link scope | +> | Microsoft.Insights/PrivateLinkScopes/Write | Create or update a private link scope | +> | Microsoft.Insights/PrivateLinkScopes/Delete | Delete a private link scope | +> | Microsoft.Insights/PrivateLinkScopes/PrivateEndpointConnectionsApproval/action | Approve or reject a connection to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.Insights/PrivateLinkScopes/PrivateEndpointConnectionProxies/Read | Read a private endpoint connection proxy | +> | Microsoft.Insights/PrivateLinkScopes/PrivateEndpointConnectionProxies/Write | Create or update a private endpoint connection proxy | +> | Microsoft.Insights/PrivateLinkScopes/PrivateEndpointConnectionProxies/Delete | Delete a private endpoint connection proxy | +> | Microsoft.Insights/PrivateLinkScopes/PrivateEndpointConnectionProxies/Validate/Action | Validate a private endpoint connection proxy | +> | Microsoft.Insights/PrivateLinkScopes/PrivateEndpointConnections/Read | Read a private endpoint connection | +> | Microsoft.Insights/PrivateLinkScopes/PrivateEndpointConnections/Write | Create or update a private endpoint connection | +> | Microsoft.Insights/PrivateLinkScopes/PrivateEndpointConnections/Delete | Delete a private endpoint connection | +> | Microsoft.Insights/PrivateLinkScopes/PrivateLinkResources/Read | Read a private link resource | +> | Microsoft.Insights/PrivateLinkScopes/ScopedResources/Read | Read a private link scoped resource | +> | Microsoft.Insights/PrivateLinkScopes/ScopedResources/Write | Create or update a private link scoped resource | +> | Microsoft.Insights/PrivateLinkScopes/ScopedResources/Delete | Delete a 
private link scoped resource | +> | Microsoft.Insights/ScheduledQueryRules/Write | Writing a scheduled query rule | +> | Microsoft.Insights/ScheduledQueryRules/Read | Reading a scheduled query rule | +> | Microsoft.Insights/ScheduledQueryRules/Delete | Deleting a scheduled query rule | +> | Microsoft.Insights/ScheduledQueryRules/NetworkSecurityPerimeterAssociationProxies/Read | Reading a network security perimeter association proxy for scheduled query rules | +> | Microsoft.Insights/ScheduledQueryRules/NetworkSecurityPerimeterAssociationProxies/Write | Writing a network security perimeter association proxy for scheduled query rules | +> | Microsoft.Insights/ScheduledQueryRules/NetworkSecurityPerimeterAssociationProxies/Delete | Deleting a network security perimeter association proxy for scheduled query rules | +> | Microsoft.Insights/ScheduledQueryRules/networkSecurityPerimeterConfigurations/Read | Reading a network security perimeter configuration for scheduled query rules | +> | Microsoft.Insights/ScheduledQueryRules/networkSecurityPerimeterConfigurations/Write | Writing a network security perimeter configuration for scheduled query rules | +> | Microsoft.Insights/ScheduledQueryRules/networkSecurityPerimeterConfigurations/Delete | Deleting a network security perimeter configuration for scheduled query rules | +> | Microsoft.Insights/TenantActionGroups/Write | Create or update a tenant action group | +> | Microsoft.Insights/TenantActionGroups/Delete | Delete a tenant action group | +> | Microsoft.Insights/TenantActionGroups/Read | Read a tenant action group | +> | Microsoft.Insights/Tenants/Register/Action | Initializes the Microsoft Insights provider | +> | Microsoft.Insights/topology/Read | Read Topology | +> | Microsoft.Insights/transactions/Read | Read Transactions | +> | Microsoft.Insights/Webtests/Write | Writing to a webtest configuration | +> | Microsoft.Insights/Webtests/Delete | Deleting a webtest configuration | +> | Microsoft.Insights/Webtests/Read | 
Reading a webtest configuration | +> | Microsoft.Insights/Webtests/GetToken/Read | Reading a webtest token | +> | Microsoft.Insights/Webtests/MetricDefinitions/Read | Reading a webtest metric definitions | +> | Microsoft.Insights/Webtests/Metrics/Read | Reading a webtest metrics | +> | Microsoft.Insights/Workbooks/Write | Create or update a workbook | +> | Microsoft.Insights/Workbooks/Delete | Delete a workbook | +> | Microsoft.Insights/Workbooks/Read | Read a workbook | +> | Microsoft.Insights/Workbooks/Revisions/Read | Get the workbook revisions | +> | Microsoft.Insights/WorkbookTemplates/Write | Create or update a workbook template | +> | Microsoft.Insights/WorkbookTemplates/Delete | Delete a workbook template | +> | Microsoft.Insights/WorkbookTemplates/Read | Read a workbook template | +> | **DataAction** | **Description** | +> | Microsoft.Insights/DataCollectionRules/Data/Write | Send data to a data collection rule | +> | Microsoft.Insights/Metrics/Write | Write metrics | +> | Microsoft.Insights/Telemetry/Write | Write telemetry | ++## Microsoft.Monitor ++Azure service: [Azure Monitor](/azure/azure-monitor/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | microsoft.monitor/accounts/read | Read any Monitoring Account | +> | microsoft.monitor/accounts/write | Create or Update any Monitoring Account | +> | microsoft.monitor/accounts/delete | Delete any Monitoring Account | +> | microsoft.monitor/accounts/privateEndpointConnectionsApproval/action | Give approval to any Monitoring Account Private Endpoint Connection | +> | microsoft.monitor/accounts/accessPolicies/read | Read any Monitoring Account Access Policy | +> | microsoft.monitor/accounts/accessPolicies/write | Create or Update any Monitoring Account Access Policy | +> | microsoft.monitor/accounts/accessPolicies/delete | Delete any Monitoring Account Access Policy | +> | microsoft.monitor/accounts/privateEndpointConnectionProxies/read | Read any Monitoring Account Private Endpoint 
Connection Proxy | +> | microsoft.monitor/accounts/privateEndpointConnectionProxies/write | Create or Update any Monitoring Account Private Endpoint Connection Proxy | +> | microsoft.monitor/accounts/privateEndpointConnectionProxies/delete | Delete any Monitoring Account Private Endpoint Connection Proxy | +> | microsoft.monitor/accounts/privateEndpointConnectionProxies/validate/action | Perform validation on any Monitoring Account Private Endpoint Connection Proxy | +> | microsoft.monitor/accounts/privateEndpointConnectionProxies/operationResults/read | Read Status of any Private Endpoint Connection Proxy Asynchronous Operation | +> | microsoft.monitor/accounts/privateEndpointConnections/read | Read any Monitoring Account Private Endpoint Connection | +> | microsoft.monitor/accounts/privateEndpointConnections/write | Create or Update any Monitoring Account Private Endpoint Connection | +> | microsoft.monitor/accounts/privateEndpointConnections/delete | Delete any Monitoring Account Private Endpoint Connection | +> | microsoft.monitor/accounts/privateEndpointConnections/operationResults/read | Read Status of any Private Endpoint Connections Asynchronous Operation | +> | microsoft.monitor/accounts/privateLinkResources/read | Read all Monitoring Account Private Link Resources | +> | microsoft.monitor/locations/operationStatuses/read | Read any Operation Status | +> | microsoft.monitor/locations/operationStatuses/write | Create or Update any Operation Status | +> | microsoft.monitor/operations/read | Read All Operations | +> | microsoft.monitor/pipelineGroups/read | Read any Pipeline Group | +> | microsoft.monitor/pipelineGroups/write | Create or Update any Pipeline Group | +> | microsoft.monitor/pipelineGroups/delete | Delete any Pipeline Group | +> | **DataAction** | **Description** | +> | microsoft.monitor/accounts/data/metrics/read | Read metrics data in any Monitoring Account | +> | microsoft.monitor/accounts/data/metrics/write | Write metrics data to any 
Monitoring Account | ++## Microsoft.OperationalInsights ++Azure service: [Azure Monitor](/azure/azure-monitor/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.OperationalInsights/register/action | Register a subscription to a resource provider. | +> | Microsoft.OperationalInsights/unregister/action | UnRegister a subscription to a resource provider. | +> | Microsoft.OperationalInsights/querypacks/action | Perform Query Pack Action. | +> | microsoft.operationalinsights/unregister/action | Unregisters the subscription. | +> | microsoft.operationalinsights/querypacks/action | Perform Query Packs Actions. | +> | microsoft.operationalinsights/availableservicetiers/read | Get the available service tiers. | +> | Microsoft.OperationalInsights/clusters/read | Get Cluster | +> | Microsoft.OperationalInsights/clusters/write | Create or updates a Cluster | +> | Microsoft.OperationalInsights/clusters/delete | Delete Cluster | +> | Microsoft.OperationalInsights/deletedworkspaces/read | Lists workspaces in soft deleted period. | +> | Microsoft.OperationalInsights/linktargets/read | Lists workspaces in soft deleted period. | +> | Microsoft.OperationalInsights/locations/operationstatuses/read | Get Log Analytics Azure Async Operation Status | +> | microsoft.operationalinsights/locations/operationStatuses/read | Get Log Analytics Azure Async Operation Status. | +> | Microsoft.OperationalInsights/operations/read | Lists all of the available OperationalInsights REST API operations. | +> | microsoft.operationalinsights/operations/read | Lists all of the available OperationalInsights REST API operations. | +> | Microsoft.OperationalInsights/querypacks/read | Get Query Pack. | +> | Microsoft.OperationalInsights/querypacks/write | Create or update Query Pack. | +> | Microsoft.OperationalInsights/querypacks/delete | Delete Query Pack. | +> | microsoft.operationalinsights/querypacks/write | Create or Update Query Packs. 
| +> | microsoft.operationalinsights/querypacks/read | Get Query Packs. | +> | microsoft.operationalinsights/querypacks/delete | Delete Query Packs. | +> | microsoft.operationalinsights/querypacks/queries/action | Perform Actions on Queries in QueryPack. | +> | microsoft.operationalinsights/querypacks/queries/write | Create or Update Query Pack Queries. | +> | microsoft.operationalinsights/querypacks/queries/read | Get Query Pack Queries. | +> | microsoft.operationalinsights/querypacks/queries/delete | Delete Query Pack Queries. | +> | Microsoft.OperationalInsights/workspaces/write | Creates a new workspace or links to an existing workspace by providing the customer id from the existing workspace. | +> | Microsoft.OperationalInsights/workspaces/read | Gets an existing workspace | +> | Microsoft.OperationalInsights/workspaces/delete | Deletes a workspace. If the workspace was linked to an existing workspace at creation time then the workspace it was linked to is not deleted. | +> | Microsoft.OperationalInsights/workspaces/generateRegistrationCertificate/action | Generates Registration Certificate for the workspace. This Certificate is used to connect Microsoft System Center Operation Manager to the workspace. | +> | Microsoft.OperationalInsights/workspaces/sharedkeys/action | Retrieves the shared keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace. | +> | Microsoft.OperationalInsights/workspaces/listKeys/action | Retrieves the list keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace. | +> | Microsoft.OperationalInsights/workspaces/regenerateSharedKey/action | Regenerates the specified workspace shared key | +> | Microsoft.OperationalInsights/workspaces/search/action | Executes a search query | +> | Microsoft.OperationalInsights/workspaces/purge/action | Delete specified data by query from workspace. 
| +> | microsoft.operationalinsights/workspaces/customfields/action | Extract custom fields. | +> | Microsoft.OperationalInsights/workspaces/analytics/query/action | Search using new engine. | +> | Microsoft.OperationalInsights/workspaces/analytics/query/schema/read | Get search schema V2. | +> | Microsoft.OperationalInsights/workspaces/api/query/action | Search using new engine. | +> | Microsoft.OperationalInsights/workspaces/api/query/schema/read | Get search schema V2. | +> | Microsoft.OperationalInsights/workspaces/availableservicetiers/read | List of all the available service tiers for workspace. | +> | Microsoft.OperationalInsights/workspaces/configurationscopes/read | Get configuration scope in a workspace. | +> | Microsoft.OperationalInsights/workspaces/configurationscopes/write | Create configuration scope in a workspace. | +> | Microsoft.OperationalInsights/workspaces/configurationscopes/delete | Delete configuration scope in a workspace. | +> | microsoft.operationalinsights/workspaces/customfields/read | Get a custom field. | +> | microsoft.operationalinsights/workspaces/customfields/write | Create or update a custom field. | +> | microsoft.operationalinsights/workspaces/customfields/delete | Delete a custom field. | +> | Microsoft.OperationalInsights/workspaces/dataexports/read | Get data export. | +> | Microsoft.OperationalInsights/workspaces/dataexports/write | Create or update specific data export. | +> | Microsoft.OperationalInsights/workspaces/dataexports/delete | Delete specific Data Export/ | +> | microsoft.operationalinsights/workspaces/dataExports/read | Get specific data export. | +> | microsoft.operationalinsights/workspaces/dataExports/write | Create or update data export. | +> | microsoft.operationalinsights/workspaces/dataExports/delete | Delete specific data export. | +> | Microsoft.OperationalInsights/workspaces/datasources/read | Get data source under a workspace. 
| +> | Microsoft.OperationalInsights/workspaces/datasources/write | Upsert Data Source | +> | Microsoft.OperationalInsights/workspaces/datasources/delete | Delete data source under a workspace. | +> | Microsoft.OperationalInsights/workspaces/features/clientGroups/members/read | Get the Client Groups Members of a resource. | +> | microsoft.operationalinsights/workspaces/features/clientgroups/memebers/read | Get Client Group Members of a resource. | +> | Microsoft.OperationalInsights/workspaces/features/generateMap/read | Get the Service Map of a resource. | +> | microsoft.operationalinsights/workspaces/features/generateMap/read | Get the Service Map of a resource. | +> | Microsoft.OperationalInsights/workspaces/features/machineGroups/read | Get the Service Map Machine Groups of a resource. | +> | microsoft.operationalinsights/workspaces/features/machineGroups/read | Get the Service Map Machine Groups. | +> | Microsoft.OperationalInsights/workspaces/features/serverGroups/members/read | Get the Server Groups Members of a resource. | +> | microsoft.operationalinsights/workspaces/features/servergroups/members/read | Get Server Group Members of a resource. | +> | Microsoft.OperationalInsights/workspaces/gateways/delete | Removes a gateway configured for the workspace. | +> | Microsoft.OperationalInsights/workspaces/intelligencepacks/read | Lists all intelligence packs that are visible for a given workspace and also lists whether the pack is enabled or disabled for that workspace. | +> | Microsoft.OperationalInsights/workspaces/intelligencepacks/enable/action | Enables an intelligence pack for a given workspace. | +> | Microsoft.OperationalInsights/workspaces/intelligencepacks/disable/action | Disables an intelligence pack for a given workspace. | +> | Microsoft.OperationalInsights/workspaces/linkedservices/read | Get linked services under given workspace. 
| +> | Microsoft.OperationalInsights/workspaces/linkedservices/write | Create or update linked services under given workspace. | +> | Microsoft.OperationalInsights/workspaces/linkedservices/delete | Delete linked services under given workspace. | +> | Microsoft.OperationalInsights/workspaces/listKeys/read | Retrieves the list keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace. | +> | Microsoft.OperationalInsights/workspaces/managementgroups/read | Gets the names and metadata for System Center Operations Manager management groups connected to this workspace. | +> | Microsoft.OperationalInsights/workspaces/metricDefinitions/read | Get Metric Definitions under workspace | +> | microsoft.operationalinsights/workspaces/networkSecurityPerimeterAssociationProxies/read | Read Network Security Perimeter Association Proxies | +> | microsoft.operationalinsights/workspaces/networkSecurityPerimeterAssociationProxies/write | Write Network Security Perimeter Association Proxies | +> | microsoft.operationalinsights/workspaces/networkSecurityPerimeterAssociationProxies/delete | Delete Network Security Perimeter Association Proxies | +> | microsoft.operationalinsights/workspaces/networkSecurityPerimeterConfigurations/read | Read Network Security Perimeter Configurations | +> | microsoft.operationalinsights/workspaces/networkSecurityPerimeterConfigurations/write | Write Network Security Perimeter Configurations | +> | microsoft.operationalinsights/workspaces/networkSecurityPerimeterConfigurations/delete | Delete Network Security Perimeter Configurations | +> | Microsoft.OperationalInsights/workspaces/notificationsettings/read | Get the user's notification settings for the workspace. | +> | Microsoft.OperationalInsights/workspaces/notificationsettings/write | Set the user's notification settings for the workspace. 
| +> | Microsoft.OperationalInsights/workspaces/notificationsettings/delete | Delete the user's notification settings for the workspace. | +> | Microsoft.OperationalInsights/workspaces/operations/read | Gets the status of an OperationalInsights workspace operation. | +> | microsoft.operationalinsights/workspaces/operations/read | Gets the status of an OperationalInsights workspace operation. | +> | Microsoft.OperationalInsights/workspaces/providers/Microsoft.Insights/diagnosticSettings/Read | Gets the diagnostic setting for the resource | +> | Microsoft.OperationalInsights/workspaces/providers/Microsoft.Insights/diagnosticSettings/Write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.OperationalInsights/workspaces/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for a Workspace | +> | Microsoft.OperationalInsights/workspaces/query/read | Run queries over the data in the workspace | +> | Microsoft.OperationalInsights/workspaces/query/AACAudit/read | Read data from the AACAudit table | +> | Microsoft.OperationalInsights/workspaces/query/AACHttpRequest/read | Read data from the AACHttpRequest table | +> | Microsoft.OperationalInsights/workspaces/query/AADB2CRequestLogs/read | Read data from the AADB2CRequestLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AADCustomSecurityAttributeAuditLogs/read | Read data from the AADCustomSecurityAttributeAuditLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AADDomainServicesAccountLogon/read | Read data from the AADDomainServicesAccountLogon table | +> | Microsoft.OperationalInsights/workspaces/query/AADDomainServicesAccountManagement/read | Read data from the AADDomainServicesAccountManagement table | +> | Microsoft.OperationalInsights/workspaces/query/AADDomainServicesDirectoryServiceAccess/read | Read data from the AADDomainServicesDirectoryServiceAccess table | +> | 
Microsoft.OperationalInsights/workspaces/query/AADDomainServicesDNSAuditsDynamicUpdates/read | Read data from the AADDomainServicesDNSAuditsDynamicUpdates table | +> | Microsoft.OperationalInsights/workspaces/query/AADDomainServicesDNSAuditsGeneral/read | Read data from the AADDomainServicesDNSAuditsGeneral table | +> | Microsoft.OperationalInsights/workspaces/query/AADDomainServicesLogonLogoff/read | Read data from the AADDomainServicesLogonLogoff table | +> | Microsoft.OperationalInsights/workspaces/query/AADDomainServicesPolicyChange/read | Read data from the AADDomainServicesPolicyChange table | +> | Microsoft.OperationalInsights/workspaces/query/AADDomainServicesPrivilegeUse/read | Read data from the AADDomainServicesPrivilegeUse table | +> | Microsoft.OperationalInsights/workspaces/query/AADManagedIdentitySignInLogs/read | Read data from the AADManagedIdentitySignInLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AADNonInteractiveUserSignInLogs/read | Read data from the AADNonInteractiveUserSignInLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AADProvisioningLogs/read | Read data from the AADProvisioningLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AADRiskyServicePrincipals/read | Read data from the AADRiskyServicePrincipals table | +> | Microsoft.OperationalInsights/workspaces/query/AADRiskyUsers/read | Read data from the AADRiskyUsers table | +> | Microsoft.OperationalInsights/workspaces/query/AADServicePrincipalRiskEvents/read | Read data from the AADServicePrincipalRiskEvents table | +> | Microsoft.OperationalInsights/workspaces/query/AADServicePrincipalSignInLogs/read | Read data from the AADServicePrincipalSignInLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AADUserRiskEvents/read | Read data from the AADUserRiskEvents table | +> | Microsoft.OperationalInsights/workspaces/query/ABSBotRequests/read | Read data from the ABSBotRequests table | +> | 
Microsoft.OperationalInsights/workspaces/query/ABSChannelToBotRequests/read | Read data from the ABSChannelToBotRequests table | +> | Microsoft.OperationalInsights/workspaces/query/ABSDependenciesRequests/read | Read data from the ABSDependenciesRequests table | +> | Microsoft.OperationalInsights/workspaces/query/ACICollaborationAudit/read | Read data from the ACICollaborationAudit table | +> | Microsoft.OperationalInsights/workspaces/query/ACRConnectedClientList/read | Read data from the ACRConnectedClientList table | +> | Microsoft.OperationalInsights/workspaces/query/ACSAuthIncomingOperations/read | Read data from the ACSAuthIncomingOperations table | +> | Microsoft.OperationalInsights/workspaces/query/ACSBillingUsage/read | Read data from the ACSBillingUsage table | +> | Microsoft.OperationalInsights/workspaces/query/ACSCallAutomationIncomingOperations/read | Read data from the ACSCallAutomationIncomingOperations table | +> | Microsoft.OperationalInsights/workspaces/query/ACSCallAutomationMediaSummary/read | Read data from the ACSCallAutomationMediaSummary table | +> | Microsoft.OperationalInsights/workspaces/query/ACSCallClientMediaStatsTimeSeries/read | Read data from the ACSCallClientMediaStatsTimeSeries table | +> | Microsoft.OperationalInsights/workspaces/query/ACSCallClientOperations/read | Read data from the ACSCallClientOperations table | +> | Microsoft.OperationalInsights/workspaces/query/ACSCallClosedCaptionsSummary/read | Read data from the ACSCallClosedCaptionsSummary table | +> | Microsoft.OperationalInsights/workspaces/query/ACSCallDiagnostics/read | Read data from the ACSCallDiagnostics table | +> | Microsoft.OperationalInsights/workspaces/query/ACSCallRecordingIncomingOperations/read | Read data from the ACSCallRecordingIncomingOperations table | +> | Microsoft.OperationalInsights/workspaces/query/ACSCallRecordingSummary/read | Read data from the ACSCallRecordingSummary table | +> | 
Microsoft.OperationalInsights/workspaces/query/ACSCallSummary/read | Read data from the ACSCallSummary table | +> | Microsoft.OperationalInsights/workspaces/query/ACSCallSurvey/read | Read data from the ACSCallSurvey table | +> | Microsoft.OperationalInsights/workspaces/query/ACSChatIncomingOperations/read | Read data from the ACSChatIncomingOperations table | +> | Microsoft.OperationalInsights/workspaces/query/ACSEmailSendMailOperational/read | Read data from the ACSEmailSendMailOperational table | +> | Microsoft.OperationalInsights/workspaces/query/ACSEmailStatusUpdateOperational/read | Read data from the ACSEmailStatusUpdateOperational table | +> | Microsoft.OperationalInsights/workspaces/query/ACSEmailUserEngagementOperational/read | Read data from the ACSEmailUserEngagementOperational table | +> | Microsoft.OperationalInsights/workspaces/query/ACSJobRouterIncomingOperations/read | Read data from the ACSJobRouterIncomingOperations table | +> | Microsoft.OperationalInsights/workspaces/query/ACSNetworkTraversalDiagnostics/read | Read data from the ACSNetworkTraversalDiagnostics table | +> | Microsoft.OperationalInsights/workspaces/query/ACSNetworkTraversalIncomingOperations/read | Read data from the ACSNetworkTraversalIncomingOperations table | +> | Microsoft.OperationalInsights/workspaces/query/ACSRoomsIncomingOperations/read | Read data from the ACSRoomsIncomingOperations table | +> | Microsoft.OperationalInsights/workspaces/query/ACSSMSIncomingOperations/read | Read data from the ACSSMSIncomingOperations table | +> | Microsoft.OperationalInsights/workspaces/query/ADAssessmentRecommendation/read | Read data from the ADAssessmentRecommendation table | +> | Microsoft.OperationalInsights/workspaces/query/AddonAzureBackupAlerts/read | Read data from the AddonAzureBackupAlerts table | +> | Microsoft.OperationalInsights/workspaces/query/AddonAzureBackupJobs/read | Read data from the AddonAzureBackupJobs table | +> | 
Microsoft.OperationalInsights/workspaces/query/AddonAzureBackupPolicy/read | Read data from the AddonAzureBackupPolicy table | +> | Microsoft.OperationalInsights/workspaces/query/AddonAzureBackupProtectedInstance/read | Read data from the AddonAzureBackupProtectedInstance table | +> | Microsoft.OperationalInsights/workspaces/query/AddonAzureBackupStorage/read | Read data from the AddonAzureBackupStorage table | +> | Microsoft.OperationalInsights/workspaces/query/ADFActivityRun/read | Read data from the ADFActivityRun table | +> | Microsoft.OperationalInsights/workspaces/query/ADFAirflowSchedulerLogs/read | Read data from the ADFAirflowSchedulerLogs table | +> | Microsoft.OperationalInsights/workspaces/query/ADFAirflowTaskLogs/read | Read data from the ADFAirflowTaskLogs table | +> | Microsoft.OperationalInsights/workspaces/query/ADFAirflowWebLogs/read | Read data from the ADFAirflowWebLogs table | +> | Microsoft.OperationalInsights/workspaces/query/ADFAirflowWorkerLogs/read | Read data from the ADFAirflowWorkerLogs table | +> | Microsoft.OperationalInsights/workspaces/query/ADFPipelineRun/read | Read data from the ADFPipelineRun table | +> | Microsoft.OperationalInsights/workspaces/query/ADFSandboxActivityRun/read | Read data from the ADFSandboxActivityRun table | +> | Microsoft.OperationalInsights/workspaces/query/ADFSandboxPipelineRun/read | Read data from the ADFSandboxPipelineRun table | +> | Microsoft.OperationalInsights/workspaces/query/ADFSSignInLogs/read | Read data from the ADFSSignInLogs table | +> | Microsoft.OperationalInsights/workspaces/query/ADFSSISIntegrationRuntimeLogs/read | Read data from the ADFSSISIntegrationRuntimeLogs table | +> | Microsoft.OperationalInsights/workspaces/query/ADFSSISPackageEventMessageContext/read | Read data from the ADFSSISPackageEventMessageContext table | +> | Microsoft.OperationalInsights/workspaces/query/ADFSSISPackageEventMessages/read | Read data from the ADFSSISPackageEventMessages table | +> | 
Microsoft.OperationalInsights/workspaces/query/ADFSSISPackageExecutableStatistics/read | Read data from the ADFSSISPackageExecutableStatistics table | +> | Microsoft.OperationalInsights/workspaces/query/ADFSSISPackageExecutionComponentPhases/read | Read data from the ADFSSISPackageExecutionComponentPhases table | +> | Microsoft.OperationalInsights/workspaces/query/ADFSSISPackageExecutionDataStatistics/read | Read data from the ADFSSISPackageExecutionDataStatistics table | +> | Microsoft.OperationalInsights/workspaces/query/ADFTriggerRun/read | Read data from the ADFTriggerRun table | +> | Microsoft.OperationalInsights/workspaces/query/ADPAudit/read | Read data from the ADPAudit table | +> | Microsoft.OperationalInsights/workspaces/query/ADPDiagnostics/read | Read data from the ADPDiagnostics table | +> | Microsoft.OperationalInsights/workspaces/query/ADPRequests/read | Read data from the ADPRequests table | +> | Microsoft.OperationalInsights/workspaces/query/ADReplicationResult/read | Read data from the ADReplicationResult table | +> | Microsoft.OperationalInsights/workspaces/query/ADSecurityAssessmentRecommendation/read | Read data from the ADSecurityAssessmentRecommendation table | +> | Microsoft.OperationalInsights/workspaces/query/ADTDataHistoryOperation/read | Read data from the ADTDataHistoryOperation table | +> | Microsoft.OperationalInsights/workspaces/query/ADTDigitalTwinsOperation/read | Read data from the ADTDigitalTwinsOperation table | +> | Microsoft.OperationalInsights/workspaces/query/ADTEventRoutesOperation/read | Read data from the ADTEventRoutesOperation table | +> | Microsoft.OperationalInsights/workspaces/query/ADTModelsOperation/read | Read data from the ADTModelsOperation table | +> | Microsoft.OperationalInsights/workspaces/query/ADTQueryOperation/read | Read data from the ADTQueryOperation table | +> | Microsoft.OperationalInsights/workspaces/query/ADXCommand/read | Read data from the ADXCommand table | +> | 
Microsoft.OperationalInsights/workspaces/query/ADXIngestionBatching/read | Read data from the ADXIngestionBatching table | +> | Microsoft.OperationalInsights/workspaces/query/ADXJournal/read | Read data from the ADXJournal table | +> | Microsoft.OperationalInsights/workspaces/query/ADXQuery/read | Read data from the ADXQuery table | +> | Microsoft.OperationalInsights/workspaces/query/ADXTableDetails/read | Read data from the ADXTableDetails table | +> | Microsoft.OperationalInsights/workspaces/query/ADXTableUsageStatistics/read | Read data from the ADXTableUsageStatistics table | +> | Microsoft.OperationalInsights/workspaces/query/AegDataPlaneRequests/read | Read data from the AegDataPlaneRequests table | +> | Microsoft.OperationalInsights/workspaces/query/AegDeliveryFailureLogs/read | Read data from the AegDeliveryFailureLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AegPublishFailureLogs/read | Read data from the AegPublishFailureLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AEWAssignmentBlobLogs/read | Read data from the AEWAssignmentBlobLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AEWAuditLogs/read | Read data from the AEWAuditLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AEWComputePipelinesLogs/read | Read data from the AEWComputePipelinesLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AFSAuditLogs/read | Read data from the AFSAuditLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AGCAccessLogs/read | Read data from the AGCAccessLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AgriFoodApplicationAuditLogs/read | Read data from the AgriFoodApplicationAuditLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AgriFoodFarmManagementLogs/read | Read data from the AgriFoodFarmManagementLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AgriFoodFarmOperationLogs/read | Read data from the AgriFoodFarmOperationLogs table 
| +> | Microsoft.OperationalInsights/workspaces/query/AgriFoodInsightLogs/read | Read data from the AgriFoodInsightLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AgriFoodJobProcessedLogs/read | Read data from the AgriFoodJobProcessedLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AgriFoodModelInferenceLogs/read | Read data from the AgriFoodModelInferenceLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AgriFoodProviderAuthLogs/read | Read data from the AgriFoodProviderAuthLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AgriFoodSatelliteLogs/read | Read data from the AgriFoodSatelliteLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AgriFoodSensorManagementLogs/read | Read data from the AgriFoodSensorManagementLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AgriFoodWeatherLogs/read | Read data from the AgriFoodWeatherLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AGSGrafanaLoginEvents/read | Read data from the AGSGrafanaLoginEvents table | +> | Microsoft.OperationalInsights/workspaces/query/AGWAccessLogs/read | Read data from the AGWAccessLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AGWFirewallLogs/read | Read data from the AGWFirewallLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AGWPerformanceLogs/read | Read data from the AGWPerformanceLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AHDSDicomAuditLogs/read | Read data from the AHDSDicomAuditLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AHDSDicomDiagnosticLogs/read | Read data from the AHDSDicomDiagnosticLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AHDSMedTechDiagnosticLogs/read | Read data from the AHDSMedTechDiagnosticLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AirflowDagProcessingLogs/read | Read data from the AirflowDagProcessingLogs table | +> | 
Microsoft.OperationalInsights/workspaces/query/AKSAudit/read | Read data from the AKSAudit table | +> | Microsoft.OperationalInsights/workspaces/query/AKSAuditAdmin/read | Read data from the AKSAuditAdmin table | +> | Microsoft.OperationalInsights/workspaces/query/AKSControlPlane/read | Read data from the AKSControlPlane table | +> | Microsoft.OperationalInsights/workspaces/query/Alert/read | Read data from the Alert table | +> | Microsoft.OperationalInsights/workspaces/query/AlertEvidence/read | Read data from the AlertEvidence table | +> | Microsoft.OperationalInsights/workspaces/query/AlertHistory/read | Read data from the AlertHistory table | +> | Microsoft.OperationalInsights/workspaces/query/AlertInfo/read | Read data from the AlertInfo table | +> | Microsoft.OperationalInsights/workspaces/query/AmlComputeClusterEvent/read | Read data from the AmlComputeClusterEvent table | +> | Microsoft.OperationalInsights/workspaces/query/AmlComputeClusterNodeEvent/read | Read data from the AmlComputeClusterNodeEvent table | +> | Microsoft.OperationalInsights/workspaces/query/AmlComputeCpuGpuUtilization/read | Read data from the AmlComputeCpuGpuUtilization table | +> | Microsoft.OperationalInsights/workspaces/query/AmlComputeInstanceEvent/read | Read data from the AmlComputeInstanceEvent table | +> | Microsoft.OperationalInsights/workspaces/query/AmlComputeJobEvent/read | Read data from the AmlComputeJobEvent table | +> | Microsoft.OperationalInsights/workspaces/query/AmlDataLabelEvent/read | Read data from the AmlDataLabelEvent table | +> | Microsoft.OperationalInsights/workspaces/query/AmlDataSetEvent/read | Read data from the AmlDataSetEvent table | +> | Microsoft.OperationalInsights/workspaces/query/AmlDataStoreEvent/read | Read data from the AmlDataStoreEvent table | +> | Microsoft.OperationalInsights/workspaces/query/AmlDeploymentEvent/read | Read data from the AmlDeploymentEvent table | +> | Microsoft.OperationalInsights/workspaces/query/AmlEnvironmentEvent/read | 
Read data from the AmlEnvironmentEvent table | +> | Microsoft.OperationalInsights/workspaces/query/AmlInferencingEvent/read | Read data from the AmlInferencingEvent table | +> | Microsoft.OperationalInsights/workspaces/query/AmlModelsEvent/read | Read data from the AmlModelsEvent table | +> | Microsoft.OperationalInsights/workspaces/query/AmlOnlineEndpointConsoleLog/read | Read data from the AmlOnlineEndpointConsoleLog table | +> | Microsoft.OperationalInsights/workspaces/query/AmlOnlineEndpointEventLog/read | Read data from the AmlOnlineEndpointEventLog table | +> | Microsoft.OperationalInsights/workspaces/query/AmlOnlineEndpointTrafficLog/read | Read data from the AmlOnlineEndpointTrafficLog table | +> | Microsoft.OperationalInsights/workspaces/query/AmlPipelineEvent/read | Read data from the AmlPipelineEvent table | +> | Microsoft.OperationalInsights/workspaces/query/AmlRegistryReadEventsLog/read | Read data from the AmlRegistryReadEventsLog table | +> | Microsoft.OperationalInsights/workspaces/query/AmlRegistryWriteEventsLog/read | Read data from the AmlRegistryWriteEventsLog table | +> | Microsoft.OperationalInsights/workspaces/query/AmlRunEvent/read | Read data from the AmlRunEvent table | +> | Microsoft.OperationalInsights/workspaces/query/AmlRunStatusChangedEvent/read | Read data from the AmlRunStatusChangedEvent table | +> | Microsoft.OperationalInsights/workspaces/query/AMSKeyDeliveryRequests/read | Read data from the AMSKeyDeliveryRequests table | +> | Microsoft.OperationalInsights/workspaces/query/AMSLiveEventOperations/read | Read data from the AMSLiveEventOperations table | +> | Microsoft.OperationalInsights/workspaces/query/AMSMediaAccountHealth/read | Read data from the AMSMediaAccountHealth table | +> | Microsoft.OperationalInsights/workspaces/query/AMSStreamingEndpointRequests/read | Read data from the AMSStreamingEndpointRequests table | +> | Microsoft.OperationalInsights/workspaces/query/ANFFileAccess/read | Read data from the ANFFileAccess 
table | +> | Microsoft.OperationalInsights/workspaces/query/Anomalies/read | Read data from the Anomalies table | +> | Microsoft.OperationalInsights/workspaces/query/AOIDatabaseQuery/read | Read data from the AOIDatabaseQuery table | +> | Microsoft.OperationalInsights/workspaces/query/AOIDigestion/read | Read data from the AOIDigestion table | +> | Microsoft.OperationalInsights/workspaces/query/AOIStorage/read | Read data from the AOIStorage table | +> | Microsoft.OperationalInsights/workspaces/query/ApiManagementGatewayLogs/read | Read data from the ApiManagementGatewayLogs table | +> | Microsoft.OperationalInsights/workspaces/query/ApiManagementWebSocketConnectionLogs/read | Read data from the ApiManagementWebSocketConnectionLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AppAvailabilityResults/read | Read data from the AppAvailabilityResults table | +> | Microsoft.OperationalInsights/workspaces/query/AppBrowserTimings/read | Read data from the AppBrowserTimings table | +> | Microsoft.OperationalInsights/workspaces/query/AppCenterError/read | Read data from the AppCenterError table | +> | Microsoft.OperationalInsights/workspaces/query/AppDependencies/read | Read data from the AppDependencies table | +> | Microsoft.OperationalInsights/workspaces/query/AppEnvSpringAppConsoleLogs/read | Read data from the AppEnvSpringAppConsoleLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AppEvents/read | Read data from the AppEvents table | +> | Microsoft.OperationalInsights/workspaces/query/AppExceptions/read | Read data from the AppExceptions table | +> | Microsoft.OperationalInsights/workspaces/query/ApplicationInsights/read | Read data from the ApplicationInsights table | +> | Microsoft.OperationalInsights/workspaces/query/AppMetrics/read | Read data from the AppMetrics table | +> | Microsoft.OperationalInsights/workspaces/query/AppPageViews/read | Read data from the AppPageViews table | +> | 
Microsoft.OperationalInsights/workspaces/query/AppPerformanceCounters/read | Read data from the AppPerformanceCounters table | +> | Microsoft.OperationalInsights/workspaces/query/AppPlatformBuildLogs/read | Read data from the AppPlatformBuildLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AppPlatformContainerEventLogs/read | Read data from the AppPlatformContainerEventLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AppPlatformIngressLogs/read | Read data from the AppPlatformIngressLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AppPlatformLogsforSpring/read | Read data from the AppPlatformLogsforSpring table | +> | Microsoft.OperationalInsights/workspaces/query/AppPlatformSystemLogs/read | Read data from the AppPlatformSystemLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AppRequests/read | Read data from the AppRequests table | +> | Microsoft.OperationalInsights/workspaces/query/AppServiceAntivirusScanAuditLogs/read | Read data from the AppServiceAntivirusScanAuditLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AppServiceAppLogs/read | Read data from the AppServiceAppLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AppServiceAuditLogs/read | Read data from the AppServiceAuditLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AppServiceAuthenticationLogs/read | Read data from the AppServiceAuthenticationLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AppServiceConsoleLogs/read | Read data from the AppServiceConsoleLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AppServiceEnvironmentPlatformLogs/read | Read data from the AppServiceEnvironmentPlatformLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AppServiceFileAuditLogs/read | Read data from the AppServiceFileAuditLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AppServiceHTTPLogs/read | Read data from the AppServiceHTTPLogs table | +> | 
Microsoft.OperationalInsights/workspaces/query/AppServiceIPSecAuditLogs/read | Read data from the AppServiceIPSecAuditLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AppServicePlatformLogs/read | Read data from the AppServicePlatformLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AppServiceServerlessSecurityPluginData/read | Read data from the AppServiceServerlessSecurityPluginData table | +> | Microsoft.OperationalInsights/workspaces/query/AppSystemEvents/read | Read data from the AppSystemEvents table | +> | Microsoft.OperationalInsights/workspaces/query/AppTraces/read | Read data from the AppTraces table | +> | Microsoft.OperationalInsights/workspaces/query/ArcK8sAudit/read | Read data from the ArcK8sAudit table | +> | Microsoft.OperationalInsights/workspaces/query/ArcK8sAuditAdmin/read | Read data from the ArcK8sAuditAdmin table | +> | Microsoft.OperationalInsights/workspaces/query/ArcK8sControlPlane/read | Read data from the ArcK8sControlPlane table | +> | Microsoft.OperationalInsights/workspaces/query/ASCAuditLogs/read | Read data from the ASCAuditLogs table | +> | Microsoft.OperationalInsights/workspaces/query/ASCDeviceEvents/read | Read data from the ASCDeviceEvents table | +> | Microsoft.OperationalInsights/workspaces/query/ASimAuditEventLogs/read | Read data from the ASimAuditEventLogs table | +> | Microsoft.OperationalInsights/workspaces/query/ASimAuthenticationEventLogs/read | Read data from the ASimAuthenticationEventLogs table | +> | Microsoft.OperationalInsights/workspaces/query/ASimDhcpEventLogs/read | Read data from the ASimDhcpEventLogs table | +> | Microsoft.OperationalInsights/workspaces/query/ASimDnsActivityLogs/read | Read data from the ASimDnsActivityLogs table | +> | Microsoft.OperationalInsights/workspaces/query/ASimFileEventLogs/read | Read data from the ASimFileEventLogs table | +> | Microsoft.OperationalInsights/workspaces/query/ASimNetworkSessionLogs/read | Read data from the ASimNetworkSessionLogs 
table | +> | Microsoft.OperationalInsights/workspaces/query/ASimProcessEventLogs/read | Read data from the ASimProcessEventLogs table | +> | Microsoft.OperationalInsights/workspaces/query/ASimRegistryEventLogs/read | Read data from the ASimRegistryEventLogs table | +> | Microsoft.OperationalInsights/workspaces/query/ASimUserManagementActivityLogs/read | Read data from the ASimUserManagementActivityLogs table | +> | Microsoft.OperationalInsights/workspaces/query/ASimWebSessionLogs/read | Read data from the ASimWebSessionLogs table | +> | Microsoft.OperationalInsights/workspaces/query/ASRJobs/read | Read data from the ASRJobs table | +> | Microsoft.OperationalInsights/workspaces/query/ASRReplicatedItems/read | Read data from the ASRReplicatedItems table | +> | Microsoft.OperationalInsights/workspaces/query/ATCExpressRouteCircuitIpfix/read | Read data from the ATCExpressRouteCircuitIpfix table | +> | Microsoft.OperationalInsights/workspaces/query/AuditLogs/read | Read data from the AuditLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AUIEventsAudit/read | Read data from the AUIEventsAudit table | +> | Microsoft.OperationalInsights/workspaces/query/AUIEventsOperational/read | Read data from the AUIEventsOperational table | +> | Microsoft.OperationalInsights/workspaces/query/AutoscaleEvaluationsLog/read | Read data from the AutoscaleEvaluationsLog table | +> | Microsoft.OperationalInsights/workspaces/query/AutoscaleScaleActionsLog/read | Read data from the AutoscaleScaleActionsLog table | +> | Microsoft.OperationalInsights/workspaces/query/AVNMConnectivityConfigurationChange/read | Read data from the AVNMConnectivityConfigurationChange table | +> | Microsoft.OperationalInsights/workspaces/query/AVNMIPAMPoolAllocationChange/read | Read data from the AVNMIPAMPoolAllocationChange table | +> | Microsoft.OperationalInsights/workspaces/query/AVNMNetworkGroupMembershipChange/read | Read data from the AVNMNetworkGroupMembershipChange table | +> | 
Microsoft.OperationalInsights/workspaces/query/AVNMRuleCollectionChange/read | Read data from the AVNMRuleCollectionChange table | +> | Microsoft.OperationalInsights/workspaces/query/AVSSyslog/read | Read data from the AVSSyslog table | +> | Microsoft.OperationalInsights/workspaces/query/AWSCloudTrail/read | Read data from the AWSCloudTrail table | +> | Microsoft.OperationalInsights/workspaces/query/AWSCloudWatch/read | Read data from the AWSCloudWatch table | +> | Microsoft.OperationalInsights/workspaces/query/AWSGuardDuty/read | Read data from the AWSGuardDuty table | +> | Microsoft.OperationalInsights/workspaces/query/AWSVPCFlow/read | Read data from the AWSVPCFlow table | +> | Microsoft.OperationalInsights/workspaces/query/AZFWApplicationRule/read | Read data from the AZFWApplicationRule table | +> | Microsoft.OperationalInsights/workspaces/query/AZFWApplicationRuleAggregation/read | Read data from the AZFWApplicationRuleAggregation table | +> | Microsoft.OperationalInsights/workspaces/query/AZFWDnsQuery/read | Read data from the AZFWDnsQuery table | +> | Microsoft.OperationalInsights/workspaces/query/AZFWFatFlow/read | Read data from the AZFWFatFlow table | +> | Microsoft.OperationalInsights/workspaces/query/AZFWFlowTrace/read | Read data from the AZFWFlowTrace table | +> | Microsoft.OperationalInsights/workspaces/query/AZFWIdpsSignature/read | Read data from the AZFWIdpsSignature table | +> | Microsoft.OperationalInsights/workspaces/query/AZFWInternalFqdnResolutionFailure/read | Read data from the AZFWInternalFqdnResolutionFailure table | +> | Microsoft.OperationalInsights/workspaces/query/AZFWNatRule/read | Read data from the AZFWNatRule table | +> | Microsoft.OperationalInsights/workspaces/query/AZFWNatRuleAggregation/read | Read data from the AZFWNatRuleAggregation table | +> | Microsoft.OperationalInsights/workspaces/query/AZFWNetworkRule/read | Read data from the AZFWNetworkRule table | +> | 
Microsoft.OperationalInsights/workspaces/query/AZFWNetworkRuleAggregation/read | Read data from the AZFWNetworkRuleAggregation table | +> | Microsoft.OperationalInsights/workspaces/query/AZFWThreatIntel/read | Read data from the AZFWThreatIntel table | +> | Microsoft.OperationalInsights/workspaces/query/AZKVAuditLogs/read | Read data from the AZKVAuditLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AZKVPolicyEvaluationDetailsLogs/read | Read data from the AZKVPolicyEvaluationDetailsLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AZMSApplicationMetricLogs/read | Read data from the AZMSApplicationMetricLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AZMSArchiveLogs/read | Read data from the AZMSArchiveLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AZMSAutoscaleLogs/read | Read data from the AZMSAutoscaleLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AZMSCustomerManagedKeyUserLogs/read | Read data from the AZMSCustomerManagedKeyUserLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AZMSHybridConnectionsEvents/read | Read data from the AZMSHybridConnectionsEvents table | +> | Microsoft.OperationalInsights/workspaces/query/AZMSKafkaCoordinatorLogs/read | Read data from the AZMSKafkaCoordinatorLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AZMSKafkaUserErrorLogs/read | Read data from the AZMSKafkaUserErrorLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AZMSOperationalLogs/read | Read data from the AZMSOperationalLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AZMSRunTimeAuditLogs/read | Read data from the AZMSRunTimeAuditLogs table | +> | Microsoft.OperationalInsights/workspaces/query/AZMSVnetConnectionEvents/read | Read data from the AZMSVnetConnectionEvents table | +> | Microsoft.OperationalInsights/workspaces/query/AzureActivity/read | Read data from the AzureActivity table | +> | 
Microsoft.OperationalInsights/workspaces/query/AzureActivityV2/read | Read data from the AzureActivityV2 table | +> | Microsoft.OperationalInsights/workspaces/query/AzureAssessmentRecommendation/read | Read data from the AzureAssessmentRecommendation table | +> | Microsoft.OperationalInsights/workspaces/query/AzureAttestationDiagnostics/read | Read data from the AzureAttestationDiagnostics table | +> | Microsoft.OperationalInsights/workspaces/query/AzureBackupOperations/read | Read data from the AzureBackupOperations table | +> | Microsoft.OperationalInsights/workspaces/query/AzureDevOpsAuditing/read | Read data from the AzureDevOpsAuditing table | +> | Microsoft.OperationalInsights/workspaces/query/AzureDiagnostics/read | Read data from the AzureDiagnostics table | +> | Microsoft.OperationalInsights/workspaces/query/AzureLoadTestingOperation/read | Read data from the AzureLoadTestingOperation table | +> | Microsoft.OperationalInsights/workspaces/query/AzureMetrics/read | Read data from the AzureMetrics table | +> | Microsoft.OperationalInsights/workspaces/query/AzureMetricsV2/read | Read data from the AzureMetricsV2 table | +> | Microsoft.OperationalInsights/workspaces/query/BaiClusterEvent/read | Read data from the BaiClusterEvent table | +> | Microsoft.OperationalInsights/workspaces/query/BaiClusterNodeEvent/read | Read data from the BaiClusterNodeEvent table | +> | Microsoft.OperationalInsights/workspaces/query/BaiJobEvent/read | Read data from the BaiJobEvent table | +> | Microsoft.OperationalInsights/workspaces/query/BehaviorAnalytics/read | Read data from the BehaviorAnalytics table | +> | Microsoft.OperationalInsights/workspaces/query/BlockchainApplicationLog/read | Read data from the BlockchainApplicationLog table | +> | Microsoft.OperationalInsights/workspaces/query/BlockchainProxyLog/read | Read data from the BlockchainProxyLog table | +> | Microsoft.OperationalInsights/workspaces/query/CassandraAudit/read | Read data from the CassandraAudit table | +> | 
Microsoft.OperationalInsights/workspaces/query/CassandraLogs/read | Read data from the CassandraLogs table | +> | Microsoft.OperationalInsights/workspaces/query/CCFApplicationLogs/read | Read data from the CCFApplicationLogs table | +> | Microsoft.OperationalInsights/workspaces/query/CDBCassandraRequests/read | Read data from the CDBCassandraRequests table | +> | Microsoft.OperationalInsights/workspaces/query/CDBControlPlaneRequests/read | Read data from the CDBControlPlaneRequests table | +> | Microsoft.OperationalInsights/workspaces/query/CDBDataPlaneRequests/read | Read data from the CDBDataPlaneRequests table | +> | Microsoft.OperationalInsights/workspaces/query/CDBGremlinRequests/read | Read data from the CDBGremlinRequests table | +> | Microsoft.OperationalInsights/workspaces/query/CDBMongoRequests/read | Read data from the CDBMongoRequests table | +> | Microsoft.OperationalInsights/workspaces/query/CDBPartitionKeyRUConsumption/read | Read data from the CDBPartitionKeyRUConsumption table | +> | Microsoft.OperationalInsights/workspaces/query/CDBPartitionKeyStatistics/read | Read data from the CDBPartitionKeyStatistics table | +> | Microsoft.OperationalInsights/workspaces/query/CDBQueryRuntimeStatistics/read | Read data from the CDBQueryRuntimeStatistics table | +> | Microsoft.OperationalInsights/workspaces/query/ChaosStudioExperimentEventLogs/read | Read data from the ChaosStudioExperimentEventLogs table | +> | Microsoft.OperationalInsights/workspaces/query/CHSMManagementAuditLogs/read | Read data from the CHSMManagementAuditLogs table | +> | Microsoft.OperationalInsights/workspaces/query/CIEventsAudit/read | Read data from the CIEventsAudit table | +> | Microsoft.OperationalInsights/workspaces/query/CIEventsOperational/read | Read data from the CIEventsOperational table | +> | Microsoft.OperationalInsights/workspaces/query/CloudAppEvents/read | Read data from the CloudAppEvents table | +> | Microsoft.OperationalInsights/workspaces/query/CommonSecurityLog/read 
| Read data from the CommonSecurityLog table | +> | Microsoft.OperationalInsights/workspaces/query/ComputerGroup/read | Read data from the ComputerGroup table | +> | Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/read | Read data from the ConfidentialWatchlist table | +> | Microsoft.OperationalInsights/workspaces/query/ConfigurationChange/read | Read data from the ConfigurationChange table | +> | Microsoft.OperationalInsights/workspaces/query/ConfigurationData/read | Read data from the ConfigurationData table | +> | Microsoft.OperationalInsights/workspaces/query/ContainerAppConsoleLogs/read | Read data from the ContainerAppConsoleLogs table | +> | Microsoft.OperationalInsights/workspaces/query/ContainerAppSystemLogs/read | Read data from the ContainerAppSystemLogs table | +> | Microsoft.OperationalInsights/workspaces/query/ContainerEvent/read | Read data from the ContainerEvent table | +> | Microsoft.OperationalInsights/workspaces/query/ContainerImageInventory/read | Read data from the ContainerImageInventory table | +> | Microsoft.OperationalInsights/workspaces/query/ContainerInstanceLog/read | Read data from the ContainerInstanceLog table | +> | Microsoft.OperationalInsights/workspaces/query/ContainerInventory/read | Read data from the ContainerInventory table | +> | Microsoft.OperationalInsights/workspaces/query/ContainerLog/read | Read data from the ContainerLog table | +> | Microsoft.OperationalInsights/workspaces/query/ContainerLogV2/read | Read data from the ContainerLogV2 table | +> | Microsoft.OperationalInsights/workspaces/query/ContainerNodeInventory/read | Read data from the ContainerNodeInventory table | +> | Microsoft.OperationalInsights/workspaces/query/ContainerRegistryLoginEvents/read | Read data from the ContainerRegistryLoginEvents table | +> | Microsoft.OperationalInsights/workspaces/query/ContainerRegistryRepositoryEvents/read | Read data from the ContainerRegistryRepositoryEvents table | +> | 
Microsoft.OperationalInsights/workspaces/query/ContainerServiceLog/read | Read data from the ContainerServiceLog table | +> | Microsoft.OperationalInsights/workspaces/query/CoreAzureBackup/read | Read data from the CoreAzureBackup table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksAccounts/read | Read data from the DatabricksAccounts table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksCapsule8Dataplane/read | Read data from the DatabricksCapsule8Dataplane table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksClamAVScan/read | Read data from the DatabricksClamAVScan table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksClusterLibraries/read | Read data from the DatabricksClusterLibraries table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksClusters/read | Read data from the DatabricksClusters table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksDatabricksSQL/read | Read data from the DatabricksDatabricksSQL table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksDBFS/read | Read data from the DatabricksDBFS table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksDeltaPipelines/read | Read data from the DatabricksDeltaPipelines table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksFeatureStore/read | Read data from the DatabricksFeatureStore table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksGenie/read | Read data from the DatabricksGenie table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksGitCredentials/read | Read data from the DatabricksGitCredentials table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksGlobalInitScripts/read | Read data from the DatabricksGlobalInitScripts table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksIAMRole/read | Read data from the DatabricksIAMRole table | +> | 
Microsoft.OperationalInsights/workspaces/query/DatabricksInstancePools/read | Read data from the DatabricksInstancePools table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksJobs/read | Read data from the DatabricksJobs table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksMLflowAcledArtifact/read | Read data from the DatabricksMLflowAcledArtifact table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksMLflowExperiment/read | Read data from the DatabricksMLflowExperiment table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksModelRegistry/read | Read data from the DatabricksModelRegistry table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksNotebook/read | Read data from the DatabricksNotebook table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksPartnerHub/read | Read data from the DatabricksPartnerHub table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksRemoteHistoryService/read | Read data from the DatabricksRemoteHistoryService table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksRepos/read | Read data from the DatabricksRepos table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksSecrets/read | Read data from the DatabricksSecrets table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksServerlessRealTimeInference/read | Read data from the DatabricksServerlessRealTimeInference table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksSQL/read | Read data from the DatabricksSQL table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksSQLPermissions/read | Read data from the DatabricksSQLPermissions table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksSSH/read | Read data from the DatabricksSSH table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksUnityCatalog/read | Read data from the DatabricksUnityCatalog table | +> | 
Microsoft.OperationalInsights/workspaces/query/DatabricksWebTerminal/read | Read data from the DatabricksWebTerminal table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksWorkspace/read | Read data from the DatabricksWorkspace table | +> | Microsoft.OperationalInsights/workspaces/query/DatabricksWorkspaceLogs/read | Read data from the DatabricksWorkspaceLogs table | +> | Microsoft.OperationalInsights/workspaces/query/DataTransferOperations/read | Read data from the DataTransferOperations table | +> | Microsoft.OperationalInsights/workspaces/query/DataverseActivity/read | Read data from the DataverseActivity table | +> | Microsoft.OperationalInsights/workspaces/query/DCRLogErrors/read | Read data from the DCRLogErrors table | +> | Microsoft.OperationalInsights/workspaces/query/DCRLogTroubleshooting/read | Read data from the DCRLogTroubleshooting table | +> | Microsoft.OperationalInsights/workspaces/query/DefenderIoTRawEvent/read | Read data from the DefenderIoTRawEvent table | +> | Microsoft.OperationalInsights/workspaces/query/dependencies/read | Read data from the dependencies table | +> | Microsoft.OperationalInsights/workspaces/query/DevCenterBillingEventLogs/read | Read data from the DevCenterBillingEventLogs table | +> | Microsoft.OperationalInsights/workspaces/query/DevCenterDiagnosticLogs/read | Read data from the DevCenterDiagnosticLogs table | +> | Microsoft.OperationalInsights/workspaces/query/DevCenterResourceOperationLogs/read | Read data from the DevCenterResourceOperationLogs table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceAppCrash/read | Read data from the DeviceAppCrash table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceAppLaunch/read | Read data from the DeviceAppLaunch table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceCalendar/read | Read data from the DeviceCalendar table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceCleanup/read | Read data from the DeviceCleanup 
table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceConnectSession/read | Read data from the DeviceConnectSession table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceEtw/read | Read data from the DeviceEtw table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceEvents/read | Read data from the DeviceEvents table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceFileCertificateInfo/read | Read data from the DeviceFileCertificateInfo table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceFileEvents/read | Read data from the DeviceFileEvents table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceHardwareHealth/read | Read data from the DeviceHardwareHealth table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceHealth/read | Read data from the DeviceHealth table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceHeartbeat/read | Read data from the DeviceHeartbeat table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceImageLoadEvents/read | Read data from the DeviceImageLoadEvents table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceInfo/read | Read data from the DeviceInfo table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceLogonEvents/read | Read data from the DeviceLogonEvents table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceNetworkEvents/read | Read data from the DeviceNetworkEvents table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceNetworkInfo/read | Read data from the DeviceNetworkInfo table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceProcessEvents/read | Read data from the DeviceProcessEvents table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceRegistryEvents/read | Read data from the DeviceRegistryEvents table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceSkypeHeartbeat/read | Read data from the DeviceSkypeHeartbeat table | +> | 
Microsoft.OperationalInsights/workspaces/query/DeviceSkypeSignIn/read | Read data from the DeviceSkypeSignIn table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceTvmSecureConfigurationAssessment/read | Read data from the DeviceTvmSecureConfigurationAssessment table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceTvmSecureConfigurationAssessmentKB/read | Read data from the DeviceTvmSecureConfigurationAssessmentKB table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceTvmSoftwareInventory/read | Read data from the DeviceTvmSoftwareInventory table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceTvmSoftwareVulnerabilities/read | Read data from the DeviceTvmSoftwareVulnerabilities table | +> | Microsoft.OperationalInsights/workspaces/query/DeviceTvmSoftwareVulnerabilitiesKB/read | Read data from the DeviceTvmSoftwareVulnerabilitiesKB table | +> | Microsoft.OperationalInsights/workspaces/query/DHAppReliability/read | Read data from the DHAppReliability table | +> | Microsoft.OperationalInsights/workspaces/query/DHDriverReliability/read | Read data from the DHDriverReliability table | +> | Microsoft.OperationalInsights/workspaces/query/DHLogonFailures/read | Read data from the DHLogonFailures table | +> | Microsoft.OperationalInsights/workspaces/query/DHLogonMetrics/read | Read data from the DHLogonMetrics table | +> | Microsoft.OperationalInsights/workspaces/query/DHOSCrashData/read | Read data from the DHOSCrashData table | +> | Microsoft.OperationalInsights/workspaces/query/DHOSReliability/read | Read data from the DHOSReliability table | +> | Microsoft.OperationalInsights/workspaces/query/DHWipAppLearning/read | Read data from the DHWipAppLearning table | +> | Microsoft.OperationalInsights/workspaces/query/DnsEvents/read | Read data from the DnsEvents table | +> | Microsoft.OperationalInsights/workspaces/query/DnsInventory/read | Read data from the DnsInventory table | +> | 
Microsoft.OperationalInsights/workspaces/query/DNSQueryLogs/read | Read data from the DNSQueryLogs table | +> | Microsoft.OperationalInsights/workspaces/query/DSMAzureBlobStorageLogs/read | Read data from the DSMAzureBlobStorageLogs table | +> | Microsoft.OperationalInsights/workspaces/query/DSMDataClassificationLogs/read | Read data from the DSMDataClassificationLogs table | +> | Microsoft.OperationalInsights/workspaces/query/DSMDataLabelingLogs/read | Read data from the DSMDataLabelingLogs table | +> | Microsoft.OperationalInsights/workspaces/query/DynamicEventCollection/read | Read data from the DynamicEventCollection table | +> | Microsoft.OperationalInsights/workspaces/query/Dynamics365Activity/read | Read data from the Dynamics365Activity table | +> | Microsoft.OperationalInsights/workspaces/query/DynamicSummary/read | Read data from the DynamicSummary table | +> | Microsoft.OperationalInsights/workspaces/query/EGNFailedMqttConnections/read | Read data from the EGNFailedMqttConnections table | +> | Microsoft.OperationalInsights/workspaces/query/EGNFailedMqttPublishedMessages/read | Read data from the EGNFailedMqttPublishedMessages table | +> | Microsoft.OperationalInsights/workspaces/query/EGNFailedMqttSubscriptions/read | Read data from the EGNFailedMqttSubscriptions table | +> | Microsoft.OperationalInsights/workspaces/query/EGNMqttDisconnections/read | Read data from the EGNMqttDisconnections table | +> | Microsoft.OperationalInsights/workspaces/query/EGNSuccessfulMqttConnections/read | Read data from the EGNSuccessfulMqttConnections table | +> | Microsoft.OperationalInsights/workspaces/query/EmailAttachmentInfo/read | Read data from the EmailAttachmentInfo table | +> | Microsoft.OperationalInsights/workspaces/query/EmailEvents/read | Read data from the EmailEvents table | +> | Microsoft.OperationalInsights/workspaces/query/EmailPostDeliveryEvents/read | Read data from the EmailPostDeliveryEvents table | +> | 
Microsoft.OperationalInsights/workspaces/query/EmailUrlInfo/read | Read data from the EmailUrlInfo table | +> | Microsoft.OperationalInsights/workspaces/query/EnrichedMicrosoft365AuditLogs/read | Read data from the EnrichedMicrosoft365AuditLogs table | +> | Microsoft.OperationalInsights/workspaces/query/ETWEvent/read | Read data from the ETWEvent table | +> | Microsoft.OperationalInsights/workspaces/query/Event/read | Read data from the Event table | +> | Microsoft.OperationalInsights/workspaces/query/ExchangeAssessmentRecommendation/read | Read data from the ExchangeAssessmentRecommendation table | +> | Microsoft.OperationalInsights/workspaces/query/ExchangeOnlineAssessmentRecommendation/read | Read data from the ExchangeOnlineAssessmentRecommendation table | +> | Microsoft.OperationalInsights/workspaces/query/FailedIngestion/read | Read data from the FailedIngestion table | +> | Microsoft.OperationalInsights/workspaces/query/FunctionAppLogs/read | Read data from the FunctionAppLogs table | +> | Microsoft.OperationalInsights/workspaces/query/GCPAuditLogs/read | Read data from the GCPAuditLogs table | +> | Microsoft.OperationalInsights/workspaces/query/GoogleCloudSCC/read | Read data from the GoogleCloudSCC table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightAmbariClusterAlerts/read | Read data from the HDInsightAmbariClusterAlerts table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightAmbariSystemMetrics/read | Read data from the HDInsightAmbariSystemMetrics table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightGatewayAuditLogs/read | Read data from the HDInsightGatewayAuditLogs table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightHadoopAndYarnLogs/read | Read data from the HDInsightHadoopAndYarnLogs table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightHadoopAndYarnMetrics/read | Read data from the HDInsightHadoopAndYarnMetrics table | +> | 
Microsoft.OperationalInsights/workspaces/query/HDInsightHBaseLogs/read | Read data from the HDInsightHBaseLogs table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightHBaseMetrics/read | Read data from the HDInsightHBaseMetrics table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightHiveAndLLAPLogs/read | Read data from the HDInsightHiveAndLLAPLogs table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightHiveAndLLAPMetrics/read | Read data from the HDInsightHiveAndLLAPMetrics table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightHiveQueryAppStats/read | Read data from the HDInsightHiveQueryAppStats table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightHiveTezAppStats/read | Read data from the HDInsightHiveTezAppStats table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightJupyterNotebookEvents/read | Read data from the HDInsightJupyterNotebookEvents table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightKafkaLogs/read | Read data from the HDInsightKafkaLogs table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightKafkaMetrics/read | Read data from the HDInsightKafkaMetrics table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightKafkaServerLog/read | Read data from the HDInsightKafkaServerLog table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightOozieLogs/read | Read data from the HDInsightOozieLogs table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightRangerAuditLogs/read | Read data from the HDInsightRangerAuditLogs table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightSecurityLogs/read | Read data from the HDInsightSecurityLogs table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightSparkApplicationEvents/read | Read data from the HDInsightSparkApplicationEvents table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightSparkBlockManagerEvents/read | Read data from the 
HDInsightSparkBlockManagerEvents table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightSparkEnvironmentEvents/read | Read data from the HDInsightSparkEnvironmentEvents table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightSparkExecutorEvents/read | Read data from the HDInsightSparkExecutorEvents table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightSparkExtraEvents/read | Read data from the HDInsightSparkExtraEvents table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightSparkJobEvents/read | Read data from the HDInsightSparkJobEvents table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightSparkLogs/read | Read data from the HDInsightSparkLogs table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightSparkSQLExecutionEvents/read | Read data from the HDInsightSparkSQLExecutionEvents table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightSparkStageEvents/read | Read data from the HDInsightSparkStageEvents table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightSparkStageTaskAccumulables/read | Read data from the HDInsightSparkStageTaskAccumulables table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightSparkTaskEvents/read | Read data from the HDInsightSparkTaskEvents table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightStormLogs/read | Read data from the HDInsightStormLogs table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightStormMetrics/read | Read data from the HDInsightStormMetrics table | +> | Microsoft.OperationalInsights/workspaces/query/HDInsightStormTopologyMetrics/read | Read data from the HDInsightStormTopologyMetrics table | +> | Microsoft.OperationalInsights/workspaces/query/HealthStateChangeEvent/read | Read data from the HealthStateChangeEvent table | +> | Microsoft.OperationalInsights/workspaces/query/Heartbeat/read | Read data from the Heartbeat table | +> | 
Microsoft.OperationalInsights/workspaces/query/HuntingBookmark/read | Read data from the HuntingBookmark table | +> | Microsoft.OperationalInsights/workspaces/query/IdentityDirectoryEvents/read | Read data from the IdentityDirectoryEvents table | +> | Microsoft.OperationalInsights/workspaces/query/IdentityInfo/read | Read data from the IdentityInfo table | +> | Microsoft.OperationalInsights/workspaces/query/IdentityLogonEvents/read | Read data from the IdentityLogonEvents table | +> | Microsoft.OperationalInsights/workspaces/query/IdentityQueryEvents/read | Read data from the IdentityQueryEvents table | +> | Microsoft.OperationalInsights/workspaces/query/IISAssessmentRecommendation/read | Read data from the IISAssessmentRecommendation table | +> | Microsoft.OperationalInsights/workspaces/query/InsightsMetrics/read | Read data from the InsightsMetrics table | +> | Microsoft.OperationalInsights/workspaces/query/IntuneAuditLogs/read | Read data from the IntuneAuditLogs table | +> | Microsoft.OperationalInsights/workspaces/query/IntuneDeviceComplianceOrg/read | Read data from the IntuneDeviceComplianceOrg table | +> | Microsoft.OperationalInsights/workspaces/query/IntuneDevices/read | Read data from the IntuneDevices table | +> | Microsoft.OperationalInsights/workspaces/query/IntuneOperationalLogs/read | Read data from the IntuneOperationalLogs table | +> | Microsoft.OperationalInsights/workspaces/query/IoTHubDistributedTracing/read | Read data from the IoTHubDistributedTracing table | +> | Microsoft.OperationalInsights/workspaces/query/KubeEvents/read | Read data from the KubeEvents table | +> | Microsoft.OperationalInsights/workspaces/query/KubeHealth/read | Read data from the KubeHealth table | +> | Microsoft.OperationalInsights/workspaces/query/KubeMonAgentEvents/read | Read data from the KubeMonAgentEvents table | +> | Microsoft.OperationalInsights/workspaces/query/KubeNodeInventory/read | Read data from the KubeNodeInventory table | +> | 
Microsoft.OperationalInsights/workspaces/query/KubePodInventory/read | Read data from the KubePodInventory table | +> | Microsoft.OperationalInsights/workspaces/query/KubePVInventory/read | Read data from the KubePVInventory table | +> | Microsoft.OperationalInsights/workspaces/query/KubeServices/read | Read data from the KubeServices table | +> | Microsoft.OperationalInsights/workspaces/query/LAQueryLogs/read | Read data from the LAQueryLogs table | +> | Microsoft.OperationalInsights/workspaces/query/LASummaryLogs/read | Read data from the LASummaryLogs table | +> | Microsoft.OperationalInsights/workspaces/query/LinuxAuditLog/read | Read data from the LinuxAuditLog table | +> | Microsoft.OperationalInsights/workspaces/query/LogicAppWorkflowRuntime/read | Read data from the LogicAppWorkflowRuntime table | +> | Microsoft.OperationalInsights/workspaces/query/MAApplication/read | Read data from the MAApplication table | +> | Microsoft.OperationalInsights/workspaces/query/MAApplicationHealth/read | Read data from the MAApplicationHealth table | +> | Microsoft.OperationalInsights/workspaces/query/MAApplicationHealthAlternativeVersions/read | Read data from the MAApplicationHealthAlternativeVersions table | +> | Microsoft.OperationalInsights/workspaces/query/MAApplicationHealthIssues/read | Read data from the MAApplicationHealthIssues table | +> | Microsoft.OperationalInsights/workspaces/query/MAApplicationInstance/read | Read data from the MAApplicationInstance table | +> | Microsoft.OperationalInsights/workspaces/query/MAApplicationInstanceReadiness/read | Read data from the MAApplicationInstanceReadiness table | +> | Microsoft.OperationalInsights/workspaces/query/MAApplicationReadiness/read | Read data from the MAApplicationReadiness table | +> | Microsoft.OperationalInsights/workspaces/query/MADeploymentPlan/read | Read data from the MADeploymentPlan table | +> | Microsoft.OperationalInsights/workspaces/query/MADevice/read | Read data from the MADevice table | +> | 
Microsoft.OperationalInsights/workspaces/query/MADeviceNotEnrolled/read | Read data from the MADeviceNotEnrolled table | +> | Microsoft.OperationalInsights/workspaces/query/MADeviceNRT/read | Read data from the MADeviceNRT table | +> | Microsoft.OperationalInsights/workspaces/query/MADeviceReadiness/read | Read data from the MADeviceReadiness table | +> | Microsoft.OperationalInsights/workspaces/query/MADriverInstanceReadiness/read | Read data from the MADriverInstanceReadiness table | +> | Microsoft.OperationalInsights/workspaces/query/MADriverReadiness/read | Read data from the MADriverReadiness table | +> | Microsoft.OperationalInsights/workspaces/query/MAOfficeAddin/read | Read data from the MAOfficeAddin table | +> | Microsoft.OperationalInsights/workspaces/query/MAOfficeAddinInstance/read | Read data from the MAOfficeAddinInstance table | +> | Microsoft.OperationalInsights/workspaces/query/MAOfficeAddinReadiness/read | Read data from the MAOfficeAddinReadiness table | +> | Microsoft.OperationalInsights/workspaces/query/MAOfficeAppInstance/read | Read data from the MAOfficeAppInstance table | +> | Microsoft.OperationalInsights/workspaces/query/MAOfficeAppReadiness/read | Read data from the MAOfficeAppReadiness table | +> | Microsoft.OperationalInsights/workspaces/query/MAOfficeBuildInfo/read | Read data from the MAOfficeBuildInfo table | +> | Microsoft.OperationalInsights/workspaces/query/MAOfficeCurrencyAssessment/read | Read data from the MAOfficeCurrencyAssessment table | +> | Microsoft.OperationalInsights/workspaces/query/MAOfficeSuiteInstance/read | Read data from the MAOfficeSuiteInstance table | +> | Microsoft.OperationalInsights/workspaces/query/MAProposedPilotDevices/read | Read data from the MAProposedPilotDevices table | +> | Microsoft.OperationalInsights/workspaces/query/MAWindowsBuildInfo/read | Read data from the MAWindowsBuildInfo table | +> | Microsoft.OperationalInsights/workspaces/query/MAWindowsCurrencyAssessment/read | Read data from the 
MAWindowsCurrencyAssessment table | +> | Microsoft.OperationalInsights/workspaces/query/MAWindowsCurrencyAssessmentDailyCounts/read | Read data from the MAWindowsCurrencyAssessmentDailyCounts table | +> | Microsoft.OperationalInsights/workspaces/query/MAWindowsDeploymentStatus/read | Read data from the MAWindowsDeploymentStatus table | +> | Microsoft.OperationalInsights/workspaces/query/MAWindowsDeploymentStatusNRT/read | Read data from the MAWindowsDeploymentStatusNRT table | +> | Microsoft.OperationalInsights/workspaces/query/McasShadowItReporting/read | Read data from the McasShadowItReporting table | +> | Microsoft.OperationalInsights/workspaces/query/MCCEventLogs/read | Read data from the MCCEventLogs table | +> | Microsoft.OperationalInsights/workspaces/query/MCVPAuditLogs/read | Read data from the MCVPAuditLogs table | +> | Microsoft.OperationalInsights/workspaces/query/MCVPOperationLogs/read | Read data from the MCVPOperationLogs table | +> | Microsoft.OperationalInsights/workspaces/query/MicrosoftAzureBastionAuditLogs/read | Read data from the MicrosoftAzureBastionAuditLogs table | +> | Microsoft.OperationalInsights/workspaces/query/MicrosoftDataShareReceivedSnapshotLog/read | Read data from the MicrosoftDataShareReceivedSnapshotLog table | +> | Microsoft.OperationalInsights/workspaces/query/MicrosoftDataShareSentSnapshotLog/read | Read data from the MicrosoftDataShareSentSnapshotLog table | +> | Microsoft.OperationalInsights/workspaces/query/MicrosoftDataShareShareLog/read | Read data from the MicrosoftDataShareShareLog table | +> | Microsoft.OperationalInsights/workspaces/query/MicrosoftDynamicsTelemetryPerformanceLogs/read | Read data from the MicrosoftDynamicsTelemetryPerformanceLogs table | +> | Microsoft.OperationalInsights/workspaces/query/MicrosoftDynamicsTelemetrySystemMetricsLogs/read | Read data from the MicrosoftDynamicsTelemetrySystemMetricsLogs table | +> | Microsoft.OperationalInsights/workspaces/query/MicrosoftGraphActivityLogs/read | Read 
data from the MicrosoftGraphActivityLogs table | +> | Microsoft.OperationalInsights/workspaces/query/MicrosoftHealthcareApisAuditLogs/read | Read data from the MicrosoftHealthcareApisAuditLogs table | +> | Microsoft.OperationalInsights/workspaces/query/MicrosoftPurviewInformationProtection/read | Read data from the MicrosoftPurviewInformationProtection table | +> | Microsoft.OperationalInsights/workspaces/query/MNFDeviceUpdates/read | Read data from the MNFDeviceUpdates table | +> | Microsoft.OperationalInsights/workspaces/query/MNFSystemStateMessageUpdates/read | Read data from the MNFSystemStateMessageUpdates table | +> | Microsoft.OperationalInsights/workspaces/query/NCBMSecurityLogs/read | Read data from the NCBMSecurityLogs table | +> | Microsoft.OperationalInsights/workspaces/query/NCBMSystemLogs/read | Read data from the NCBMSystemLogs table | +> | Microsoft.OperationalInsights/workspaces/query/NCCKubernetesLogs/read | Read data from the NCCKubernetesLogs table | +> | Microsoft.OperationalInsights/workspaces/query/NCCVMOrchestrationLogs/read | Read data from the NCCVMOrchestrationLogs table | +> | Microsoft.OperationalInsights/workspaces/query/NCSStorageAlerts/read | Read data from the NCSStorageAlerts table | +> | Microsoft.OperationalInsights/workspaces/query/NCSStorageLogs/read | Read data from the NCSStorageLogs table | +> | Microsoft.OperationalInsights/workspaces/query/NetworkAccessTraffic/read | Read data from the NetworkAccessTraffic table | +> | Microsoft.OperationalInsights/workspaces/query/NetworkMonitoring/read | Read data from the NetworkMonitoring table | +> | Microsoft.OperationalInsights/workspaces/query/NetworkSessions/read | Read data from the NetworkSessions table | +> | Microsoft.OperationalInsights/workspaces/query/NGXOperationLogs/read | Read data from the NGXOperationLogs table | +> | Microsoft.OperationalInsights/workspaces/query/NSPAccessLogs/read | Read data from the NSPAccessLogs table | +> | 
Microsoft.OperationalInsights/workspaces/query/NTAIpDetails/read | Read data from the NTAIpDetails table | +> | Microsoft.OperationalInsights/workspaces/query/NTANetAnalytics/read | Read data from the NTANetAnalytics table | +> | Microsoft.OperationalInsights/workspaces/query/NTATopologyDetails/read | Read data from the NTATopologyDetails table | +> | Microsoft.OperationalInsights/workspaces/query/NWConnectionMonitorDestinationListenerResult/read | Read data from the NWConnectionMonitorDestinationListenerResult table | +> | Microsoft.OperationalInsights/workspaces/query/NWConnectionMonitorDNSResult/read | Read data from the NWConnectionMonitorDNSResult table | +> | Microsoft.OperationalInsights/workspaces/query/NWConnectionMonitorPathResult/read | Read data from the NWConnectionMonitorPathResult table | +> | Microsoft.OperationalInsights/workspaces/query/NWConnectionMonitorTestResult/read | Read data from the NWConnectionMonitorTestResult table | +> | Microsoft.OperationalInsights/workspaces/query/OEPAirFlowTask/read | Read data from the OEPAirFlowTask table | +> | Microsoft.OperationalInsights/workspaces/query/OEPAuditLogs/read | Read data from the OEPAuditLogs table | +> | Microsoft.OperationalInsights/workspaces/query/OEPDataplaneLogs/read | Read data from the OEPDataplaneLogs table | +> | Microsoft.OperationalInsights/workspaces/query/OEPElasticOperator/read | Read data from the OEPElasticOperator table | +> | Microsoft.OperationalInsights/workspaces/query/OEPElasticsearch/read | Read data from the OEPElasticsearch table | +> | Microsoft.OperationalInsights/workspaces/query/OfficeActivity/read | Read data from the OfficeActivity table | +> | Microsoft.OperationalInsights/workspaces/query/OLPSupplyChainEntityOperations/read | Read data from the OLPSupplyChainEntityOperations table | +> | Microsoft.OperationalInsights/workspaces/query/OLPSupplyChainEvents/read | Read data from the OLPSupplyChainEvents table | +> | 
Microsoft.OperationalInsights/workspaces/query/Operation/read | Read data from the Operation table | +> | Microsoft.OperationalInsights/workspaces/query/Perf/read | Read data from the Perf table | +> | Microsoft.OperationalInsights/workspaces/query/PFTitleAuditLogs/read | Read data from the PFTitleAuditLogs table | +> | Microsoft.OperationalInsights/workspaces/query/PowerAppsActivity/read | Read data from the PowerAppsActivity table | +> | Microsoft.OperationalInsights/workspaces/query/PowerAutomateActivity/read | Read data from the PowerAutomateActivity table | +> | Microsoft.OperationalInsights/workspaces/query/PowerBIActivity/read | Read data from the PowerBIActivity table | +> | Microsoft.OperationalInsights/workspaces/query/PowerBIAuditTenant/read | Read data from the PowerBIAuditTenant table | +> | Microsoft.OperationalInsights/workspaces/query/PowerBIDatasetsTenant/read | Read data from the PowerBIDatasetsTenant table | +> | Microsoft.OperationalInsights/workspaces/query/PowerBIDatasetsTenantPreview/read | Read data from the PowerBIDatasetsTenantPreview table | +> | Microsoft.OperationalInsights/workspaces/query/PowerBIDatasetsWorkspace/read | Read data from the PowerBIDatasetsWorkspace table | +> | Microsoft.OperationalInsights/workspaces/query/PowerBIDatasetsWorkspacePreview/read | Read data from the PowerBIDatasetsWorkspacePreview table | +> | Microsoft.OperationalInsights/workspaces/query/PowerBIReportUsageTenant/read | Read data from the PowerBIReportUsageTenant table | +> | Microsoft.OperationalInsights/workspaces/query/PowerBIReportUsageWorkspace/read | Read data from the PowerBIReportUsageWorkspace table | +> | Microsoft.OperationalInsights/workspaces/query/PowerPlatformAdminActivity/read | Read data from the PowerPlatformAdminActivity table | +> | Microsoft.OperationalInsights/workspaces/query/PowerPlatformConnectorActivity/read | Read data from the PowerPlatformConnectorActivity table | +> | 
Microsoft.OperationalInsights/workspaces/query/PowerPlatformDlpActivity/read | Read data from the PowerPlatformDlpActivity table | +> | Microsoft.OperationalInsights/workspaces/query/ProjectActivity/read | Read data from the ProjectActivity table | +> | Microsoft.OperationalInsights/workspaces/query/ProtectionStatus/read | Read data from the ProtectionStatus table | +> | Microsoft.OperationalInsights/workspaces/query/PurviewDataSensitivityLogs/read | Read data from the PurviewDataSensitivityLogs table | +> | Microsoft.OperationalInsights/workspaces/query/PurviewScanStatusLogs/read | Read data from the PurviewScanStatusLogs table | +> | Microsoft.OperationalInsights/workspaces/query/PurviewSecurityLogs/read | Read data from the PurviewSecurityLogs table | +> | Microsoft.OperationalInsights/workspaces/query/REDConnectionEvents/read | Read data from the REDConnectionEvents table | +> | Microsoft.OperationalInsights/workspaces/query/requests/read | Read data from the requests table | +> | Microsoft.OperationalInsights/workspaces/query/ResourceManagementPublicAccessLogs/read | Read data from the ResourceManagementPublicAccessLogs table | +> | Microsoft.OperationalInsights/workspaces/query/SCCMAssessmentRecommendation/read | Read data from the SCCMAssessmentRecommendation table | +> | Microsoft.OperationalInsights/workspaces/query/SCOMAssessmentRecommendation/read | Read data from the SCOMAssessmentRecommendation table | +> | Microsoft.OperationalInsights/workspaces/query/SecureScoreControls/read | Read data from the SecureScoreControls table | +> | Microsoft.OperationalInsights/workspaces/query/SecureScores/read | Read data from the SecureScores table | +> | Microsoft.OperationalInsights/workspaces/query/SecurityAlert/read | Read data from the SecurityAlert table | +> | Microsoft.OperationalInsights/workspaces/query/SecurityAttackPathData/read | Read data from the SecurityAttackPathData table | +> | Microsoft.OperationalInsights/workspaces/query/SecurityBaseline/read | 
Read data from the SecurityBaseline table | +> | Microsoft.OperationalInsights/workspaces/query/SecurityBaselineSummary/read | Read data from the SecurityBaselineSummary table | +> | Microsoft.OperationalInsights/workspaces/query/SecurityDetection/read | Read data from the SecurityDetection table | +> | Microsoft.OperationalInsights/workspaces/query/SecurityEvent/read | Read data from the SecurityEvent table | +> | Microsoft.OperationalInsights/workspaces/query/SecurityIncident/read | Read data from the SecurityIncident table | +> | Microsoft.OperationalInsights/workspaces/query/SecurityIoTRawEvent/read | Read data from the SecurityIoTRawEvent table | +> | Microsoft.OperationalInsights/workspaces/query/SecurityNestedRecommendation/read | Read data from the SecurityNestedRecommendation table | +> | Microsoft.OperationalInsights/workspaces/query/SecurityRecommendation/read | Read data from the SecurityRecommendation table | +> | Microsoft.OperationalInsights/workspaces/query/SecurityRegulatoryCompliance/read | Read data from the SecurityRegulatoryCompliance table | +> | Microsoft.OperationalInsights/workspaces/query/SentinelAudit/read | Read data from the SentinelAudit table | +> | Microsoft.OperationalInsights/workspaces/query/SentinelHealth/read | Read data from the SentinelHealth table | +> | Microsoft.OperationalInsights/workspaces/query/ServiceFabricOperationalEvent/read | Read data from the ServiceFabricOperationalEvent table | +> | Microsoft.OperationalInsights/workspaces/query/ServiceFabricReliableActorEvent/read | Read data from the ServiceFabricReliableActorEvent table | +> | Microsoft.OperationalInsights/workspaces/query/ServiceFabricReliableServiceEvent/read | Read data from the ServiceFabricReliableServiceEvent table | +> | Microsoft.OperationalInsights/workspaces/query/SfBAssessmentRecommendation/read | Read data from the SfBAssessmentRecommendation table | +> | Microsoft.OperationalInsights/workspaces/query/SfBOnlineAssessmentRecommendation/read | Read 
data from the SfBOnlineAssessmentRecommendation table | +> | Microsoft.OperationalInsights/workspaces/query/SharePointOnlineAssessmentRecommendation/read | Read data from the SharePointOnlineAssessmentRecommendation table | +> | Microsoft.OperationalInsights/workspaces/query/SignalRServiceDiagnosticLogs/read | Read data from the SignalRServiceDiagnosticLogs table | +> | Microsoft.OperationalInsights/workspaces/query/SigninLogs/read | Read data from the SigninLogs table | +> | Microsoft.OperationalInsights/workspaces/query/SPAssessmentRecommendation/read | Read data from the SPAssessmentRecommendation table | +> | Microsoft.OperationalInsights/workspaces/query/SQLAssessmentRecommendation/read | Read data from the SQLAssessmentRecommendation table | +> | Microsoft.OperationalInsights/workspaces/query/SqlAtpStatus/read | Read data from the SqlAtpStatus table | +> | Microsoft.OperationalInsights/workspaces/query/SqlDataClassification/read | Read data from the SqlDataClassification table | +> | Microsoft.OperationalInsights/workspaces/query/SQLSecurityAuditEvents/read | Read data from the SQLSecurityAuditEvents table | +> | Microsoft.OperationalInsights/workspaces/query/SqlVulnerabilityAssessmentResult/read | Read data from the SqlVulnerabilityAssessmentResult table | +> | Microsoft.OperationalInsights/workspaces/query/SqlVulnerabilityAssessmentScanStatus/read | Read data from the SqlVulnerabilityAssessmentScanStatus table | +> | Microsoft.OperationalInsights/workspaces/query/StorageBlobLogs/read | Read data from the StorageBlobLogs table | +> | Microsoft.OperationalInsights/workspaces/query/StorageCacheOperationEvents/read | Read data from the StorageCacheOperationEvents table | +> | Microsoft.OperationalInsights/workspaces/query/StorageCacheUpgradeEvents/read | Read data from the StorageCacheUpgradeEvents table | +> | Microsoft.OperationalInsights/workspaces/query/StorageCacheWarningEvents/read | Read data from the StorageCacheWarningEvents table | +> | 
Microsoft.OperationalInsights/workspaces/query/StorageFileLogs/read | Read data from the StorageFileLogs table | +> | Microsoft.OperationalInsights/workspaces/query/StorageMalwareScanningResults/read | Read data from the StorageMalwareScanningResults table | +> | Microsoft.OperationalInsights/workspaces/query/StorageMoverCopyLogsFailed/read | Read data from the StorageMoverCopyLogsFailed table | +> | Microsoft.OperationalInsights/workspaces/query/StorageMoverCopyLogsTransferred/read | Read data from the StorageMoverCopyLogsTransferred table | +> | Microsoft.OperationalInsights/workspaces/query/StorageMoverJobRunLogs/read | Read data from the StorageMoverJobRunLogs table | +> | Microsoft.OperationalInsights/workspaces/query/StorageQueueLogs/read | Read data from the StorageQueueLogs table | +> | Microsoft.OperationalInsights/workspaces/query/StorageTableLogs/read | Read data from the StorageTableLogs table | +> | Microsoft.OperationalInsights/workspaces/query/SucceededIngestion/read | Read data from the SucceededIngestion table | +> | Microsoft.OperationalInsights/workspaces/query/SynapseBigDataPoolApplicationsEnded/read | Read data from the SynapseBigDataPoolApplicationsEnded table | +> | Microsoft.OperationalInsights/workspaces/query/SynapseBuiltinSqlPoolRequestsEnded/read | Read data from the SynapseBuiltinSqlPoolRequestsEnded table | +> | Microsoft.OperationalInsights/workspaces/query/SynapseDXCommand/read | Read data from the SynapseDXCommand table | +> | Microsoft.OperationalInsights/workspaces/query/SynapseDXFailedIngestion/read | Read data from the SynapseDXFailedIngestion table | +> | Microsoft.OperationalInsights/workspaces/query/SynapseDXIngestionBatching/read | Read data from the SynapseDXIngestionBatching table | +> | Microsoft.OperationalInsights/workspaces/query/SynapseDXQuery/read | Read data from the SynapseDXQuery table | +> | Microsoft.OperationalInsights/workspaces/query/SynapseDXSucceededIngestion/read | Read data from the 
SynapseDXSucceededIngestion table | +> | Microsoft.OperationalInsights/workspaces/query/SynapseDXTableDetails/read | Read data from the SynapseDXTableDetails table | +> | Microsoft.OperationalInsights/workspaces/query/SynapseDXTableUsageStatistics/read | Read data from the SynapseDXTableUsageStatistics table | +> | Microsoft.OperationalInsights/workspaces/query/SynapseGatewayApiRequests/read | Read data from the SynapseGatewayApiRequests table | +> | Microsoft.OperationalInsights/workspaces/query/SynapseGatewayEvents/read | Read data from the SynapseGatewayEvents table | +> | Microsoft.OperationalInsights/workspaces/query/SynapseIntegrationActivityRuns/read | Read data from the SynapseIntegrationActivityRuns table | +> | Microsoft.OperationalInsights/workspaces/query/SynapseIntegrationPipelineRuns/read | Read data from the SynapseIntegrationPipelineRuns table | +> | Microsoft.OperationalInsights/workspaces/query/SynapseIntegrationTriggerRuns/read | Read data from the SynapseIntegrationTriggerRuns table | +> | Microsoft.OperationalInsights/workspaces/query/SynapseLinkEvent/read | Read data from the SynapseLinkEvent table | +> | Microsoft.OperationalInsights/workspaces/query/SynapseRBACEvents/read | Read data from the SynapseRBACEvents table | +> | Microsoft.OperationalInsights/workspaces/query/SynapseRbacOperations/read | Read data from the SynapseRbacOperations table | +> | Microsoft.OperationalInsights/workspaces/query/SynapseScopePoolScopeJobsEnded/read | Read data from the SynapseScopePoolScopeJobsEnded table | +> | Microsoft.OperationalInsights/workspaces/query/SynapseScopePoolScopeJobsStateChange/read | Read data from the SynapseScopePoolScopeJobsStateChange table | +> | Microsoft.OperationalInsights/workspaces/query/SynapseSqlPoolDmsWorkers/read | Read data from the SynapseSqlPoolDmsWorkers table | +> | Microsoft.OperationalInsights/workspaces/query/SynapseSqlPoolExecRequests/read | Read data from the SynapseSqlPoolExecRequests table | +> | 
Microsoft.OperationalInsights/workspaces/query/SynapseSqlPoolRequestSteps/read | Read data from the SynapseSqlPoolRequestSteps table | +> | Microsoft.OperationalInsights/workspaces/query/SynapseSqlPoolSqlRequests/read | Read data from the SynapseSqlPoolSqlRequests table | +> | Microsoft.OperationalInsights/workspaces/query/SynapseSqlPoolWaits/read | Read data from the SynapseSqlPoolWaits table | +> | Microsoft.OperationalInsights/workspaces/query/Syslog/read | Read data from the Syslog table | +> | Microsoft.OperationalInsights/workspaces/query/Tables.Custom/read | Reading data from any custom log | +> | Microsoft.OperationalInsights/workspaces/query/ThreatIntelligenceIndicator/read | Read data from the ThreatIntelligenceIndicator table | +> | Microsoft.OperationalInsights/workspaces/query/TSIIngress/read | Read data from the TSIIngress table | +> | Microsoft.OperationalInsights/workspaces/query/UAApp/read | Read data from the UAApp table | +> | Microsoft.OperationalInsights/workspaces/query/UAComputer/read | Read data from the UAComputer table | +> | Microsoft.OperationalInsights/workspaces/query/UAComputerRank/read | Read data from the UAComputerRank table | +> | Microsoft.OperationalInsights/workspaces/query/UADriver/read | Read data from the UADriver table | +> | Microsoft.OperationalInsights/workspaces/query/UADriverProblemCodes/read | Read data from the UADriverProblemCodes table | +> | Microsoft.OperationalInsights/workspaces/query/UAFeedback/read | Read data from the UAFeedback table | +> | Microsoft.OperationalInsights/workspaces/query/UAIESiteDiscovery/read | Read data from the UAIESiteDiscovery table | +> | Microsoft.OperationalInsights/workspaces/query/UAOfficeAddIn/read | Read data from the UAOfficeAddIn table | +> | Microsoft.OperationalInsights/workspaces/query/UAProposedActionPlan/read | Read data from the UAProposedActionPlan table | +> | Microsoft.OperationalInsights/workspaces/query/UASysReqIssue/read | Read data from the UASysReqIssue table | +> 
| Microsoft.OperationalInsights/workspaces/query/UAUpgradedComputer/read | Read data from the UAUpgradedComputer table | +> | Microsoft.OperationalInsights/workspaces/query/UCClient/read | Read data from the UCClient table | +> | Microsoft.OperationalInsights/workspaces/query/UCClientReadinessStatus/read | Read data from the UCClientReadinessStatus table | +> | Microsoft.OperationalInsights/workspaces/query/UCClientUpdateStatus/read | Read data from the UCClientUpdateStatus table | +> | Microsoft.OperationalInsights/workspaces/query/UCDeviceAlert/read | Read data from the UCDeviceAlert table | +> | Microsoft.OperationalInsights/workspaces/query/UCDOAggregatedStatus/read | Read data from the UCDOAggregatedStatus table | +> | Microsoft.OperationalInsights/workspaces/query/UCDOStatus/read | Read data from the UCDOStatus table | +> | Microsoft.OperationalInsights/workspaces/query/UCServiceUpdateStatus/read | Read data from the UCServiceUpdateStatus table | +> | Microsoft.OperationalInsights/workspaces/query/UCUpdateAlert/read | Read data from the UCUpdateAlert table | +> | Microsoft.OperationalInsights/workspaces/query/Update/read | Read data from the Update table | +> | Microsoft.OperationalInsights/workspaces/query/UpdateRunProgress/read | Read data from the UpdateRunProgress table | +> | Microsoft.OperationalInsights/workspaces/query/UpdateSummary/read | Read data from the UpdateSummary table | +> | Microsoft.OperationalInsights/workspaces/query/UrlClickEvents/read | Read data from the UrlClickEvents table | +> | Microsoft.OperationalInsights/workspaces/query/Usage/read | Read data from the Usage table | +> | Microsoft.OperationalInsights/workspaces/query/UserAccessAnalytics/read | Read data from the UserAccessAnalytics table | +> | Microsoft.OperationalInsights/workspaces/query/UserPeerAnalytics/read | Read data from the UserPeerAnalytics table | +> | Microsoft.OperationalInsights/workspaces/query/VCoreMongoRequests/read | Read data from the VCoreMongoRequests 
table | +> | Microsoft.OperationalInsights/workspaces/query/VIAudit/read | Read data from the VIAudit table | +> | Microsoft.OperationalInsights/workspaces/query/VIIndexing/read | Read data from the VIIndexing table | +> | Microsoft.OperationalInsights/workspaces/query/VMBoundPort/read | Read data from the VMBoundPort table | +> | Microsoft.OperationalInsights/workspaces/query/VMComputer/read | Read data from the VMComputer table | +> | Microsoft.OperationalInsights/workspaces/query/VMConnection/read | Read data from the VMConnection table | +> | Microsoft.OperationalInsights/workspaces/query/VMProcess/read | Read data from the VMProcess table | +> | Microsoft.OperationalInsights/workspaces/query/W3CIISLog/read | Read data from the W3CIISLog table | +> | Microsoft.OperationalInsights/workspaces/query/WaaSDeploymentStatus/read | Read data from the WaaSDeploymentStatus table | +> | Microsoft.OperationalInsights/workspaces/query/WaaSInsiderStatus/read | Read data from the WaaSInsiderStatus table | +> | Microsoft.OperationalInsights/workspaces/query/WaaSUpdateStatus/read | Read data from the WaaSUpdateStatus table | +> | Microsoft.OperationalInsights/workspaces/query/Watchlist/read | Read data from the Watchlist table | +> | Microsoft.OperationalInsights/workspaces/query/WDAVStatus/read | Read data from the WDAVStatus table | +> | Microsoft.OperationalInsights/workspaces/query/WDAVThreat/read | Read data from the WDAVThreat table | +> | Microsoft.OperationalInsights/workspaces/query/WebPubSubConnectivity/read | Read data from the WebPubSubConnectivity table | +> | Microsoft.OperationalInsights/workspaces/query/WebPubSubHttpRequest/read | Read data from the WebPubSubHttpRequest table | +> | Microsoft.OperationalInsights/workspaces/query/WebPubSubMessaging/read | Read data from the WebPubSubMessaging table | +> | Microsoft.OperationalInsights/workspaces/query/Windows365AuditLogs/read | Read data from the Windows365AuditLogs table | +> | 
Microsoft.OperationalInsights/workspaces/query/WindowsClientAssessmentRecommendation/read | Read data from the WindowsClientAssessmentRecommendation table | +> | Microsoft.OperationalInsights/workspaces/query/WindowsEvent/read | Read data from the WindowsEvent table | +> | Microsoft.OperationalInsights/workspaces/query/WindowsFirewall/read | Read data from the WindowsFirewall table | +> | Microsoft.OperationalInsights/workspaces/query/WindowsServerAssessmentRecommendation/read | Read data from the WindowsServerAssessmentRecommendation table | +> | Microsoft.OperationalInsights/workspaces/query/WireData/read | Read data from the WireData table | +> | Microsoft.OperationalInsights/workspaces/query/WorkloadDiagnosticLogs/read | Read data from the WorkloadDiagnosticLogs table | +> | Microsoft.OperationalInsights/workspaces/query/WorkloadMonitoringPerf/read | Read data from the WorkloadMonitoringPerf table | +> | Microsoft.OperationalInsights/workspaces/query/WUDOAggregatedStatus/read | Read data from the WUDOAggregatedStatus table | +> | Microsoft.OperationalInsights/workspaces/query/WUDOStatus/read | Read data from the WUDOStatus table | +> | Microsoft.OperationalInsights/workspaces/query/WVDAgentHealthStatus/read | Read data from the WVDAgentHealthStatus table | +> | Microsoft.OperationalInsights/workspaces/query/WVDAutoscaleEvaluationPooled/read | Read data from the WVDAutoscaleEvaluationPooled table | +> | Microsoft.OperationalInsights/workspaces/query/WVDCheckpoints/read | Read data from the WVDCheckpoints table | +> | Microsoft.OperationalInsights/workspaces/query/WVDConnectionGraphicsDataPreview/read | Read data from the WVDConnectionGraphicsDataPreview table | +> | Microsoft.OperationalInsights/workspaces/query/WVDConnectionNetworkData/read | Read data from the WVDConnectionNetworkData table | +> | Microsoft.OperationalInsights/workspaces/query/WVDConnections/read | Read data from the WVDConnections table | +> | 
Microsoft.OperationalInsights/workspaces/query/WVDErrors/read | Read data from the WVDErrors table | +> | Microsoft.OperationalInsights/workspaces/query/WVDFeeds/read | Read data from the WVDFeeds table | +> | Microsoft.OperationalInsights/workspaces/query/WVDHostRegistrations/read | Read data from the WVDHostRegistrations table | +> | Microsoft.OperationalInsights/workspaces/query/WVDManagement/read | Read data from the WVDManagement table | +> | Microsoft.OperationalInsights/workspaces/query/WVDSessionHostManagement/read | Read data from the WVDSessionHostManagement table | +> | Microsoft.OperationalInsights/workspaces/restoreLogs/write | Restore data from a table. | +> | microsoft.operationalinsights/workspaces/restoreLogs/write | Restore data from a table. | +> | Microsoft.OperationalInsights/workspaces/rules/read | Get alert rule. | +> | microsoft.operationalinsights/workspaces/rules/read | Get all alert rules. | +> | Microsoft.OperationalInsights/workspaces/savedSearches/read | Gets a saved search query. | +> | Microsoft.OperationalInsights/workspaces/savedSearches/write | Creates a saved search query | +> | Microsoft.OperationalInsights/workspaces/savedSearches/delete | Deletes a saved search query | +> | Microsoft.OperationalInsights/workspaces/savedSearches/results/read | Get saved searches results. Deprecated. | +> | microsoft.operationalinsights/workspaces/savedsearches/results/read | Get saved searches results. Deprecated | +> | microsoft.operationalinsights/workspaces/savedsearches/schedules/read | Get scheduled searches. | +> | microsoft.operationalinsights/workspaces/savedsearches/schedules/delete | Delete scheduled searches. | +> | microsoft.operationalinsights/workspaces/savedsearches/schedules/write | Create or update scheduled searches. | +> | microsoft.operationalinsights/workspaces/savedsearches/schedules/actions/read | Get scheduled search actions. 
| +> | microsoft.operationalinsights/workspaces/savedsearches/schedules/actions/delete | Delete scheduled search actions. | +> | microsoft.operationalinsights/workspaces/savedsearches/schedules/actions/write | Create or update scheduled search actions. | +> | Microsoft.OperationalInsights/workspaces/schedules/read | Get scheduled saved search. | +> | Microsoft.OperationalInsights/workspaces/schedules/delete | Delete scheduled saved search. | +> | Microsoft.OperationalInsights/workspaces/schedules/write | Create or update scheduled saved search. | +> | Microsoft.OperationalInsights/workspaces/schedules/actions/read | Get Management Configuration action. | +> | Microsoft.OperationalInsights/workspaces/schema/read | Gets the search schema for the workspace. Search schema includes the exposed fields and their types. | +> | Microsoft.OperationalInsights/workspaces/scopedprivatelinkproxies/read | Get Scoped Private Link Proxy | +> | Microsoft.OperationalInsights/workspaces/scopedprivatelinkproxies/write | Put Scoped Private Link Proxy | +> | Microsoft.OperationalInsights/workspaces/scopedprivatelinkproxies/delete | Delete Scoped Private Link Proxy | +> | microsoft.operationalinsights/workspaces/scopedPrivateLinkProxies/read | Get Scoped Private Link Proxy. | +> | microsoft.operationalinsights/workspaces/scopedPrivateLinkProxies/write | Put Scoped Private Link Proxy. | +> | microsoft.operationalinsights/workspaces/scopedPrivateLinkProxies/delete | Delete Scoped Private Link Proxy. | +> | Microsoft.OperationalInsights/workspaces/search/read | Get search results. Deprecated. | +> | microsoft.operationalinsights/workspaces/search/read | Get search results. Deprecated. | +> | Microsoft.OperationalInsights/workspaces/searchJobs/write | Run a search job. | +> | microsoft.operationalinsights/workspaces/searchJobs/write | Run a search job. | +> | Microsoft.OperationalInsights/workspaces/sharedkeys/read | Retrieves the shared keys for the workspace. 
These keys are used to connect Microsoft Operational Insights agents to the workspace. | +> | Microsoft.OperationalInsights/workspaces/storageinsightconfigs/write | Creates a new storage configuration. These configurations are used to pull data from a location in an existing storage account. | +> | Microsoft.OperationalInsights/workspaces/storageinsightconfigs/read | Gets a storage configuration. | +> | Microsoft.OperationalInsights/workspaces/storageinsightconfigs/delete | Deletes a storage configuration. This will stop Microsoft Operational Insights from reading data from the storage account. | +> | Microsoft.OperationalInsights/workspaces/summarylogs/write | Create or update a log analytics table. | +> | Microsoft.OperationalInsights/workspaces/summarylogs/read | Get a log analytics table. | +> | Microsoft.OperationalInsights/workspaces/summarylogs/delete | Delete a log analytics summary logs. | +> | Microsoft.OperationalInsights/workspaces/summarylogs/start/action | Starting a suspended summary log rule. | +> | Microsoft.OperationalInsights/workspaces/summarylogs/stop/action | Suspending a summary log rule. | +> | Microsoft.OperationalInsights/workspaces/tables/write | Create or update a log analytics table. | +> | Microsoft.OperationalInsights/workspaces/tables/read | Get a log analytics table. | +> | Microsoft.OperationalInsights/workspaces/tables/delete | Delete a log analytics table. | +> | Microsoft.OperationalInsights/workspaces/tables/migrate/action | Migrating a log analytics V1 table to V2 variation. | +> | microsoft.operationalinsights/workspaces/tables/write | Create or update a log analytics table. | +> | microsoft.operationalinsights/workspaces/tables/read | Get a log analytics table. | +> | microsoft.operationalinsights/workspaces/tables/delete | Delete a log analytics table. 
| +> | Microsoft.OperationalInsights/workspaces/tables/query/read | Run queries over the data of a specific table in the workspace | +> | Microsoft.OperationalInsights/workspaces/upgradetranslationfailures/read | Get Search Upgrade Translation Failure log for the workspace | +> | Microsoft.OperationalInsights/workspaces/usages/read | Gets usage data for a workspace including the amount of data read by the workspace. | +> | Microsoft.OperationalInsights/workspaces/views/read | Get workspace view. | +> | Microsoft.OperationalInsights/workspaces/views/delete | Delete workspace view. | +> | Microsoft.OperationalInsights/workspaces/views/write | Create or update workspace view. | +> | microsoft.operationalinsights/workspaces/views/read | Get workspace views. | +> | microsoft.operationalinsights/workspaces/views/write | Create or update a workspace view. | +> | microsoft.operationalinsights/workspaces/views/delete | Delete a workspace view. | ++## Microsoft.OperationsManagement ++Azure service: [Azure Monitor](/azure/azure-monitor/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.OperationsManagement/register/action | Register a subscription to a resource provider. | +> | Microsoft.OperationsManagement/unregister/action | UnRegister a subscription to a resource provider. | +> | Microsoft.OperationsManagement/managementassociations/write | Create or update Management Association. | +> | Microsoft.OperationsManagement/managementassociations/read | Get Management Association. | +> | Microsoft.OperationsManagement/managementassociations/delete | Delete Management Association. | +> | Microsoft.OperationsManagement/managementconfigurations/write | Create or update management configuration. | +> | Microsoft.OperationsManagement/managementconfigurations/read | Get management configuration. | +> | Microsoft.OperationsManagement/managementconfigurations/delete | Delete management configuration. 
| +> | Microsoft.OperationsManagement/solutions/write | Create new OMS solution | +> | Microsoft.OperationsManagement/solutions/read | Get existing OMS solution | +> | Microsoft.OperationsManagement/solutions/delete | Delete existing OMS solution | ++## Next steps ++- [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types) |
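Review bot: the descriptions for `Microsoft.OperationalInsights/workspaces/summarylogs/write` and `.../summarylogs/read` ("Create or update a log analytics table." / "Get a log analytics table.") repeat the `tables/write` and `tables/read` text instead of describing summary log rules, while the sibling `summarylogs/delete`, `summarylogs/start/action` and `summarylogs/stop/action` rows do talk about summary logs and summary log rules; suggest "Create or update a summary log rule." and "Get a summary log rule." Several operations in the same table also appear twice differing only in the casing of the provider name (`restoreLogs/write`, `rules/read`, `savedsearches/results/read`, `scopedprivatelinkproxies/*`, `search/read`, `searchJobs/write`, `tables/*`, `views/*`), and the two `rules/read` rows carry different descriptions ("Get alert rule." vs "Get all alert rules."), so a reader cannot tell whether these are distinct operations; either deduplicate or state in the article intro that the list is emitted as the provider reports it. Finally, `workspaces/sharedkeys/read` retrieves the keys agents use to connect to the workspace, so it deserves a callout that this read action grants credential access and should not be bundled into read-only custom roles.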
role-based-access-control | Networking | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/networking.md | + + Title: Azure permissions for Networking - Azure RBAC +description: Lists the permissions for the Azure resource providers in the Networking category. +++++ Last updated : 02/07/2024++++# Azure permissions for Networking ++This article lists the permissions for the Azure resource providers in the Networking category. You can use these permissions in your own [Azure custom roles](/azure/role-based-access-control/custom-roles) to provide granular access control to resources in Azure. Permission strings have the following format: `{Company}.{ProviderName}/{resourceType}/{action}` +++## Microsoft.Cdn ++Azure service: [Content Delivery Network](/azure/cdn/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Cdn/register/action | Registers the subscription for the CDN resource provider and enables the creation of CDN profiles. | +> | Microsoft.Cdn/unregister/action | UnRegisters the subscription for the CDN resource provider. 
| +> | Microsoft.Cdn/CheckNameAvailability/action | | +> | Microsoft.Cdn/ValidateProbe/action | | +> | Microsoft.Cdn/CheckResourceUsage/action | | +> | Microsoft.Cdn/ValidateSecret/action | | +> | Microsoft.Cdn/cdnwebapplicationfirewallmanagedrulesets/read | | +> | Microsoft.Cdn/cdnwebapplicationfirewallmanagedrulesets/write | | +> | Microsoft.Cdn/cdnwebapplicationfirewallmanagedrulesets/delete | | +> | Microsoft.Cdn/cdnwebapplicationfirewallpolicies/read | | +> | Microsoft.Cdn/cdnwebapplicationfirewallpolicies/write | | +> | Microsoft.Cdn/cdnwebapplicationfirewallpolicies/delete | | +> | Microsoft.Cdn/cdnwebapplicationfirewallpolicies/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic settings for the resource | +> | Microsoft.Cdn/cdnwebapplicationfirewallpolicies/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic settings for the resource | +> | Microsoft.Cdn/cdnwebapplicationfirewallpolicies/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for Microsoft.Cdn/cdnwebapplicationfirewallpolicies | +> | Microsoft.Cdn/cdnwebapplicationfirewallpolicies/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Microsoft.Cdn | +> | Microsoft.Cdn/edgenodes/read | | +> | Microsoft.Cdn/edgenodes/write | | +> | Microsoft.Cdn/edgenodes/delete | | +> | Microsoft.Cdn/operationresults/read | | +> | Microsoft.Cdn/operationresults/write | | +> | Microsoft.Cdn/operationresults/delete | | +> | Microsoft.Cdn/operationresults/cdnwebapplicationfirewallpolicyresults/read | | +> | Microsoft.Cdn/operationresults/cdnwebapplicationfirewallpolicyresults/write | | +> | Microsoft.Cdn/operationresults/cdnwebapplicationfirewallpolicyresults/delete | | +> | Microsoft.Cdn/operationresults/profileresults/read | | +> | Microsoft.Cdn/operationresults/profileresults/write | | +> | Microsoft.Cdn/operationresults/profileresults/delete | | +> | 
Microsoft.Cdn/operationresults/profileresults/CheckResourceUsage/action | | +> | Microsoft.Cdn/operationresults/profileresults/GenerateSsoUri/action | | +> | Microsoft.Cdn/operationresults/profileresults/GetSupportedOptimizationTypes/action | | +> | Microsoft.Cdn/operationresults/profileresults/CheckHostNameAvailability/action | | +> | Microsoft.Cdn/operationresults/profileresults/Usages/action | | +> | Microsoft.Cdn/operationresults/profileresults/Upgrade/action | | +> | Microsoft.Cdn/operationresults/profileresults/afdendpointresults/read | | +> | Microsoft.Cdn/operationresults/profileresults/afdendpointresults/write | | +> | Microsoft.Cdn/operationresults/profileresults/afdendpointresults/delete | | +> | Microsoft.Cdn/operationresults/profileresults/afdendpointresults/Purge/action | | +> | Microsoft.Cdn/operationresults/profileresults/afdendpointresults/Usages/action | | +> | Microsoft.Cdn/operationresults/profileresults/afdendpointresults/ValidateCustomDomain/action | | +> | Microsoft.Cdn/operationresults/profileresults/afdendpointresults/CheckCustomDomainDNSMappingStatus/action | | +> | Microsoft.Cdn/operationresults/profileresults/afdendpointresults/CheckEndpointNameAvailability/action | | +> | Microsoft.Cdn/operationresults/profileresults/afdendpointresults/routeresults/read | | +> | Microsoft.Cdn/operationresults/profileresults/afdendpointresults/routeresults/write | | +> | Microsoft.Cdn/operationresults/profileresults/afdendpointresults/routeresults/delete | | +> | Microsoft.Cdn/operationresults/profileresults/customdomainresults/read | | +> | Microsoft.Cdn/operationresults/profileresults/customdomainresults/write | | +> | Microsoft.Cdn/operationresults/profileresults/customdomainresults/delete | | +> | Microsoft.Cdn/operationresults/profileresults/customdomainresults/RefreshValidationToken/action | | +> | Microsoft.Cdn/operationresults/profileresults/endpointresults/read | | +> | Microsoft.Cdn/operationresults/profileresults/endpointresults/write | | +> | 
Microsoft.Cdn/operationresults/profileresults/endpointresults/delete | | +> | Microsoft.Cdn/operationresults/profileresults/endpointresults/CheckResourceUsage/action | | +> | Microsoft.Cdn/operationresults/profileresults/endpointresults/Start/action | | +> | Microsoft.Cdn/operationresults/profileresults/endpointresults/Stop/action | | +> | Microsoft.Cdn/operationresults/profileresults/endpointresults/Purge/action | | +> | Microsoft.Cdn/operationresults/profileresults/endpointresults/Load/action | | +> | Microsoft.Cdn/operationresults/profileresults/endpointresults/ValidateCustomDomain/action | | +> | Microsoft.Cdn/operationresults/profileresults/endpointresults/customdomainresults/read | | +> | Microsoft.Cdn/operationresults/profileresults/endpointresults/customdomainresults/write | | +> | Microsoft.Cdn/operationresults/profileresults/endpointresults/customdomainresults/delete | | +> | Microsoft.Cdn/operationresults/profileresults/endpointresults/customdomainresults/DisableCustomHttps/action | | +> | Microsoft.Cdn/operationresults/profileresults/endpointresults/customdomainresults/EnableCustomHttps/action | | +> | Microsoft.Cdn/operationresults/profileresults/endpointresults/origingroupresults/read | | +> | Microsoft.Cdn/operationresults/profileresults/endpointresults/origingroupresults/write | | +> | Microsoft.Cdn/operationresults/profileresults/endpointresults/origingroupresults/delete | | +> | Microsoft.Cdn/operationresults/profileresults/endpointresults/originresults/read | | +> | Microsoft.Cdn/operationresults/profileresults/endpointresults/originresults/write | | +> | Microsoft.Cdn/operationresults/profileresults/endpointresults/originresults/delete | | +> | Microsoft.Cdn/operationresults/profileresults/origingroupresults/read | | +> | Microsoft.Cdn/operationresults/profileresults/origingroupresults/write | | +> | Microsoft.Cdn/operationresults/profileresults/origingroupresults/delete | | +> | 
Microsoft.Cdn/operationresults/profileresults/origingroupresults/Usages/action | | +> | Microsoft.Cdn/operationresults/profileresults/origingroupresults/originresults/read | | +> | Microsoft.Cdn/operationresults/profileresults/origingroupresults/originresults/write | | +> | Microsoft.Cdn/operationresults/profileresults/origingroupresults/originresults/delete | | +> | Microsoft.Cdn/operationresults/profileresults/rulesetresults/read | | +> | Microsoft.Cdn/operationresults/profileresults/rulesetresults/write | | +> | Microsoft.Cdn/operationresults/profileresults/rulesetresults/delete | | +> | Microsoft.Cdn/operationresults/profileresults/rulesetresults/Usages/action | | +> | Microsoft.Cdn/operationresults/profileresults/rulesetresults/ruleresults/read | | +> | Microsoft.Cdn/operationresults/profileresults/rulesetresults/ruleresults/write | | +> | Microsoft.Cdn/operationresults/profileresults/rulesetresults/ruleresults/delete | | +> | Microsoft.Cdn/operationresults/profileresults/secretresults/read | | +> | Microsoft.Cdn/operationresults/profileresults/secretresults/write | | +> | Microsoft.Cdn/operationresults/profileresults/secretresults/delete | | +> | Microsoft.Cdn/operationresults/profileresults/securitypolicyresults/read | | +> | Microsoft.Cdn/operationresults/profileresults/securitypolicyresults/write | | +> | Microsoft.Cdn/operationresults/profileresults/securitypolicyresults/delete | | +> | Microsoft.Cdn/operations/read | | +> | Microsoft.Cdn/profiles/read | | +> | Microsoft.Cdn/profiles/write | | +> | Microsoft.Cdn/profiles/delete | | +> | Microsoft.Cdn/profiles/CheckResourceUsage/action | | +> | Microsoft.Cdn/profiles/GenerateSsoUri/action | | +> | Microsoft.Cdn/profiles/GetSupportedOptimizationTypes/action | | +> | Microsoft.Cdn/profiles/CheckHostNameAvailability/action | | +> | Microsoft.Cdn/profiles/Usages/action | | +> | Microsoft.Cdn/profiles/Upgrade/action | | +> | Microsoft.Cdn/profiles/queryloganalyticsmetrics/action | | +> | 
Microsoft.Cdn/profiles/queryloganalyticsrankings/action | | +> | Microsoft.Cdn/profiles/querywafloganalyticsmetrics/action | | +> | Microsoft.Cdn/profiles/querywafloganalyticsrankings/action | | +> | Microsoft.Cdn/profiles/afdendpoints/read | | +> | Microsoft.Cdn/profiles/afdendpoints/write | | +> | Microsoft.Cdn/profiles/afdendpoints/delete | | +> | Microsoft.Cdn/profiles/afdendpoints/Purge/action | | +> | Microsoft.Cdn/profiles/afdendpoints/Usages/action | | +> | Microsoft.Cdn/profiles/afdendpoints/ValidateCustomDomain/action | | +> | Microsoft.Cdn/profiles/afdendpoints/CheckCustomDomainDNSMappingStatus/action | | +> | Microsoft.Cdn/profiles/afdendpoints/CheckEndpointNameAvailability/action | | +> | Microsoft.Cdn/profiles/afdendpoints/routes/read | | +> | Microsoft.Cdn/profiles/afdendpoints/routes/write | | +> | Microsoft.Cdn/profiles/afdendpoints/routes/delete | | +> | Microsoft.Cdn/profiles/customdomains/read | | +> | Microsoft.Cdn/profiles/customdomains/write | | +> | Microsoft.Cdn/profiles/customdomains/delete | | +> | Microsoft.Cdn/profiles/customdomains/RefreshValidationToken/action | | +> | Microsoft.Cdn/profiles/endpoints/read | | +> | Microsoft.Cdn/profiles/endpoints/write | | +> | Microsoft.Cdn/profiles/endpoints/delete | | +> | Microsoft.Cdn/profiles/endpoints/CheckResourceUsage/action | | +> | Microsoft.Cdn/profiles/endpoints/Start/action | | +> | Microsoft.Cdn/profiles/endpoints/Stop/action | | +> | Microsoft.Cdn/profiles/endpoints/Purge/action | | +> | Microsoft.Cdn/profiles/endpoints/Load/action | | +> | Microsoft.Cdn/profiles/endpoints/ValidateCustomDomain/action | | +> | Microsoft.Cdn/profiles/endpoints/customdomains/read | | +> | Microsoft.Cdn/profiles/endpoints/customdomains/write | | +> | Microsoft.Cdn/profiles/endpoints/customdomains/delete | | +> | Microsoft.Cdn/profiles/endpoints/customdomains/DisableCustomHttps/action | | +> | Microsoft.Cdn/profiles/endpoints/customdomains/EnableCustomHttps/action | | +> | 
Microsoft.Cdn/profiles/endpoints/origingroups/read | | +> | Microsoft.Cdn/profiles/endpoints/origingroups/write | | +> | Microsoft.Cdn/profiles/endpoints/origingroups/delete | | +> | Microsoft.Cdn/profiles/endpoints/origins/read | | +> | Microsoft.Cdn/profiles/endpoints/origins/write | | +> | Microsoft.Cdn/profiles/endpoints/origins/delete | | +> | Microsoft.Cdn/profiles/endpoints/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic settings for the resource | +> | Microsoft.Cdn/profiles/endpoints/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic settings for the resource | +> | Microsoft.Cdn/profiles/endpoints/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for Microsoft.Cdn/profiles/endpoints | +> | Microsoft.Cdn/profiles/getloganalyticslocations/read | | +> | Microsoft.Cdn/profiles/getloganalyticsmetrics/read | | +> | Microsoft.Cdn/profiles/getloganalyticsrankings/read | | +> | Microsoft.Cdn/profiles/getloganalyticsresources/read | | +> | Microsoft.Cdn/profiles/getwafloganalyticsmetrics/read | | +> | Microsoft.Cdn/profiles/getwafloganalyticsrankings/read | | +> | Microsoft.Cdn/profiles/origingroups/read | | +> | Microsoft.Cdn/profiles/origingroups/write | | +> | Microsoft.Cdn/profiles/origingroups/delete | | +> | Microsoft.Cdn/profiles/origingroups/Usages/action | | +> | Microsoft.Cdn/profiles/origingroups/origins/read | | +> | Microsoft.Cdn/profiles/origingroups/origins/write | | +> | Microsoft.Cdn/profiles/origingroups/origins/delete | | +> | Microsoft.Cdn/profiles/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic settings for the resource | +> | Microsoft.Cdn/profiles/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic settings for the resource | +> | Microsoft.Cdn/profiles/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for Microsoft.Cdn/profiles | +> | 
Microsoft.Cdn/profiles/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Microsoft.Cdn | +> | Microsoft.Cdn/profiles/rulesets/read | | +> | Microsoft.Cdn/profiles/rulesets/write | | +> | Microsoft.Cdn/profiles/rulesets/delete | | +> | Microsoft.Cdn/profiles/rulesets/Usages/action | | +> | Microsoft.Cdn/profiles/rulesets/rules/read | | +> | Microsoft.Cdn/profiles/rulesets/rules/write | | +> | Microsoft.Cdn/profiles/rulesets/rules/delete | | +> | Microsoft.Cdn/profiles/secrets/read | | +> | Microsoft.Cdn/profiles/secrets/write | | +> | Microsoft.Cdn/profiles/secrets/delete | | +> | Microsoft.Cdn/profiles/securitypolicies/read | | +> | Microsoft.Cdn/profiles/securitypolicies/write | | +> | Microsoft.Cdn/profiles/securitypolicies/delete | | ++## Microsoft.ClassicNetwork ++Azure service: Classic deployment model virtual network ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.ClassicNetwork/register/action | Register to Classic Network | +> | Microsoft.ClassicNetwork/expressroutecrossconnections/read | Get express route cross connections. | +> | Microsoft.ClassicNetwork/expressroutecrossconnections/write | Add express route cross connections. | +> | Microsoft.ClassicNetwork/expressroutecrossconnections/operationstatuses/read | Get an express route cross connection operation status. | +> | Microsoft.ClassicNetwork/expressroutecrossconnections/peerings/read | Get express route cross connection peering. | +> | Microsoft.ClassicNetwork/expressroutecrossconnections/peerings/write | Add express route cross connection peering. | +> | Microsoft.ClassicNetwork/expressroutecrossconnections/peerings/delete | Delete express route cross connection peering. | +> | Microsoft.ClassicNetwork/expressroutecrossconnections/peerings/operationstatuses/read | Get an express route cross connection peering operation status. 
| +> | Microsoft.ClassicNetwork/gatewaySupportedDevices/read | Retrieves the list of supported devices. | +> | Microsoft.ClassicNetwork/networkSecurityGroups/read | Gets the network security group. | +> | Microsoft.ClassicNetwork/networkSecurityGroups/write | Adds a new network security group. | +> | Microsoft.ClassicNetwork/networkSecurityGroups/delete | Deletes the network security group. | +> | Microsoft.ClassicNetwork/networkSecurityGroups/operationStatuses/read | Reads the operation status for the network security group. | +> | Microsoft.ClassicNetwork/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/read | Gets the Network Security Groups Diagnostic Settings | +> | Microsoft.ClassicNetwork/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the Network Security Groups diagnostic settings, this operation is supplemented by insights resource provider. | +> | Microsoft.ClassicNetwork/networksecuritygroups/providers/Microsoft.Insights/logDefinitions/read | Gets the events for network security group | +> | Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/read | Gets the security rule. | +> | Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write | Adds or update a security rule. | +> | Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete | Deletes the security rule. | +> | Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/operationStatuses/read | Reads the operation status for the network security group security rules. | +> | Microsoft.ClassicNetwork/operations/read | Get classic network operations. | +> | Microsoft.ClassicNetwork/quotas/read | Get the quota for the subscription. | +> | Microsoft.ClassicNetwork/reservedIps/read | Gets the reserved Ips | +> | Microsoft.ClassicNetwork/reservedIps/write | Add a new reserved Ip | +> | Microsoft.ClassicNetwork/reservedIps/delete | Delete a reserved Ip. 
| +> | Microsoft.ClassicNetwork/reservedIps/link/action | Link a reserved Ip | +> | Microsoft.ClassicNetwork/reservedIps/join/action | Join a reserved Ip | +> | Microsoft.ClassicNetwork/reservedIps/operationStatuses/read | Reads the operation status for the reserved ips. | +> | Microsoft.ClassicNetwork/virtualNetworks/read | Get the virtual network. | +> | Microsoft.ClassicNetwork/virtualNetworks/write | Add a new virtual network. | +> | Microsoft.ClassicNetwork/virtualNetworks/delete | Deletes the virtual network. | +> | Microsoft.ClassicNetwork/virtualNetworks/peer/action | Peers a virtual network with another virtual network. | +> | Microsoft.ClassicNetwork/virtualNetworks/join/action | Joins the virtual network. | +> | Microsoft.ClassicNetwork/virtualNetworks/checkIPAddressAvailability/action | Checks the availability of a given IP address in a virtual network. | +> | Microsoft.ClassicNetwork/virtualNetworks/validateMigration/action | Validates the migration of a Virtual Network | +> | Microsoft.ClassicNetwork/virtualNetworks/prepareMigration/action | Prepares the migration of a Virtual Network | +> | Microsoft.ClassicNetwork/virtualNetworks/commitMigration/action | Commits the migration of a Virtual Network | +> | Microsoft.ClassicNetwork/virtualNetworks/abortMigration/action | Aborts the migration of a Virtual Network | +> | Microsoft.ClassicNetwork/virtualNetworks/capabilities/read | Shows the capabilities | +> | Microsoft.ClassicNetwork/virtualNetworks/gateways/read | Gets the virtual network gateways. | +> | Microsoft.ClassicNetwork/virtualNetworks/gateways/write | Adds a virtual network gateway. | +> | Microsoft.ClassicNetwork/virtualNetworks/gateways/delete | Deletes the virtual network gateway. | +> | Microsoft.ClassicNetwork/virtualNetworks/gateways/startDiagnostics/action | Starts diagnostic for the virtual network gateway. 
| +> | Microsoft.ClassicNetwork/virtualNetworks/gateways/stopDiagnostics/action | Stops the diagnostic for the virtual network gateway. | +> | Microsoft.ClassicNetwork/virtualNetworks/gateways/downloadDiagnostics/action | Downloads the gateway diagnostics. | +> | Microsoft.ClassicNetwork/virtualNetworks/gateways/listCircuitServiceKey/action | Retrieves the circuit service key. | +> | Microsoft.ClassicNetwork/virtualNetworks/gateways/downloadDeviceConfigurationScript/action | Downloads the device configuration script. | +> | Microsoft.ClassicNetwork/virtualNetworks/gateways/listPackage/action | Lists the virtual network gateway package. | +> | Microsoft.ClassicNetwork/virtualNetworks/gateways/clientRevokedCertificates/read | Read the revoked client certificates. | +> | Microsoft.ClassicNetwork/virtualNetworks/gateways/clientRevokedCertificates/write | Revokes a client certificate. | +> | Microsoft.ClassicNetwork/virtualNetworks/gateways/clientRevokedCertificates/delete | Unrevokes a client certificate. | +> | Microsoft.ClassicNetwork/virtualNetworks/gateways/clientRootCertificates/read | Find the client root certificates. | +> | Microsoft.ClassicNetwork/virtualNetworks/gateways/clientRootCertificates/write | Uploads a new client root certificate. | +> | Microsoft.ClassicNetwork/virtualNetworks/gateways/clientRootCertificates/delete | Deletes the virtual network gateway client certificate. | +> | Microsoft.ClassicNetwork/virtualNetworks/gateways/clientRootCertificates/download/action | Downloads certificate by thumbprint. | +> | Microsoft.ClassicNetwork/virtualNetworks/gateways/clientRootCertificates/listPackage/action | Lists the virtual network gateway certificate package. | +> | Microsoft.ClassicNetwork/virtualNetworks/gateways/connections/read | Retrieves the list of connections. | +> | Microsoft.ClassicNetwork/virtualNetworks/gateways/connections/connect/action | Connects a site to site gateway connection. 
| +> | Microsoft.ClassicNetwork/virtualNetworks/gateways/connections/disconnect/action | Disconnects a site to site gateway connection. | +> | Microsoft.ClassicNetwork/virtualNetworks/gateways/connections/test/action | Tests a site to site gateway connection. | +> | Microsoft.ClassicNetwork/virtualNetworks/gateways/operationStatuses/read | Reads the operation status for the virtual networks gateways. | +> | Microsoft.ClassicNetwork/virtualNetworks/gateways/packages/read | Gets the virtual network gateway package. | +> | Microsoft.ClassicNetwork/virtualNetworks/operationStatuses/read | Reads the operation status for the virtual networks. | +> | Microsoft.ClassicNetwork/virtualNetworks/remoteVirtualNetworkPeeringProxies/read | Gets the remote virtual network peering proxy. | +> | Microsoft.ClassicNetwork/virtualNetworks/remoteVirtualNetworkPeeringProxies/write | Adds or updates the remote virtual network peering proxy. | +> | Microsoft.ClassicNetwork/virtualNetworks/remoteVirtualNetworkPeeringProxies/delete | Deletes the remote virtual network peering proxy. | +> | Microsoft.ClassicNetwork/virtualNetworks/subnets/associatedNetworkSecurityGroups/read | Gets the network security group associated with the subnet. | +> | Microsoft.ClassicNetwork/virtualNetworks/subnets/associatedNetworkSecurityGroups/write | Adds a network security group associated with the subnet. | +> | Microsoft.ClassicNetwork/virtualNetworks/subnets/associatedNetworkSecurityGroups/delete | Deletes the network security group associated with the subnet. | +> | Microsoft.ClassicNetwork/virtualNetworks/subnets/associatedNetworkSecurityGroups/operationStatuses/read | Reads the operation status for the virtual network subnet associated network security group. | +> | Microsoft.ClassicNetwork/virtualNetworks/virtualNetworkPeerings/read | Gets the virtual network peering. 
| ++## Microsoft.MobileNetwork ++Azure service: [Mobile networks](/azure/private-5g-core/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.MobileNetwork/register/action | Register the subscription for Microsoft.MobileNetwork | +> | Microsoft.MobileNetwork/unregister/action | Unregister the subscription for Microsoft.MobileNetwork | +> | Microsoft.MobileNetwork/Locations/OperationStatuses/read | read OperationStatuses | +> | Microsoft.MobileNetwork/Locations/OperationStatuses/write | write OperationStatuses | +> | Microsoft.MobileNetwork/mobileNetworks/read | Gets information about the specified mobile network. | +> | Microsoft.MobileNetwork/mobileNetworks/write | Creates or updates a mobile network. | +> | Microsoft.MobileNetwork/mobileNetworks/delete | Deletes the specified mobile network. | +> | Microsoft.MobileNetwork/mobileNetworks/write | Updates mobile network tags. | +> | Microsoft.MobileNetwork/mobileNetworks/read | Lists all the mobile networks in a subscription. | +> | Microsoft.MobileNetwork/mobileNetworks/read | Lists all the mobile networks in a resource group. | +> | Microsoft.MobileNetwork/mobileNetworks/dataNetworks/read | Gets information about the specified data network. | +> | Microsoft.MobileNetwork/mobileNetworks/dataNetworks/write | Creates or updates a data network. Must be created in the same location as its parent mobile network. | +> | Microsoft.MobileNetwork/mobileNetworks/dataNetworks/delete | Deletes the specified data network. | +> | Microsoft.MobileNetwork/mobileNetworks/dataNetworks/write | Updates data network tags. | +> | Microsoft.MobileNetwork/mobileNetworks/dataNetworks/read | Lists all data networks in the mobile network. | +> | Microsoft.MobileNetwork/mobileNetworks/edgeNetworkSecurityGroups/read | Gets information about the specified Edge Network Security Group. | +> | Microsoft.MobileNetwork/mobileNetworks/edgeNetworkSecurityGroups/write | Creates or updates a Edge Network Security Group. 
Must be created in the same location as its parent mobile network. | +> | Microsoft.MobileNetwork/mobileNetworks/edgeNetworkSecurityGroups/delete | Deletes the specified Edge Network Security Group. | +> | Microsoft.MobileNetwork/mobileNetworks/edgeNetworkSecurityGroups/write | Updates Edge Network Security Group. | +> | Microsoft.MobileNetwork/mobileNetworks/edgeNetworkSecurityGroups/read | Lists all Edge Network Security Groups in the mobile network. | +> | Microsoft.MobileNetwork/mobileNetworks/services/read | Gets information about the specified service. | +> | Microsoft.MobileNetwork/mobileNetworks/services/write | Creates or updates a service. Must be created in the same location as its parent mobile network. | +> | Microsoft.MobileNetwork/mobileNetworks/services/delete | Deletes the specified service. | +> | Microsoft.MobileNetwork/mobileNetworks/services/write | Updates service tags. | +> | Microsoft.MobileNetwork/mobileNetworks/services/read | Gets all the services in a mobile network. | +> | Microsoft.MobileNetwork/mobileNetworks/simPolicies/read | Gets information about the specified SIM policy. | +> | Microsoft.MobileNetwork/mobileNetworks/simPolicies/write | Creates or updates a SIM policy. Must be created in the same location as its parent mobile network. | +> | Microsoft.MobileNetwork/mobileNetworks/simPolicies/delete | Deletes the specified SIM policy. | +> | Microsoft.MobileNetwork/mobileNetworks/simPolicies/write | Updates SIM policy tags. | +> | Microsoft.MobileNetwork/mobileNetworks/simPolicies/read | Gets all the SIM policies in a mobile network. | +> | Microsoft.MobileNetwork/mobileNetworks/sites/deletePacketCore/action | Deletes a packet core under the specified mobile network site. | +> | Microsoft.MobileNetwork/mobileNetworks/sites/read | Gets information about the specified mobile network site. | +> | Microsoft.MobileNetwork/mobileNetworks/sites/write | Creates or updates a mobile network site. 
Must be created in the same location as its parent mobile network. | +> | Microsoft.MobileNetwork/mobileNetworks/sites/delete | Deletes the specified mobile network site. This will also delete any network functions that are a part of this site. | +> | Microsoft.MobileNetwork/mobileNetworks/sites/write | Updates site tags. | +> | Microsoft.MobileNetwork/mobileNetworks/sites/read | Lists all sites in the mobile network. | +> | Microsoft.MobileNetwork/mobileNetworks/slices/read | Gets information about the specified network slice. | +> | Microsoft.MobileNetwork/mobileNetworks/slices/write | Creates or updates a network slice. Must be created in the same location as its parent mobile network. | +> | Microsoft.MobileNetwork/mobileNetworks/slices/delete | Deletes the specified network slice. | +> | Microsoft.MobileNetwork/mobileNetworks/slices/write | Updates slice tags. | +> | Microsoft.MobileNetwork/mobileNetworks/slices/read | Lists all slices in the mobile network. | +> | Microsoft.MobileNetwork/mobileNetworks/wifiSsids/read | Gets information about the specified Wi-Fi SSID. | +> | Microsoft.MobileNetwork/mobileNetworks/wifiSsids/write | Creates or updates a Wi-Fi SSID. Must be created in the same location as its parent mobile network. | +> | Microsoft.MobileNetwork/mobileNetworks/wifiSsids/delete | Deletes the specified Wi-Fi SSID. | +> | Microsoft.MobileNetwork/mobileNetworks/wifiSsids/write | Updates Wi-Fi SSID. | +> | Microsoft.MobileNetwork/mobileNetworks/wifiSsids/read | Lists all Wi-Fi SSIDs in the mobile network. | +> | Microsoft.MobileNetwork/Operations/read | read Operations | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/rollback/action | Roll back the specified packet core control plane to the previous version, "rollbackVersion". Multiple consecutive rollbacks are not possible. This action may cause a service outage. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/reinstall/action | Reinstall the specified packet core control plane. 
This action will remove any transaction state from the packet core to return it to a known state. This action will cause a service outage. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/collectDiagnosticsPackage/action | Collect a diagnostics package for the specified packet core control plane. This action will upload the diagnostics to a storage account. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/read | Gets information about the specified packet core control plane. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/write | Creates or updates a packet core control plane. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/delete | Deletes the specified packet core control plane. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/write | Patch packet core control plane resource. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/read | Lists all the packet core control planes in a subscription. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/read | Lists all the packet core control planes in a resource group. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCaptures/stop/action | Stop a packet capture session. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCaptures/read | Gets information about the specified packet capture session. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCaptures/write | Creates or updates a packet capture. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCaptures/delete | Deletes the specified packet capture. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCaptures/read | Lists all the packet capture sessions under a packet core control plane. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes/read | Gets information about the specified packet core data plane. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes/write | Creates or updates a packet core data plane. 
Must be created in the same location as its parent packet core control plane. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes/delete | Deletes the specified packet core data plane. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes/write | Updates packet core data planes tags. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes/read | Lists all the packet core data planes associated with a packet core control plane. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes/attachedDataNetworks/read | Gets information about the specified attached data network. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes/attachedDataNetworks/write | Creates or updates an attached data network. Must be created in the same location as its parent packet core data plane. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes/attachedDataNetworks/delete | Deletes the specified attached data network. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes/attachedDataNetworks/write | Updates an attached data network tags. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes/attachedDataNetworks/read | Gets all the attached data networks associated with a packet core data plane. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes/attachedWifiSsids/read | Gets information about the specified Wi-Fi Attached SSID. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes/attachedWifiSsids/write | Creates or updates an Wi-Fi Attached SSID. Must be created in the same location as its parent packet core data plane. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes/attachedWifiSsids/delete | Deletes the specified Wi-Fi Attached SSID. 
| +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes/attachedWifiSsids/write | Updates an Wi-Fi Attached SSID. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes/attachedWifiSsids/read | Gets all the Wi-Fi Attached SSIDs associated with a packet core data plane. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes/edgeVirtualNetworks/read | Gets information about the specified Edge Virtual Network. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes/edgeVirtualNetworks/write | Creates or updates an Edge Virtual Network . | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes/edgeVirtualNetworks/delete | Deletes the specified Edge Virtual Network. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes/edgeVirtualNetworks/write | Update Edge Virtual Network resource. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes/edgeVirtualNetworks/read | Lists all the Edge Virtual Networks in a resource group. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/routingInfo/read | List all of the routing information for the packet core. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/routingInfo/read | Get the routing information for the packet core. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/ues/read | List all UEs and their state in a packet core. | +> | Microsoft.MobileNetwork/packetCoreControlPlanes/ues/extendedInformation/read | Gets extended information about the specified UE from the packet core. | +> | Microsoft.MobileNetwork/packetCoreControlPlaneVersions/read | Gets information about the specified packet core control plane version. | +> | Microsoft.MobileNetwork/packetCoreControlPlaneVersions/read | Lists all supported packet core control planes versions. 
| +> | Microsoft.MobileNetwork/packetCoreControlPlaneVersions/read | Gets information about the specified packet core control plane version. | +> | Microsoft.MobileNetwork/packetCoreControlPlaneVersions/read | Lists all supported packet core control planes versions. | +> | Microsoft.MobileNetwork/radioAccessNetworks/read | Gets information about the specified radio access network. | +> | Microsoft.MobileNetwork/radioAccessNetworks/write | Creates or updates a radio access network. | +> | Microsoft.MobileNetwork/radioAccessNetworks/delete | Deletes the specified radio access network. | +> | Microsoft.MobileNetwork/radioAccessNetworks/write | Updates a radio access network. | +> | Microsoft.MobileNetwork/radioAccessNetworks/read | Gets all the radio access networks in a subscription. | +> | Microsoft.MobileNetwork/radioAccessNetworks/read | Gets all the radio access networks in a resource group. | +> | Microsoft.MobileNetwork/simGroups/uploadSims/action | Bulk upload SIMs to a SIM group. | +> | Microsoft.MobileNetwork/simGroups/deleteSims/action | Bulk delete SIMs from a SIM group. | +> | Microsoft.MobileNetwork/simGroups/uploadEncryptedSims/action | Bulk upload SIMs in encrypted form to a SIM group. The SIM credentials must be encrypted. | +> | Microsoft.MobileNetwork/simGroups/read | Gets information about the specified SIM group. | +> | Microsoft.MobileNetwork/simGroups/write | Creates or updates a SIM group. | +> | Microsoft.MobileNetwork/simGroups/delete | Deletes the specified SIM group. | +> | Microsoft.MobileNetwork/simGroups/write | Patch SIM group resource. | +> | Microsoft.MobileNetwork/simGroups/read | Gets all the SIM groups in a subscription. | +> | Microsoft.MobileNetwork/simGroups/read | Gets all the SIM groups in a resource group. | +> | Microsoft.MobileNetwork/simGroups/sims/read | Gets information about the specified SIM. | +> | Microsoft.MobileNetwork/simGroups/sims/write | Creates or updates a SIM. 
| +> | Microsoft.MobileNetwork/simGroups/sims/delete | Deletes the specified SIM. | +> | Microsoft.MobileNetwork/simGroups/sims/read | Gets all the SIMs in a SIM group. | +> | Microsoft.MobileNetwork/sims/read | Gets information about the specified SIM. | +> | Microsoft.MobileNetwork/sims/write | Creates or updates a SIM. | +> | Microsoft.MobileNetwork/sims/delete | Deletes the specified SIM. | +> | Microsoft.MobileNetwork/sims/write | Updates SIM tags. | +> | Microsoft.MobileNetwork/sims/read | Gets all the SIMs in a subscription. | +> | Microsoft.MobileNetwork/sims/read | Gets all the SIMs in a resource group. | ++## Microsoft.Network ++Azure service: [Application Gateway](/azure/application-gateway/), [Azure Bastion](/azure/bastion/), [Azure DDoS Protection](/azure/ddos-protection/ddos-protection-overview), [Azure DNS](/azure/dns/), [Azure ExpressRoute](/azure/expressroute/), [Azure Firewall](/azure/firewall/), [Azure Front Door Service](/azure/frontdoor/), [Azure Private Link](/azure/private-link/), [Load Balancer](/azure/load-balancer/), [Network Watcher](/azure/network-watcher/), [Traffic Manager](/azure/traffic-manager/), [Virtual Network](/azure/virtual-network/), [Virtual WAN](/azure/virtual-wan/), [VPN Gateway](/azure/vpn-gateway/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Network/register/action | Registers the subscription | +> | Microsoft.Network/unregister/action | Unregisters the subscription | +> | Microsoft.Network/checkTrafficManagerNameAvailability/action | Checks the availability of a Traffic Manager Relative DNS name. 
| +> | Microsoft.Network/internalNotify/action | DNS alias resource notification | +> | Microsoft.Network/getDnsResourceReference/action | DNS alias resource dependency request | +> | Microsoft.Network/queryExpressRoutePortsBandwidth/action | Queries ExpressRoute Ports Bandwidth | +> | Microsoft.Network/checkFrontDoorNameAvailability/action | Checks whether a Front Door name is available | +> | Microsoft.Network/privateDnsZonesInternal/action | Executes Private DNS Zones Internal APIs | +> | Microsoft.Network/applicationGatewayAvailableRequestHeaders/read | Get Application Gateway available Request Headers | +> | Microsoft.Network/applicationGatewayAvailableResponseHeaders/read | Get Application Gateway available Response Header | +> | Microsoft.Network/applicationGatewayAvailableServerVariables/read | Get Application Gateway available Server Variables | +> | Microsoft.Network/applicationGatewayAvailableSslOptions/read | Application Gateway available Ssl Options | +> | Microsoft.Network/applicationGatewayAvailableSslOptions/predefinedPolicies/read | Application Gateway Ssl Predefined Policy | +> | Microsoft.Network/applicationGatewayAvailableWafRuleSets/read | Gets Application Gateway Available Waf Rule Sets | +> | Microsoft.Network/applicationGateways/read | Gets an application gateway | +> | Microsoft.Network/applicationGateways/write | Creates an application gateway or updates an application gateway | +> | Microsoft.Network/applicationGateways/delete | Deletes an application gateway | +> | Microsoft.Network/applicationGateways/backendhealth/action | Gets an application gateway backend health | +> | Microsoft.Network/applicationGateways/getBackendHealthOnDemand/action | Gets an application gateway backend health on demand for given http setting and backend pool | +> | Microsoft.Network/applicationGateways/getListenerCertificateMetadata/action | Gets an application gateway listener certificate metadata | +> | 
Microsoft.Network/applicationGateways/resolvePrivateLinkServiceId/action | Resolves privateLinkServiceId for application gateway private link resource | +> | Microsoft.Network/applicationGateways/start/action | Starts an application gateway | +> | Microsoft.Network/applicationGateways/stop/action | Stops an application gateway | +> | Microsoft.Network/applicationGateways/restart/action | Restarts an application gateway | +> | Microsoft.Network/applicationGateways/migrateV1ToV2/action | Migrate Application Gateway from v1 sku to v2 sku | +> | Microsoft.Network/applicationGateways/getMigrationStatus/action | Get Status Of Migrate Application Gateway From V1 sku To V2 sku | +> | Microsoft.Network/applicationGateways/setSecurityCenterConfiguration/action | Sets Application Gateway Security Center Configuration | +> | Microsoft.Network/applicationGateways/effectiveNetworkSecurityGroups/action | Get Route Table configured On Application Gateway | +> | Microsoft.Network/applicationGateways/effectiveRouteTable/action | Get Route Table configured On Application Gateway | +> | Microsoft.Network/applicationGateways/backendAddressPools/join/action | Joins an application gateway backend address pool. Not Alertable. 
| +> | Microsoft.Network/applicationGateways/privateEndpointConnections/read | Gets Application Gateway PrivateEndpoint Connections | +> | Microsoft.Network/applicationGateways/privateEndpointConnections/write | Updates Application Gateway PrivateEndpoint Connection | +> | Microsoft.Network/applicationGateways/privateEndpointConnections/delete | Deletes Application Gateway PrivateEndpoint Connection | +> | Microsoft.Network/applicationGateways/privateLinkConfigurations/read | Gets Application Gateway Private Link Configurations | +> | Microsoft.Network/applicationGateways/privateLinkResources/read | Gets ApplicationGateway PrivateLink Resources | +> | Microsoft.Network/applicationGateways/providers/Microsoft.Insights/logDefinitions/read | Gets the events for Application Gateway | +> | Microsoft.Network/applicationGateways/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Application Gateway | +> | Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/read | Gets an Application Gateway WAF policy | +> | Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/write | Creates an Application Gateway WAF policy or updates an Application Gateway WAF policy | +> | Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/delete | Deletes an Application Gateway WAF policy | +> | Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/attachWafPolicyToAgc/action | Attaches Web application firewall policy to application gateway for containers | +> | Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/detachWafPolicyFromAgc/action | Detaches Web application firewall policy from application gateway for containers | +> | Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action | Joins an IP Configuration to Application Security Groups. Not alertable. 
| +> | Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action | Joins a Security Rule to Application Security Groups. Not alertable. | +> | Microsoft.Network/applicationSecurityGroups/read | Gets an Application Security Group ID. | +> | Microsoft.Network/applicationSecurityGroups/write | Creates an Application Security Group, or updates an existing Application Security Group. | +> | Microsoft.Network/applicationSecurityGroups/delete | Deletes an Application Security Group | +> | Microsoft.Network/applicationSecurityGroups/listIpConfigurations/action | Lists IP Configurations in the ApplicationSecurityGroup | +> | Microsoft.Network/azureFirewallFqdnTags/read | Gets Azure Firewall FQDN Tags | +> | Microsoft.Network/azurefirewalls/read | Get Azure Firewall | +> | Microsoft.Network/azurefirewalls/write | Creates or updates an Azure Firewall | +> | Microsoft.Network/azurefirewalls/delete | Delete Azure Firewall | +> | Microsoft.Network/azurefirewalls/learnedIPPrefixes/action | Gets IP prefixes learned by Azure Firewall to not perform SNAT | +> | Microsoft.Network/azurefirewalls/packetCapture/action | AzureFirewallPacketCaptureOperation | +> | Microsoft.Network/azureFirewalls/applicationRuleCollections/read | Gets Azure Firewall ApplicationRuleCollection | +> | Microsoft.Network/azureFirewalls/applicationRuleCollections/write | CreatesOrUpdates Azure Firewall ApplicationRuleCollection | +> | Microsoft.Network/azureFirewalls/applicationRuleCollections/delete | Deletes Azure Firewall ApplicationRuleCollection | +> | Microsoft.Network/azureFirewalls/natRuleCollections/read | Gets Azure Firewall NatRuleCollection | +> | Microsoft.Network/azureFirewalls/natRuleCollections/write | CreatesOrUpdates Azure Firewall NatRuleCollection | +> | Microsoft.Network/azureFirewalls/natRuleCollections/delete | Deletes Azure Firewall NatRuleCollection | +> | Microsoft.Network/azureFirewalls/networkRuleCollections/read | Gets Azure Firewall NetworkRuleCollection | +> | 
Microsoft.Network/azureFirewalls/networkRuleCollections/write | CreatesOrUpdates Azure Firewall NetworkRuleCollection | +> | Microsoft.Network/azureFirewalls/networkRuleCollections/delete | Deletes Azure Firewall NetworkRuleCollection | +> | Microsoft.Network/azureFirewalls/providers/Microsoft.Insights/DiagnosticSettings/Read | Get the diagnostic settings of Azure Firewalls | +> | Microsoft.Network/azureFirewalls/providers/Microsoft.Insights/DiagnosticSettings/Write | Create or update the diagnostic settings of Azure Firewalls | +> | Microsoft.Network/azurefirewalls/providers/Microsoft.Insights/logDefinitions/read | Gets the events for Azure Firewall | +> | Microsoft.Network/azurefirewalls/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Azure Firewall | +> | Microsoft.Network/azureWebCategories/read | Gets Azure WebCategories | +> | Microsoft.Network/azureWebCategories/getwebcategory/action | Looks up WebCategory | +> | Microsoft.Network/azureWebCategories/classifyUnknown/action | Classifies Unknown WebCategory | +> | Microsoft.Network/azureWebCategories/reclassify/action | Reclassifies WebCategory | +> | Microsoft.Network/azureWebCategories/getMiscategorizationStatus/action | Gets Miscategorization Status | +> | Microsoft.Network/bastionHosts/read | Gets a Bastion Host | +> | Microsoft.Network/bastionHosts/write | Create or Update a Bastion Host | +> | Microsoft.Network/bastionHosts/delete | Deletes a Bastion Host | +> | Microsoft.Network/bastionHosts/getactivesessions/action | Get Active Sessions in the Bastion Host | +> | Microsoft.Network/bastionHosts/disconnectactivesessions/action | Disconnect given Active Sessions in the Bastion Host | +> | Microsoft.Network/bastionHosts/getShareableLinks/action | Returns the shareable urls for the specified VMs in a Bastion subnet provided their urls are created | +> | Microsoft.Network/bastionHosts/createShareableLinks/action | Creates shareable urls for the VMs under a bastion and 
returns the urls | +> | Microsoft.Network/bastionHosts/deleteShareableLinks/action | Deletes shareable urls for the provided VMs under a bastion | +> | Microsoft.Network/bastionHosts/deleteShareableLinksByToken/action | Deletes shareable urls for the provided tokens under a bastion | +> | Microsoft.Network/bastionHosts/setsessionrecordingsasurl/action | Sets SAS URL for BastionHost Session Recording Feature | +> | Microsoft.Network/bastionHosts/getsessionrecordingsasurl/action | Gets SAS URL for BastionHost Session Recording Feature | +> | Microsoft.Network/bastionHosts/getsessionrecordingsasurl/read | Gets SAS URL for BastionHost Session Recording Feature | +> | Microsoft.Network/bastionHosts/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.Network/bastionHosts/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.Network/bastionHosts/providers/Microsoft.Insights/logDefinitions/read | Gets the available audit logs for Bastion Host | +> | Microsoft.Network/bastionHosts/setsessionrecordingsasurl/read | Sets SAS URL for BastionHost Session Recording Feature | +> | Microsoft.Network/bgpServiceCommunities/read | Get Bgp Service Communities | +> | Microsoft.Network/connections/read | Gets VirtualNetworkGatewayConnection | +> | Microsoft.Network/connections/write | Creates or updates an existing VirtualNetworkGatewayConnection | +> | Microsoft.Network/connections/delete | Deletes VirtualNetworkGatewayConnection | +> | Microsoft.Network/connections/sharedkey/action | Get VirtualNetworkGatewayConnection SharedKey | +> | Microsoft.Network/connections/vpndeviceconfigurationscript/action | Gets Vpn Device Configuration of VirtualNetworkGatewayConnection | +> | Microsoft.Network/connections/revoke/action | Marks an Express Route Connection status as Revoked | +> | Microsoft.Network/connections/startpacketcapture/action | Starts a 
Virtual Network Gateway Connection Packet Capture. | +> | Microsoft.Network/connections/stoppacketcapture/action | Stops a Virtual Network Gateway Connection Packet Capture. | +> | Microsoft.Network/connections/getikesas/action | Lists IKE Security Associations for the connection | +> | Microsoft.Network/connections/resetconnection/action | Resets connection for VNG | +> | Microsoft.Network/connections/providers/Microsoft.Insights/diagnosticSettings/read | Gets diagnostic settings for Connections | +> | Microsoft.Network/connections/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates diagnostic settings for Connections | +> | Microsoft.Network/connections/providers/Microsoft.Insights/metricDefinitions/read | Gets the metric definitions for Connections | +> | Microsoft.Network/connections/sharedKey/read | Gets VirtualNetworkGatewayConnection SharedKey | +> | Microsoft.Network/connections/sharedKey/write | Creates or updates an existing VirtualNetworkGatewayConnection SharedKey | +> | Microsoft.Network/customIpPrefixes/read | Gets a Custom Ip Prefix Definition | +> | Microsoft.Network/customIpPrefixes/write | Creates A Custom Ip Prefix Or Updates An Existing Custom Ip Prefix | +> | Microsoft.Network/customIpPrefixes/delete | Deletes A Custom Ip Prefix | +> | Microsoft.Network/customIpPrefixes/join/action | Joins a CustomIpPrefix. Not alertable. 
| +> | Microsoft.Network/ddosCustomPolicies/read | Gets a DDoS customized policy definition Definition | +> | Microsoft.Network/ddosCustomPolicies/write | Creates a DDoS customized policy or updates an existing DDoS customized policy | +> | Microsoft.Network/ddosCustomPolicies/delete | Deletes a DDoS customized policy | +> | Microsoft.Network/ddosProtectionPlans/read | Gets a DDoS Protection Plan | +> | Microsoft.Network/ddosProtectionPlans/write | Creates a DDoS Protection Plan or updates a DDoS Protection Plan | +> | Microsoft.Network/ddosProtectionPlans/delete | Deletes a DDoS Protection Plan | +> | Microsoft.Network/ddosProtectionPlans/join/action | Joins a DDoS Protection Plan. Not alertable. | +> | Microsoft.Network/ddosProtectionPlans/ddosProtectionPlanProxies/read | Gets a DDoS Protection Plan Proxy definition | +> | Microsoft.Network/ddosProtectionPlans/ddosProtectionPlanProxies/write | Creates a DDoS Protection Plan Proxy or updates and existing DDoS Protection Plan Proxy | +> | Microsoft.Network/ddosProtectionPlans/ddosProtectionPlanProxies/delete | Deletes a DDoS Protection Plan Proxy | +> | Microsoft.Network/dnsForwardingRulesets/read | Gets a DNS Forwarding Ruleset, in JSON format | +> | Microsoft.Network/dnsForwardingRulesets/write | Creates Or Updates a DNS Forwarding Ruleset | +> | Microsoft.Network/dnsForwardingRulesets/join/action | Join DNS Forwarding Ruleset | +> | Microsoft.Network/dnsForwardingRulesets/delete | Deletes a DNS Forwarding Ruleset, in JSON format | +> | Microsoft.Network/dnsForwardingRulesets/forwardingRules/read | Gets a DNS Forwarding Rule, in JSON format | +> | Microsoft.Network/dnsForwardingRulesets/forwardingRules/write | Creates Or Updates a DNS Forwarding Rule, in JSON format | +> | Microsoft.Network/dnsForwardingRulesets/forwardingRules/delete | Deletes a DNS Forwarding Rule, in JSON format | +> | Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks/read | Gets the DNS Forwarding Ruleset Link to virtual network 
properties, in JSON format | +> | Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks/write | Creates Or Updates DNS Forwarding Ruleset Link to virtual network properties, in JSON format | +> | Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks/delete | Deletes DNS Forwarding Ruleset Link to Virtual Network | +> | Microsoft.Network/dnsoperationresults/read | Gets results of a DNS operation | +> | Microsoft.Network/dnsoperationstatuses/read | Gets status of a DNS operation | +> | Microsoft.Network/dnsResolvers/read | Gets the DNS Resolver Properties, in JSON format | +> | Microsoft.Network/dnsResolvers/write | Creates Or Updates a DNS Resolver, in JSON format | +> | Microsoft.Network/dnsResolvers/join/action | Join DNS Resolver | +> | Microsoft.Network/dnsResolvers/delete | Deletes a DNS Resolver | +> | Microsoft.Network/dnsResolvers/inboundEndpoints/read | Gets the DNS Resolver Inbound Endpoint, in JSON format | +> | Microsoft.Network/dnsResolvers/inboundEndpoints/write | Creates Or Updates a DNS Resolver Inbound Endpoint, in JSON format | +> | Microsoft.Network/dnsResolvers/inboundEndpoints/join/action | Join DNS Resolver | +> | Microsoft.Network/dnsResolvers/inboundEndpoints/delete | Deletes a DNS Resolver Inbound Endpoint, in JSON format | +> | Microsoft.Network/dnsResolvers/outboundEndpoints/read | Gets the DNS Resolver Outbound Endpoint Properties, in JSON format | +> | Microsoft.Network/dnsResolvers/outboundEndpoints/write | Creates Or Updates a DNS Resolver Outbound Endpoint, in JSON format | +> | Microsoft.Network/dnsResolvers/outboundEndpoints/join/action | Join DNS Resolver | +> | Microsoft.Network/dnsResolvers/outboundEndpoints/delete | Deletes a DNS Resolver Outbound Endpoint description. 
| +> | Microsoft.Network/dnsResolvers/outboundEndpoints/listDnsForwardingRulesets/action | Gets the DNS Forwarding Rulesets Properties for DNS Resolver Outbound Endpoint, in JSON format | +> | Microsoft.Network/dnszones/read | Get the DNS zone, in JSON format. The zone properties include tags, etag, numberOfRecordSets, and maxNumberOfRecordSets. Note that this command does not retrieve the record sets contained within the zone. | +> | Microsoft.Network/dnszones/write | Create or update a DNS zone within a resource group. Used to update the tags on a DNS zone resource. Note that this command can not be used to create or update record sets within the zone. | +> | Microsoft.Network/dnszones/delete | Delete the DNS zone, in JSON format. The zone properties include tags, etag, numberOfRecordSets, and maxNumberOfRecordSets. | +> | Microsoft.Network/dnszones/A/read | Get the record set of type 'A', in JSON format. The record set contains a list of records as well as the TTL, tags, and etag. | +> | Microsoft.Network/dnszones/A/write | Create or update a record set of type 'A' within a DNS zone. The records specified will replace the current records in the record set. | +> | Microsoft.Network/dnszones/A/delete | Remove the record set of a given name and type 'A' from a DNS zone. | +> | Microsoft.Network/dnszones/AAAA/read | Get the record set of type 'AAAA', in JSON format. The record set contains a list of records as well as the TTL, tags, and etag. | +> | Microsoft.Network/dnszones/AAAA/write | Create or update a record set of type 'AAAA' within a DNS zone. The records specified will replace the current records in the record set. | +> | Microsoft.Network/dnszones/AAAA/delete | Remove the record set of a given name and type 'AAAA' from a DNS zone. | +> | Microsoft.Network/dnszones/all/read | Gets DNS record sets across types | +> | Microsoft.Network/dnszones/CAA/read | Get the record set of type 'CAA', in JSON format. The record set contains the TTL, tags, and etag. 
| +> | Microsoft.Network/dnszones/CAA/write | Create or update a record set of type 'CAA' within a DNS zone. The records specified will replace the current records in the record set. | +> | Microsoft.Network/dnszones/CAA/delete | Remove the record set of a given name and type 'CAA' from a DNS zone. | +> | Microsoft.Network/dnszones/CNAME/read | Get the record set of type 'CNAME', in JSON format. The record set contains the TTL, tags, and etag. | +> | Microsoft.Network/dnszones/CNAME/write | Create or update a record set of type 'CNAME' within a DNS zone. The records specified will replace the current records in the record set. | +> | Microsoft.Network/dnszones/CNAME/delete | Remove the record set of a given name and type 'CNAME' from a DNS zone. | +> | Microsoft.Network/dnszones/dnssecConfigs/default/read | Gets the DNSSEC configuration for a DNS zone | +> | Microsoft.Network/dnszones/dnssecConfigs/default/write | Creates or updates the DNSSEC configuration for a DNS zone | +> | Microsoft.Network/dnszones/dnssecConfigs/default/delete | Deletes the DNSSEC configuration for a DNS zone | +> | Microsoft.Network/dnszones/DS/read | Gets DNS record set of type DS | +> | Microsoft.Network/dnszones/DS/write | Creates or updates DNS record set of type DS | +> | Microsoft.Network/dnszones/DS/delete | Deletes the DNS record set of type DS | +> | Microsoft.Network/dnszones/MX/read | Get the record set of type 'MX', in JSON format. The record set contains a list of records as well as the TTL, tags, and etag. | +> | Microsoft.Network/dnszones/MX/write | Create or update a record set of type 'MX' within a DNS zone. The records specified will replace the current records in the record set. | +> | Microsoft.Network/dnszones/MX/delete | Remove the record set of a given name and type 'MX' from a DNS zone. 
| +> | Microsoft.Network/dnszones/NS/read | Gets DNS record set of type NS | +> | Microsoft.Network/dnszones/NS/write | Creates or updates DNS record set of type NS | +> | Microsoft.Network/dnszones/NS/delete | Deletes the DNS record set of type NS | +> | Microsoft.Network/dnszones/providers/Microsoft.Insights/diagnosticSettings/read | Gets the DNS zone diagnostic settings | +> | Microsoft.Network/dnszones/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the DNS zone diagnostic settings | +> | Microsoft.Network/dnszones/providers/Microsoft.Insights/metricDefinitions/read | Gets the DNS zone metric definitions | +> | Microsoft.Network/dnszones/PTR/read | Get the record set of type 'PTR', in JSON format. The record set contains a list of records as well as the TTL, tags, and etag. | +> | Microsoft.Network/dnszones/PTR/write | Create or update a record set of type 'PTR' within a DNS zone. The records specified will replace the current records in the record set. | +> | Microsoft.Network/dnszones/PTR/delete | Remove the record set of a given name and type 'PTR' from a DNS zone. | +> | Microsoft.Network/dnszones/recordsets/read | Gets DNS record sets across types | +> | Microsoft.Network/dnszones/SOA/read | Gets DNS record set of type SOA | +> | Microsoft.Network/dnszones/SOA/write | Creates or updates DNS record set of type SOA | +> | Microsoft.Network/dnszones/SRV/read | Get the record set of type 'SRV', in JSON format. The record set contains a list of records as well as the TTL, tags, and etag. | +> | Microsoft.Network/dnszones/SRV/write | Create or update record set of type SRV | +> | Microsoft.Network/dnszones/SRV/delete | Remove the record set of a given name and type 'SRV' from a DNS zone. 
| +> | Microsoft.Network/dnszones/TLSA/read | Gets DNS record set of type TLSA | +> | Microsoft.Network/dnszones/TLSA/write | Creates or updates DNS record set of type TLSA | +> | Microsoft.Network/dnszones/TLSA/delete | Deletes the DNS record set of type TLSA | +> | Microsoft.Network/dnszones/TXT/read | Get the record set of type 'TXT', in JSON format. The record set contains a list of records as well as the TTL, tags, and etag. | +> | Microsoft.Network/dnszones/TXT/write | Create or update a record set of type 'TXT' within a DNS zone. The records specified will replace the current records in the record set. | +> | Microsoft.Network/dnszones/TXT/delete | Remove the record set of a given name and type 'TXT' from a DNS zone. | +> | Microsoft.Network/dscpConfiguration/write | Operation to put the DSCP configuration | +> | Microsoft.Network/dscpConfiguration/read | Operation to put the DSCP configuration | +> | Microsoft.Network/dscpConfiguration/join/action | Joins DSCP Configuration | +> | Microsoft.Network/expressRouteCircuits/read | Get an ExpressRouteCircuit | +> | Microsoft.Network/expressRouteCircuits/write | Creates or updates an existing ExpressRouteCircuit | +> | Microsoft.Network/expressRouteCircuits/join/action | Joins an Express Route Circuit. Not alertable. 
| +> | Microsoft.Network/expressRouteCircuits/delete | Deletes an ExpressRouteCircuit | +> | Microsoft.Network/expressRouteCircuits/nrpinternalupdate/action | Create or Update ExpressRouteCircuit | +> | Microsoft.Network/expressRouteCircuits/authorizations/read | Gets an ExpressRouteCircuit Authorization | +> | Microsoft.Network/expressRouteCircuits/authorizations/write | Creates or updates an existing ExpressRouteCircuit Authorization | +> | Microsoft.Network/expressRouteCircuits/authorizations/delete | Deletes an ExpressRouteCircuit Authorization | +> | Microsoft.Network/expressRouteCircuits/peerings/read | Gets an ExpressRouteCircuit Peering | +> | Microsoft.Network/expressRouteCircuits/peerings/write | Creates or updates an existing ExpressRouteCircuit Peering | +> | Microsoft.Network/expressRouteCircuits/peerings/delete | Deletes an ExpressRouteCircuit Peering | +> | Microsoft.Network/expressRouteCircuits/peerings/arpTables/read | Gets an ExpressRouteCircuit Peering ArpTable | +> | Microsoft.Network/expressRouteCircuits/peerings/connections/read | Gets an ExpressRouteCircuit Connection | +> | Microsoft.Network/expressRouteCircuits/peerings/connections/write | Creates or updates an existing ExpressRouteCircuit Connection Resource | +> | Microsoft.Network/expressRouteCircuits/peerings/connections/delete | Deletes an ExpressRouteCircuit Connection | +> | Microsoft.Network/expressRouteCircuits/peerings/peerConnections/read | Gets Peer Express Route Circuit Connection | +> | Microsoft.Network/expressRouteCircuits/peerings/providers/Microsoft.Insights/diagnosticSettings/read | Gets diagnostic settings for ExpressRoute Circuit Peerings | +> | Microsoft.Network/expressRouteCircuits/peerings/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates diagnostic settings for ExpressRoute Circuit Peerings | +> | Microsoft.Network/expressRouteCircuits/peerings/providers/Microsoft.Insights/metricDefinitions/read | Gets the metric definitions for ExpressRoute 
Circuit Peerings | +> | Microsoft.Network/expressRouteCircuits/peerings/routeTables/read | Gets an ExpressRouteCircuit Peering RouteTable | +> | Microsoft.Network/expressRouteCircuits/peerings/routeTablesSummary/read | Gets an ExpressRouteCircuit Peering RouteTable Summary | +> | Microsoft.Network/expressRouteCircuits/peerings/stats/read | Gets an ExpressRouteCircuit Peering Stat | +> | Microsoft.Network/expressRouteCircuits/providers/Microsoft.Insights/diagnosticSettings/read | Gets diagnostic settings for ExpressRoute Circuits | +> | Microsoft.Network/expressRouteCircuits/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates diagnostic settings for ExpressRoute Circuits | +> | Microsoft.Network/expressRouteCircuits/providers/Microsoft.Insights/logDefinitions/read | Get the events for ExpressRoute Circuits | +> | Microsoft.Network/expressRouteCircuits/providers/Microsoft.Insights/metricDefinitions/read | Gets the metric definitions for ExpressRoute Circuits | +> | Microsoft.Network/expressRouteCircuits/stats/read | Gets an ExpressRouteCircuit Stat | +> | Microsoft.Network/expressRouteCrossConnections/read | Get Express Route Cross Connection | +> | Microsoft.Network/expressRouteCrossConnections/write | Create or Update Express Route Cross Connection | +> | Microsoft.Network/expressRouteCrossConnections/delete | Delete Express Route Cross Connection | +> | Microsoft.Network/expressRouteCrossConnections/serviceProviders/action | Backfill Express Route Cross Connection | +> | Microsoft.Network/expressRouteCrossConnections/join/action | Joins an Express Route Cross Connection. Not alertable. 
| +> | Microsoft.Network/expressRouteCrossConnections/peerings/read | Gets an Express Route Cross Connection Peering | +> | Microsoft.Network/expressRouteCrossConnections/peerings/write | Creates an Express Route Cross Connection Peering or Updates an existing Express Route Cross Connection Peering | +> | Microsoft.Network/expressRouteCrossConnections/peerings/delete | Deletes an Express Route Cross Connection Peering | +> | Microsoft.Network/expressRouteCrossConnections/peerings/arpTables/read | Gets an Express Route Cross Connection Peering Arp Table | +> | Microsoft.Network/expressRouteCrossConnections/peerings/routeTables/read | Gets an Express Route Cross Connection Peering Route Table | +> | Microsoft.Network/expressRouteCrossConnections/peerings/routeTableSummary/read | Gets an Express Route Cross Connection Peering Route Table Summary | +> | Microsoft.Network/expressRouteGateways/read | Get Express Route Gateway | +> | Microsoft.Network/expressRouteGateways/write | Create or Update Express Route Gateway | +> | Microsoft.Network/expressRouteGateways/delete | Delete Express Route Gateway | +> | Microsoft.Network/expressRouteGateways/join/action | Joins an Express Route Gateway. Not alertable. 
| +> | Microsoft.Network/expressRouteGateways/expressRouteConnections/read | Gets an Express Route Connection | +> | Microsoft.Network/expressRouteGateways/expressRouteConnections/write | Creates an Express Route Connection or Updates an existing Express Route Connection | +> | Microsoft.Network/expressRouteGateways/expressRouteConnections/delete | Deletes an Express Route Connection | +> | Microsoft.Network/expressRouteGateways/providers/Microsoft.Insights/metricDefinitions/read | Gets the metric definitions for ExpressRoute Gateways | +> | Microsoft.Network/expressRoutePorts/read | Gets ExpressRoutePorts | +> | Microsoft.Network/expressRoutePorts/write | Creates or updates ExpressRoutePorts | +> | Microsoft.Network/expressRoutePorts/join/action | Joins Express Route ports. Not alertable. | +> | Microsoft.Network/expressRoutePorts/delete | Deletes ExpressRoutePorts | +> | Microsoft.Network/expressRoutePorts/generateloa/action | Generates LOA for ExpressRoutePorts | +> | Microsoft.Network/expressRoutePorts/authorizations/read | Gets an ExpressRoutePorts Authorization | +> | Microsoft.Network/expressRoutePorts/authorizations/write | Creates or updates an existing ExpressRoutePorts Authorization | +> | Microsoft.Network/expressRoutePorts/authorizations/delete | Deletes an ExpressRoutePorts Authorization | +> | Microsoft.Network/expressRoutePorts/links/read | Gets ExpressRouteLink | +> | Microsoft.Network/expressRoutePorts/providers/Microsoft.Insights/metricDefinitions/read | Gets the metric definitions for ExpressRoute Ports | +> | Microsoft.Network/expressRoutePortsLocations/read | Get Express Route Ports Locations | +> | Microsoft.Network/expressRouteServiceProviders/read | Gets Express Route Service Providers | +> | Microsoft.Network/firewallPolicies/read | Gets a Firewall Policy | +> | Microsoft.Network/firewallPolicies/write | Creates a Firewall Policy or Updates an existing Firewall Policy | +> | Microsoft.Network/firewallPolicies/join/action | Joins a Firewall 
Policy. Not alertable. | +> | Microsoft.Network/firewallPolicies/certificates/action | Generate Firewall Policy Certificates | +> | Microsoft.Network/firewallPolicies/deploy/action | Deploy Firewall Policy Draft | +> | Microsoft.Network/firewallPolicies/delete | Deletes a Firewall Policy | +> | Microsoft.Network/firewallPolicies/firewallPolicyDrafts/read | Gets a Firewall Policy Draft | +> | Microsoft.Network/firewallPolicies/firewallPolicyDrafts/write | Creates a Firewall Policy Draft or Updates an existing Firewall Policy Draft | +> | Microsoft.Network/firewallPolicies/firewallPolicyDrafts/delete | Deletes a Firewall Policy Draft | +> | Microsoft.Network/firewallPolicies/ruleCollectionGroups/read | Gets a Firewall Policy Rule Collection Group | +> | Microsoft.Network/firewallPolicies/ruleCollectionGroups/write | Creates a Firewall Policy Rule Collection Group or Updates an existing Firewall Policy Rule Collection Group | +> | Microsoft.Network/firewallPolicies/ruleCollectionGroups/delete | Deletes a Firewall Policy Rule Collection Group | +> | Microsoft.Network/firewallPolicies/ruleCollectionGroups/ruleCollectionGroupsDrafts/read | Gets a Firewall Policy Rule Collection Group raft | +> | Microsoft.Network/firewallPolicies/ruleCollectionGroups/ruleCollectionGroupsDrafts/write | Creates a Firewall Policy Rule Collection Group Draft or Updates an existing Firewall Policy Rule Collection Group Draft | +> | Microsoft.Network/firewallPolicies/ruleCollectionGroups/ruleCollectionGroupsDrafts/delete | Deletes a Firewall Policy Rule Collection Group Draft | +> | Microsoft.Network/firewallPolicies/ruleGroups/read | Gets a Firewall Policy Rule Group | +> | Microsoft.Network/firewallPolicies/ruleGroups/write | Creates a Firewall Policy Rule Group or Updates an existing Firewall Policy Rule Group | +> | Microsoft.Network/firewallPolicies/ruleGroups/delete | Deletes a Firewall Policy Rule Group | +> | Microsoft.Network/frontdooroperationresults/read | Gets Frontdoor operation 
result | +> | Microsoft.Network/frontdooroperationresults/frontdoorResults/read | Gets Frontdoor operation result | +> | Microsoft.Network/frontdooroperationresults/rulesenginesresults/read | Gets Rules Engine operation result | +> | Microsoft.Network/frontDoors/read | Gets a Front Door | +> | Microsoft.Network/frontDoors/write | Creates or updates a Front Door | +> | Microsoft.Network/frontDoors/delete | Deletes a Front Door | +> | Microsoft.Network/frontDoors/purge/action | Purge cached content from a Front Door | +> | Microsoft.Network/frontDoors/validateCustomDomain/action | Validates a frontend endpoint for a Front Door | +> | Microsoft.Network/frontDoors/backendPools/read | Gets a backend pool | +> | Microsoft.Network/frontDoors/backendPools/write | Creates or updates a backend pool | +> | Microsoft.Network/frontDoors/backendPools/delete | Deletes a backend pool | +> | Microsoft.Network/frontDoors/frontendEndpoints/read | Gets a frontend endpoint | +> | Microsoft.Network/frontDoors/frontendEndpoints/write | Creates or updates a frontend endpoint | +> | Microsoft.Network/frontDoors/frontendEndpoints/delete | Deletes a frontend endpoint | +> | Microsoft.Network/frontDoors/frontendEndpoints/enableHttps/action | Enables HTTPS on a Frontend Endpoint | +> | Microsoft.Network/frontDoors/frontendEndpoints/disableHttps/action | Disables HTTPS on a Frontend Endpoint | +> | Microsoft.Network/frontDoors/healthProbeSettings/read | Gets health probe settings | +> | Microsoft.Network/frontDoors/healthProbeSettings/write | Creates or updates health probe settings | +> | Microsoft.Network/frontDoors/healthProbeSettings/delete | Deletes health probe settings | +> | Microsoft.Network/frontDoors/loadBalancingSettings/read | Gets load balancing settings | +> | Microsoft.Network/frontDoors/loadBalancingSettings/write | Creates or updates load balancing settings | +> | Microsoft.Network/frontDoors/loadBalancingSettings/delete | Creates or updates load balancing settings | +> | 
Microsoft.Network/frontdoors/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostic setting for the Frontdoor resource | +> | Microsoft.Network/frontdoors/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the Frontdoor resource | +> | Microsoft.Network/frontdoors/providers/Microsoft.Insights/logDefinitions/read | Get available logs for Frontdoor resources | +> | Microsoft.Network/frontdoors/providers/Microsoft.Insights/metricDefinitions/read | Get available metrics for Frontdoor resources | +> | Microsoft.Network/frontDoors/routingRules/read | Gets a routing rule | +> | Microsoft.Network/frontDoors/routingRules/write | Creates or updates a routing rule | +> | Microsoft.Network/frontDoors/routingRules/delete | Deletes a routing rule | +> | Microsoft.Network/frontDoors/rulesEngines/read | Gets a Rules Engine | +> | Microsoft.Network/frontDoors/rulesEngines/write | Creates or updates a Rules Engine | +> | Microsoft.Network/frontDoors/rulesEngines/delete | Deletes a Rules Engine | +> | Microsoft.Network/frontDoorWebApplicationFirewallManagedRuleSets/read | Gets Web Application Firewall Managed Rule Sets | +> | Microsoft.Network/frontDoorWebApplicationFirewallPolicies/read | Gets a Web Application Firewall Policy | +> | Microsoft.Network/frontDoorWebApplicationFirewallPolicies/write | Creates or updates a Web Application Firewall Policy | +> | Microsoft.Network/frontDoorWebApplicationFirewallPolicies/delete | Deletes a Web Application Firewall Policy | +> | Microsoft.Network/frontDoorWebApplicationFirewallPolicies/join/action | Joins a Web Application Firewall Policy. Not Alertable. 
| +> | Microsoft.Network/gatewayLoadBalancerAliases/write | Creates a Gateway LoadBalancer Alias Or Updates An Existing Gateway LoadBalancer Alias | +> | Microsoft.Network/gatewayLoadBalancerAliases/delete | Delete Gateway LoadBalancer Alias | +> | Microsoft.Network/gatewayLoadBalancerAliases/read | Get a Gateway LoadBalancer Alias definition | +> | Microsoft.Network/internalPublicIpAddresses/read | Returns internal public IP addresses in subscription | +> | Microsoft.Network/ipAllocations/read | Get The IpAllocation | +> | Microsoft.Network/ipAllocations/write | Creates A IpAllocation Or Updates An Existing IpAllocation | +> | Microsoft.Network/ipAllocations/delete | Deletes A IpAllocation | +> | Microsoft.Network/ipGroups/read | Gets an IpGroup | +> | Microsoft.Network/ipGroups/write | Creates an IpGroup or Updates an Existing IpGroup | +> | Microsoft.Network/ipGroups/validate/action | Validates an IpGroup | +> | Microsoft.Network/ipGroups/updateReferences/action | Update references in an IpGroup | +> | Microsoft.Network/ipGroups/join/action | Joins an IpGroup. Not alertable. | +> | Microsoft.Network/ipGroups/delete | Deletes an IpGroup | +> | Microsoft.Network/loadBalancers/read | Gets a load balancer definition | +> | Microsoft.Network/loadBalancers/write | Creates a load balancer or updates an existing load balancer | +> | Microsoft.Network/loadBalancers/delete | Deletes a load balancer | +> | Microsoft.Network/loadBalancers/health/action | Get Health Summary of Load Balancer | +> | Microsoft.Network/loadBalancers/migrateToIpBased/action | Migrate from NIC based to IP based Load Balancer | +> | Microsoft.Network/loadBalancers/backendAddressPools/queryInboundNatRulePortMapping/action | Query inbound Nat rule port mapping. 
| +> | Microsoft.Network/loadBalancers/backendAddressPools/updateAdminState/action | Update AdminStates of backend addresses of a pool | +> | Microsoft.Network/loadBalancers/backendAddressPools/health/action | Get Health Details of Backend Instance | +> | Microsoft.Network/loadBalancers/backendAddressPools/read | Gets a load balancer backend address pool definition | +> | Microsoft.Network/loadBalancers/backendAddressPools/write | Creates a load balancer backend address pool or updates an existing load balancer backend address pool | +> | Microsoft.Network/loadBalancers/backendAddressPools/delete | Deletes a load balancer backend address pool | +> | Microsoft.Network/loadBalancers/backendAddressPools/join/action | Joins a load balancer backend address pool. Not Alertable. | +> | Microsoft.Network/loadBalancers/backendAddressPools/backendPoolAddresses/read | Lists the backend addresses of the Load Balancer backend address pool | +> | Microsoft.Network/loadBalancers/frontendIPConfigurations/read | Gets a load balancer frontend IP configuration definition | +> | Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action | Joins a Load Balancer Frontend IP Configuration. Not alertable. | +> | Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/read | Gets a load balancer frontend IP address backend pool definition | +> | Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/write | Creates a load balancer frontend IP address backend pool or updates an existing public IP Address load balancer backend pool | +> | Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/delete | Deletes a load balancer frontend IP address backend pool | +> | Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/join/action | Joins a load balancer frontend IP address backend pool. Not alertable. 
| +> | Microsoft.Network/loadBalancers/inboundNatPools/read | Gets a load balancer inbound nat pool definition | +> | Microsoft.Network/loadBalancers/inboundNatPools/join/action | Joins a load balancer inbound NAT pool. Not alertable. | +> | Microsoft.Network/loadBalancers/inboundNatRules/read | Gets a load balancer inbound nat rule definition | +> | Microsoft.Network/loadBalancers/inboundNatRules/write | Creates a load balancer inbound nat rule or updates an existing load balancer inbound nat rule | +> | Microsoft.Network/loadBalancers/inboundNatRules/delete | Deletes a load balancer inbound nat rule | +> | Microsoft.Network/loadBalancers/inboundNatRules/join/action | Joins a load balancer inbound nat rule. Not Alertable. | +> | Microsoft.Network/loadBalancers/loadBalancingRules/read | Gets a load balancer load balancing rule definition | +> | Microsoft.Network/loadBalancers/loadBalancingRules/health/action | Get Health Details of Load Balancing Rule | +> | Microsoft.Network/loadBalancers/networkInterfaces/read | Gets references to all the network interfaces under a load balancer | +> | Microsoft.Network/loadBalancers/outboundRules/read | Gets a load balancer outbound rule definition | +> | Microsoft.Network/loadBalancers/probes/read | Gets a load balancer probe | +> | Microsoft.Network/loadBalancers/probes/join/action | Allows using probes of a load balancer. For example, with this permission healthProbe property of VM scale set can reference the probe. Not alertable. 
| +> | Microsoft.Network/loadBalancers/providers/Microsoft.Insights/diagnosticSettings/read | Gets the Load Balancer Diagnostic Settings | +> | Microsoft.Network/loadBalancers/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the Load Balancer Diagnostic Settings | +> | Microsoft.Network/loadBalancers/providers/Microsoft.Insights/logDefinitions/read | Gets the events for Load Balancer | +> | Microsoft.Network/loadBalancers/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Load Balancer | +> | Microsoft.Network/loadBalancers/virtualMachines/read | Gets references to all the virtual machines under a load balancer | +> | Microsoft.Network/localnetworkgateways/read | Gets LocalNetworkGateway | +> | Microsoft.Network/localnetworkgateways/write | Creates or updates an existing LocalNetworkGateway | +> | Microsoft.Network/localnetworkgateways/delete | Deletes LocalNetworkGateway | +> | Microsoft.Network/locations/checkAcceleratedNetworkingSupport/action | Checks Accelerated Networking support | +> | Microsoft.Network/locations/batchValidatePrivateEndpointsForResourceMove/action | Validates private endpoints in batches for resource move. | +> | Microsoft.Network/locations/batchNotifyPrivateEndpointsForResourceMove/action | Notifies to private endpoint in batches for resource move. 
| +> | Microsoft.Network/locations/checkPrivateLinkServiceVisibility/action | Checks Private Link Service Visibility | +> | Microsoft.Network/locations/validateResourceOwnership/action | Validates Resource Ownership | +> | Microsoft.Network/locations/setResourceOwnership/action | Sets Resource Ownership | +> | Microsoft.Network/locations/effectiveResourceOwnership/action | Gets Effective Resource Ownership | +> | Microsoft.Network/locations/setAzureNetworkManagerConfiguration/action | Sets Azure Network Manager Configuration | +> | Microsoft.Network/locations/publishResources/action | Publish Subscrioption Resources | +> | Microsoft.Network/locations/getAzureNetworkManagerConfiguration/action | Gets Azure Network Manager Configuration | +> | Microsoft.Network/locations/bareMetalTenants/action | Allocates or validates a Bare Metal Tenant | +> | Microsoft.Network/locations/commitInternalAzureNetworkManagerConfiguration/action | Commits Internal AzureNetworkManager Configuration In ANM | +> | Microsoft.Network/locations/internalAzureVirtualNetworkManagerOperation/action | Internal AzureVirtualNetworkManager Operation In ANM | +> | Microsoft.Network/locations/setLoadBalancerFrontendPublicIpAddresses/action | SetLoadBalancerFrontendPublicIpAddresses targets frontend IP configurations of 2 load balancers. Azure Resource Manager IDs of the IP configurations are provided in the body of the request. 
| +> | Microsoft.Network/locations/queryNetworkSecurityPerimeter/action | Queries Network Security Perimeter by the perimeter GUID | +> | Microsoft.Network/locations/startPacketTagging/action | Starts Packet Tagging | +> | Microsoft.Network/locations/getPacketTagging/action | Gets Packet Tagging | +> | Microsoft.Network/locations/deletePacketTagging/action | Deletes Packet Tagging | +> | Microsoft.Network/locations/rnmEffectiveRouteTable/action | Gets Effective Routes Configured In Rnm Format | +> | Microsoft.Network/locations/rnmEffectiveNetworkSecurityGroups/action | Gets Effective Security Groups Configured In Rnm Format | +> | Microsoft.Network/locations/applicationGatewayWafDynamicManifests/read | Get the application gateway waf dynamic manifest | +> | Microsoft.Network/locations/applicationGatewayWafDynamicManifests/default/read | Get Application Gateway Waf Dynamic Manifest Default entry | +> | Microsoft.Network/locations/autoApprovedPrivateLinkServices/read | Gets Auto Approved Private Link Services | +> | Microsoft.Network/locations/availableDelegations/read | Gets Available Delegations | +> | Microsoft.Network/locations/availablePrivateEndpointTypes/read | Gets available Private Endpoint resources | +> | Microsoft.Network/locations/availableServiceAliases/read | Gets Available Service Aliases | +> | Microsoft.Network/locations/checkDnsNameAvailability/read | Checks if dns label is available at the specified location | +> | Microsoft.Network/locations/dataTasks/run/action | Runs Data Task | +> | Microsoft.Network/locations/dnsResolverOperationResults/read | Gets results of a DNS Resolver operation, in JSON format | +> | Microsoft.Network/locations/dnsResolverOperationStatuses/read | Gets status of a DNS Resolver operation | +> | Microsoft.Network/locations/getPacketTagging/read | Gets Packet Tagging | +> | Microsoft.Network/locations/operationResults/read | Gets operation result of an async POST or DELETE operation | +> | 
Microsoft.Network/locations/operations/read | Gets operation resource that represents status of an asynchronous operation | +> | Microsoft.Network/locations/perimeterAssociableResourceTypes/read | Gets Network Security Perimeter Associable Resources | +> | Microsoft.Network/locations/privateLinkServices/privateEndpointConnectionProxies/read | Gets an private endpoint connection proxy resource. | +> | Microsoft.Network/locations/privateLinkServices/privateEndpointConnectionProxies/write | Creates a new private endpoint connection proxy, or updates an existing private endpoint connection proxy. | +> | Microsoft.Network/locations/privateLinkServices/privateEndpointConnectionProxies/delete | Deletes an private endpoint connection proxy resource. | +> | Microsoft.Network/locations/serviceTagDetails/read | GetServiceTagDetails | +> | Microsoft.Network/locations/serviceTags/read | Get Service Tags | +> | Microsoft.Network/locations/setAzureNetworkManagerConfiguration/read | Permission for calling Set Azure Network Manager Configuration operation. This read permission, not setAzureNetworkManagerConfiguration/action, is required to call Set Azure Network Manager Configuration. 
| +> | Microsoft.Network/locations/supportedVirtualMachineSizes/read | Gets supported virtual machines sizes | +> | Microsoft.Network/locations/usages/read | Gets the resources usage metrics | +> | Microsoft.Network/locations/virtualNetworkAvailableEndpointServices/read | Gets a list of available Virtual Network Endpoint Services | +> | Microsoft.Network/masterCustomIpPrefixes/read | Gets a Master Custom Ip Prefix Definition | +> | Microsoft.Network/masterCustomIpPrefixes/write | Creates A Master Custom Ip Prefix Or Updates An Existing Master Custom Ip Prefix | +> | Microsoft.Network/masterCustomIpPrefixes/delete | Deletes A Master Custom Ip Prefix | +> | Microsoft.Network/natGateways/join/action | Joins a NAT Gateway | +> | Microsoft.Network/natGateways/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Nat Gateway | +> | Microsoft.Network/networkExperimentProfiles/read | Get an Internet Analyzer profile | +> | Microsoft.Network/networkExperimentProfiles/write | Create or update an Internet Analyzer profile | +> | Microsoft.Network/networkExperimentProfiles/delete | Delete an Internet Analyzer profile | +> | Microsoft.Network/networkExperimentProfiles/experiments/read | Get an Internet Analyzer test | +> | Microsoft.Network/networkExperimentProfiles/experiments/write | Create or update an Internet Analyzer test | +> | Microsoft.Network/networkExperimentProfiles/experiments/delete | Delete an Internet Analyzer test | +> | Microsoft.Network/networkExperimentProfiles/experiments/timeseries/action | Get an Internet Analyzer test's time series | +> | Microsoft.Network/networkExperimentProfiles/experiments/latencyScorecard/action | Get an Internet Analyzer test's latency scorecard | +> | Microsoft.Network/networkExperimentProfiles/preconfiguredEndpoints/read | Get an Internet Analyzer profile's pre-configured endpoints | +> | Microsoft.Network/networkGroupMemberships/read | List Network Group Memberships | +> | 
Microsoft.Network/networkIntentPolicies/read | Gets an Network Intent Policy Description | +> | Microsoft.Network/networkIntentPolicies/write | Creates an Network Intent Policy or updates an existing Network Intent Policy | +> | Microsoft.Network/networkIntentPolicies/delete | Deletes an Network Intent Policy | +> | Microsoft.Network/networkIntentPolicies/join/action | Joins a Network Intent Policy. Not alertable. | +> | Microsoft.Network/networkInterfaces/read | Gets a network interface definition. | +> | Microsoft.Network/networkInterfaces/write | Creates a network interface or updates an existing network interface. | +> | Microsoft.Network/networkInterfaces/join/action | Joins a Virtual Machine to a network interface. Not Alertable. | +> | Microsoft.Network/networkInterfaces/delete | Deletes a network interface | +> | Microsoft.Network/networkInterfaces/effectiveRouteTable/action | Get Route Table configured On Network Interface Of The Vm | +> | Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action | Get Network Security Groups configured On Network Interface Of The Vm | +> | Microsoft.Network/networkInterfaces/UpdateParentNicAttachmentOnElasticNic/action | Updates the parent NIC associated to the elastic NIC | +> | Microsoft.Network/networkInterfaces/diagnosticIdentity/read | Gets Diagnostic Identity Of The Resource | +> | Microsoft.Network/networkInterfaces/ipconfigurations/read | Gets a network interface ip configuration definition. | +> | Microsoft.Network/networkInterfaces/ipconfigurations/join/action | Joins a Network Interface IP Configuration. Not alertable. 
| +> | Microsoft.Network/networkInterfaces/loadBalancers/read | Gets all the load balancers that the network interface is part of | +> | Microsoft.Network/networkInterfaces/providers/Microsoft.Insights/metricDefinitions/read | Gets available metrics for the Network Interface | +> | Microsoft.Network/networkInterfaces/tapConfigurations/read | Gets a Network Interface Tap Configuration. | +> | Microsoft.Network/networkInterfaces/tapConfigurations/write | Creates a Network Interface Tap Configuration or updates an existing Network Interface Tap Configuration. | +> | Microsoft.Network/networkInterfaces/tapConfigurations/delete | Deletes a Network Interface Tap Configuration. | +> | Microsoft.Network/networkManagerConnections/read | Get Network Manager Connection | +> | Microsoft.Network/networkManagerConnections/write | Create Or Update Network Manager Connection | +> | Microsoft.Network/networkManagerConnections/delete | Delete Network Manager Connection | +> | Microsoft.Network/networkManagers/read | Get Network Manager | +> | Microsoft.Network/networkManagers/write | Create Or Update Network Manager | +> | Microsoft.Network/networkManagers/delete | Delete Network Manager | +> | Microsoft.Network/networkManagers/commit/action | Network Manager Commit | +> | Microsoft.Network/networkManagers/listDeploymentStatus/action | List Deployment Status | +> | Microsoft.Network/networkManagers/listActiveSecurityAdminRules/action | Lists Active Security Admin Rules | +> | Microsoft.Network/networkManagers/listActiveSecurityUserRules/action | Lists Active Security User Rules | +> | Microsoft.Network/networkManagers/listActiveConnectivityConfigurations/action | Lists Active Connectivity Configurations | +> | Microsoft.Network/networkManagers/associatedResources/read | Permission for calling List Associated Resource To Ipam Pool operation. This read permission, not associatedResources/action, is required to call List Ipam Pool Associated Resources. 
| +> | Microsoft.Network/networkManagers/connectivityConfigurations/read | Get Connectivity Configuration | +> | Microsoft.Network/networkManagers/connectivityConfigurations/write | Create Or Update Connectivity Configuration | +> | Microsoft.Network/networkManagers/connectivityConfigurations/delete | Delete Connectivity Configuration | +> | Microsoft.Network/networkManagers/ipamPools/read | Gets a Ipam Pool | +> | Microsoft.Network/networkManagers/ipamPools/write | Creates or Updates a Ipam Pool | +> | Microsoft.Network/networkManagers/ipamPools/delete | Deletes a Ipam Pool | +> | Microsoft.Network/networkManagers/ipamPools/associateResourcesToPool/action | Action permission for associate resources to Ipam Pool | +> | Microsoft.Network/networkManagers/ipamPools/associatedResources/action | Action permission for list Associated Resource To Ipam Pool | +> | Microsoft.Network/networkManagers/listActiveConnectivityConfigurations/read | Permission for calling List Active Connectivity Configurations operation. This read permission, not listActiveConnectivityConfigurations/action, is required to call List Active Connectivity Configurations. | +> | Microsoft.Network/networkManagers/listActiveSecurityAdminRules/read | Permission for calling List Active Security Admin Rules operation. This read permission, not listActiveSecurityAdminRules/action, is required to call List Active Security Admin Rules. | +> | Microsoft.Network/networkManagers/listActiveSecurityUserRules/read | Permission for calling List Active Security User Rules operation. This read permission, not listActiveSecurityUserRules/action, is required to call List Active Security User Rules. 
| +> | Microsoft.Network/networkManagers/networkGroups/read | Get Network Group | +> | Microsoft.Network/networkManagers/networkGroups/write | Create Or Update Network Group | +> | Microsoft.Network/networkManagers/networkGroups/delete | Delete Network Group | +> | Microsoft.Network/networkManagers/networkGroups/join/action | Join Network Group | +> | Microsoft.Network/networkManagers/networkGroups/staticMembers/read | Get Network Group Static Member | +> | Microsoft.Network/networkManagers/networkGroups/staticMembers/write | Create Or Update Network Group Static Member | +> | Microsoft.Network/networkManagers/networkGroups/staticMembers/delete | Delete Network Group Static Member | +> | Microsoft.Network/networkManagers/scopeConnections/read | Get Network Manager Scope Connection | +> | Microsoft.Network/networkManagers/scopeConnections/write | Create Or Update Network Manager Scope Connection | +> | Microsoft.Network/networkManagers/scopeConnections/delete | Delete Network Manager Scope Connection | +> | Microsoft.Network/networkManagers/securityAdminConfigurations/read | Get Security Admin Configuration | +> | Microsoft.Network/networkManagers/securityAdminConfigurations/write | Create Or Update Security Admin Configuration | +> | Microsoft.Network/networkManagers/securityAdminConfigurations/delete | Delete Security Admin Configuration | +> | Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/read | Get Security Admin Rule Collection | +> | Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/write | Create Or Update Security Admin Rule Collection | +> | Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/delete | Delete Security Admin Rule Collection | +> | Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules/read | Get Security Admin Rule | +> | Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules/write | Create Or Update 
Security Admin Rule | +> | Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules/delete | Delete Security Admin Rule | +> | Microsoft.Network/networkManagers/securityUserConfigurations/read | Get Security User Configuration | +> | Microsoft.Network/networkManagers/securityUserConfigurations/write | Create Or Update Security User Configuration | +> | Microsoft.Network/networkManagers/securityUserConfigurations/delete | Delete Security User Configuration | +> | Microsoft.Network/networkManagers/securityUserConfigurations/ruleCollections/read | Get Security User Rule Collection | +> | Microsoft.Network/networkManagers/securityUserConfigurations/ruleCollections/write | Create Or Update Security User Rule Collection | +> | Microsoft.Network/networkManagers/securityUserConfigurations/ruleCollections/delete | Delete Security User Rule Collection | +> | Microsoft.Network/networkManagers/securityUserConfigurations/ruleCollections/rules/read | Get Security User Rule | +> | Microsoft.Network/networkManagers/securityUserConfigurations/ruleCollections/rules/write | Create Or Update Security User Rule | +> | Microsoft.Network/networkManagers/securityUserConfigurations/ruleCollections/rules/delete | Delete Security User Rule | +> | Microsoft.Network/networkProfiles/read | Gets a Network Profile | +> | Microsoft.Network/networkProfiles/write | Creates or updates a Network Profile | +> | Microsoft.Network/networkProfiles/delete | Deletes a Network Profile | +> | Microsoft.Network/networkProfiles/setContainers/action | Sets Containers | +> | Microsoft.Network/networkProfiles/removeContainers/action | Removes Containers | +> | Microsoft.Network/networkProfiles/setNetworkInterfaces/action | Sets Container Network Interfaces | +> | Microsoft.Network/networkSecurityGroups/read | Gets a network security group definition | +> | Microsoft.Network/networkSecurityGroups/write | Creates a network security group or updates an existing network security group | +> | 
Microsoft.Network/networkSecurityGroups/delete | Deletes a network security group | +> | Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. | +> | Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read | Gets a default security rule definition | +> | Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/read | Gets the Network Security Groups Diagnostic Settings | +> | Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the Network Security Groups diagnostic settings, this operation is supplemented by insights resource provider. | +> | Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/logDefinitions/read | Gets the events for network security group | +> | Microsoft.Network/networkSecurityGroups/securityRules/read | Gets a security rule definition | +> | Microsoft.Network/networkSecurityGroups/securityRules/write | Creates a security rule or updates an existing security rule | +> | Microsoft.Network/networkSecurityGroups/securityRules/delete | Deletes a security rule | +> | Microsoft.Network/networkSecurityPerimeters/read | Gets a Network Security Perimeter | +> | Microsoft.Network/networkSecurityPerimeters/write | Creates or Updates a Network Security Perimeter | +> | Microsoft.Network/networkSecurityPerimeters/delete | Deletes a Network Security Perimeter | +> | Microsoft.Network/networkSecurityPerimeters/joinPerimeterRule/action | Joins an NSP Access Rule | +> | Microsoft.Network/networkSecurityPerimeters/linkPerimeter/action | Link Perimeter in Auto-Approval mode | +> | Microsoft.Network/networkSecurityPerimeters/backingResourceAssociations/read | Gets a Network Security Perimeter Backing Resource Association | +> | Microsoft.Network/networkSecurityPerimeters/backingResourceAssociations/write | Creates or Updates a Network Security Perimeter Backing Resource Association | +> | 
Microsoft.Network/networkSecurityPerimeters/backingResourceAssociations/delete | Deletes a Network Security Perimeter Backing Resource Association | +> | Microsoft.Network/networkSecurityPerimeters/linkReferences/read | Gets a Network Security Perimeter LinkReference | +> | Microsoft.Network/networkSecurityPerimeters/linkReferences/write | Creates or Updates a Network Security Perimeter LinkReference | +> | Microsoft.Network/networkSecurityPerimeters/linkReferences/delete | Deletes a Network Security Perimeter LinkReference | +> | Microsoft.Network/networkSecurityPerimeters/links/read | Gets a Network Security Perimeter Link | +> | Microsoft.Network/networkSecurityPerimeters/links/write | Creates or Updates a Network Security Perimeter Link | +> | Microsoft.Network/networkSecurityPerimeters/links/delete | Deletes a Network Security Perimeter Link | +> | Microsoft.Network/networkSecurityPerimeters/profiles/read | Gets a Network Security Perimeter Profile | +> | Microsoft.Network/networkSecurityPerimeters/profiles/write | Creates or Updates a Network Security Perimeter Profile | +> | Microsoft.Network/networkSecurityPerimeters/profiles/delete | Deletes a Network Security Perimeter Profile | +> | Microsoft.Network/networkSecurityPerimeters/profiles/join/action | Joins a Network Security Perimeter Profile | +> | Microsoft.Network/networkSecurityPerimeters/profiles/checkMembers/action | Checks if members can be accessed or not | +> | Microsoft.Network/networkSecurityPerimeters/profiles/accessRules/read | Gets a Network Security Perimeter Access Rule | +> | Microsoft.Network/networkSecurityPerimeters/profiles/accessRules/write | Creates or Updates a Network Security Perimeter Access Rule | +> | Microsoft.Network/networkSecurityPerimeters/profiles/accessRules/delete | Deletes a Network Security Perimeter Access Rule | +> | Microsoft.Network/networkSecurityPerimeters/profiles/diagnosticSettingsProxies/read | Gets a Network Security Perimeter Diagnostic Settings Proxy | +> 
| Microsoft.Network/networkSecurityPerimeters/resourceAssociationProxies/read | Gets a Network Security Perimeter Resource Association Proxy | +> | Microsoft.Network/networkSecurityPerimeters/resourceAssociationProxies/write | Creates or Updates a Network Security Perimeter Resource Association Proxy | +> | Microsoft.Network/networkSecurityPerimeters/resourceAssociationProxies/delete | Deletes a Network Security Perimeter Resource Association Proxy | +> | Microsoft.Network/networkSecurityPerimeters/resourceAssociations/read | Gets a Network Security Perimeter Resource Association | +> | Microsoft.Network/networkSecurityPerimeters/resourceAssociations/write | Creates or Updates a Network Security Perimeter Resource Association | +> | Microsoft.Network/networkSecurityPerimeters/resourceAssociations/delete | Deletes a Network Security Perimeter Resource Association | +> | Microsoft.Network/networkVerifiers/read | Gets a Network Verifier | +> | Microsoft.Network/networkVerifiers/write | Creates or Updates a Network Verifier | +> | Microsoft.Network/networkVerifiers/delete | Deletes a Network Verifier | +> | Microsoft.Network/networkVerifiers/analysisIntents/read | Gets a Analysis Intent | +> | Microsoft.Network/networkVerifiers/analysisIntents/write | Creates or Updates a Analysis Intent | +> | Microsoft.Network/networkVerifiers/analysisIntents/delete | Deletes a Analysis Intent | +> | Microsoft.Network/networkVerifiers/analysisIntents/analysisRuns/read | Gets a Analysis Run | +> | Microsoft.Network/networkVerifiers/analysisIntents/analysisRuns/write | Creates or Updates a Analysis Run | +> | Microsoft.Network/networkVerifiers/analysisIntents/analysisRuns/delete | Deletes a Analysis Run | +> | Microsoft.Network/networkVerifiers/configurationSnapshots/read | Gets a Configuration Snapshot | +> | Microsoft.Network/networkVerifiers/configurationSnapshots/write | Creates or Updates a Configuration Snapshot | +> | 
Microsoft.Network/networkVerifiers/configurationSnapshots/delete | Deletes a Configuration Snapshot | +> | Microsoft.Network/networkVirtualAppliances/delete | Delete a Network Virtual Appliance | +> | Microsoft.Network/networkVirtualAppliances/read | Get a Network Virtual Appliance | +> | Microsoft.Network/networkVirtualAppliances/write | Create or update a Network Virtual Appliance | +> | Microsoft.Network/networkVirtualAppliances/getDelegatedSubnets/action | Get Network Virtual Appliance delegated subnets | +> | Microsoft.Network/networkVirtualAppliances/restart/action | Restart Network Virtual Appliance | +> | Microsoft.Network/networkVirtualAppliances/inboundSecurityRules/read | Get a InboundSecurityRule | +> | Microsoft.Network/networkVirtualAppliances/inboundSecurityRules/write | Create or update a InboundSecurityRule | +> | Microsoft.Network/networkVirtualAppliances/inboundSecurityRules/delete | Delete a InboundSecurityRule | +> | Microsoft.Network/networkVirtualAppliances/networkVirtualApplianceConnections/read | Get a Network Virtual Appliance Connection | +> | Microsoft.Network/networkVirtualAppliances/networkVirtualApplianceConnections/write | Update a Network Virtual Appliance Connection | +> | Microsoft.Network/networkVirtualAppliances/networkVirtualApplianceConnections/delete | Delete a Network Virtual Appliance Connection | +> | Microsoft.Network/networkWatchers/read | Get the network watcher definition | +> | Microsoft.Network/networkWatchers/write | Creates a network watcher or updates an existing network watcher | +> | Microsoft.Network/networkWatchers/delete | Deletes a network watcher | +> | Microsoft.Network/networkWatchers/configureFlowLog/action | Configures flow logging for a target resource. | +> | Microsoft.Network/networkWatchers/ipFlowVerify/action | Returns whether the packet is allowed or denied to or from a particular destination. 
| +> | Microsoft.Network/networkWatchers/nextHop/action | For a specified target and destination IP address, return the next hop type and next hope IP address. | +> | Microsoft.Network/networkWatchers/queryFlowLogStatus/action | Gets the status of flow logging on a resource. | +> | Microsoft.Network/networkWatchers/queryTroubleshootResult/action | Gets the troubleshooting result from the previously run or currently running troubleshooting operation. | +> | Microsoft.Network/networkWatchers/securityGroupView/action | View the configured and effective network security group rules applied on a VM. | +> | Microsoft.Network/networkWatchers/networkConfigurationDiagnostic/action | Diagnostic of network configuration. | +> | Microsoft.Network/networkWatchers/queryConnectionMonitors/action | Batch query monitoring connectivity between specified endpoints | +> | Microsoft.Network/networkWatchers/topology/action | Gets a network level view of resources and their relationships in a resource group. | +> | Microsoft.Network/networkWatchers/troubleshoot/action | Starts troubleshooting on a Networking resource in Azure. | +> | Microsoft.Network/networkWatchers/connectivityCheck/action | Verifies the possibility of establishing a direct TCP connection from a virtual machine to a given endpoint including another VM or an arbitrary remote server. | +> | Microsoft.Network/networkWatchers/azureReachabilityReport/action | Returns the relative latency score for internet service providers from a specified location to Azure regions. | +> | Microsoft.Network/networkWatchers/availableProvidersList/action | Returns all available internet service providers for a specified Azure region. 
| +> | Microsoft.Network/networkWatchers/connectionMonitors/start/action | Start monitoring connectivity between specified endpoints | +> | Microsoft.Network/networkWatchers/connectionMonitors/stop/action | Stop/pause monitoring connectivity between specified endpoints | +> | Microsoft.Network/networkWatchers/connectionMonitors/query/action | Query monitoring connectivity between specified endpoints | +> | Microsoft.Network/networkWatchers/connectionMonitors/read | Get Connection Monitor details | +> | Microsoft.Network/networkWatchers/connectionMonitors/write | Creates a Connection Monitor | +> | Microsoft.Network/networkWatchers/connectionMonitors/delete | Deletes a Connection Monitor | +> | Microsoft.Network/networkWatchers/connectionMonitors/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Connection Monitor | +> | Microsoft.Network/networkWatchers/connectivityCheck/read | Verifies the possibility of establishing a direct TCP connection from a virtual machine to a given endpoint including another VM or an arbitrary remote server. | +> | Microsoft.Network/networkWatchers/flowLogs/read | Get Flow Log details | +> | Microsoft.Network/networkWatchers/flowLogs/write | Creates a Flow Log | +> | Microsoft.Network/networkWatchers/flowLogs/delete | Deletes a Flow Log | +> | Microsoft.Network/networkWatchers/ipFlowVerify/read | Returns whether the packet is allowed or denied to or from a particular destination. 
| +> | Microsoft.Network/networkWatchers/lenses/start/action | Start monitoring network traffic on a specified endpoint | +> | Microsoft.Network/networkWatchers/lenses/stop/action | Stop/pause monitoring network traffic on a specified endpoint | +> | Microsoft.Network/networkWatchers/lenses/query/action | Query monitoring network traffic on a specified endpoint | +> | Microsoft.Network/networkWatchers/lenses/read | Get Lens details | +> | Microsoft.Network/networkWatchers/lenses/write | Creates a Lens | +> | Microsoft.Network/networkWatchers/lenses/delete | Deletes a Lens | +> | Microsoft.Network/networkWatchers/networkConfigurationDiagnostic/read | Diagnostic of network configuration. | +> | Microsoft.Network/networkWatchers/nextHop/read | For a specified target and destination IP address, return the next hop type and next hope IP address. | +> | Microsoft.Network/networkWatchers/packetCaptures/queryStatus/action | Gets information about properties and status of a packet capture resource. | +> | Microsoft.Network/networkWatchers/packetCaptures/stop/action | Stop the running packet capture session. 
| +> | Microsoft.Network/networkWatchers/packetCaptures/read | Get the packet capture definition | +> | Microsoft.Network/networkWatchers/packetCaptures/write | Creates a packet capture | +> | Microsoft.Network/networkWatchers/packetCaptures/delete | Deletes a packet capture | +> | Microsoft.Network/networkWatchers/packetCaptures/queryStatus/read | Read Packet Capture Status | +> | Microsoft.Network/networkWatchers/pingMeshes/start/action | Start PingMesh between specified VMs | +> | Microsoft.Network/networkWatchers/pingMeshes/stop/action | Stop PingMesh between specified VMs | +> | Microsoft.Network/networkWatchers/pingMeshes/read | Get PingMesh details | +> | Microsoft.Network/networkWatchers/pingMeshes/write | Creates a PingMesh | +> | Microsoft.Network/networkWatchers/pingMeshes/delete | Deletes a PingMesh | +> | Microsoft.Network/networkWatchers/topology/read | Gets a network level view of resources and their relationships in a resource group. | +> | Microsoft.Network/operations/read | Get Available Operations | +> | Microsoft.Network/p2sVpnGateways/read | Gets a P2SVpnGateway. | +> | Microsoft.Network/p2sVpnGateways/write | Puts a P2SVpnGateway. | +> | Microsoft.Network/p2sVpnGateways/delete | Deletes a P2SVpnGateway. 
| +> | microsoft.network/p2sVpnGateways/reset/action | Resets a P2SVpnGateway | +> | microsoft.network/p2sVpnGateways/detach/action | Detaches a P2SVpnGateway Hub from WAN Traffic manager | +> | microsoft.network/p2sVpnGateways/attach/action | Attaches a P2SVpnGateway Hub from WAN Traffic manager | +> | Microsoft.Network/p2sVpnGateways/generatevpnprofile/action | Generate Vpn Profile for P2SVpnGateway | +> | Microsoft.Network/p2sVpnGateways/getp2svpnconnectionhealth/action | Gets a P2S Vpn Connection health for P2SVpnGateway | +> | Microsoft.Network/p2sVpnGateways/getp2svpnconnectionhealthdetailed/action | Gets a P2S Vpn Connection health detailed for P2SVpnGateway | +> | Microsoft.Network/p2sVpnGateways/disconnectp2svpnconnections/action | Disconnect p2s vpn connections | +> | Microsoft.Network/p2sVpnGateways/providers/Microsoft.Insights/diagnosticSettings/read | Gets the P2S Vpn Gateway Diagnostic Settings | +> | Microsoft.Network/p2sVpnGateways/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the P2S Vpn Gateway diagnostic settings, this operation is supplemented by insights resource provider. | +> | Microsoft.Network/p2sVpnGateways/providers/Microsoft.Insights/logDefinitions/read | Gets the events for P2S Vpn Gateway | +> | Microsoft.Network/p2sVpnGateways/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for P2S Vpn Gateway | +> | Microsoft.Network/privateDnsOperationResults/read | Gets results of a Private DNS operation | +> | Microsoft.Network/privateDnsOperationStatuses/read | Gets status of a Private DNS operation | +> | Microsoft.Network/privateDnsZones/read | Get the Private DNS zone properties, in JSON format. Note that this command does not retrieve the virtual networks to which the Private DNS zone is linked or the record sets contained within the zone. | +> | Microsoft.Network/privateDnsZones/write | Create or update a Private DNS zone within a resource group. 
Note that this command cannot be used to create or update virtual network links or record sets within the zone. | +> | Microsoft.Network/privateDnsZones/delete | Delete a Private DNS zone. | +> | Microsoft.Network/privateDnsZones/join/action | Joins a Private DNS Zone | +> | Microsoft.Network/privateDnsZones/A/read | Get the record set of type 'A' within a Private DNS zone, in JSON format. The record set contains a list of records as well as the TTL, tags, and etag. | +> | Microsoft.Network/privateDnsZones/A/write | Create or update a record set of type 'A' within a Private DNS zone. The records specified will replace the current records in the record set. | +> | Microsoft.Network/privateDnsZones/A/delete | Remove the record set of a given name and type 'A' from a Private DNS zone. | +> | Microsoft.Network/privateDnsZones/AAAA/read | Get the record set of type 'AAAA' within a Private DNS zone, in JSON format. The record set contains a list of records as well as the TTL, tags, and etag. | +> | Microsoft.Network/privateDnsZones/AAAA/write | Create or update a record set of type 'AAAA' within a Private DNS zone. The records specified will replace the current records in the record set. | +> | Microsoft.Network/privateDnsZones/AAAA/delete | Remove the record set of a given name and type 'AAAA' from a Private DNS zone. | +> | Microsoft.Network/privateDnsZones/ALL/read | Gets Private DNS record sets across types | +> | Microsoft.Network/privateDnsZones/CNAME/read | Get the record set of type 'CNAME' within a Private DNS zone, in JSON format. | +> | Microsoft.Network/privateDnsZones/CNAME/write | Create or update a record set of type 'CNAME' within a Private DNS zone. | +> | Microsoft.Network/privateDnsZones/CNAME/delete | Remove the record set of a given name and type 'CNAME' from a Private DNS zone. | +> | Microsoft.Network/privateDnsZones/MX/read | Get the record set of type 'MX' within a Private DNS zone, in JSON format. 
The record set contains a list of records as well as the TTL, tags, and etag. | +> | Microsoft.Network/privateDnsZones/MX/write | Create or update a record set of type 'MX' within a Private DNS zone. The records specified will replace the current records in the record set. | +> | Microsoft.Network/privateDnsZones/MX/delete | Remove the record set of a given name and type 'MX' from a Private DNS zone. | +> | Microsoft.Network/privateDnsZones/providers/Microsoft.Insights/diagnosticSettings/read | Gets the Private DNS zone diagnostic settings | +> | Microsoft.Network/privateDnsZones/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the Private DNS zone diagnostic settings | +> | Microsoft.Network/privateDnsZones/providers/Microsoft.Insights/metricDefinitions/read | Gets the Private DNS zone metric settings | +> | Microsoft.Network/privateDnsZones/PTR/read | Get the record set of type 'PTR' within a Private DNS zone, in JSON format. The record set contains a list of records as well as the TTL, tags, and etag. | +> | Microsoft.Network/privateDnsZones/PTR/write | Create or update a record set of type 'PTR' within a Private DNS zone. The records specified will replace the current records in the record set. | +> | Microsoft.Network/privateDnsZones/PTR/delete | Remove the record set of a given name and type 'PTR' from a Private DNS zone. | +> | Microsoft.Network/privateDnsZones/recordsets/read | Gets Private DNS record sets across types | +> | Microsoft.Network/privateDnsZones/SOA/read | Get the record set of type 'SOA' within a Private DNS zone, in JSON format. | +> | Microsoft.Network/privateDnsZones/SOA/write | Update a record set of type 'SOA' within a Private DNS zone. | +> | Microsoft.Network/privateDnsZones/SRV/read | Get the record set of type 'SRV' within a Private DNS zone, in JSON format. The record set contains a list of records as well as the TTL, tags, and etag. 
| +> | Microsoft.Network/privateDnsZones/SRV/write | Create or update a record set of type 'SRV' within a Private DNS zone. The records specified will replace the current records in the record set. | +> | Microsoft.Network/privateDnsZones/SRV/delete | Remove the record set of a given name and type 'SRV' from a Private DNS zone. | +> | Microsoft.Network/privateDnsZones/TXT/read | Get the record set of type 'TXT' within a Private DNS zone, in JSON format. The record set contains a list of records as well as the TTL, tags, and etag. | +> | Microsoft.Network/privateDnsZones/TXT/write | Create or update a record set of type 'TXT' within a Private DNS zone. The records specified will replace the current records in the record set. | +> | Microsoft.Network/privateDnsZones/TXT/delete | Remove the record set of a given name and type 'TXT' from a Private DNS zone. | +> | Microsoft.Network/privateDnsZones/virtualNetworkLinks/read | Get the Private DNS zone link to virtual network properties, in JSON format. | +> | Microsoft.Network/privateDnsZones/virtualNetworkLinks/write | Create or update a Private DNS zone link to virtual network. | +> | Microsoft.Network/privateDnsZones/virtualNetworkLinks/delete | Delete a Private DNS zone link to virtual network. | +> | Microsoft.Network/privateEndpointRedirectMaps/read | Gets a Private Endpoint RedirectMap | +> | Microsoft.Network/privateEndpointRedirectMaps/write | Creates Private Endpoint RedirectMap Or Updates An Existing Private Endpoint RedirectMap | +> | Microsoft.Network/privateEndpoints/pushPropertiesToResource/action | Operation to push private endpoint property updates from NRP client | +> | Microsoft.Network/privateEndpoints/read | Gets an private endpoint resource. | +> | Microsoft.Network/privateEndpoints/write | Creates a new private endpoint, or updates an existing private endpoint. | +> | Microsoft.Network/privateEndpoints/delete | Deletes an private endpoint resource. 
| +> | Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read | Gets a Private DNS Zone Group | +> | Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write | Puts a Private DNS Zone Group | +> | Microsoft.Network/privateEndpoints/privateDnsZoneGroups/delete | Deletes a Private DNS Zone Group | +> | Microsoft.Network/privateEndpoints/privateLinkServiceProxies/read | Gets a private link service proxy resource. | +> | Microsoft.Network/privateEndpoints/privateLinkServiceProxies/write | Creates a new private link service proxy, or updates an existing private link service proxy. | +> | Microsoft.Network/privateEndpoints/privateLinkServiceProxies/delete | Deletes an private link service proxy resource. | +> | Microsoft.Network/privateEndpoints/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Private Endpoint | +> | Microsoft.Network/privateLinkServices/read | Gets an private link service resource. | +> | Microsoft.Network/privateLinkServices/write | Creates a new private link service, or updates an existing private link service. | +> | Microsoft.Network/privateLinkServices/delete | Deletes an private link service resource. | +> | Microsoft.Network/privateLinkServices/notifyPrivateEndpointMove/action | Notifies a connected Private Link Service of Private Endpoint move | +> | Microsoft.Network/privateLinkServices/PrivateEndpointConnectionsApproval/action | Approve or reject PrivateEndpoint connection on PrivateLinkService | +> | Microsoft.Network/privateLinkServices/privateEndpointConnectionProxies/read | Gets an private endpoint connection proxy resource. | +> | Microsoft.Network/privateLinkServices/privateEndpointConnectionProxies/write | Creates a new private endpoint connection proxy, or updates an existing private endpoint connection proxy. | +> | Microsoft.Network/privateLinkServices/privateEndpointConnectionProxies/delete | Deletes an private endpoint connection proxy resource. 
| +> | Microsoft.Network/privateLinkServices/privateEndpointConnections/read | Gets an private endpoint connection definition. | +> | Microsoft.Network/privateLinkServices/privateEndpointConnections/write | Creates a new private endpoint connection, or updates an existing private endpoint connection. | +> | Microsoft.Network/privateLinkServices/privateEndpointConnections/delete | Deletes an private endpoint connection. | +> | Microsoft.Network/privateLinkServices/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Private Link Service | +> | Microsoft.Network/publicIPAddresses/read | Gets a public IP address definition. | +> | Microsoft.Network/publicIPAddresses/write | Creates a public IP address or updates an existing public IP address. | +> | Microsoft.Network/publicIPAddresses/delete | Deletes a public IP address. | +> | Microsoft.Network/publicIPAddresses/join/action | Joins a public IP address. Not Alertable. | +> | Microsoft.Network/publicIPAddresses/ddosProtectionStatus/action | Gets the effective Ddos protection status for a Public IP Address resource. 
| +> | Microsoft.Network/publicIPAddresses/dnsAliases/read | Gets a Public IP Address Dns Alias resource | +> | Microsoft.Network/publicIPAddresses/dnsAliases/write | Creates a Public IP Address Dns Alias resource | +> | Microsoft.Network/publicIPAddresses/dnsAliases/delete | Deletes a Public IP Address Dns Alias resource | +> | Microsoft.Network/publicIPAddresses/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostic settings of Public IP Address | +> | Microsoft.Network/publicIPAddresses/providers/Microsoft.Insights/diagnosticSettings/write | Create or update the diagnostic settings of Public IP Address | +> | Microsoft.Network/publicIPAddresses/providers/Microsoft.Insights/logDefinitions/read | Get the log definitions of Public IP Address | +> | Microsoft.Network/publicIPAddresses/providers/Microsoft.Insights/metricDefinitions/read | Get the metrics definitions of Public IP Address | +> | Microsoft.Network/publicIPPrefixes/read | Gets a Public Ip Prefix Definition | +> | Microsoft.Network/publicIPPrefixes/write | Creates A Public Ip Prefix Or Updates An Existing Public Ip Prefix | +> | Microsoft.Network/publicIPPrefixes/delete | Deletes A Public Ip Prefix | +> | Microsoft.Network/publicIPPrefixes/join/action | Joins a PublicIPPrefix. Not alertable. | +> | Microsoft.Network/routeFilters/read | Gets a route filter definition | +> | Microsoft.Network/routeFilters/join/action | Joins a route filter. Not Alertable. 
| +> | Microsoft.Network/routeFilters/delete | Deletes a route filter definition | +> | Microsoft.Network/routeFilters/write | Creates a route filter or Updates an existing route filter | +> | Microsoft.Network/routeFilters/routeFilterRules/read | Gets a route filter rule definition | +> | Microsoft.Network/routeFilters/routeFilterRules/write | Creates a route filter rule or Updates an existing route filter rule | +> | Microsoft.Network/routeFilters/routeFilterRules/delete | Deletes a route filter rule definition | +> | Microsoft.Network/routeTables/read | Gets a route table definition | +> | Microsoft.Network/routeTables/write | Creates a route table or Updates an existing route table | +> | Microsoft.Network/routeTables/delete | Deletes a route table definition | +> | Microsoft.Network/routeTables/join/action | Joins a route table. Not Alertable. | +> | Microsoft.Network/routeTables/routes/read | Gets a route definition | +> | Microsoft.Network/routeTables/routes/write | Creates a route or Updates an existing route | +> | Microsoft.Network/routeTables/routes/delete | Deletes a route definition | +> | Microsoft.Network/securityPartnerProviders/read | Gets a SecurityPartnerProvider | +> | Microsoft.Network/securityPartnerProviders/write | Creates a SecurityPartnerProvider or Updates An Existing SecurityPartnerProvider | +> | Microsoft.Network/securityPartnerProviders/validate/action | Validates a SecurityPartnerProvider | +> | Microsoft.Network/securityPartnerProviders/updateReferences/action | Update references in a SecurityPartnerProvider | +> | Microsoft.Network/securityPartnerProviders/join/action | Joins a SecurityPartnerProvider. Not alertable. 
| +> | Microsoft.Network/securityPartnerProviders/delete | Deletes a SecurityPartnerProvider | +> | Microsoft.Network/serviceEndpointPolicies/read | Gets a Service Endpoint Policy Description | +> | Microsoft.Network/serviceEndpointPolicies/write | Creates a Service Endpoint Policy or updates an existing Service Endpoint Policy | +> | Microsoft.Network/serviceEndpointPolicies/delete | Deletes a Service Endpoint Policy | +> | Microsoft.Network/serviceEndpointPolicies/join/action | Joins a Service Endpoint Policy. Not alertable. | +> | Microsoft.Network/serviceEndpointPolicies/joinSubnet/action | Joins a Subnet To Service Endpoint Policies. Not alertable. | +> | Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions/read | Gets a Service Endpoint Policy Definition Description | +> | Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions/write | Creates a Service Endpoint Policy Definition or updates an existing Service Endpoint Policy Definition | +> | Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions/delete | Deletes a Service Endpoint Policy Definition | +> | Microsoft.Network/trafficManagerGeographicHierarchies/read | Gets the Traffic Manager Geographic Hierarchy containing regions which can be used with the Geographic traffic routing method | +> | Microsoft.Network/trafficManagerProfiles/read | Get the Traffic Manager profile configuration. This includes DNS settings, traffic routing settings, endpoint monitoring settings, and the list of endpoints routed by this Traffic Manager profile. | +> | Microsoft.Network/trafficManagerProfiles/write | Create a Traffic Manager profile, or modify the configuration of an existing Traffic Manager profile.<br>This includes enabling or disabling a profile and modifying DNS settings, traffic routing settings, or endpoint monitoring settings.<br>Endpoints routed by the Traffic Manager profile can be added, removed, enabled or disabled. 
| +> | Microsoft.Network/trafficManagerProfiles/delete | Delete the Traffic Manager profile. All settings associated with the Traffic Manager profile will be lost, and the profile can no longer be used to route traffic. | +> | Microsoft.Network/trafficManagerProfiles/azureEndpoints/read | Gets an Azure Endpoint which belongs to a Traffic Manager Profile, including all the properties of that Azure Endpoint. | +> | Microsoft.Network/trafficManagerProfiles/azureEndpoints/write | Add a new Azure Endpoint in an existing Traffic Manager Profile or update the properties of an existing Azure Endpoint in that Traffic Manager Profile. | +> | Microsoft.Network/trafficManagerProfiles/azureEndpoints/delete | Deletes an Azure Endpoint from an existing Traffic Manager Profile. Traffic Manager will stop routing traffic to the deleted Azure Endpoint. | +> | Microsoft.Network/trafficManagerProfiles/externalEndpoints/read | Gets an External Endpoint which belongs to a Traffic Manager Profile, including all the properties of that External Endpoint. | +> | Microsoft.Network/trafficManagerProfiles/externalEndpoints/write | Add a new External Endpoint in an existing Traffic Manager Profile or update the properties of an existing External Endpoint in that Traffic Manager Profile. | +> | Microsoft.Network/trafficManagerProfiles/externalEndpoints/delete | Deletes an External Endpoint from an existing Traffic Manager Profile. Traffic Manager will stop routing traffic to the deleted External Endpoint. | +> | Microsoft.Network/trafficManagerProfiles/heatMaps/read | Gets the Traffic Manager Heat Map for the given Traffic Manager profile which contains query counts and latency data by location and source IP. | +> | Microsoft.Network/trafficManagerProfiles/nestedEndpoints/read | Gets an Nested Endpoint which belongs to a Traffic Manager Profile, including all the properties of that Nested Endpoint. 
| +> | Microsoft.Network/trafficManagerProfiles/nestedEndpoints/write | Add a new Nested Endpoint in an existing Traffic Manager Profile or update the properties of an existing Nested Endpoint in that Traffic Manager Profile. | +> | Microsoft.Network/trafficManagerProfiles/nestedEndpoints/delete | Deletes an Nested Endpoint from an existing Traffic Manager Profile. Traffic Manager will stop routing traffic to the deleted Nested Endpoint. | +> | Microsoft.Network/trafficManagerProfiles/providers/Microsoft.Insights/diagnosticSettings/read | Gets the Traffic Manager Diagnostic Settings | +> | Microsoft.Network/trafficManagerProfiles/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the Traffic Manager diagnostic settings, this operation is supplemented by insights resource provider. | +> | Microsoft.Network/trafficManagerProfiles/providers/Microsoft.Insights/logDefinitions/read | Gets the events for Traffic Manager | +> | Microsoft.Network/trafficManagerProfiles/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Traffic Manager. | +> | Microsoft.Network/trafficManagerUserMetricsKeys/read | Gets the subscription-level key used for Realtime User Metrics collection. | +> | Microsoft.Network/trafficManagerUserMetricsKeys/write | Creates a new subscription-level key to be used for Realtime User Metrics collection. | +> | Microsoft.Network/trafficManagerUserMetricsKeys/delete | Deletes the subscription-level key used for Realtime User Metrics collection. 
| +> | Microsoft.Network/virtualHubs/delete | Deletes a Virtual Hub | +> | Microsoft.Network/virtualHubs/read | Get a Virtual Hub | +> | Microsoft.Network/virtualHubs/write | Create or update a Virtual Hub | +> | Microsoft.Network/virtualHubs/effectiveRoutes/action | Gets effective route configured on Virtual Hub | +> | Microsoft.Network/virtualHubs/migrateRouteService/action | Validate or execute the hub router migration | +> | Microsoft.Network/virtualHubs/inboundRoutes/action | Gets routes learnt from a virtual wan connection | +> | Microsoft.Network/virtualHubs/outboundRoutes/action | Get Routes advertised by a virtual wan connection | +> | Microsoft.Network/virtualHubs/bgpConnections/read | Gets a Hub Bgp Connection child resource of Virtual Hub | +> | Microsoft.Network/virtualHubs/bgpConnections/write | Creates or Updates a Hub Bgp Connection child resource of Virtual Hub | +> | Microsoft.Network/virtualHubs/bgpConnections/delete | Deletes a Hub Bgp Connection child resource of Virtual Hub | +> | Microsoft.Network/virtualHubs/bgpConnections/advertisedRoutes/action | Gets virtualrouter advertised routes | +> | Microsoft.Network/virtualHubs/bgpConnections/learnedRoutes/action | Gets virtualrouter learned routes | +> | Microsoft.Network/virtualHubs/connectionPolicies/read | Gets Connection Policy child resource of Virtual Hub | +> | Microsoft.Network/virtualHubs/connectionPolicies/write | Creates or Updates Connection Policy child resource of Virtual Hub | +> | Microsoft.Network/virtualHubs/connectionPolicies/delete | Deletes Connection Policy child resource of Virtual Hub | +> | Microsoft.Network/virtualHubs/hubRouteTables/read | Gets a Route Table child resource of Virtual Hub | +> | Microsoft.Network/virtualHubs/hubRouteTables/write | Creates or Updates a Route Table child resource of Virtual Hub | +> | Microsoft.Network/virtualHubs/hubRouteTables/delete | Deletes a Route Table child resource of Virtual Hub | +> | 
Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/read | Get a HubVirtualNetworkConnection | +> | Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/write | Create or update a HubVirtualNetworkConnection | +> | Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/delete | Deletes a HubVirtualNetworkConnection | +> | Microsoft.Network/virtualHubs/ipConfigurations/read | Gets a Hub IpConfiguration child resource of Virtual Hub | +> | Microsoft.Network/virtualHubs/ipConfigurations/write | Creates or Updates a Hub IpConfiguration child resource of Virtual Hub | +> | Microsoft.Network/virtualHubs/ipConfigurations/delete | Deletes a Hub IpConfiguration child resource of Virtual Hub | +> | Microsoft.Network/virtualHubs/routeMaps/read | Gets a Route Map child resource of Virtual Hub | +> | Microsoft.Network/virtualHubs/routeMaps/write | Creates or Updates a Route Map child resource of Virtual Hub | +> | Microsoft.Network/virtualHubs/routeMaps/delete | Deletes a Route Map child resource of Virtual Hub | +> | Microsoft.Network/virtualHubs/routeTables/read | Get a VirtualHubRouteTableV2 | +> | Microsoft.Network/virtualHubs/routeTables/write | Create or Update a VirtualHubRouteTableV2 | +> | Microsoft.Network/virtualHubs/routeTables/delete | Delete a VirtualHubRouteTableV2 | +> | Microsoft.Network/virtualHubs/routingIntent/read | Gets a Routing Intent child resource of Virtual Hub | +> | Microsoft.Network/virtualHubs/routingIntent/write | Creates or Updates a Routing Intent child resource of Virtual Hub | +> | Microsoft.Network/virtualHubs/routingIntent/delete | Deletes a Routing Intent child resource of Virtual Hub | +> | Microsoft.Network/virtualnetworkgateways/supportedvpndevices/action | Lists Supported Vpn Devices | +> | Microsoft.Network/virtualNetworkGateways/read | Gets a VirtualNetworkGateway | +> | Microsoft.Network/virtualNetworkGateways/write | Creates or updates a VirtualNetworkGateway | +> | Microsoft.Network/virtualNetworkGateways/delete | 
Deletes a virtualNetworkGateway | +> | microsoft.network/virtualnetworkgateways/generatevpnclientpackage/action | Generate VpnClient package for virtualNetworkGateway | +> | microsoft.network/virtualnetworkgateways/generatevpnprofile/action | Generate VpnProfile package for VirtualNetworkGateway | +> | microsoft.network/virtualnetworkgateways/getvpnclientconnectionhealth/action | Get Per Vpn Client Connection Health for VirtualNetworkGateway | +> | microsoft.network/virtualnetworkgateways/disconnectvirtualnetworkgatewayvpnconnections/action | Disconnect virtual network gateway vpn connections | +> | microsoft.network/virtualnetworkgateways/getvpnprofilepackageurl/action | Gets the URL of a pre-generated vpn client profile package | +> | microsoft.network/virtualnetworkgateways/setvpnclientipsecparameters/action | Set Vpnclient Ipsec parameters for VirtualNetworkGateway P2S client. | +> | microsoft.network/virtualnetworkgateways/getvpnclientipsecparameters/action | Get Vpnclient Ipsec parameters for VirtualNetworkGateway P2S client. | +> | microsoft.network/virtualnetworkgateways/resetvpnclientsharedkey/action | Reset Vpnclient shared key for VirtualNetworkGateway P2S client. | +> | microsoft.network/virtualnetworkgateways/reset/action | Resets a virtualNetworkGateway | +> | microsoft.network/virtualnetworkgateways/getadvertisedroutes/action | Gets virtualNetworkGateway advertised routes | +> | microsoft.network/virtualnetworkgateways/getbgppeerstatus/action | Gets virtualNetworkGateway bgp peer status | +> | microsoft.network/virtualnetworkgateways/getlearnedroutes/action | Gets virtualnetworkgateway learned routes | +> | microsoft.network/virtualnetworkgateways/startpacketcapture/action | Starts a Virtual Network Gateway Packet Capture. | +> | microsoft.network/virtualnetworkgateways/stoppacketcapture/action | Stops a Virtual Network Gateway Packet Capture. 
| +> | microsoft.network/virtualnetworkgateways/connections/read | Get VirtualNetworkGatewayConnection | +> | microsoft.network/virtualNetworkGateways/natRules/read | Gets a NAT rule resource | +> | microsoft.network/virtualNetworkGateways/natRules/write | Puts a NAT rule resource | +> | microsoft.network/virtualNetworkGateways/natRules/delete | Deletes a NAT rule resource | +> | Microsoft.Network/virtualNetworkGateways/providers/Microsoft.Insights/diagnosticSettings/read | Gets the Virtual Network Gateway Diagnostic Settings | +> | Microsoft.Network/virtualNetworkGateways/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the Virtual Network Gateway diagnostic settings, this operation is supplemented by insights resource provider. | +> | Microsoft.Network/virtualNetworkGateways/providers/Microsoft.Insights/logDefinitions/read | Gets the events for Virtual Network Gateway | +> | Microsoft.Network/virtualNetworkGateways/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Virtual Network Gateway | +> | Microsoft.Network/virtualNetworks/read | Get the virtual network definition | +> | Microsoft.Network/virtualNetworks/write | Creates a virtual network or updates an existing virtual network | +> | Microsoft.Network/virtualNetworks/delete | Deletes a virtual network | +> | Microsoft.Network/virtualNetworks/joinLoadBalancer/action | Joins a load balancer to virtual networks | +> | Microsoft.Network/virtualNetworks/peer/action | Peers a virtual network with another virtual network | +> | Microsoft.Network/virtualNetworks/join/action | Joins a virtual network. Not Alertable. | +> | Microsoft.Network/virtualNetworks/BastionHosts/action | Gets Bastion Host references in a Virtual Network. | +> | Microsoft.Network/virtualNetworks/ddosProtectionStatus/action | Gets the effective Ddos protection status for a Virtual Network resource. 
| +> | Microsoft.Network/virtualNetworks/rnmEffectiveRouteTable/action | Gets RouteTables Configured On CA Of The Vnet In Rnm Format | +> | Microsoft.Network/virtualNetworks/rnmEffectiveNetworkSecurityGroups/action | Gets Security Groups Configured On CA Of The Vnet In Rnm Format | +> | Microsoft.Network/virtualNetworks/listNetworkManagerEffectiveConnectivityConfigurations/action | Lists Network Manager Effective Connectivity Configurations | +> | Microsoft.Network/virtualNetworks/listNetworkManagerEffectiveSecurityAdminRules/action | Lists Network Manager Effective Security Admin Rules | +> | Microsoft.Network/virtualNetworks/listDnsResolvers/action | Gets the DNS Resolver for Virtual Network, in JSON format | +> | Microsoft.Network/virtualNetworks/listDnsForwardingRulesets/action | Gets the DNS Forwarding Ruleset for Virtual Network, in JSON format | +> | Microsoft.Network/virtualNetworks/bastionHosts/default/action | Gets Bastion Host references in a Virtual Network. | +> | Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read | Check if IP Address is available at the specified virtual network | +> | Microsoft.Network/virtualNetworks/customViews/read | Get definition of a custom view of Virtual Network | +> | Microsoft.Network/virtualNetworks/customViews/get/action | Get a Virtual Network custom view content | +> | Microsoft.Network/virtualNetworks/listNetworkManagerEffectiveConnectivityConfigurations/read | Permission for calling List Network Manager Effective Connectivity Configurations operation. This read permission, not listNetworkManagerEffectiveConnectivityConfigurations/action, is required to call List Network Manager Effective Connectivity Configurations. | +> | Microsoft.Network/virtualNetworks/listNetworkManagerEffectiveSecurityAdminRules/read | Permission for calling List Network Manager Effective Security Admin Rules operation. 
This read permission, not listNetworkManagerEffectiveSecurityAdminRules/action, is required to call List Network Manager Effective Security Admin Rules. | +> | Microsoft.Network/virtualNetworks/privateDnsZoneLinks/read | Get the Private DNS zone link to a virtual network properties, in JSON format. | +> | Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostic settings of Virtual Network | +> | Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/write | Create or update the diagnostic settings of the Virtual Network | +> | Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/logDefinitions/read | Get the log definitions of Virtual Network | +> | Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read | Gets available metrics for the PingMesh | +> | Microsoft.Network/virtualNetworks/remoteVirtualNetworkPeeringProxies/read | Gets a virtual network peering proxy definition | +> | Microsoft.Network/virtualNetworks/remoteVirtualNetworkPeeringProxies/write | Creates a virtual network peering proxy or updates an existing virtual network peering proxy | +> | Microsoft.Network/virtualNetworks/remoteVirtualNetworkPeeringProxies/delete | Deletes a virtual network peering proxy | +> | Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition | +> | Microsoft.Network/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet | +> | Microsoft.Network/virtualNetworks/subnets/delete | Deletes a virtual network subnet | +> | Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action | Joins a load balancer to virtual network subnets | +> | Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. 
| +> | Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. | +> | Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action | Prepares a subnet by applying necessary Network Policies | +> | Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action | Unprepare a subnet by removing the applied Network Policies | +> | Microsoft.Network/virtualNetworks/subnets/contextualServiceEndpointPolicies/read | Gets Contextual Service Endpoint Policies | +> | Microsoft.Network/virtualNetworks/subnets/contextualServiceEndpointPolicies/write | Creates a Contextual Service Endpoint Policy or updates an existing Contextual Service Endpoint Policy | +> | Microsoft.Network/virtualNetworks/subnets/contextualServiceEndpointPolicies/delete | Deletes A Contextual Service Endpoint Policy | +> | Microsoft.Network/virtualNetworks/subnets/resourceNavigationLinks/read | Get the Resource Navigation Link definition | +> | Microsoft.Network/virtualNetworks/subnets/resourceNavigationLinks/write | Creates a Resource Navigation Link or updates an existing Resource Navigation Link | +> | Microsoft.Network/virtualNetworks/subnets/resourceNavigationLinks/delete | Deletes a Resource Navigation Link | +> | Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/read | Gets a Service Association Link definition | +> | Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/write | Creates a Service Association Link or updates an existing Service Association Link | +> | Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/delete | Deletes a Service Association Link | +> | Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/validate/action | Validates a Service Association Link | +> | Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/details/read | Gets a Service Association Link Detail Definition | +> | 
Microsoft.Network/virtualNetworks/subnets/virtualMachines/read | Gets references to all the virtual machines in a virtual network subnet | +> | Microsoft.Network/virtualNetworks/taggedTrafficConsumers/read | Get the Tagged Traffic Consumer definition | +> | Microsoft.Network/virtualNetworks/taggedTrafficConsumers/write | Creates a Tagged Traffic Consumer or updates an existing Tagged Traffic Consumer | +> | Microsoft.Network/virtualNetworks/taggedTrafficConsumers/delete | Deletes a Tagged Traffic Consumer | +> | Microsoft.Network/virtualNetworks/taggedTrafficConsumers/validate/action | Validates a Tagged Traffic Consumer | +> | Microsoft.Network/virtualNetworks/usages/read | Get the IP usages for each subnet of the virtual network | +> | Microsoft.Network/virtualNetworks/virtualMachines/read | Gets references to all the virtual machines in a virtual network | +> | Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | Gets a virtual network peering definition | +> | Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write | Creates a virtual network peering or updates an existing virtual network peering | +> | Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete | Deletes a virtual network peering | +> | Microsoft.Network/virtualNetworkTaps/read | Get Virtual Network Tap | +> | Microsoft.Network/virtualNetworkTaps/join/action | Joins a virtual network tap. Not Alertable. | +> | Microsoft.Network/virtualNetworkTaps/delete | Delete Virtual Network Tap | +> | Microsoft.Network/virtualNetworkTaps/write | Create or Update Virtual Network Tap | +> | Microsoft.Network/virtualNetworkTaps/networkInterfaceTapConfigurationProxies/read | Gets a Network Interface Tap Configuration Proxy. | +> | Microsoft.Network/virtualNetworkTaps/networkInterfaceTapConfigurationProxies/write | Creates a Network Interface Tap Configuration Proxy Or updates an existing Network Interface Tap Configuration Proxy. 
| +> | Microsoft.Network/virtualNetworkTaps/networkInterfaceTapConfigurationProxies/delete | Deletes a Network Interface Tap Configuration Proxy. | +> | Microsoft.Network/virtualRouters/read | Gets A VirtualRouter | +> | Microsoft.Network/virtualRouters/write | Creates A VirtualRouter or Updates An Existing VirtualRouter | +> | Microsoft.Network/virtualRouters/delete | Deletes A VirtualRouter | +> | Microsoft.Network/virtualRouters/join/action | Joins A VirtualRouter. Not alertable. | +> | Microsoft.Network/virtualRouters/peerings/read | Gets A VirtualRouterPeering | +> | Microsoft.Network/virtualRouters/peerings/write | Creates A VirtualRouterPeering or Updates An Existing VirtualRouterPeering | +> | Microsoft.Network/virtualRouters/peerings/delete | Deletes A VirtualRouterPeering | +> | Microsoft.Network/virtualRouters/providers/Microsoft.Insights/metricDefinitions/read | Gets The Metric Definitions For VirtualRouter | +> | Microsoft.Network/virtualWans/delete | Deletes a Virtual Wan | +> | Microsoft.Network/virtualWans/read | Get a Virtual Wan | +> | Microsoft.Network/virtualWans/write | Create or update a Virtual Wan | +> | Microsoft.Network/virtualWans/join/action | Joins a Virtual WAN. Not alertable. 
| +> | Microsoft.Network/virtualwans/vpnconfiguration/action | Gets a Vpn Configuration | +> | Microsoft.Network/virtualwans/vpnServerConfigurations/action | Get VirtualWanVpnServerConfigurations | +> | Microsoft.Network/virtualwans/generateVpnProfile/action | Generate VirtualWanVpnServerConfiguration VpnProfile | +> | Microsoft.Network/virtualWans/updateVpnReferences/action | Update VPN reference in VirtualWan | +> | Microsoft.Network/virtualWans/updateVhubReferences/action | Update VirtualHub reference in VirtualWan | +> | Microsoft.Network/virtualWans/p2sVpnServerConfigurations/read | Gets a virtual Wan P2SVpnServerConfiguration | +> | Microsoft.network/virtualWans/p2sVpnServerConfigurations/write | Creates a virtual Wan P2SVpnServerConfiguration or updates an existing virtual Wan P2SVpnServerConfiguration | +> | Microsoft.network/virtualWans/p2sVpnServerConfigurations/delete | Deletes a virtual Wan P2SVpnServerConfiguration | +> | Microsoft.Network/virtualwans/supportedSecurityProviders/read | Gets supported VirtualWan Security Providers. | +> | Microsoft.Network/virtualWans/virtualHubProxies/read | Gets a Virtual Hub proxy definition | +> | Microsoft.Network/virtualWans/virtualHubProxies/write | Creates a Virtual Hub proxy or updates a Virtual Hub proxy | +> | Microsoft.Network/virtualWans/virtualHubProxies/delete | Deletes a Virtual Hub proxy | +> | Microsoft.Network/virtualWans/virtualHubs/read | Gets all Virtual Hubs that reference a Virtual Wan. | +> | Microsoft.Network/virtualWans/vpnSiteProxies/read | Gets a Vpn Site proxy definition | +> | Microsoft.Network/virtualWans/vpnSiteProxies/write | Creates a Vpn Site proxy or updates a Vpn Site proxy | +> | Microsoft.Network/virtualWans/vpnSiteProxies/delete | Deletes a Vpn Site proxy | +> | Microsoft.Network/virtualWans/vpnSites/read | Gets all VPN Sites that reference a Virtual Wan. | +> | Microsoft.Network/vpnGateways/read | Gets a VpnGateway. | +> | Microsoft.Network/vpnGateways/write | Puts a VpnGateway. 
| +> | Microsoft.Network/vpnGateways/delete | Deletes a VpnGateway. | +> | microsoft.network/vpngateways/reset/action | Resets a VpnGateway | +> | microsoft.network/vpngateways/getbgppeerstatus/action | Gets bgp peer status of a VpnGateway | +> | microsoft.network/vpngateways/getlearnedroutes/action | Gets learned routes of a VpnGateway | +> | microsoft.network/vpngateways/getadvertisedroutes/action | Gets advertised routes of a VpnGateway | +> | microsoft.network/vpngateways/startpacketcapture/action | Start Vpn gateway Packet Capture with according resource | +> | microsoft.network/vpngateways/stoppacketcapture/action | Stop Vpn gateway Packet Capture with sasURL | +> | microsoft.network/vpngateways/listvpnconnectionshealth/action | Gets connection health for all or a subset of connections on a VpnGateway | +> | microsoft.network/vpnGateways/natRules/read | Gets a NAT rule resource | +> | microsoft.network/vpnGateways/natRules/write | Puts a NAT rule resource | +> | microsoft.network/vpnGateways/natRules/delete | Deletes a NAT rule resource | +> | Microsoft.Network/vpnGateways/providers/Microsoft.Insights/diagnosticSettings/read | Gets the Vpn Gateway Diagnostic Settings | +> | Microsoft.Network/vpnGateways/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the Vpn Gateway diagnostic settings, this operation is supplemented by insights resource provider. | +> | Microsoft.Network/vpnGateways/providers/Microsoft.Insights/logDefinitions/read | Gets the events for Vpn Gateway | +> | Microsoft.Network/vpnGateways/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Vpn Gateway | +> | microsoft.network/vpnGateways/vpnConnections/read | Gets a VpnConnection. | +> | microsoft.network/vpnGateways/vpnConnections/write | Puts a VpnConnection. | +> | microsoft.network/vpnGateways/vpnConnections/delete | Deletes a VpnConnection. 
| +> | microsoft.network/vpnGateways/vpnConnections/startpacketcapture/action | Start packet capture for selected linked in vpn connection | +> | microsoft.network/vpnGateways/vpnConnections/stoppacketcapture/action | Stop packet capture for selected linked in vpn connection | +> | microsoft.network/vpnGateways/vpnConnections/vpnLinkConnections/getikesas/action | Lists Vpn Link Connection IKE Security Associations | +> | microsoft.network/vpnGateways/vpnConnections/vpnLinkConnections/resetconnection/action | Resets connection for vWAN | +> | microsoft.network/vpnGateways/vpnConnections/vpnLinkConnections/read | Gets a Vpn Link Connection | +> | microsoft.network/vpnGateways/vpnConnections/vpnLinkConnections/sharedKey/action | Puts Vpn Link Connection Shared Key | +> | microsoft.network/vpnGateways/vpnConnections/vpnLinkConnections/sharedKey/read | Gets Vpn Link Connection Shared Key | +> | microsoft.network/vpnGateways/vpnConnections/vpnLinkConnections/sharedKey/reset/action | Resets Vpn Link Connection Shared Key | +> | Microsoft.Network/vpnServerConfigurations/read | Get VpnServerConfiguration | +> | Microsoft.Network/vpnServerConfigurations/write | Create or Update VpnServerConfiguration | +> | Microsoft.Network/vpnServerConfigurations/delete | Delete VpnServerConfiguration | +> | microsoft.network/vpnServerConfigurations/configurationPolicyGroups/read | Gets a Configuration Policy Group | +> | microsoft.network/vpnServerConfigurations/configurationPolicyGroups/write | Puts a Configuration Policy Group | +> | microsoft.network/vpnServerConfigurations/configurationPolicyGroups/delete | Deletes a Configuration Policy Group | +> | Microsoft.Network/vpnServerConfigurations/configurationPolicyGroups/p2sConnectionConfigurationProxies/read | Gets A P2S Connection Configuration Proxy Definition | +> | Microsoft.Network/vpnServerConfigurations/configurationPolicyGroups/p2sConnectionConfigurationProxies/write | Creates A P2S Connection Configuration Proxy Or Updates An 
Existing P2S Connection Configuration Proxy | +> | Microsoft.Network/vpnServerConfigurations/configurationPolicyGroups/p2sConnectionConfigurationProxies/delete | Deletes A P2S Connection Configuration Proxy | +> | Microsoft.Network/vpnServerConfigurations/p2sVpnGatewayProxies/read | Gets a P2SVpnGateway Proxy definition | +> | Microsoft.Network/vpnServerConfigurations/p2sVpnGatewayProxies/write | Creates a P2SVpnGateway Proxy or updates a P2SVpnGateway Proxy | +> | Microsoft.Network/vpnServerConfigurations/p2sVpnGatewayProxies/delete | Deletes a P2SVpnGateway Proxy | +> | Microsoft.Network/vpnsites/read | Gets a Vpn Site resource. | +> | Microsoft.Network/vpnsites/write | Creates or updates a Vpn Site resource. | +> | Microsoft.Network/vpnsites/delete | Deletes a Vpn Site resource. | +> | microsoft.network/vpnSites/vpnSiteLinks/read | Gets a Vpn Site Link | ++## Next steps ++- [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types) |
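Review bot: the `Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read` row is described as "Gets available metrics for the PingMesh", which does not match the resource it sits under; the sibling rows read "Gets the available metrics for Virtual Network Gateway" and "Gets the available metrics for Vpn Gateway", so this one should read "Gets the available metrics for Virtual Network". Two smaller description fixes in the same table: the `trafficManagerProfiles/nestedEndpoints/read` and `nestedEndpoints/delete` rows say "an Nested Endpoint" (should be "a Nested Endpoint"), and the `microsoft.network/vpngateways/startpacketcapture/action` and `stoppacketcapture/action` rows say "with according resource" and "with sasURL", which read as implementation notes rather than descriptions of the permission. Since the article exists to help readers build custom roles, it would also help to mark the rows whose operation hands back credential material rather than configuration, in particular `vpnGateways/vpnConnections/vpnLinkConnections/sharedKey/read` ("Gets Vpn Link Connection Shared Key"), `virtualnetworkgateways/generatevpnclientpackage/action`, `generatevpnprofile/action` and `getvpnprofilepackageurl/action`; a role that includes these is not a read-only role and should not be bundled with ordinary `*/read` permissions. Finally, `virtualNetworks/listNetworkManagerEffectiveConnectivityConfigurations` and `listNetworkManagerEffectiveSecurityAdminRules` are each listed twice, once as `/action` and once as `/read`, and the `/read` description states that it, not the `/action`, is required to call the list operation; the `/action` rows should say whether they are retained for compatibility, otherwise readers will grant both.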
role-based-access-control | Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/security.md | + + Title: Azure permissions for Security - Azure RBAC +description: Lists the permissions for the Azure resource providers in the Security category. +++++ Last updated : 02/07/2024++++# Azure permissions for Security ++This article lists the permissions for the Azure resource providers in the Security category. You can use these permissions in your own [Azure custom roles](/azure/role-based-access-control/custom-roles) to provide granular access control to resources in Azure. Permission strings have the following format: `{Company}.{ProviderName}/{resourceType}/{action}` +++## Microsoft.AppComplianceAutomation ++Azure service: [App Compliance Automation Tool for Microsoft 365](/microsoft-365-app-certification/docs/acat-overview) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.AppComplianceAutomation/onboard/action | Onboard given subscriptions to Microsoft.AppComplianceAutomation provider. | +> | Microsoft.AppComplianceAutomation/triggerEvaluation/action | Trigger evaluation for given resourceIds to get quick compliance result. | +> | Microsoft.AppComplianceAutomation/listInUseStorageAccounts/action | List the storage accounts which are in use by related reports | +> | Microsoft.AppComplianceAutomation/checkNameAvailability/action | action checkNameAvailability | +> | Microsoft.AppComplianceAutomation/getCollectionCount/action | Get the resource count. | +> | Microsoft.AppComplianceAutomation/getOverviewStatus/action | Get the resource overview status. 
| +> | Microsoft.AppComplianceAutomation/register/action | Register the subscription for Microsoft.AppComplianceAutomation | +> | Microsoft.AppComplianceAutomation/unregister/action | Unregister the subscription for Microsoft.AppComplianceAutomation | +> | Microsoft.AppComplianceAutomation/locations/operationStatuses/read | read operationStatuses | +> | Microsoft.AppComplianceAutomation/locations/operationStatuses/write | write operationStatuses | +> | Microsoft.AppComplianceAutomation/operations/read | read operations | +> | Microsoft.AppComplianceAutomation/reports/read | Get the AppComplianceAutomation report list for the tenant. | +> | Microsoft.AppComplianceAutomation/reports/read | Get the AppComplianceAutomation report and its properties. | +> | Microsoft.AppComplianceAutomation/reports/write | Create a new AppComplianceAutomation report or update an exiting AppComplianceAutomation report. | +> | Microsoft.AppComplianceAutomation/reports/delete | Delete an AppComplianceAutomation report. | +> | Microsoft.AppComplianceAutomation/reports/write | Update an exiting AppComplianceAutomation report. | +> | Microsoft.AppComplianceAutomation/reports/syncCertRecord/action | Synchronize attestation record from app compliance. | +> | Microsoft.AppComplianceAutomation/reports/checkNameAvailability/action | Checks the report's nested resource name availability, e.g: Webhooks, Evidences, Snapshots. | +> | Microsoft.AppComplianceAutomation/reports/fix/action | Fix the AppComplianceAutomation report error. e.g: App Compliance Automation Tool service unregistered, automation removed. | +> | Microsoft.AppComplianceAutomation/reports/verify/action | Verify the AppComplianceAutomation report health status. | +> | Microsoft.AppComplianceAutomation/reports/evidences/read | Returns a paginated list of evidences for a specified report. 
| +> | Microsoft.AppComplianceAutomation/reports/evidences/read | Get the evidence metadata | +> | Microsoft.AppComplianceAutomation/reports/evidences/write | Create or Update an evidence a specified report | +> | Microsoft.AppComplianceAutomation/reports/evidences/delete | Delete an existent evidence from a specified report | +> | Microsoft.AppComplianceAutomation/reports/evidences/download/action | Download evidence file. | +> | Microsoft.AppComplianceAutomation/reports/scopingConfigurations/read | Returns a list format of the singleton scopingConfiguration for a specified report. | +> | Microsoft.AppComplianceAutomation/reports/scopingConfigurations/read | Get the AppComplianceAutomation scoping configuration of the specific report. | +> | Microsoft.AppComplianceAutomation/reports/scopingConfigurations/write | Get the AppComplianceAutomation scoping configuration of the specific report. | +> | Microsoft.AppComplianceAutomation/reports/scopingConfigurations/delete | Clean the AppComplianceAutomation scoping configuration of the specific report. | +> | Microsoft.AppComplianceAutomation/reports/snapshots/read | Get the AppComplianceAutomation snapshot list. | +> | Microsoft.AppComplianceAutomation/reports/snapshots/read | Get the AppComplianceAutomation snapshot and its properties. | +> | Microsoft.AppComplianceAutomation/reports/snapshots/download/action | Download compliance needs from snapshot, like: Compliance Report, Resource List. | +> | Microsoft.AppComplianceAutomation/reports/webhooks/read | Get the AppComplianceAutomation webhook list. | +> | Microsoft.AppComplianceAutomation/reports/webhooks/read | Get the AppComplianceAutomation webhook and its properties. | +> | Microsoft.AppComplianceAutomation/reports/webhooks/write | Create a new AppComplianceAutomation webhook or update an exiting AppComplianceAutomation webhook. | +> | Microsoft.AppComplianceAutomation/reports/webhooks/delete | Delete an AppComplianceAutomation webhook. 
| +> | Microsoft.AppComplianceAutomation/reports/webhooks/write | Update an exiting AppComplianceAutomation webhook. | ++## Microsoft.KeyVault ++Azure service: [Key Vault](/azure/key-vault/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.KeyVault/register/action | Registers a subscription | +> | Microsoft.KeyVault/unregister/action | Unregisters a subscription | +> | Microsoft.KeyVault/checkNameAvailability/read | Checks that a key vault name is valid and is not in use | +> | Microsoft.KeyVault/deletedManagedHsms/read | View the properties of a deleted managed hsm | +> | Microsoft.KeyVault/deletedVaults/read | View the properties of soft deleted key vaults | +> | Microsoft.KeyVault/hsmPools/read | View the properties of an HSM pool | +> | Microsoft.KeyVault/hsmPools/write | Create a new HSM pool of update the properties of an existing HSM pool | +> | Microsoft.KeyVault/hsmPools/delete | Delete an HSM pool | +> | Microsoft.KeyVault/hsmPools/joinVault/action | Join a key vault to an HSM pool | +> | Microsoft.KeyVault/locations/deleteVirtualNetworkOrSubnets/action | Notifies Microsoft.KeyVault that a virtual network or subnet is being deleted | +> | Microsoft.KeyVault/locations/notifyNetworkSecurityPerimeterUpdatesAvailable/action | Check if the configuration of the Network Security Perimeter needs updating. 
| +> | Microsoft.KeyVault/locations/deletedManagedHsms/read | View the properties of a deleted managed hsm | +> | Microsoft.KeyVault/locations/deletedManagedHsms/purge/action | Purge a soft deleted managed hsm | +> | Microsoft.KeyVault/locations/deletedManagedHsms/delete | Purge a soft deleted managed hsm | +> | Microsoft.KeyVault/locations/deletedVaults/read | View the properties of a soft deleted key vault | +> | Microsoft.KeyVault/locations/deletedVaults/purge/action | Purge a soft deleted key vault | +> | Microsoft.KeyVault/locations/managedHsmOperationResults/read | Check the result of a long run operation | +> | Microsoft.KeyVault/locations/operationResults/read | Check the result of a long run operation | +> | Microsoft.KeyVault/managedHSMs/read | View the properties of a Managed HSM | +> | Microsoft.KeyVault/managedHSMs/write | Create a new Managed HSM or update the properties of an existing Managed HSM | +> | Microsoft.KeyVault/managedHSMs/delete | Delete a Managed HSM | +> | Microsoft.KeyVault/managedHSMs/PrivateEndpointConnectionsApproval/action | Approve or reject a connection to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.KeyVault/managedHSMs/keys/read | List the keys in a specified managed hsm, or read the current version of a specified key. | +> | Microsoft.KeyVault/managedHSMs/keys/write | Creates the first version of a new key if it does not exist. If it already exists, then the existing key is returned without any modification. This API does not create subsequent versions, and does not update existing keys. | +> | Microsoft.KeyVault/managedHSMs/keys/versions/read | List the versions of a specified key, or read the specified version of a key. 
| +> | Microsoft.KeyVault/managedHSMs/privateEndpointConnectionProxies/read | View the state of a connection proxy to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.KeyVault/managedHSMs/privateEndpointConnectionProxies/write | Change the state of a connection proxy to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.KeyVault/managedHSMs/privateEndpointConnectionProxies/delete | Delete a connection proxy to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.KeyVault/managedHSMs/privateEndpointConnectionProxies/validate/action | Validate a connection proxy to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.KeyVault/managedHSMs/privateEndpointConnections/read | View the state of a connection to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.KeyVault/managedHSMs/privateEndpointConnections/write | Change the state of a connection to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.KeyVault/managedHSMs/privateEndpointConnections/delete | Delete a connection to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.KeyVault/managedHSMs/privateLinkResources/read | Get the available private link resources for the specified instance of Managed HSM. 
| +> | Microsoft.KeyVault/managedHSMs/providers/Microsoft.Insights/diagnosticSettings/Read | Gets the diagnostic setting for the resource | +> | Microsoft.KeyVault/managedHSMs/providers/Microsoft.Insights/diagnosticSettings/Write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.KeyVault/managedHSMs/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for a Managed HSM | +> | Microsoft.KeyVault/managedHSMs/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for a key vault | +> | Microsoft.KeyVault/operations/read | Lists operations available on Microsoft.KeyVault resource provider | +> | Microsoft.KeyVault/vaults/read | View the properties of a key vault | +> | Microsoft.KeyVault/vaults/write | Creates a new key vault or updates the properties of an existing key vault. Certain properties may require more permissions. | +> | Microsoft.KeyVault/vaults/delete | Deletes a key vault | +> | Microsoft.KeyVault/vaults/deploy/action | Enables access to secrets in a key vault when deploying Azure resources | +> | Microsoft.KeyVault/vaults/PrivateEndpointConnectionsApproval/action | Approve or reject a connection to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.KeyVault/vaults/joinPerimeter/action | Action to join the Network Security Perimeter, used by linked access checks by NRP. | +> | Microsoft.KeyVault/vaults/accessPolicies/write | Updates an existing access policy by merging or replacing, or adds a new access policy to the key vault. 
| +> | Microsoft.KeyVault/vaults/eventGridFilters/read | Notifies Microsoft.KeyVault that an EventGrid Subscription for Key Vault is being viewed | +> | Microsoft.KeyVault/vaults/eventGridFilters/write | Notifies Microsoft.KeyVault that a new EventGrid Subscription for Key Vault is being created | +> | Microsoft.KeyVault/vaults/eventGridFilters/delete | Notifies Microsoft.KeyVault that an EventGrid Subscription for Key Vault is being deleted | +> | Microsoft.KeyVault/vaults/keys/read | List the keys in a specified vault, or read the current version of a specified key. | +> | Microsoft.KeyVault/vaults/keys/write | Creates the first version of a new key if it does not exist. If it already exists, then the existing key is returned without any modification. This API does not create subsequent versions, and does not update existing keys. | +> | Microsoft.KeyVault/vaults/keys/versions/read | List the versions of a specified key, or read the specified version of a key. | +> | Microsoft.KeyVault/vaults/networkSecurityPerimeterAssociationProxies/delete | Delete an association proxy to a Network Security Perimeter resource of Microsoft.Network provider. | +> | Microsoft.KeyVault/vaults/networkSecurityPerimeterAssociationProxies/read | Delete an association proxy to a Network Security Perimeter resource of Microsoft.Network provider. | +> | Microsoft.KeyVault/vaults/networkSecurityPerimeterAssociationProxies/write | Change the state of an association to a Network Security Perimeter resource of Microsoft.Network provider | +> | Microsoft.KeyVault/vaults/networkSecurityPerimeterConfigurations/read | Read the Network Security Perimeter configuration stored in a vault. | +> | Microsoft.KeyVault/vaults/networkSecurityPerimeterConfigurations/reconcile/action | Reconcile the Network Security Perimeter configuration stored in a vault with NRP's (Microsoft.Network Resource Provider) copy. 
| +> | Microsoft.KeyVault/vaults/privateEndpointConnectionProxies/read | View the state of a connection proxy to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.KeyVault/vaults/privateEndpointConnectionProxies/write | Change the state of a connection proxy to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.KeyVault/vaults/privateEndpointConnectionProxies/delete | Delete a connection proxy to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.KeyVault/vaults/privateEndpointConnectionProxies/validate/action | Validate a connection proxy to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.KeyVault/vaults/privateEndpointConnections/read | View the state of a connection to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.KeyVault/vaults/privateEndpointConnections/write | Change the state of a connection to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.KeyVault/vaults/privateEndpointConnections/delete | Delete a connection to a Private Endpoint resource of Microsoft.Network provider | +> | Microsoft.KeyVault/vaults/privateLinkResources/read | Get the available private link resources for the specified instance of Key Vault | +> | Microsoft.KeyVault/vaults/providers/Microsoft.Insights/diagnosticSettings/Read | Gets the diagnostic setting for the resource | +> | Microsoft.KeyVault/vaults/providers/Microsoft.Insights/diagnosticSettings/Write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.KeyVault/vaults/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for a key vault | +> | Microsoft.KeyVault/vaults/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for a key vault | +> | Microsoft.KeyVault/vaults/secrets/read | View the properties of a secret, but not its value. 
| +> | Microsoft.KeyVault/vaults/secrets/write | Creates a new secret or updates the value of an existing secret. | +> | **DataAction** | **Description** | +> | Microsoft.KeyVault/vaults/certificatecas/delete | Delete Certificate Issuer | +> | Microsoft.KeyVault/vaults/certificatecas/read | Read Certificate Issuer | +> | Microsoft.KeyVault/vaults/certificatecas/write | Write Certificate Issuer | +> | Microsoft.KeyVault/vaults/certificatecontacts/write | Manage Certificate Contact | +> | Microsoft.KeyVault/vaults/certificates/delete | Deletes a certificate. All versions are deleted. | +> | Microsoft.KeyVault/vaults/certificates/read | List certificates in a specified key vault, or get information about a certificate. | +> | Microsoft.KeyVault/vaults/certificates/backup/action | Creates the backup file of a certificate. The file can used to restore the certificate in a Key Vault of same subscription. Restrictions may apply. | +> | Microsoft.KeyVault/vaults/certificates/purge/action | Purges a certificate, making it unrecoverable. | +> | Microsoft.KeyVault/vaults/certificates/update/action | Updates the specified attributes associated with the given certificate. | +> | Microsoft.KeyVault/vaults/certificates/create/action | Creates a new certificate. If the certificate does not exist, the first version is created. Otherwise, a new version is created. | +> | Microsoft.KeyVault/vaults/certificates/import/action | Imports an existing valid certificate containing a private key.<br>The certificate to be imported can be in either PFX or PEM format.<br>If the certificate does not exist in Key Vault, the first version is created with specified content.<br>Otherwise, a new version is created with specified content. | +> | Microsoft.KeyVault/vaults/certificates/recover/action | Recovers the deleted certificate. The operation performs the reversal of the Delete operation. 
The operation is applicable in vaults enabled for soft-delete, and must be issued during the retention interval. | +> | Microsoft.KeyVault/vaults/certificates/restore/action | Restores a certificate and all its versions from a backup file generated by Key Vault. | +> | Microsoft.KeyVault/vaults/keyrotationpolicies/read | Retrieves the rotation policy of a given key. | +> | Microsoft.KeyVault/vaults/keyrotationpolicies/write | Updates the rotation policy of a given key. | +> | Microsoft.KeyVault/vaults/keys/read | List keys in the specified vault, or read properties and public material of a key.<br>For asymmetric keys, this operation exposes public key and includes ability to perform public key algorithms such as encrypt and verify signature.<br>Private keys and symmetric keys are never exposed. | +> | Microsoft.KeyVault/vaults/keys/update/action | Updates the specified attributes associated with the given key. | +> | Microsoft.KeyVault/vaults/keys/create/action | Creates a new key. If the key does not exist, the first version is created. Otherwise, a new version is created with the specified value. | +> | Microsoft.KeyVault/vaults/keys/import/action | Imports an externally created key. If the key does not exist, the first version is created with the imported material. Otherwise, a new version is created with the imported material. | +> | Microsoft.KeyVault/vaults/keys/recover/action | Recovers the deleted key. The operation performs the reversal of the Delete operation. The operation is applicable in vaults enabled for soft-delete, and must be issued during the retention interval. | +> | Microsoft.KeyVault/vaults/keys/restore/action | Restores a key and all its versions from a backup file generated by Key Vault. | +> | Microsoft.KeyVault/vaults/keys/delete | Deletes a key. All versions are deleted. | +> | Microsoft.KeyVault/vaults/keys/backup/action | Creates the backup file of a key. The file can used to restore the key in a Key Vault of same subscription. 
Restrictions may apply. | +> | Microsoft.KeyVault/vaults/keys/purge/action | Purges a key, making it unrecoverable. | +> | Microsoft.KeyVault/vaults/keys/encrypt/action | Encrypts plaintext with a key. Note that if the key is asymmetric, this operation can be performed by principals with read access. | +> | Microsoft.KeyVault/vaults/keys/decrypt/action | Decrypts ciphertext with a key. | +> | Microsoft.KeyVault/vaults/keys/wrap/action | Wraps a symmetric key with a Key Vault key. Note that if the Key Vault key is asymmetric, this operation can be performed by principals with read access. | +> | Microsoft.KeyVault/vaults/keys/unwrap/action | Unwraps a symmetric key with a Key Vault key. | +> | Microsoft.KeyVault/vaults/keys/sign/action | Signs a message digest (hash) with a key. | +> | Microsoft.KeyVault/vaults/keys/verify/action | Verifies the signature of a message digest (hash) with a key. Note that if the key is asymmetric, this operation can be performed by principals with read access. | +> | Microsoft.KeyVault/vaults/keys/release/action | Release a key using public part of KEK from attestation token. | +> | Microsoft.KeyVault/vaults/keys/rotate/action | Creates a new version of an existing key (with the same parameters). | +> | Microsoft.KeyVault/vaults/secrets/delete | Deletes a secret. All versions are deleted. | +> | Microsoft.KeyVault/vaults/secrets/backup/action | Creates the backup file of a secret. The file can used to restore the secret in a Key Vault of same subscription. Restrictions may apply. | +> | Microsoft.KeyVault/vaults/secrets/purge/action | Purges a secret, making it unrecoverable. | +> | Microsoft.KeyVault/vaults/secrets/update/action | Updates the specified attributes associated with the given secret. | +> | Microsoft.KeyVault/vaults/secrets/recover/action | Recovers the deleted secret. The operation performs the reversal of the Delete operation. 
The operation is applicable in vaults enabled for soft-delete, and must be issued during the retention interval. | +> | Microsoft.KeyVault/vaults/secrets/restore/action | Restores a secret and all its versions from a backup file generated by Key Vault. | +> | Microsoft.KeyVault/vaults/secrets/readMetadata/action | List or view the properties of a secret, but not its value. | +> | Microsoft.KeyVault/vaults/secrets/getSecret/action | Gets the value of a secret. | +> | Microsoft.KeyVault/vaults/secrets/setSecret/action | Sets the value of a secret. If the secret does not exist, the first version is created. Otherwise, a new version is created with the specified value. | +> | Microsoft.KeyVault/vaults/storageaccounts/read | Read definition of managed storage accounts. | +> | Microsoft.KeyVault/vaults/storageaccounts/set/action | Creates or updates the definition of a managed storage account. | +> | Microsoft.KeyVault/vaults/storageaccounts/delete | Delete the definition of a managed storage account. | +> | Microsoft.KeyVault/vaults/storageaccounts/backup/action | Creates a backup file of the definition of a managed storage account and its SAS (Shared Access Signature). | +> | Microsoft.KeyVault/vaults/storageaccounts/purge/action | Purge the soft-deleted definition of a managed storage account or SAS (Shared Access Signature). | +> | Microsoft.KeyVault/vaults/storageaccounts/regeneratekey/action | Regenerate the access key of a managed storage account. | +> | Microsoft.KeyVault/vaults/storageaccounts/recover/action | Recover the soft-deleted definition of a managed storage account or SAS (Shared Access Signature). | +> | Microsoft.KeyVault/vaults/storageaccounts/restore/action | Restores the definition of a managed storage account and its SAS (Shared Access Signature) from a backup file generated by Key Vault. | +> | Microsoft.KeyVault/vaults/storageaccounts/sas/set/action | Creates or updates the SAS (Shared Access Signature) definition for a managed storage account. 
| +> | Microsoft.KeyVault/vaults/storageaccounts/sas/delete | Delete the SAS (Shared Access Signature) definition for a managed storage account. | +> | Microsoft.KeyVault/vaults/storageaccounts/sas/read | Read the SAS (Shared Access Signature) definition for a managed storage account. | ++## Microsoft.Security ++Azure service: [Security Center](/azure/security-center/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Security/register/action | Registers the subscription for Azure Security Center | +> | Microsoft.Security/unregister/action | Unregisters the subscription from Azure Security Center | +> | Microsoft.Security/aggregations/action | Gets aggregations | +> | Microsoft.Security/adaptiveNetworkHardenings/read | Gets Adaptive Network Hardening recommendations of an Azure protected resource | +> | Microsoft.Security/adaptiveNetworkHardenings/enforce/action | Enforces the given traffic hardening rules by creating matching security rules on the given Network Security Group(s) | +> | Microsoft.Security/advancedThreatProtectionSettings/read | Gets the Advanced Threat Protection Settings for the resource | +> | Microsoft.Security/advancedThreatProtectionSettings/write | Updates the Advanced Threat Protection Settings for the resource | +> | Microsoft.Security/aggregations/read | Gets aggregations | +> | Microsoft.Security/alerts/read | Gets all available security alerts | +> | Microsoft.Security/alertsSuppressionRules/read | Gets all available security alert suppression rule | +> | Microsoft.Security/alertsSuppressionRules/write | Creates a new security alert suppression rule or update an existing rule | +> | Microsoft.Security/alertsSuppressionRules/delete | Delete a security alert suppression rule | +> | Microsoft.Security/apiCollections/read | Get Api Collections | +> | Microsoft.Security/apiCollections/write | Create Api Collections | +> | Microsoft.Security/apiCollections/delete | Delete Api Collections | +> | 
Microsoft.Security/applicationWhitelistings/read | Gets the application allowlistings | +> | Microsoft.Security/applicationWhitelistings/write | Creates a new application allowlisting or updates an existing one | +> | Microsoft.Security/assessmentMetadata/read | Get available security assessment metadata on your subscription | +> | Microsoft.Security/assessmentMetadata/write | Create or update a security assessment metadata | +> | Microsoft.Security/assessments/read | Get security assessments on your subscription | +> | Microsoft.Security/assessments/write | Create or update security assessments on your subscription | +> | Microsoft.Security/assessments/governanceAssignments/read | Get governance assignments for security assessments | +> | Microsoft.Security/assessments/governanceAssignments/write | Create or update governance assignments for security assessments | +> | Microsoft.Security/assessments/subAssessments/read | Get security sub assessments on your subscription | +> | Microsoft.Security/assessments/subAssessments/write | Create or update security sub assessments on your subscription | +> | Microsoft.Security/assignments/read | Get the security assignment | +> | Microsoft.Security/assignments/write | Create or update the security assignment | +> | Microsoft.Security/assignments/delete | Deletes the security assignment | +> | Microsoft.Security/automations/read | Gets the automations for the scope | +> | Microsoft.Security/automations/write | Creates or updates the automation for the scope | +> | Microsoft.Security/automations/delete | Deletes the automation for the scope | +> | Microsoft.Security/automations/validate/action | Validates the automation model for the scope | +> | Microsoft.Security/autoProvisioningSettings/read | Get security auto provisioning setting for the subscription | +> | Microsoft.Security/autoProvisioningSettings/write | Create or update security auto provisioning setting for the subscription | +> | 
Microsoft.Security/complianceResults/read | Gets the compliance results for the resource | +> | Microsoft.Security/customRecommendations/read | Get the custom recommendations | +> | Microsoft.Security/customRecommendations/write | Create or update the custom recommendation | +> | Microsoft.Security/customRecommendations/delete | Deletes the custom recommendation | +> | Microsoft.Security/datascanners/read | Gets the datascanners for the scope | +> | Microsoft.Security/datascanners/write | Creates or updates the datascanners for the scope | +> | Microsoft.Security/datascanners/delete | Deletes the datascanners for the scope | +> | Microsoft.Security/defenderforstoragesettings/read | Gets the defenderforstoragesettings for the scope | +> | Microsoft.Security/defenderforstoragesettings/write | Creates or updates the defenderforstoragesettings for the scope | +> | Microsoft.Security/defenderforstoragesettings/delete | Deletes the defenderforstoragesettings for the scope | +> | Microsoft.Security/deviceSecurityGroups/write | Creates or updates IoT device security groups | +> | Microsoft.Security/deviceSecurityGroups/delete | Deletes IoT device security groups | +> | Microsoft.Security/deviceSecurityGroups/read | Gets IoT device security groups | +> | Microsoft.Security/governanceRules/read | Get governance rules for managing security posture | +> | Microsoft.Security/governanceRules/write | Create or update governance rules for managing security posture | +> | Microsoft.Security/informationProtectionPolicies/read | Gets the information protection policies for the resource | +> | Microsoft.Security/informationProtectionPolicies/write | Updates the information protection policies for the resource | +> | Microsoft.Security/integration/read | Get integration on your scope | +> | Microsoft.Security/integration/write | Create or update integration on your scope | +> | Microsoft.Security/integration/delete | Deleate or update integration on your scope | +> | 
Microsoft.Security/iotDefenderSettings/read | Gets IoT Defender Settings | +> | Microsoft.Security/iotDefenderSettings/write | Create or updates IoT Defender Settings | +> | Microsoft.Security/iotDefenderSettings/delete | Deletes IoT Defender Settings | +> | Microsoft.Security/iotDefenderSettings/PackageDownloads/action | Gets downloadable IoT Defender packages information | +> | Microsoft.Security/iotDefenderSettings/DownloadManagerActivation/action | Download manager activation file with subscription quota data | +> | Microsoft.Security/iotSecuritySolutions/write | Creates or updates IoT security solutions | +> | Microsoft.Security/iotSecuritySolutions/delete | Deletes IoT security solutions | +> | Microsoft.Security/iotSecuritySolutions/read | Gets IoT security solutions | +> | Microsoft.Security/iotSecuritySolutions/analyticsModels/read | Gets IoT security analytics model | +> | Microsoft.Security/iotSecuritySolutions/analyticsModels/read | Gets IoT alert types | +> | Microsoft.Security/iotSecuritySolutions/analyticsModels/read | Gets IoT alerts | +> | Microsoft.Security/iotSecuritySolutions/analyticsModels/read | Gets IoT recommendation types | +> | Microsoft.Security/iotSecuritySolutions/analyticsModels/read | Gets IoT recommendations | +> | Microsoft.Security/iotSecuritySolutions/analyticsModels/read | Gets devices | +> | Microsoft.Security/iotSecuritySolutions/analyticsModels/aggregatedAlerts/read | Gets IoT aggregated alerts | +> | Microsoft.Security/iotSecuritySolutions/analyticsModels/aggregatedAlerts/dismiss/action | Dismisses IoT aggregated alerts | +> | Microsoft.Security/iotSecuritySolutions/analyticsModels/aggregatedRecommendations/read | Gets IoT aggregated recommendations | +> | Microsoft.Security/iotSensors/read | Gets IoT Sensors | +> | Microsoft.Security/iotSensors/write | Create or updates IoT Sensors | +> | Microsoft.Security/iotSensors/delete | Deletes IoT Sensors | +> | Microsoft.Security/iotSensors/DownloadActivation/action | Downloads 
activation file for IoT Sensors | +> | Microsoft.Security/iotSensors/TriggerTiPackageUpdate/action | Triggers threat intelligence package update | +> | Microsoft.Security/iotSensors/DownloadResetPassword/action | Downloads reset password file for IoT Sensors | +> | Microsoft.Security/iotSite/read | Gets IoT site | +> | Microsoft.Security/iotSite/write | Creates or updates IoT site | +> | Microsoft.Security/iotSite/delete | Deletes IoT site | +> | Microsoft.Security/locations/read | Gets the security data location | +> | Microsoft.Security/locations/alerts/read | Gets all available security alerts | +> | Microsoft.Security/locations/alerts/dismiss/action | Dismiss a security alert | +> | Microsoft.Security/locations/alerts/activate/action | Activate a security alert | +> | Microsoft.Security/locations/alerts/resolve/action | Resolve a security alert | +> | Microsoft.Security/locations/alerts/simulate/action | Simulate a security alert | +> | Microsoft.Security/locations/jitNetworkAccessPolicies/read | Gets the just-in-time network access policies | +> | Microsoft.Security/locations/jitNetworkAccessPolicies/write | Creates a new just-in-time network access policy or updates an existing one | +> | Microsoft.Security/locations/jitNetworkAccessPolicies/delete | Deletes the just-in-time network access policy | +> | Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action | Initiates a just-in-time network access policy request | +> | Microsoft.Security/locations/tasks/read | Gets all available security recommendations | +> | Microsoft.Security/locations/tasks/start/action | Start a security recommendation | +> | Microsoft.Security/locations/tasks/resolve/action | Resolve a security recommendation | +> | Microsoft.Security/locations/tasks/activate/action | Activate a security recommendation | +> | Microsoft.Security/locations/tasks/dismiss/action | Dismiss a security recommendation | +> | Microsoft.Security/mdeOnboardings/read | Get Microsoft Defender for 
Endpoint onboarding script | +> | Microsoft.Security/policies/read | Gets the security policy | +> | Microsoft.Security/policies/write | Updates the security policy | +> | Microsoft.Security/pricings/read | Gets the pricing settings for the scope | +> | Microsoft.Security/pricings/write | Updates the pricing settings for the scope | +> | Microsoft.Security/pricings/delete | Deletes the pricing settings for the scope | +> | Microsoft.Security/pricings/securityoperators/read | Gets the security operators for the scope | +> | Microsoft.Security/pricings/securityoperators/write | Updates the security operators for the scope | +> | Microsoft.Security/pricings/securityoperators/delete | Deletes the security operators for the scope | +> | Microsoft.Security/secureScoreControlDefinitions/read | Get secure score control definition | +> | Microsoft.Security/secureScoreControls/read | Get calculated secure score control for your subscription | +> | Microsoft.Security/secureScores/read | Get calculated secure score for your subscription | +> | Microsoft.Security/secureScores/secureScoreControls/read | Get calculated secure score control for your secure score calculation | +> | Microsoft.Security/securityConnectors/read | Gets the security connector | +> | Microsoft.Security/securityConnectors/write | Updates the security connector | +> | Microsoft.Security/securityConnectors/delete | Deletes the security connector | +> | Microsoft.Security/securityConnectors/devops/listAvailableAzureDevOpsOrgs/action | Returns a list of all Azure DevOps organizations accessible by the user token consumed by the connector. | +> | Microsoft.Security/securityConnectors/devops/write | Creates or updates a DevOps Configuration. | +> | Microsoft.Security/securityConnectors/devops/delete | Deletes a DevOps Connector. | +> | Microsoft.Security/securityConnectors/devops/read | Gets a DevOps Configuration. | +> | Microsoft.Security/securityConnectors/devops/read | List DevOps Configurations. 
| +> | Microsoft.Security/securityConnectors/devops/write | Updates a DevOps Configuration. | +> | Microsoft.Security/securityConnectors/devops/listAvailableGitHubOwners/action | Returns a list of all GitHub owners accessible by the user token consumed by the connector. | +> | Microsoft.Security/securityConnectors/devops/listAvailableGitLabGroups/action | Returns a list of all GitLab groups accessible by the user token consumed by the connector. | +> | Microsoft.Security/securityConnectors/devops/azureDevOpsOrgs/write | Creates or updates monitored Azure DevOps organization details. | +> | Microsoft.Security/securityConnectors/devops/azureDevOpsOrgs/delete | Deletes a monitored Azure DevOps organization. | +> | Microsoft.Security/securityConnectors/devops/azureDevOpsOrgs/read | Returns a monitored Azure DevOps organization resource. | +> | Microsoft.Security/securityConnectors/devops/azureDevOpsOrgs/read | Returns a list of Azure DevOps organizations onboarded to the connector. | +> | Microsoft.Security/securityConnectors/devops/azureDevOpsOrgs/write | Updates monitored Azure DevOps organization details. | +> | Microsoft.Security/securityConnectors/devops/azureDevOpsOrgs/listAvailableProjects/action | Returns a list of all Azure DevOps projects accessible by the user token consumed by the connector. | +> | Microsoft.Security/securityConnectors/devops/azureDevOpsOrgs/projects/write | Creates or updates a monitored Azure DevOps project resource. | +> | Microsoft.Security/securityConnectors/devops/azureDevOpsOrgs/projects/delete | Deletes a monitored Azure DevOps project resource. | +> | Microsoft.Security/securityConnectors/devops/azureDevOpsOrgs/projects/read | Returns a monitored Azure DevOps project resource. | +> | Microsoft.Security/securityConnectors/devops/azureDevOpsOrgs/projects/read | Returns a list of Azure DevOps projects onboarded to the connector. 
| +> | Microsoft.Security/securityConnectors/devops/azureDevOpsOrgs/projects/write | Updates a monitored Azure DevOps project resource. | +> | Microsoft.Security/securityConnectors/devops/azureDevOpsOrgs/projects/listAvailableRepos/action | Returns a list of all Azure DevOps repositories accessible by the user token consumed by the connector. | +> | Microsoft.Security/securityConnectors/devops/azureDevOpsOrgs/projects/repos/write | Creates or updates a monitored Azure DevOps repository resource. | +> | Microsoft.Security/securityConnectors/devops/azureDevOpsOrgs/projects/repos/delete | Deletes a monitored Azure DevOps repository resource. | +> | Microsoft.Security/securityConnectors/devops/azureDevOpsOrgs/projects/repos/read | Returns a monitored Azure DevOps repository resource. | +> | Microsoft.Security/securityConnectors/devops/azureDevOpsOrgs/projects/repos/read | Returns a list of Azure DevOps repositories onboarded to the connector. | +> | Microsoft.Security/securityConnectors/devops/azureDevOpsOrgs/projects/repos/write | Updates a monitored Azure DevOps repository resource. | +> | Microsoft.Security/securityConnectors/devops/gitHubOwners/write | Creates or updates a monitored GitHub owner. | +> | Microsoft.Security/securityConnectors/devops/gitHubOwners/delete | Deletes a monitored GitHub owner. | +> | Microsoft.Security/securityConnectors/devops/gitHubOwners/read | Returns a monitored GitHub owner. | +> | Microsoft.Security/securityConnectors/devops/gitHubOwners/read | Returns a list of GitHub owners onboarded to the connector. | +> | Microsoft.Security/securityConnectors/devops/gitHubOwners/write | Updates a monitored GitHub owner. | +> | Microsoft.Security/securityConnectors/devops/gitHubOwners/listAvailableRepos/action | Returns a list of all GitHub repositories accessible by the user token and app installation used by the connector. 
| +> | Microsoft.Security/securityConnectors/devops/gitHubOwners/repos/write | Creates or updates a monitored GitHub repository. | +> | Microsoft.Security/securityConnectors/devops/gitHubOwners/repos/delete | Deletes a monitored GitHub repository. | +> | Microsoft.Security/securityConnectors/devops/gitHubOwners/repos/read | Returns a monitored GitHub repository. | +> | Microsoft.Security/securityConnectors/devops/gitHubOwners/repos/read | Returns a list of GitHub repositories onboarded to the connector. | +> | Microsoft.Security/securityConnectors/devops/gitHubOwners/repos/write | Updates a monitored GitHub repository. | +> | Microsoft.Security/securityConnectors/devops/gitLabGroups/write | Creates or updates monitored GitLab Group details. | +> | Microsoft.Security/securityConnectors/devops/gitLabGroups/delete | Deletes a monitored GitLab Group. | +> | Microsoft.Security/securityConnectors/devops/gitLabGroups/read | Returns a monitored GitLab Group resource for a given fully-qualified name. | +> | Microsoft.Security/securityConnectors/devops/gitLabGroups/read | Returns a list of GitLab groups onboarded to the connector. | +> | Microsoft.Security/securityConnectors/devops/gitLabGroups/write | Updates monitored GitLab Group details. | +> | Microsoft.Security/securityConnectors/devops/gitLabGroups/listAvailableProjects/action | Gets a list of all GitLab projects that are directly owned by given group and accessible by the user token consumed by the connector. | +> | Microsoft.Security/securityConnectors/devops/gitLabGroups/listSubgroups/action | Gets nested subgroups of given GitLab Group which are onboarded to the connector. | +> | Microsoft.Security/securityConnectors/devops/gitLabGroups/listAvailableSubgroups/action | Gets all nested subgroups of given GitLab Group which are accessible by the user token consumed by the connector. | +> | Microsoft.Security/securityConnectors/devops/gitLabGroups/projects/write | Creates or updates monitored GitLab Project details. 
| +> | Microsoft.Security/securityConnectors/devops/gitLabGroups/projects/delete | Deletes a monitored GitLab Project. | +> | Microsoft.Security/securityConnectors/devops/gitLabGroups/projects/read | Returns a monitored GitLab Project resource for a given fully-qualified group name and project name. | +> | Microsoft.Security/securityConnectors/devops/gitLabGroups/projects/read | Gets a list of GitLab projects that are directly owned by given group and onboarded to the connector. | +> | Microsoft.Security/securityConnectors/devops/gitLabGroups/projects/write | Updates monitored GitLab Project details. | +> | Microsoft.Security/securityConnectors/devops/operationResults/read | Get devops long running operation result. | +> | Microsoft.Security/securityContacts/read | Gets the security contact | +> | Microsoft.Security/securityContacts/write | Updates the security contact | +> | Microsoft.Security/securityContacts/delete | Deletes the security contact | +> | Microsoft.Security/securitySolutions/read | Gets the security solutions | +> | Microsoft.Security/securitySolutions/write | Creates a new security solution or updates an existing one | +> | Microsoft.Security/securitySolutions/delete | Deletes a security solution | +> | Microsoft.Security/securitySolutionsReferenceData/read | Gets the security solutions reference data | +> | Microsoft.Security/securityStandards/read | Get the security standards | +> | Microsoft.Security/securityStandards/write | Create or update the security standard | +> | Microsoft.Security/securityStandards/delete | Deletes the security standard | +> | Microsoft.Security/securityStatuses/read | Gets the security health statuses for Azure resources | +> | Microsoft.Security/securityStatusesSummaries/read | Gets the security statuses summaries for the scope | +> | Microsoft.Security/sensitivitySettings/read | Gets tenant level sensitivity settings | +> | Microsoft.Security/sensitivitySettings/write | Updates tenant level sensitivity settings | +> 
| Microsoft.Security/serverVulnerabilityAssessments/read | Get server vulnerability assessments onboarding status on a given resource | +> | Microsoft.Security/serverVulnerabilityAssessments/write | Create or update a server vulnerability assessments solution on resource | +> | Microsoft.Security/serverVulnerabilityAssessments/delete | Remove a server vulnerability assessments solution from a resource | +> | Microsoft.Security/serverVulnerabilityAssessmentsSettings/read | Get server vulnerability assessments settings onboarding status for a given subscription | +> | Microsoft.Security/serverVulnerabilityAssessmentsSettings/write | Create or update server vulnerability assessments settings on a given subscription | +> | Microsoft.Security/serverVulnerabilityAssessmentsSettings/delete | Remove server vulnerability assessments settings from a given subscription | +> | Microsoft.Security/settings/read | Gets the settings for the scope | +> | Microsoft.Security/settings/write | Updates the settings for the scope | +> | Microsoft.Security/sqlVulnerabilityAssessments/baselineRules/action | Add a list of rules result to the baseline. | +> | Microsoft.Security/sqlVulnerabilityAssessments/baselineRules/read | Return the databases' baseline (all rules that were added to the baseline) or get a rule baseline results for the specified rule ID. | +> | Microsoft.Security/sqlVulnerabilityAssessments/baselineRules/write | Change the rule baseline result. | +> | Microsoft.Security/sqlVulnerabilityAssessments/baselineRules/delete | Remove the rule result from the baseline. | +> | Microsoft.Security/sqlVulnerabilityAssessments/scans/read | Return the list of vulnerability assessment scan records or get the scan record for the specified scan ID. | +> | Microsoft.Security/sqlVulnerabilityAssessments/scans/scanResults/read | Return the list of vulnerability assessment rule results or get the rule result for the specified rule ID. 
| +> | Microsoft.Security/standardAssignments/read | Get the standard assignments | +> | Microsoft.Security/standardAssignments/write | Create or update the standard assignment | +> | Microsoft.Security/standardAssignments/delete | Deletes the standard assignment | +> | Microsoft.Security/standards/read | Get the security standard | +> | Microsoft.Security/standards/write | Create or update the security standard | +> | Microsoft.Security/standards/delete | Deletes the security standard | +> | Microsoft.Security/tasks/read | Gets all available security recommendations | +> | Microsoft.Security/webApplicationFirewalls/read | Gets the web application firewalls | +> | Microsoft.Security/webApplicationFirewalls/write | Creates a new web application firewall or updates an existing one | +> | Microsoft.Security/webApplicationFirewalls/delete | Deletes a web application firewall | +> | Microsoft.Security/workspaceSettings/read | Gets the workspace settings | +> | Microsoft.Security/workspaceSettings/write | Updates the workspace settings | +> | Microsoft.Security/workspaceSettings/delete | Deletes the workspace settings | +> | Microsoft.Security/workspaceSettings/connect/action | Change workspace settings reconnection settings | ++## Microsoft.SecurityGraph ++Azure service: Microsoft Monitoring Insights ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.SecurityGraph/diagnosticsettings/write | Writing a diagnostic setting | +> | Microsoft.SecurityGraph/diagnosticsettings/read | Reading a diagnostic setting | +> | Microsoft.SecurityGraph/diagnosticsettings/delete | Deleting a diagnostic setting | +> | Microsoft.SecurityGraph/diagnosticsettingscategories/read | Reading a diagnostic setting categories | ++## Microsoft.SecurityInsights ++Azure service: [Microsoft Sentinel](/azure/sentinel/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.SecurityInsights/register/action | Registers the subscription to Azure 
Sentinel | +> | Microsoft.SecurityInsights/unregister/action | Unregisters the subscription from Azure Sentinel | +> | Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action | Check user authorization and license | +> | Microsoft.SecurityInsights/Aggregations/read | Gets aggregated information | +> | Microsoft.SecurityInsights/alertRules/read | Gets the alert rules | +> | Microsoft.SecurityInsights/alertRules/write | Updates alert rules | +> | Microsoft.SecurityInsights/alertRules/delete | Deletes alert rules | +> | Microsoft.SecurityInsights/alertRules/triggerRuleRun/action | Trigger on-demand rule run execution | +> | Microsoft.SecurityInsights/alertRules/actions/read | Gets the response actions of an alert rule | +> | Microsoft.SecurityInsights/alertRules/actions/write | Updates the response actions of an alert rule | +> | Microsoft.SecurityInsights/alertRules/actions/delete | Deletes the response actions of an alert rule | +> | Microsoft.SecurityInsights/automationRules/read | Gets an automation rule | +> | Microsoft.SecurityInsights/automationRules/write | Updates an automation rule | +> | Microsoft.SecurityInsights/automationRules/delete | Deletes an automation rule | +> | Microsoft.SecurityInsights/BillingStatistics/read | Read BillingStatistics | +> | Microsoft.SecurityInsights/Bookmarks/read | Gets bookmarks | +> | Microsoft.SecurityInsights/Bookmarks/write | Updates bookmarks | +> | Microsoft.SecurityInsights/Bookmarks/delete | Deletes bookmarks | +> | Microsoft.SecurityInsights/Bookmarks/expand/action | Gets related entities of an entity by a specific expansion | +> | Microsoft.SecurityInsights/bookmarks/relations/read | Gets a bookmark relation | +> | Microsoft.SecurityInsights/bookmarks/relations/write | Updates a bookmark relation | +> | Microsoft.SecurityInsights/bookmarks/relations/delete | Deletes a bookmark relation | +> | Microsoft.SecurityInsights/cases/read | Gets a case | +> | Microsoft.SecurityInsights/cases/write | Updates a case 
| +> | Microsoft.SecurityInsights/cases/delete | Deletes a case | +> | Microsoft.SecurityInsights/cases/comments/read | Gets the case comments | +> | Microsoft.SecurityInsights/cases/comments/write | Creates the case comments | +> | Microsoft.SecurityInsights/cases/investigations/read | Gets the case investigations | +> | Microsoft.SecurityInsights/cases/investigations/write | Updates the metadata of a case | +> | Microsoft.SecurityInsights/ConfidentialWatchlists/read | Gets Confidential Watchlists | +> | Microsoft.SecurityInsights/ConfidentialWatchlists/write | Creates Confidential Watchlists | +> | Microsoft.SecurityInsights/ConfidentialWatchlists/delete | Deletes Confidential Watchlists | +> | Microsoft.SecurityInsights/ContentPackages/read | Read available Content Packages. | +> | Microsoft.SecurityInsights/ContentPackages/write | Install or uninstall Content Packages. | +> | Microsoft.SecurityInsights/ContentTemplates/read | Read installed Content Templates. | +> | Microsoft.SecurityInsights/ContentTemplates/delete | Delete installed Content Templates. 
| +> | Microsoft.SecurityInsights/dataConnectors/read | Gets the data connectors | +> | Microsoft.SecurityInsights/dataConnectors/write | Updates a data connector | +> | Microsoft.SecurityInsights/dataConnectors/delete | Deletes a data connector | +> | Microsoft.SecurityInsights/enrichment/domain/whois/read | Get whois enrichment for a domain | +> | Microsoft.SecurityInsights/enrichment/ip/geodata/read | Get geodata enrichment for an IP | +> | Microsoft.SecurityInsights/entities/read | Gets the sentinel entities graph | +> | Microsoft.SecurityInsights/entities/gettimeline/action | Gets entity timeline for a specific range | +> | Microsoft.SecurityInsights/entities/getInsights/action | Gets entity Insights for a specific range | +> | Microsoft.SecurityInsights/entities/runPlaybook/action | Run playbook on entity | +> | Microsoft.SecurityInsights/entities/relations/read | Gets a relation between the entity and related resources | +> | Microsoft.SecurityInsights/entities/relations/write | Updates a relation between the entity and related resources | +> | Microsoft.SecurityInsights/entities/relations/delete | Deletes a relation between the entity and related resources | +> | Microsoft.SecurityInsights/entityQueries/read | Gets the investigation expansions for entities | +> | Microsoft.SecurityInsights/ExportConnections/read | Read ExportConnections | +> | Microsoft.SecurityInsights/ExportConnections/write | write ExportConnections | +> | Microsoft.SecurityInsights/ExportConnections/delete | Delete ExportConnections | +> | Microsoft.SecurityInsights/ExportConnections/ExportJobs/read | Read ExportJobs | +> | Microsoft.SecurityInsights/ExportConnections/ExportJobs/write | write ExportJobs | +> | Microsoft.SecurityInsights/ExportConnections/ExportJobs/delete | Delete ExportJobs | +> | Microsoft.SecurityInsights/fileimports/read | Reads File Import objects | +> | Microsoft.SecurityInsights/fileimports/write | Creates or updates a File Import | +> | 
Microsoft.SecurityInsights/fileimports/delete | Deletes a File Import | +> | Microsoft.SecurityInsights/hunts/read | Get Hunts | +> | Microsoft.SecurityInsights/hunts/write | Create Hunts | +> | Microsoft.SecurityInsights/hunts/delete | Deletes Hunts | +> | Microsoft.SecurityInsights/hunts/comments/read | Get Hunt Comments | +> | Microsoft.SecurityInsights/hunts/comments/write | Create Hunt Comments | +> | Microsoft.SecurityInsights/hunts/comments/delete | Deletes Hunt Comments | +> | Microsoft.SecurityInsights/hunts/relations/read | Get Hunt Relations | +> | Microsoft.SecurityInsights/hunts/relations/write | Create Hunt Relations | +> | Microsoft.SecurityInsights/hunts/relations/delete | Deletes Hunt Relations | +> | Microsoft.SecurityInsights/incidents/read | Gets an incident | +> | Microsoft.SecurityInsights/incidents/write | Updates an incident | +> | Microsoft.SecurityInsights/incidents/delete | Deletes an incident | +> | Microsoft.SecurityInsights/incidents/createTeam/action | Creates a Microsoft team to investigate the incident by sharing information and insights between participants | +> | Microsoft.SecurityInsights/incidents/runPlaybook/action | Run playbook on incident | +> | Microsoft.SecurityInsights/incidents/comments/read | Gets the incident comments | +> | Microsoft.SecurityInsights/incidents/comments/write | Creates a comment on the incident | +> | Microsoft.SecurityInsights/incidents/comments/delete | Deletes a comment on the incident | +> | Microsoft.SecurityInsights/incidents/relations/read | Gets a relation between the incident and related resources | +> | Microsoft.SecurityInsights/incidents/relations/write | Updates a relation between the incident and related resources | +> | Microsoft.SecurityInsights/incidents/relations/delete | Deletes a relation between the incident and related resources | +> | Microsoft.SecurityInsights/incidents/tasks/read | Gets a task on the incident | +> | Microsoft.SecurityInsights/incidents/tasks/write | Updates a 
task on the incident | +> | Microsoft.SecurityInsights/incidents/tasks/delete | Deletes a task on the incident | +> | Microsoft.SecurityInsights/Metadata/read | Read Metadata for Sentinel content. | +> | Microsoft.SecurityInsights/Metadata/write | Write Metadata for Sentinel content. | +> | Microsoft.SecurityInsights/Metadata/delete | Delete Metadata for Sentinel content. | +> | Microsoft.SecurityInsights/MitreCoverageRecords/read | Read Products Mitre Coverage | +> | Microsoft.SecurityInsights/officeConsents/read | Gets consents from Microsoft Office | +> | Microsoft.SecurityInsights/officeConsents/delete | Deletes consents from Microsoft Office | +> | Microsoft.SecurityInsights/onboardingStates/read | Gets an onboarding state | +> | Microsoft.SecurityInsights/onboardingStates/write | Updates an onboarding state | +> | Microsoft.SecurityInsights/onboardingStates/delete | Deletes an onboarding state | +> | Microsoft.SecurityInsights/operations/read | Gets operations | +> | Microsoft.SecurityInsights/securityMLAnalyticsSettings/read | Gets the analytics settings | +> | Microsoft.SecurityInsights/securityMLAnalyticsSettings/write | Update the analytics settings | +> | Microsoft.SecurityInsights/securityMLAnalyticsSettings/delete | Delete an analytics setting | +> | Microsoft.SecurityInsights/settings/read | Gets settings | +> | Microsoft.SecurityInsights/settings/write | Updates settings | +> | Microsoft.SecurityInsights/settings/delete | Deletes setting | +> | Microsoft.SecurityInsights/SourceControls/read | Read SourceControls | +> | Microsoft.SecurityInsights/SourceControls/write | write SourceControls | +> | Microsoft.SecurityInsights/SourceControls/delete | Delete SourceControls | +> | Microsoft.SecurityInsights/threatintelligence/read | Gets Threat Intelligence | +> | Microsoft.SecurityInsights/threatintelligence/write | Updates Threat Intelligence | +> | Microsoft.SecurityInsights/threatintelligence/delete | Deletes Threat Intelligence | +> | 
Microsoft.SecurityInsights/threatintelligence/query/action | Query Threat Intelligence | +> | Microsoft.SecurityInsights/threatintelligence/metrics/action | Collect Threat Intelligence Metrics | +> | Microsoft.SecurityInsights/threatintelligence/bulkDelete/action | Bulk Delete Threat Intelligence | +> | Microsoft.SecurityInsights/threatintelligence/bulkTag/action | Bulk Tags Threat Intelligence | +> | Microsoft.SecurityInsights/threatintelligence/createIndicator/action | Create Threat Intelligence Indicator | +> | Microsoft.SecurityInsights/threatintelligence/queryIndicators/action | Query Threat Intelligence Indicators | +> | Microsoft.SecurityInsights/threatintelligence/bulkactions/read | Reads TI Bulk Action objects | +> | Microsoft.SecurityInsights/threatintelligence/bulkactions/write | Creates or updates a TI Bulk Action | +> | Microsoft.SecurityInsights/threatintelligence/bulkactions/delete | Deletes a TI Bulk Action | +> | Microsoft.SecurityInsights/threatintelligence/bulkactions/query/action | Query Threat Intelligence STIX objects | +> | Microsoft.SecurityInsights/threatintelligence/bulkactions/count/action | Query Threat Intelligence STIX object count | +> | Microsoft.SecurityInsights/threatintelligence/indicators/write | Updates Threat Intelligence Indicators | +> | Microsoft.SecurityInsights/threatintelligence/indicators/delete | Deletes Threat Intelligence Indicators | +> | Microsoft.SecurityInsights/threatintelligence/indicators/query/action | Query Threat Intelligence Indicators | +> | Microsoft.SecurityInsights/threatintelligence/indicators/metrics/action | Get Threat Intelligence Indicator Metrics | +> | Microsoft.SecurityInsights/threatintelligence/indicators/bulkDelete/action | Bulk Delete Threat Intelligence Indicators | +> | Microsoft.SecurityInsights/threatintelligence/indicators/bulkTag/action | Bulk Tags Threat Intelligence Indicators | +> | Microsoft.SecurityInsights/threatintelligence/indicators/read | Gets Threat Intelligence Indicators | 
+> | Microsoft.SecurityInsights/threatintelligence/indicators/appendTags/action | Append tags to Threat Intelligence Indicator | +> | Microsoft.SecurityInsights/threatintelligence/indicators/replaceTags/action | Replace Tags of Threat Intelligence Indicator | +> | Microsoft.SecurityInsights/threatintelligence/ingestionrulelist/read | Reads the set of TI Ingestion Rule objects | +> | Microsoft.SecurityInsights/threatintelligence/ingestionrulelist/write | Creates or updates a set of TI Ingestion Rules | +> | Microsoft.SecurityInsights/threatintelligence/metrics/read | Collect Threat Intelligence Metrics | +> | Microsoft.SecurityInsights/threatintelligence/threatactors/read | Reads TI Threat Actor objects | +> | Microsoft.SecurityInsights/threatintelligence/threatactors/write | Creates or updates a TI Threat Actor | +> | Microsoft.SecurityInsights/threatintelligence/threatactors/delete | Deletes a TI Threat Actor | +> | Microsoft.SecurityInsights/triggeredAnalyticsRuleRuns/read | Gets the triggered analytics rule runs | +> | Microsoft.SecurityInsights/Watchlists/read | Gets Watchlists | +> | Microsoft.SecurityInsights/Watchlists/write | Create Watchlists | +> | Microsoft.SecurityInsights/Watchlists/delete | Deletes Watchlists | +> | Microsoft.SecurityInsights/WorkspaceManagerAssignments/read | Gets WorkspaceManager Assignments | +> | Microsoft.SecurityInsights/WorkspaceManagerAssignments/write | Creates WorkspaceManager Assignments | +> | Microsoft.SecurityInsights/WorkspaceManagerAssignments/delete | Deletes WorkspaceManager Assignments | +> | Microsoft.SecurityInsights/workspaceManagerAssignments/jobs/read | Gets WorkspaceManagerAssignments jobs | +> | Microsoft.SecurityInsights/workspaceManagerAssignments/jobs/write | Creates WorkspaceManagerAssignments jobs | +> | Microsoft.SecurityInsights/workspaceManagerAssignments/jobs/delete | Deletes WorkspaceManagerAssignments jobs | +> | Microsoft.SecurityInsights/WorkspaceManagerConfigurations/read | Gets WorkspaceManager 
Configurations | +> | Microsoft.SecurityInsights/WorkspaceManagerConfigurations/write | Creates WorkspaceManager Configurations | +> | Microsoft.SecurityInsights/WorkspaceManagerConfigurations/delete | Deletes WorkspaceManager Configurations | +> | Microsoft.SecurityInsights/WorkspaceManagerGroups/read | Gets WorkspaceManager Groups | +> | Microsoft.SecurityInsights/WorkspaceManagerGroups/write | Creates WorkspaceManager Groups | +> | Microsoft.SecurityInsights/WorkspaceManagerGroups/delete | Deletes WorkspaceManager Groups | +> | Microsoft.SecurityInsights/WorkspaceManagerMembers/read | Gets WorkspaceManager Members | +> | Microsoft.SecurityInsights/WorkspaceManagerMembers/write | Creates WorkspaceManager Members | +> | Microsoft.SecurityInsights/WorkspaceManagerMembers/delete | Deletes WorkspaceManager Members | ++## Next steps ++- [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types) |
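Review bot: several action strings in the Microsoft.Security devops tables appear twice with different descriptions, which leaves a reader building a custom role unable to tell which operation the permission actually grants. For example `Microsoft.Security/securityConnectors/devops/azureDevOpsOrgs/projects/repos/read` is listed once as "Returns a monitored Azure DevOps repository resource." and again as "Returns a list of Azure DevOps repositories onboarded to the connector.", and the same pattern repeats for the `gitHubOwners`, `gitHubOwners/repos`, `gitLabGroups` and `gitLabGroups/projects` read and write rows. Since the permission string is the unit that RBAC evaluates, consider merging each pair into a single row whose description covers both the get and the list (or create and update) case, or stating once above the table that one action string can back more than one operation. As a smaller style point, the Microsoft.SecurityInsights rows "write ExportConnections", "write ExportJobs" and "write SourceControls" are the only descriptions that start lowercase; capitalizing them would match every other entry in the table.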
role-based-access-control | Storage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/storage.md | + + Title: Azure permissions for Storage - Azure RBAC +description: Lists the permissions for the Azure resource providers in the Storage category. +++++ Last updated : 02/07/2024++++# Azure permissions for Storage ++This article lists the permissions for the Azure resource providers in the Storage category. You can use these permissions in your own [Azure custom roles](/azure/role-based-access-control/custom-roles) to provide granular access control to resources in Azure. Permission strings have the following format: `{Company}.{ProviderName}/{resourceType}/{action}` +++## Microsoft.ClassicStorage ++Azure service: Classic deployment model storage ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.ClassicStorage/register/action | Register to Classic Storage | +> | Microsoft.ClassicStorage/checkStorageAccountAvailability/action | Checks for the availability of a storage account. | +> | Microsoft.ClassicStorage/capabilities/read | Shows the capabilities | +> | Microsoft.ClassicStorage/checkStorageAccountAvailability/read | Get the availability of a storage account. | +> | Microsoft.ClassicStorage/disks/read | Returns the storage account disk. | +> | Microsoft.ClassicStorage/images/read | Returns the image. | +> | Microsoft.ClassicStorage/images/operationstatuses/read | Gets Image Operation Status. | +> | Microsoft.ClassicStorage/operations/read | Gets classic storage operations | +> | Microsoft.ClassicStorage/osImages/read | Returns the operating system image. | +> | Microsoft.ClassicStorage/osPlatformImages/read | Gets the operating system platform image. | +> | Microsoft.ClassicStorage/publicImages/read | Gets the public virtual machine image. | +> | Microsoft.ClassicStorage/quotas/read | Get the quota for the subscription. 
| +> | Microsoft.ClassicStorage/storageAccounts/read | Return the storage account with the given account. | +> | Microsoft.ClassicStorage/storageAccounts/write | Adds a new storage account. | +> | Microsoft.ClassicStorage/storageAccounts/delete | Delete the storage account. | +> | Microsoft.ClassicStorage/storageAccounts/listKeys/action | Lists the access keys for the storage accounts. | +> | Microsoft.ClassicStorage/storageAccounts/regenerateKey/action | Regenerates the existing access keys for the storage account. | +> | Microsoft.ClassicStorage/storageAccounts/validateMigration/action | Validates migration of a storage account. | +> | Microsoft.ClassicStorage/storageAccounts/prepareMigration/action | Prepares migration of a storage account. | +> | Microsoft.ClassicStorage/storageAccounts/commitMigration/action | Commits migration of a storage account. | +> | Microsoft.ClassicStorage/storageAccounts/abortMigration/action | Aborts migration of a storage account. | +> | Microsoft.ClassicStorage/storageAccounts/blobServices/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostics settings. | +> | Microsoft.ClassicStorage/storageAccounts/blobServices/providers/Microsoft.Insights/diagnosticSettings/write | Add or modify diagnostics settings. | +> | Microsoft.ClassicStorage/storageAccounts/blobServices/providers/Microsoft.Insights/metricDefinitions/read | Gets the metrics definitions. | +> | Microsoft.ClassicStorage/storageAccounts/disks/read | Returns the storage account disk. | +> | Microsoft.ClassicStorage/storageAccounts/disks/write | Adds a storage account disk. | +> | Microsoft.ClassicStorage/storageAccounts/disks/delete | Deletes a given storage account disk. | +> | Microsoft.ClassicStorage/storageAccounts/disks/operationStatuses/read | Reads the operation status for the resource. | +> | Microsoft.ClassicStorage/storageAccounts/fileServices/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostics settings. 
| +> | Microsoft.ClassicStorage/storageAccounts/fileServices/providers/Microsoft.Insights/diagnosticSettings/write | Add or modify diagnostics settings. | +> | Microsoft.ClassicStorage/storageAccounts/fileServices/providers/Microsoft.Insights/metricDefinitions/read | Gets the metrics definitions. | +> | Microsoft.ClassicStorage/storageAccounts/images/read | Returns the storage account image. (Deprecated. Use 'Microsoft.ClassicStorage/storageAccounts/vmImages') | +> | Microsoft.ClassicStorage/storageAccounts/images/delete | Deletes a given storage account image. (Deprecated. Use 'Microsoft.ClassicStorage/storageAccounts/vmImages') | +> | Microsoft.ClassicStorage/storageAccounts/images/operationstatuses/read | Returns the storage account image operation status. | +> | Microsoft.ClassicStorage/storageAccounts/operationStatuses/read | Reads the operation status for the resource. | +> | Microsoft.ClassicStorage/storageAccounts/osImages/read | Returns the storage account operating system image. | +> | Microsoft.ClassicStorage/storageAccounts/osImages/write | Adds a given storage account operating system image. | +> | Microsoft.ClassicStorage/storageAccounts/osImages/delete | Deletes a given storage account operating system image. | +> | Microsoft.ClassicStorage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostics settings. | +> | Microsoft.ClassicStorage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/write | Add or modify diagnostics settings. | +> | Microsoft.ClassicStorage/storageAccounts/providers/Microsoft.Insights/metricDefinitions/read | Gets the metrics definitions. | +> | Microsoft.ClassicStorage/storageAccounts/queueServices/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostics settings. | +> | Microsoft.ClassicStorage/storageAccounts/queueServices/providers/Microsoft.Insights/diagnosticSettings/write | Add or modify diagnostics settings. 
| +> | Microsoft.ClassicStorage/storageAccounts/queueServices/providers/Microsoft.Insights/metricDefinitions/read | Gets the metrics definitions. | +> | Microsoft.ClassicStorage/storageAccounts/services/read | Get the available services. | +> | Microsoft.ClassicStorage/storageAccounts/services/diagnosticSettings/read | Get the diagnostics settings. | +> | Microsoft.ClassicStorage/storageAccounts/services/diagnosticSettings/write | Add or modify diagnostics settings. | +> | Microsoft.ClassicStorage/storageAccounts/services/metricDefinitions/read | Gets the metrics definitions. | +> | Microsoft.ClassicStorage/storageAccounts/services/metrics/read | Gets the metrics. | +> | Microsoft.ClassicStorage/storageAccounts/tableServices/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostics settings. | +> | Microsoft.ClassicStorage/storageAccounts/tableServices/providers/Microsoft.Insights/diagnosticSettings/write | Add or modify diagnostics settings. | +> | Microsoft.ClassicStorage/storageAccounts/tableServices/providers/Microsoft.Insights/metricDefinitions/read | Gets the metrics definitions. | +> | Microsoft.ClassicStorage/storageAccounts/vmImages/read | Returns the virtual machine image. | +> | Microsoft.ClassicStorage/storageAccounts/vmImages/write | Adds a given virtual machine image. | +> | Microsoft.ClassicStorage/storageAccounts/vmImages/delete | Deletes a given virtual machine image. | +> | Microsoft.ClassicStorage/storageAccounts/vmImages/operationstatuses/read | Gets a given virtual machine image operation status. | +> | Microsoft.ClassicStorage/vmImages/read | Lists virtual machine images. 
| ++## Microsoft.DataBox ++Azure service: [Azure Data Box](/azure/databox/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.DataBox/register/action | Register Provider Microsoft.Databox | +> | Microsoft.DataBox/unregister/action | Un-Register Provider Microsoft.Databox | +> | Microsoft.DataBox/jobs/cancel/action | Cancels an order in progress. | +> | Microsoft.DataBox/jobs/bookShipmentPickUp/action | Allows to book a pick up for return shipments. | +> | Microsoft.DataBox/jobs/mitigate/action | This method helps in performing mitigation action on a job with a resolution code | +> | Microsoft.DataBox/jobs/markDevicesShipped/action | | +> | Microsoft.DataBox/jobs/read | List or get the Orders | +> | Microsoft.DataBox/jobs/delete | Delete the Orders | +> | Microsoft.DataBox/jobs/write | Create or update the Orders | +> | Microsoft.DataBox/jobs/listCredentials/action | Lists the unencrypted credentials related to the order. | +> | Microsoft.DataBox/jobs/eventGridFilters/write | Create or update the Event Grid Subscription Filter | +> | Microsoft.DataBox/jobs/eventGridFilters/read | List or get the Event Grid Subscription Filter | +> | Microsoft.DataBox/jobs/eventGridFilters/delete | Delete the Event Grid Subscription Filter | +> | Microsoft.DataBox/locations/validateInputs/action | This method does all type of validations. | +> | Microsoft.DataBox/locations/validateAddress/action | Validates the shipping address and provides alternate addresses if any. | +> | Microsoft.DataBox/locations/availableSkus/action | This method returns the list of available skus. | +> | Microsoft.DataBox/locations/regionConfiguration/action | This method returns the configurations for the region. 
| +> | Microsoft.DataBox/locations/availableSkus/read | List or get the Available Skus | +> | Microsoft.DataBox/locations/operationResults/read | List or get the Operation Results | +> | Microsoft.DataBox/operations/read | List or get the Operations | +> | Microsoft.DataBox/subscriptions/resourceGroups/moveResources/action | This method performs the resource move. | +> | Microsoft.DataBox/subscriptions/resourceGroups/validateMoveResources/action | This method validates whether resource move is allowed or not. | ++## Microsoft.DataShare ++Azure service: [Azure Data Share](/azure/data-share/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.DataShare/register/action | Register the subscription for the Data Share Resource Provider. | +> | Microsoft.DataShare/unregister/action | Unregister the subscription for the Data Share Resource Provider. | +> | Microsoft.DataShare/accounts/read | Reads a Data Share Account. | +> | Microsoft.DataShare/accounts/write | Writes a Data Share Account. | +> | Microsoft.DataShare/accounts/delete | Deletes a Data Share Account. | +> | Microsoft.DataShare/accounts/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource. | +> | Microsoft.DataShare/accounts/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource. | +> | Microsoft.DataShare/accounts/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for account. | +> | Microsoft.DataShare/accounts/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for account. | +> | Microsoft.DataShare/accounts/shares/read | Reads a Data Share Share. | +> | Microsoft.DataShare/accounts/shares/write | Writes a Data Share Share. | +> | Microsoft.DataShare/accounts/shares/delete | Deletes a Data Share Share. | +> | Microsoft.DataShare/accounts/shares/listSynchronizations/action | Action For Data Share ListSynchronization. 
| +> | Microsoft.DataShare/accounts/shares/listSynchronizationDetails/action | Action For Data Share ListSynchronization details. | +> | Microsoft.DataShare/accounts/shares/dataSets/read | Reads a DataSet. | +> | Microsoft.DataShare/accounts/shares/dataSets/write | Create a Data Share DataSet. | +> | Microsoft.DataShare/accounts/shares/dataSets/delete | Deletes a Data Share DataSet. | +> | Microsoft.DataShare/accounts/shares/invitations/read | Reads a Data Share Invitation. | +> | Microsoft.DataShare/accounts/shares/invitations/write | Writes a Data Share Invitation. | +> | Microsoft.DataShare/accounts/shares/invitations/delete | Deletes a Data Share Invitation. | +> | Microsoft.DataShare/accounts/shares/operationResults/read | Reads a Data Share Share. | +> | Microsoft.DataShare/accounts/shares/providerShareSubscriptions/read | Reads a Data Share Provider ShareSubscription. | +> | Microsoft.DataShare/accounts/shares/providerShareSubscriptions/revoke/action | Revokes a Data Share Subscription. | +> | Microsoft.DataShare/accounts/shares/providerShareSubscriptions/reinstate/action | Reinstates a Data Share Subscription. | +> | Microsoft.DataShare/accounts/shares/synchronizationSettings/read | Reads a Data Share Synchronization Setting. | +> | Microsoft.DataShare/accounts/shares/synchronizationSettings/write | Writes a Data Share Synchronization Setting. | +> | Microsoft.DataShare/accounts/shares/synchronizationSettings/delete | Delete a Data Share Synchronization Setting. | +> | Microsoft.DataShare/accounts/shareSubscriptions/cancelSynchronization/action | Cancels a Data Share Synchronization. | +> | Microsoft.DataShare/accounts/shareSubscriptions/delete | Deletes a Data Share Share Subscription. | +> | Microsoft.DataShare/accounts/shareSubscriptions/listSourceShareSynchronizationSettings/action | List Data Share Source Share SynchronizationSettings. 
| +> | Microsoft.DataShare/accounts/shareSubscriptions/listSynchronizationDetails/action | List Data Share Synchronization Details. | +> | Microsoft.DataShare/accounts/shareSubscriptions/listSynchronizations/action | List Data Share Synchronizations. | +> | Microsoft.DataShare/accounts/shareSubscriptions/read | Reads a Data Share ShareSubscription. | +> | Microsoft.DataShare/accounts/shareSubscriptions/synchronize/action | Initialize a Data Share Synchronize operation. | +> | Microsoft.DataShare/accounts/shareSubscriptions/write | Writes a Data Share ShareSubscription. | +> | Microsoft.DataShare/accounts/shareSubscriptions/consumerSourceDataSets/read | Reads a Data Share Consumer Source DataSet. | +> | Microsoft.DataShare/accounts/shareSubscriptions/dataSetMappings/delete | Deletes a Data Share DataSetMapping. | +> | Microsoft.DataShare/accounts/shareSubscriptions/dataSetMappings/write | Write a Data Share DataSetMapping. | +> | Microsoft.DataShare/accounts/shareSubscriptions/dataSetMappings/read | Read a Data Share DataSetMapping. | +> | Microsoft.DataShare/accounts/shareSubscriptions/operationResults/read | Reads a Data Share ShareSubscription long running operation status. | +> | Microsoft.DataShare/accounts/shareSubscriptions/shareSubscriptionSynchronizations/read | Reads a Data Share Share Subscription Synchronization. | +> | Microsoft.DataShare/accounts/shareSubscriptions/synchronizationOperationResults/read | Reads a Data Share Synchronization Operation Result. | +> | Microsoft.DataShare/accounts/shareSubscriptions/triggers/read | Reads a Data Share Trigger. | +> | Microsoft.DataShare/accounts/shareSubscriptions/triggers/write | Write a Data Share Trigger. | +> | Microsoft.DataShare/accounts/shareSubscriptions/triggers/delete | Delete a Data Share Trigger. | +> | Microsoft.DataShare/listInvitations/read | Reads Invitations at a tenant level. | +> | Microsoft.DataShare/locations/rejectInvitation/action | Rejects a Data Share Invitation. 
| +> | Microsoft.DataShare/locations/consumerInvitations/read | Gets a Data Share Consumer Invitation. | +> | Microsoft.DataShare/locations/operationResults/read | Reads the locations Data Share is supported in. | +> | Microsoft.DataShare/operations/read | Reads all available operations in Data Share Resource Provider. | ++## Microsoft.ElasticSan ++Azure service: [Azure Elastic SAN](/azure/storage/elastic-san/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.ElasticSan/register/action | Registers the subscription for the ElasticSan resource provider and enables the creation of san accounts. | +> | Microsoft.ElasticSan/elasticSans/PrivateEndpointConnectionsApproval/action | | +> | Microsoft.ElasticSan/elasticSans/read | List ElasticSans by Resource Group | +> | Microsoft.ElasticSan/elasticSans/read | List ElasticSans by Subscription | +> | Microsoft.ElasticSan/elasticSans/delete | Delete ElasticSan | +> | Microsoft.ElasticSan/elasticSans/read | Get Elastic San | +> | Microsoft.ElasticSan/elasticSans/write | Create/Update Elastic San | +> | Microsoft.ElasticSan/elasticSans/privateEndpointConnectionProxies/write | | +> | Microsoft.ElasticSan/elasticSans/privateEndpointConnectionProxies/validate/action | | +> | Microsoft.ElasticSan/elasticSans/privateEndpointConnectionProxies/delete | | +> | Microsoft.ElasticSan/elasticSans/privateEndpointConnectionProxies/read | | +> | Microsoft.ElasticSan/elasticSans/privateEndpointConnections/write | | +> | Microsoft.ElasticSan/elasticSans/privateEndpointConnections/delete | | +> | Microsoft.ElasticSan/elasticSans/privateEndpoints/move/action | | +> | Microsoft.ElasticSan/elasticSans/privateLinkResources/read | | +> | Microsoft.ElasticSan/elasticSans/volumeGroups/read | List VolumeGroups by ElasticSan | +> | Microsoft.ElasticSan/elasticSans/volumeGroups/delete | Delete Volume Group | +> | Microsoft.ElasticSan/elasticSans/volumeGroups/read | Get Volume Group | +> | 
Microsoft.ElasticSan/elasticSans/volumeGroups/write | Create/Update Volume Group | +> | Microsoft.ElasticSan/elasticSans/volumeGroups/snapshots/beginGetAccess/action | | +> | Microsoft.ElasticSan/elasticSans/volumeGroups/snapshots/read | | +> | Microsoft.ElasticSan/elasticSans/volumeGroups/snapshots/delete | Delete Volume Snapshot | +> | Microsoft.ElasticSan/elasticSans/volumeGroups/snapshots/write | | +> | Microsoft.ElasticSan/elasticSans/volumeGroups/snapshots/read | Get Volume Snapshot | +> | Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/delete | Delete Volume | +> | Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/read | List Volumes by Volume Group | +> | Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/write | Create/Update Volume | +> | Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/read | Get Volume | +> | Microsoft.ElasticSan/locations/asyncoperations/read | Polls the status of an asynchronous operation. | +> | Microsoft.ElasticSan/operations/read | List the operations supported by Microsoft.ElasticSan | +> | Microsoft.ElasticSan/skus/read | Get Sku | ++## Microsoft.NetApp ++Azure service: [Azure NetApp Files](/azure/azure-netapp-files/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.NetApp/register/action | Subscription Registration Action | +> | Microsoft.NetApp/unregister/action | Unregisters Subscription with Microsoft.NetApp resource provider | +> | Microsoft.NetApp/locations/read | Reads a location wide operation. | +> | Microsoft.NetApp/locations/checknameavailability/action | Check if resource name is available | +> | Microsoft.NetApp/locations/checkfilepathavailability/action | Check if file path is available | +> | Microsoft.NetApp/locations/checkquotaavailability/action | Check if a quota is available. | +> | Microsoft.NetApp/locations/queryNetworkSiblingSet/action | Query Network sibling set. 
| +> | Microsoft.NetApp/locations/updateNetworkSiblingSet/action | Query Network sibling set. | +> | Microsoft.NetApp/locations/operationresults/read | Reads an operation result resource. | +> | Microsoft.NetApp/locations/quotaLimits/read | Reads a Quotalimit resource type. | +> | Microsoft.NetApp/locations/regionInfo/read | Reads a regionInfo resource. | +> | Microsoft.NetApp/netAppAccounts/read | Reads an account resource. | +> | Microsoft.NetApp/netAppAccounts/write | Writes an account resource. | +> | Microsoft.NetApp/netAppAccounts/delete | Deletes an account resource. | +> | Microsoft.NetApp/netAppAccounts/renewCredentials/action | Renews MSI credentials of account, if account has MSI credentials that are due for renewal. | +> | Microsoft.NetApp/netAppAccounts/backupPolicies/read | Reads a backup policy resource. | +> | Microsoft.NetApp/netAppAccounts/backupPolicies/write | Writes a backup policy resource. | +> | Microsoft.NetApp/netAppAccounts/backupPolicies/delete | Deletes a backup policy resource. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/read | Reads a pool resource. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/write | Writes a pool resource. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/delete | Deletes a pool resource. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/providers/Microsoft.Insights/logDefinitions/read | Gets the log definitions for the resource. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Volume resource. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/read | Reads a volume resource. 
| +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/write | Writes a volume resource. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/delete | Deletes a volume resource. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/revert/action | Revert volume to specific snapshot | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/resetCifsPassword/action | Reset cifs password from specific volume. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/breakReplication/action | Break volume replication relations | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/listReplications/action | A list of replications | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/reInitializeReplication/action | Attempts to re-initialize an uninitialized replication | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/authorizeReplication/action | Authorize the source volume replication | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/resyncReplication/action | Resync the replication on the destination volume | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/deleteReplication/action | Delete the replication on the destination volume | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/poolChange/action | Moves volume to another pool. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/relocate/action | Relocate volume to a new stamp. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/finalizeRelocation/action | Finalize relocation by cleaning up the old volume. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/revertRelocation/action | Revert the relocation and revert back to the old volume. 
| +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/breakFileLocks/action | Breaks file locks on a volume | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/populateAvailabilityZone/action | Populates logical availability zone for a volume in a zone aware region and storage. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/getGroupIdListForLdapUser/action | Get group Id list for a given user for an Ldap enabled volume | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/reestablishReplication/action | Re-establish a previously deleted replication between 2 volumes that have a common ad-hoc or policy-based snapshots | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/mountTargets/read | Reads a mount target resource. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Volume resource. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/replicationStatus/read | Reads the statuses of the Volume Replication. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/restoreStatus/read | Get the status of the restore for a volume | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots/read | Reads a snapshot resource. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots/write | Writes a snapshot resource. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots/delete | Deletes a snapshot resource. 
| +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots/restoreFiles/action | Restores files from a snapshot resource | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/subvolumes/read | Read a sub volume resource. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/subvolumes/write | Write a sub volume resource. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/subvolumes/delete | Delete a sub volume resource. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/subvolumes/getMetadata/action | Read sub volume metadata resource. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/volumeQuotaRules/read | Reads a Volume quota rule resource. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/volumeQuotaRules/write | Writes Volume quota rule resource. | +> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/volumeQuotaRules/delete | Deletes a Volume quota rule resource. | +> | Microsoft.NetApp/netAppAccounts/snapshotPolicies/read | Reads a snapshot policy resource. | +> | Microsoft.NetApp/netAppAccounts/snapshotPolicies/write | Writes a snapshot policy resource. | +> | Microsoft.NetApp/netAppAccounts/snapshotPolicies/delete | Deletes a snapshot policy resource. | +> | Microsoft.NetApp/netAppAccounts/snapshotPolicies/volumes/read | List volumes connected to snapshot policy | +> | Microsoft.NetApp/netAppAccounts/volumeGroups/read | Reads a volume group resource. | +> | Microsoft.NetApp/netAppAccounts/volumeGroups/write | Writes a volume group resource. | +> | Microsoft.NetApp/netAppAccounts/volumeGroups/delete | Deletes a volume group resource. | +> | Microsoft.NetApp/Operations/read | Reads an operation resources. | ++## Microsoft.Storage ++Azure service: [Storage](/azure/storage/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Storage/register/action | Registers the subscription for the storage resource provider and enables the creation of storage accounts. 
| +> | Microsoft.Storage/register/action | | +> | Microsoft.Storage/checknameavailability/read | Checks that account name is valid and is not in use. | +> | Microsoft.Storage/deletedAccounts/read | | +> | Microsoft.Storage/locations/deleteVirtualNetworkOrSubnets/action | Notifies Microsoft.Storage that virtual network or subnet is being deleted | +> | Microsoft.Storage/locations/notifyNetworkSecurityPerimeterUpdatesAvailable/action | | +> | Microsoft.Storage/locations/previewActions/action | | +> | Microsoft.Storage/locations/checknameavailability/read | Checks that account name is valid and is not in use. | +> | Microsoft.Storage/locations/usages/read | Returns the limit and the current usage count for resources in the specified subscription | +> | Microsoft.Storage/operations/read | | +> | Microsoft.Storage/operations/read | Polls the status of an asynchronous operation. | +> | Microsoft.Storage/resilienciesProgressions/read | | +> | Microsoft.Storage/skus/read | Lists the Skus supported by Microsoft.Storage. 
| +> | Microsoft.Storage/storageAccounts/updateAccountContainerHoldingPeriod/action | | +> | Microsoft.Storage/storageAccounts/updateInternalProperties/action | | +> | Microsoft.Storage/storageAccounts/consumerDataShare/action | | +> | Microsoft.Storage/storageAccounts/hnsonmigration/action | Customer is able to abort an ongoing Hns migration on the storage account | +> | Microsoft.Storage/storageAccounts/hnsonmigration/action | Customer is able to migrate to hns account type | +> | Microsoft.Storage/storageAccounts/networkSecurityPerimeterConfigurations/action | | +> | Microsoft.Storage/storageAccounts/restoreBlobRanges/action | Restore blob ranges to the state of the specified time | +> | Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action | Approve Private Endpoint Connections | +> | Microsoft.Storage/storageAccounts/failover/action | Customer is able to control the failover in case of availability issues | +> | Microsoft.Storage/storageAccounts/listkeys/action | Returns the access keys for the specified storage account. | +> | Microsoft.Storage/storageAccounts/regeneratekey/action | Regenerates the access keys for the specified storage account. | +> | Microsoft.Storage/storageAccounts/rotateKey/action | | +> | Microsoft.Storage/storageAccounts/revokeUserDelegationKeys/action | Revokes all the user delegation keys for the specified storage account. | +> | Microsoft.Storage/storageAccounts/joinPerimeter/action | Access check for joining Network Security Perimeter | +> | Microsoft.Storage/storageAccounts/delete | Deletes an existing storage account. | +> | Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. | +> | Microsoft.Storage/storageAccounts/listAccountSas/action | Returns the Account SAS token for the specified storage account. 
| +> | Microsoft.Storage/storageAccounts/listServiceSas/action | Returns the Service SAS token for the specified storage account. | +> | Microsoft.Storage/storageAccounts/write | Creates a storage account with the specified parameters or update the properties or tags or adds custom domain for the specified storage account. | +> | Microsoft.Storage/storageAccounts/accountLocks/deleteLock/action | | +> | Microsoft.Storage/storageAccounts/accountLocks/read | | +> | Microsoft.Storage/storageAccounts/accountLocks/write | | +> | Microsoft.Storage/storageAccounts/accountLocks/delete | | +> | Microsoft.Storage/storageAccounts/accountMigrations/read | | +> | Microsoft.Storage/storageAccounts/accountMigrations/write | Customer is able to update their storage account redundancy for increased resiliency | +> | Microsoft.Storage/storageAccounts/blobServices/read | List blob services | +> | Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the blob service | +> | Microsoft.Storage/storageAccounts/blobServices/write | Returns the result of put blob service properties | +> | Microsoft.Storage/storageAccounts/blobServices/read | Returns blob service properties or statistics | +> | Microsoft.Storage/storageAccounts/blobServices/containers/migrate/action | | +> | Microsoft.Storage/storageAccounts/blobServices/containers/write | Returns the result of patch blob container | +> | Microsoft.Storage/storageAccounts/blobServices/containers/delete | Returns the result of deleting a container | +> | Microsoft.Storage/storageAccounts/blobServices/containers/read | Returns a container | +> | Microsoft.Storage/storageAccounts/blobServices/containers/read | Returns list of containers | +> | Microsoft.Storage/storageAccounts/blobServices/containers/lease/action | Returns the result of leasing blob container | +> | Microsoft.Storage/storageAccounts/blobServices/containers/write | Returns the result of put blob container | +> | 
Microsoft.Storage/storageAccounts/blobServices/containers/clearLegalHold/action | Clear blob container legal hold | +> | Microsoft.Storage/storageAccounts/blobServices/containers/setLegalHold/action | Set blob container legal hold | +> | Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/extend/action | Extend blob container immutability policy | +> | Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/delete | Delete blob container immutability policy | +> | Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/write | Put blob container immutability policy | +> | Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/lock/action | Lock blob container immutability policy | +> | Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/read | Get blob container immutability policy | +> | Microsoft.Storage/storageAccounts/blobServices/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource. | +> | Microsoft.Storage/storageAccounts/blobServices/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource. | +> | Microsoft.Storage/storageAccounts/blobServices/providers/Microsoft.Insights/logDefinitions/read | Gets the log definition for Blob | +> | Microsoft.Storage/storageAccounts/blobServices/providers/Microsoft.Insights/metricDefinitions/read | Get list of Microsoft Storage Metrics definitions. 
| +> | Microsoft.Storage/storageAccounts/consumerDataSharePolicies/read | | +> | Microsoft.Storage/storageAccounts/consumerDataSharePolicies/write | | +> | Microsoft.Storage/storageAccounts/dataSharePolicies/delete | | +> | Microsoft.Storage/storageAccounts/dataSharePolicies/read | | +> | Microsoft.Storage/storageAccounts/dataSharePolicies/write | | +> | Microsoft.Storage/storageAccounts/encryptionScopes/read | | +> | Microsoft.Storage/storageAccounts/encryptionScopes/write | | +> | Microsoft.Storage/storageAccounts/encryptionScopes/hoboConfigurations/read | | +> | Microsoft.Storage/storageAccounts/encryptionScopes/hoboConfigurations/write | | +> | Microsoft.Storage/storageAccounts/fileServices/read | List file services | +> | Microsoft.Storage/storageAccounts/fileServices/write | Put file service properties | +> | Microsoft.Storage/storageAccounts/fileServices/read | Get file service properties | +> | Microsoft.Storage/storageAccounts/fileServices/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource. | +> | Microsoft.Storage/storageAccounts/fileServices/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource. | +> | Microsoft.Storage/storageAccounts/fileServices/providers/Microsoft.Insights/logDefinitions/read | Gets the log definition for File | +> | Microsoft.Storage/storageAccounts/fileServices/providers/Microsoft.Insights/metricDefinitions/read | Get list of Microsoft Storage Metrics definitions. 
| +> | Microsoft.Storage/storageAccounts/fileServices/shares/delete | Delete file share | +> | Microsoft.Storage/storageAccounts/fileServices/shares/read | Get file share | +> | Microsoft.Storage/storageAccounts/fileServices/shares/lease/action | | +> | Microsoft.Storage/storageAccounts/fileServices/shares/read | List file shares | +> | Microsoft.Storage/storageAccounts/fileServices/shares/write | Create or update file share | +> | Microsoft.Storage/storageAccounts/fileServices/shares/restore/action | Restore file share | +> | Microsoft.Storage/storageAccounts/hoboConfigurations/read | | +> | Microsoft.Storage/storageAccounts/hoboConfigurations/write | | +> | Microsoft.Storage/storageAccounts/inventoryPolicies/delete | | +> | Microsoft.Storage/storageAccounts/inventoryPolicies/read | | +> | Microsoft.Storage/storageAccounts/inventoryPolicies/write | | +> | Microsoft.Storage/storageAccounts/localUsers/delete | Delete local user | +> | Microsoft.Storage/storageAccounts/localusers/regeneratePassword/action | | +> | Microsoft.Storage/storageAccounts/localusers/listKeys/action | List local user keys | +> | Microsoft.Storage/storageAccounts/localusers/read | List local users | +> | Microsoft.Storage/storageAccounts/localusers/read | Get local user | +> | Microsoft.Storage/storageAccounts/localusers/write | Create or update local user | +> | Microsoft.Storage/storageAccounts/managementPolicies/delete | Delete storage account management policies | +> | Microsoft.Storage/storageAccounts/managementPolicies/read | Get storage management account policies | +> | Microsoft.Storage/storageAccounts/managementPolicies/write | Put storage account management policies | +> | Microsoft.Storage/storageAccounts/networkSecurityPerimeterAssociationProxies/delete | | +> | Microsoft.Storage/storageAccounts/networkSecurityPerimeterAssociationProxies/read | | +> | Microsoft.Storage/storageAccounts/networkSecurityPerimeterAssociationProxies/write | | +> | 
Microsoft.Storage/storageAccounts/networkSecurityPerimeterConfigurations/read | | +> | Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete | Delete object replication policy | +> | Microsoft.Storage/storageAccounts/objectReplicationPolicies/read | Get object replication policy | +> | Microsoft.Storage/storageAccounts/objectReplicationPolicies/read | List object replication policies | +> | Microsoft.Storage/storageAccounts/objectReplicationPolicies/write | Create or update object replication policy | +> | Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write | Create object replication restore point marker | +> | Microsoft.Storage/storageAccounts/privateEndpointConnectionProxies/read | Get Private Endpoint Connection Proxy | +> | Microsoft.Storage/storageAccounts/privateEndpointConnectionProxies/updatePrivateEndpointProperties/action | Update storage account private endpoint properties | +> | Microsoft.Storage/storageAccounts/privateEndpointConnectionProxies/delete | Delete Private Endpoint Connection Proxies | +> | Microsoft.Storage/storageAccounts/privateEndpointConnectionProxies/write | Put Private Endpoint Connection Proxies | +> | Microsoft.Storage/storageAccounts/privateEndpointConnections/read | List Private Endpoint Connections | +> | Microsoft.Storage/storageAccounts/privateEndpointConnections/delete | Delete Private Endpoint Connection | +> | Microsoft.Storage/storageAccounts/privateEndpointConnections/read | Get Private Endpoint Connection | +> | Microsoft.Storage/storageAccounts/privateEndpointConnections/write | Put Private Endpoint Connection | +> | Microsoft.Storage/storageAccounts/privateEndpoints/move/action | | +> | Microsoft.Storage/storageAccounts/privateLinkResources/read | Get StorageAccount groupids | +> | Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource. 
| +> | Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource. | +> | Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/metricDefinitions/read | Get list of Microsoft Storage Metrics definitions. | +> | Microsoft.Storage/storageAccounts/queueServices/read | | +> | Microsoft.Storage/storageAccounts/queueServices/write | | +> | Microsoft.Storage/storageAccounts/queueServices/read | Get Queue service properties | +> | Microsoft.Storage/storageAccounts/queueServices/read | Returns queue service properties or statistics. | +> | Microsoft.Storage/storageAccounts/queueServices/write | Returns the result of setting queue service properties | +> | Microsoft.Storage/storageAccounts/queueServices/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource. | +> | Microsoft.Storage/storageAccounts/queueServices/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource. | +> | Microsoft.Storage/storageAccounts/queueServices/providers/Microsoft.Insights/logDefinitions/read | Gets the log definition for Queue | +> | Microsoft.Storage/storageAccounts/queueServices/providers/Microsoft.Insights/metricDefinitions/read | Get list of Microsoft Storage Metrics definitions. | +> | Microsoft.Storage/storageAccounts/queueServices/queues/delete | | +> | Microsoft.Storage/storageAccounts/queueServices/queues/read | | +> | Microsoft.Storage/storageAccounts/queueServices/queues/write | | +> | Microsoft.Storage/storageAccounts/queueServices/queues/read | Returns a queue or a list of queues. 
| +> | Microsoft.Storage/storageAccounts/queueServices/queues/write | Returns the result of writing a queue | +> | Microsoft.Storage/storageAccounts/queueServices/queues/delete | Returns the result of deleting a queue | +> | Microsoft.Storage/storageAccounts/reports/read | | +> | Microsoft.Storage/storageAccounts/restorePoints/delete | Delete object replication restore point | +> | Microsoft.Storage/storageAccounts/restorePoints/read | Get object replication restore point | +> | Microsoft.Storage/storageAccounts/restorePoints/read | List object replication restore points | +> | Microsoft.Storage/storageAccounts/services/diagnosticSettings/write | Create/Update storage account diagnostic settings. | +> | Microsoft.Storage/storageAccounts/storageTaskAssignments/delete | | +> | Microsoft.Storage/storageAccounts/storageTaskAssignments/read | | +> | Microsoft.Storage/storageAccounts/storageTaskAssignments/write | | +> | Microsoft.Storage/storageAccounts/storageTaskAssignments/reports/read | | +> | Microsoft.Storage/storageAccounts/tableServices/read | | +> | Microsoft.Storage/storageAccounts/tableServices/read | Get Table service properties | +> | Microsoft.Storage/storageAccounts/tableServices/write | | +> | Microsoft.Storage/storageAccounts/tableServices/read | Get table service properties or statistics | +> | Microsoft.Storage/storageAccounts/tableServices/write | Set table service properties | +> | Microsoft.Storage/storageAccounts/tableServices/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource. | +> | Microsoft.Storage/storageAccounts/tableServices/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource. 
| +> | Microsoft.Storage/storageAccounts/tableServices/providers/Microsoft.Insights/logDefinitions/read | Gets the log definition for Table | +> | Microsoft.Storage/storageAccounts/tableServices/providers/Microsoft.Insights/metricDefinitions/read | Get list of Microsoft Storage Metrics definitions. | +> | Microsoft.Storage/storageAccounts/tableServices/tables/delete | | +> | Microsoft.Storage/storageAccounts/tableServices/tables/read | | +> | Microsoft.Storage/storageAccounts/tableServices/tables/write | | +> | Microsoft.Storage/storageAccounts/tableServices/tables/read | Query tables | +> | Microsoft.Storage/storageAccounts/tableServices/tables/write | Create tables | +> | Microsoft.Storage/storageAccounts/tableServices/tables/delete | Delete tables | +> | Microsoft.Storage/storageTasks/delete | Deletes an existing storage task | +> | Microsoft.Storage/storageTasks/read | Gets the properties for the specified storage task | +> | Microsoft.Storage/storageTasks/promote/action | Promote specific version of storage task to current version | +> | Microsoft.Storage/storageTasks/write | Creates or updates storage task | +> | Microsoft.Storage/storageTasks/reports/read | List run statuses of a storage task | +> | Microsoft.Storage/storageTasks/storageTaskAssignments/read | List all storage task assignments of a storage task | +> | Microsoft.Storage/storageTasks/versions/read | List all versions of a storage task | +> | Microsoft.Storage/usages/read | Returns the limit and the current usage count for resources in the specified subscription | +> | **DataAction** | **Description** | +> | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs | +> | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | Returns the result of writing a blob | +> | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | Returns the result of deleting a blob | +> | 
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action | Returns the result of deleting a blob version | +> | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/permanentDelete/action | | +> | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action | Returns the result of adding blob content | +> | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action | Returns the list of blobs under an account with matching tags filter | +> | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action | Moves the blob from one path to another | +> | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action | Changes ownership of the blob | +> | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action | Modifies permissions of the blob | +> | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action | Returns the result of the blob command | +> | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action | | +> | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read | Returns the result of reading blob tags | +> | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write | Returns the result of writing blob tags | +> | Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action | Read File Backup Sematics Privilege | +> | Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action | Write File Backup Sematics Privilege | +> | Microsoft.Storage/storageAccounts/fileServices/takeOwnership/action | File Take Ownership Privilege | +> | Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders | +> | Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write | Returns the result of writing a file or creating 
a folder | +> | Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete | Returns the result of deleting a file/folder | +> | Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action | Returns the result of modifying permission on a file/folder | +> | Microsoft.Storage/storageAccounts/fileServices/fileshares/files/actassuperuser/action | Get File Admin Privileges | +> | Microsoft.Storage/storageAccounts/queueServices/queues/messages/read | Returns a message | +> | Microsoft.Storage/storageAccounts/queueServices/queues/messages/write | Returns the result of writing a message | +> | Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete | Returns the result of deleting a message | +> | Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action | Returns the result of adding a message | +> | Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action | Returns the result of processing a message | +> | Microsoft.Storage/storageAccounts/tableServices/tables/entities/read | Query table entities | +> | Microsoft.Storage/storageAccounts/tableServices/tables/entities/write | Insert, merge, or replace table entities | +> | Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete | Delete table entities | +> | Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action | Insert table entities | +> | Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action | Merge or update table entities | ++## Microsoft.StorageCache ++Azure service: [Azure HPC Cache](/azure/hpc-cache/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.StorageCache/register/action | Registers the subscription for the storage cache resource provider and enables creation of Azure HPC Cache resources | +> | Microsoft.StorageCache/preflight/action | | +> | Microsoft.StorageCache/checkAmlFSSubnets/action | Validates the subnets for 
Amlfilesystem | +> | Microsoft.StorageCache/getRequiredAmlFSSubnetsSize/action | Calculate the number of ips needed | +> | Microsoft.StorageCache/unregister/action | Azure HPC Cache resource provider | +> | Microsoft.StorageCache/amlFilesystems/read | Gets the properties of an amlfilesystem | +> | Microsoft.StorageCache/amlFilesystems/write | Creates a new amlfilesystem, or updates an existing one | +> | Microsoft.StorageCache/amlFilesystems/delete | Deletes the amlfilesystem instance | +> | Microsoft.StorageCache/amlFilesystems/Archive/action | Archive the data in the amlfilesystem | +> | Microsoft.StorageCache/amlFilesystems/CancelArchive/action | Cancel archiving the amlfilesystem | +> | Microsoft.StorageCache/caches/write | Creates a new cache, or updates an existing one | +> | Microsoft.StorageCache/caches/read | Gets the properties of a cache | +> | Microsoft.StorageCache/caches/delete | Deletes the cache instance | +> | Microsoft.StorageCache/caches/Upgrade/action | Upgrades OS software for the cache | +> | Microsoft.StorageCache/caches/Start/action | Starts the cache | +> | Microsoft.StorageCache/caches/Stop/action | Stops the cache | +> | Microsoft.StorageCache/caches/debugInfo/action | Creates support information (GSI) or debug information for a cache. 
| +> | Microsoft.StorageCache/caches/spaceAllocation/action | | +> | Microsoft.StorageCache/caches/addPrimingJob/action | Adds a priming job to the cache | +> | Microsoft.StorageCache/caches/startPrimingJob/action | | +> | Microsoft.StorageCache/caches/removePrimingJob/action | Removes a primining job from the cache | +> | Microsoft.StorageCache/caches/stopPrimingJob/action | | +> | Microsoft.StorageCache/caches/pausePrimingJob/action | Pauses a running priming job in the cache | +> | Microsoft.StorageCache/caches/resumePrimingJob/action | Resumes a paused priming job in the cache | +> | Microsoft.StorageCache/caches/Flush/action | Flushes cached data to storage targets | +> | Microsoft.StorageCache/caches/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the Cache. | +> | Microsoft.StorageCache/caches/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the Cache. | +> | Microsoft.StorageCache/caches/providers/Microsoft.Insights/logDefinitions/read | Gets the log definitions for the StorageCache | +> | Microsoft.StorageCache/caches/providers/Microsoft.Insights/metricDefinitions/read | Reads Cache Metric Definitions. | +> | Microsoft.StorageCache/caches/storageTargets/write | Creates a new storage target in the cache, or updates an existing one | +> | Microsoft.StorageCache/caches/storageTargets/read | Gets properties of a storage target in the cache | +> | Microsoft.StorageCache/caches/storageTargets/delete | Deletes a cache storage target | +> | Microsoft.StorageCache/caches/storageTargets/dnsRefersh/action | Updates the storage target IP address from a custom DNS server or from an Azure Storage private endpoint | +> | Microsoft.StorageCache/caches/storageTargets/flush/action | | +> | Microsoft.StorageCache/caches/storageTargets/suspend/action | Disables client access to a cache's storage target. But doesn't permanently remove the storage target from the cache. 
| +> | Microsoft.StorageCache/caches/storageTargets/resume/action | Puts a suspended storage target back into service | +> | Microsoft.StorageCache/caches/storageTargets/invalidate/action | Marks all cached files from the cache's storage target as out of date. The next time a client requests these files, they will be fetched from the back-end storage system. | +> | Microsoft.StorageCache/caches/storageTargets/restoreDefaults/action | Restores the Cache's storage target's settings to their default values | +> | Microsoft.StorageCache/caches/storageTargetsLists/read | Lists the cache's storage targets | +> | Microsoft.StorageCache/locations/ascOperations/read | Gets the status of an asynchronous operation for the Azure HPC cache | +> | Microsoft.StorageCache/operations/read | Lists operations available for the Azure HPC Cache | +> | Microsoft.StorageCache/ResourceGroup/amlFilesystems/read | Lists existing amlfilesystem instances in the resource group | +> | Microsoft.StorageCache/ResourceGroup/caches/read | Lists existing cache instances in the resource group | +> | Microsoft.StorageCache/skus/read | Lists all valid SKUs for the cache | +> | Microsoft.StorageCache/Subscription/amlFilesystems/read | Lists existing amlfilesystems in the subscription | +> | Microsoft.StorageCache/Subscription/caches/read | Lists existing caches in the subscription | +> | Microsoft.StorageCache/usageModels/read | Lists available usage models for NFS storage targets in this cache | +> | Microsoft.StorageCache/usages/read | Lists the usage quota for cache or Amlfilesystem | ++## Microsoft.StorageSync ++Azure service: [Storage](/azure/storage/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.StorageSync/register/action | Registers the subscription for the Storage Sync Provider | +> | Microsoft.StorageSync/unregister/action | Unregisters the subscription for the Storage Sync Provider | +> | Microsoft.StorageSync/locations/checkNameAvailability/action | 
Checks that storage sync service name is valid and is not in use. | +> | Microsoft.StorageSync/locations/operationresults/read | Gets the result for an asynchronous operation | +> | Microsoft.StorageSync/locations/operations/read | Gets the status for an azure asynchronous operation | +> | Microsoft.StorageSync/locations/workflows/operations/read | Gets the status of an asynchronous operation | +> | Microsoft.StorageSync/operations/read | Gets a list of the Supported Operations | +> | Microsoft.StorageSync/storageSyncServices/read | Read any Storage Sync Services | +> | Microsoft.StorageSync/storageSyncServices/write | Create or Update any Storage Sync Services | +> | Microsoft.StorageSync/storageSyncServices/delete | Delete any Storage Sync Services | +> | Microsoft.StorageSync/storageSyncServices/privateEndpointConnectionProxies/validate/action | Validate any Private Endpoint ConnectionProxies | +> | Microsoft.StorageSync/storageSyncServices/privateEndpointConnectionProxies/read | Read any Private Endpoint ConnectionProxies | +> | Microsoft.StorageSync/storageSyncServices/privateEndpointConnectionProxies/write | Create or Update any Private Endpoint ConnectionProxies | +> | Microsoft.StorageSync/storageSyncServices/privateEndpointConnectionProxies/delete | Delete any Private Endpoint ConnectionProxies | +> | Microsoft.StorageSync/storageSyncServices/privateEndpointConnections/read | Read any Private Endpoint Connections | +> | Microsoft.StorageSync/storageSyncServices/privateEndpointConnections/write | Create or Update any Private Endpoint Connections | +> | Microsoft.StorageSync/storageSyncServices/privateEndpointConnections/delete | Delete any Private Endpoint Connections | +> | Microsoft.StorageSync/storageSyncServices/privateLinkResources/read | Read any Private Link Resources | +> | Microsoft.StorageSync/storageSyncServices/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Storage Sync Services | +> | 
Microsoft.StorageSync/storageSyncServices/registeredServers/read | Read any Registered Server | +> | Microsoft.StorageSync/storageSyncServices/registeredServers/write | Create or Update any Registered Server | +> | Microsoft.StorageSync/storageSyncServices/registeredServers/delete | Delete any Registered Server | +> | Microsoft.StorageSync/storageSyncServices/syncGroups/read | Read any Sync Groups | +> | Microsoft.StorageSync/storageSyncServices/syncGroups/write | Create or Update any Sync Groups | +> | Microsoft.StorageSync/storageSyncServices/syncGroups/delete | Delete any Sync Groups | +> | Microsoft.StorageSync/storageSyncServices/syncGroups/cloudEndpoints/read | Read any Cloud Endpoints | +> | Microsoft.StorageSync/storageSyncServices/syncGroups/cloudEndpoints/write | Create or Update any Cloud Endpoints | +> | Microsoft.StorageSync/storageSyncServices/syncGroups/cloudEndpoints/delete | Delete any Cloud Endpoints | +> | Microsoft.StorageSync/storageSyncServices/syncGroups/cloudEndpoints/prebackup/action | Call this action before backup | +> | Microsoft.StorageSync/storageSyncServices/syncGroups/cloudEndpoints/postbackup/action | Call this action after backup | +> | Microsoft.StorageSync/storageSyncServices/syncGroups/cloudEndpoints/prerestore/action | Call this action before restore | +> | Microsoft.StorageSync/storageSyncServices/syncGroups/cloudEndpoints/postrestore/action | Call this action after restore | +> | Microsoft.StorageSync/storageSyncServices/syncGroups/cloudEndpoints/restoreheartbeat/action | Restore heartbeat | +> | Microsoft.StorageSync/storageSyncServices/syncGroups/cloudEndpoints/triggerChangeDetection/action | Call this action to trigger detection of changes on a cloud endpoint's file share | +> | Microsoft.StorageSync/storageSyncServices/syncGroups/cloudEndpoints/afssharemetadatacertificatepublickeys/read | Gets the public keys info for AfsShareMetadata certificate | +> | 
Microsoft.StorageSync/storageSyncServices/syncGroups/cloudEndpoints/operationresults/read | Gets the status of an asynchronous backup/restore operation | +> | Microsoft.StorageSync/storageSyncServices/syncGroups/serverEndpoints/read | Read any Server Endpoints | +> | Microsoft.StorageSync/storageSyncServices/syncGroups/serverEndpoints/write | Create or Update any Server Endpoints | +> | Microsoft.StorageSync/storageSyncServices/syncGroups/serverEndpoints/delete | Delete any Server Endpoints | +> | Microsoft.StorageSync/storageSyncServices/syncGroups/serverEndpoints/recallAction/action | Call this action to recall files to a server | +> | Microsoft.StorageSync/storageSyncServices/workflows/read | Read Workflows | +> | Microsoft.StorageSync/storageSyncServices/workflows/operationresults/read | Gets the status of an asynchronous operation | +> | Microsoft.StorageSync/storageSyncServices/workflows/operations/read | Gets the status of an asynchronous operation | ++## Next steps ++- [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types) |
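Review bot: several Description cells in the Microsoft.Storage and Microsoft.StorageCache tables are empty and should be filled in before this lands, since this page is what an administrator consults when deciding which actions to place in a custom role: `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/permanentDelete/action`, `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action`, `Microsoft.StorageCache/preflight/action`, `Microsoft.StorageCache/caches/spaceAllocation/action`, the `startPrimingJob` and `stopPrimingJob` actions, and `Microsoft.StorageCache/caches/storageTargets/flush/action`. The two blob actions matter most, because judging by their names they grant permanent deletion and a super-user path around immutability, and a reader scoping a least-privilege role has no text telling them that. In the same tables, `Microsoft.StorageCache/unregister/action` is described only as "Azure HPC Cache resource provider", which lacks its verb (compare the register/action row directly above it); the `readFileBackupSemantics` and `writeFileBackupSemantics` rows spell the word "Sematics"; and the `removePrimingJob` row reads "primining" instead of "priming".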
role-based-access-control | Web And Mobile | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/permissions/web-and-mobile.md | + + Title: Azure permissions for Web and Mobile - Azure RBAC +description: Lists the permissions for the Azure resource providers in the Web and Mobile category. +++++ Last updated : 02/07/2024++++# Azure permissions for Web and Mobile ++This article lists the permissions for the Azure resource providers in the Web and Mobile category. You can use these permissions in your own [Azure custom roles](/azure/role-based-access-control/custom-roles) to provide granular access control to resources in Azure. Permission strings have the following format: `{Company}.{ProviderName}/{resourceType}/{action}` +++## Microsoft.AppPlatform ++Azure service: [Azure Spring Apps](/azure/spring-apps/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.AppPlatform/register/action | Register the subscription to the Microsoft.AppPlatform resource provider | +> | Microsoft.AppPlatform/unregister/action | Unregister the subscription from the Microsoft.AppPlatform resource provider | +> | Microsoft.AppPlatform/locations/checkNameAvailability/action | Check resource name availability | +> | Microsoft.AppPlatform/locations/operationResults/Spring/read | Read resource operation result | +> | Microsoft.AppPlatform/locations/operationStatus/operationId/read | Read resource operation status | +> | Microsoft.AppPlatform/operations/read | List available operations of Microsoft Azure Spring Apps | +> | Microsoft.AppPlatform/runtimeVersions/read | Get runtime versions of Microsoft Azure Spring Apps | +> | Microsoft.AppPlatform/skus/read | List available skus of Microsoft Azure Spring Apps | +> | Microsoft.AppPlatform/Spring/write | Create or Update a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/delete | Delete a specific Azure Spring Apps service instance | +> | 
Microsoft.AppPlatform/Spring/read | Get Azure Spring Apps service instance(s) | +> | Microsoft.AppPlatform/Spring/listTestKeys/action | List test keys for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/regenerateTestKey/action | Regenerate test key for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/disableTestEndpoint/action | Disable test endpoint functionality for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/enableTestEndpoint/action | Enable test endpoint functionality for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/stop/action | Stop a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/start/action | Start a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/configServers/action | Validate the config server settings for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/enableApmGlobally/action | Enable APM globally for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/disableApmGlobally/action | Disable APM globally for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/listGloballyEnabledApms/action | List globally enabled APMs for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/apiPortals/read | Get the API portal for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/apiPortals/write | Create or update the API portal for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/apiPortals/delete | Delete the API portal for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/apiPortals/validateDomain/action | Validate the API portal domain for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/apiPortals/domains/read | 
Get the API portal domain for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/apiPortals/domains/write | Create or update the API portal domain for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/apiPortals/domains/delete | Delete the API portal domain for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/apms/read | Get the APM for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/apms/write | Create or update the APM for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/apms/delete | Delete the APM for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/apms/listSecretKeys/action | List the secret keys for a specific Azure Spring Apps service instance APM | +> | Microsoft.AppPlatform/Spring/applicationAccelerators/read | Get the Application Accelerator for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/applicationAccelerators/write | Create or update Application Accelerator for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/applicationAccelerators/delete | Delete Application Accelerator for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/applicationAccelerators/customizedAccelerators/read | Get the Customized Accelerator for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/applicationAccelerators/customizedAccelerators/write | Create or update Customized Accelerator for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/applicationAccelerators/customizedAccelerators/delete | Delete Customized Accelerator for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/applicationAccelerators/customizedAccelerators/validate/action | Validate Customized Accelerator for a specific Azure 
Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/applicationAccelerators/predefinedAccelerators/read | Get the Predefined Accelerator for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/applicationAccelerators/predefinedAccelerators/disable/action | Disable Predefined Accelerator for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/applicationAccelerators/predefinedAccelerators/enable/action | Enable Predefined Accelerator for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/applicationLiveViews/read | Get the Application Live View for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/applicationLiveViews/write | Create or update Application Live View for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/applicationLiveViews/delete | Delete Application Live View for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/apps/write | Create or update the application for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/apps/delete | Delete the application for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/apps/read | Get the applications for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/apps/getResourceUploadUrl/action | Get the resource upload URL of a specific Microsoft Azure Spring Apps application | +> | Microsoft.AppPlatform/Spring/apps/validateDomain/action | Validate the custom domain for a specific application | +> | Microsoft.AppPlatform/Spring/apps/setActiveDeployments/action | Set active deployments for a specific Microsoft Azure Spring Apps application | +> | Microsoft.AppPlatform/Spring/apps/validate/action | Validate the container registry for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/apps/bindings/write | 
Create or update the binding for a specific application | +> | Microsoft.AppPlatform/Spring/apps/bindings/delete | Delete the binding for a specific application | +> | Microsoft.AppPlatform/Spring/apps/bindings/read | Get the bindings for a specific application | +> | Microsoft.AppPlatform/Spring/apps/connectorProps/read | Get the service connectors for a specific application | +> | Microsoft.AppPlatform/Spring/apps/connectorProps/write | Create or update the service connector for a specific application | +> | Microsoft.AppPlatform/Spring/apps/connectorProps/delete | Delete the service connector for a specific application | +> | Microsoft.AppPlatform/Spring/apps/deployments/write | Create or update the deployment for a specific application | +> | Microsoft.AppPlatform/Spring/apps/deployments/delete | Delete the deployment for a specific application | +> | Microsoft.AppPlatform/Spring/apps/deployments/read | Get the deployments for a specific application | +> | Microsoft.AppPlatform/Spring/apps/deployments/start/action | Start the deployment for a specific application | +> | Microsoft.AppPlatform/Spring/apps/deployments/stop/action | Stop the deployment for a specific application | +> | Microsoft.AppPlatform/Spring/apps/deployments/restart/action | Restart the deployment for a specific application | +> | Microsoft.AppPlatform/Spring/apps/deployments/getLogFileUrl/action | Get the log file URL of a specific Microsoft Azure Spring Apps application deployment | +> | Microsoft.AppPlatform/Spring/apps/deployments/generateHeapDump/action | Generate heap dump for a specific application | +> | Microsoft.AppPlatform/Spring/apps/deployments/generateThreadDump/action | Generate thread dump for a specific application | +> | Microsoft.AppPlatform/Spring/apps/deployments/startJFR/action | Start JFR for a specific application | +> | Microsoft.AppPlatform/Spring/apps/deployments/enableRemoteDebugging/action | Enable remote debugging for a specific application | +> | 
Microsoft.AppPlatform/Spring/apps/deployments/disableRemoteDebugging/action | Disable remote debugging for a specific application | +> | Microsoft.AppPlatform/Spring/apps/deployments/getRemoteDebuggingConfig/action | Get remote debugging configuration for a specific application | +> | Microsoft.AppPlatform/Spring/apps/deployments/connectorProps/read | Get the service connectors for a specific deployment | +> | Microsoft.AppPlatform/Spring/apps/deployments/connectorProps/write | Create or update the service connector for a specific deployment | +> | Microsoft.AppPlatform/Spring/apps/deployments/connectorProps/delete | Delete the service connector for a specific deployment | +> | Microsoft.AppPlatform/Spring/apps/deployments/operationResults/read | Read resource operation result | +> | Microsoft.AppPlatform/Spring/apps/deployments/operationStatuses/read | Read resource operation Status | +> | Microsoft.AppPlatform/Spring/apps/deployments/skus/read | List available skus of an application deployment | +> | Microsoft.AppPlatform/Spring/apps/domains/write | Create or update the custom domain for a specific application | +> | Microsoft.AppPlatform/Spring/apps/domains/delete | Delete the custom domain for a specific application | +> | Microsoft.AppPlatform/Spring/apps/domains/read | Get the custom domains for a specific application | +> | Microsoft.AppPlatform/Spring/apps/operationResults/read | Read resource operation result | +> | Microsoft.AppPlatform/Spring/apps/operationStatuses/read | Read resource operation Status | +> | Microsoft.AppPlatform/Spring/buildpackBindings/read | Get the BuildpackBinding for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/buildServices/read | Get the Build Services for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/buildServices/getResourceUploadUrl/action | Get the Upload URL of a specific Microsoft Azure Spring Apps build | +> | 
Microsoft.AppPlatform/Spring/buildServices/write | Create or Update the Build Services for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/buildServices/agentPools/read | Get the Agent Pools for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/buildServices/agentPools/write | Create or update the Agent Pools for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/buildServices/builders/read | Get the Builders for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/buildServices/builders/write | Create or update the Builders for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/buildServices/builders/delete | Delete the Builders for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/buildServices/builders/listUsingDeployments/action | List deployments using the Builders for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings/read | Get the BuildpackBinding for a specific Azure Spring Apps service instance Builder | +> | Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings/write | Create or update the BuildpackBinding for a specific Azure Spring Apps service instance Builder | +> | Microsoft.AppPlatform/Spring/buildServices/builders/buildpackBindings/delete | Delete the BuildpackBinding for a specific Azure Spring Apps service instance Builder | +> | Microsoft.AppPlatform/Spring/buildServices/builds/read | Get the Builds for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/buildServices/builds/write | Create or update the Builds for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/buildServices/builds/delete | Delete the Builds for a specific Azure Spring Apps service instance | +> | 
Microsoft.AppPlatform/Spring/buildServices/builds/results/read | Get the Build Results for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/buildServices/builds/results/getLogFileUrl/action | Get the Log File URL of a specific Microsoft Azure Spring Apps build result | +> | Microsoft.AppPlatform/Spring/buildServices/supportedBuildpacks/read | Get the Supported Buildpacks for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/buildServices/supportedStacks/read | Get the Supported Stacks for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/certificates/write | Create or update the certificate for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/certificates/delete | Delete the certificate for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/certificates/read | Get the certificates for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/configServers/read | Get the config server for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/configServers/write | Create or update the config server for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/configServers/operationResults/read | Read resource operation result | +> | Microsoft.AppPlatform/Spring/configServers/operationStatuses/read | Read resource operation Status | +> | Microsoft.AppPlatform/Spring/configurationServices/read | Get the Application Configuration Services for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/configurationServices/write | Create or update the Application Configuration Service for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/configurationServices/delete | Delete the Application Configuration Service for a specific Azure Spring Apps service instance | +> | 
Microsoft.AppPlatform/Spring/configurationServices/validate/action | Validate the settings for a specific Application Configuration Service | +> | Microsoft.AppPlatform/Spring/configurationServices/validateResource/action | Validate the resource for a specific Application Configuration Service | +> | Microsoft.AppPlatform/Spring/containerRegistries/read | Get the container registry for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/containerRegistries/write | Create or update the container registry for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/containerRegistries/delete | Delete the container registry for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/deployments/read | Get the deployments for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/detectors/read | Get the detectors for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/devToolPortals/read | Get the Dev Tool Portal for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/devToolPortals/write | Create or update Dev Tool Portal for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/devToolPortals/delete | Delete Dev Tool Portal for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/gateways/read | Get the Spring Cloud Gateways for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/gateways/write | Create or update the Spring Cloud Gateway for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/gateways/delete | Delete the Spring Cloud Gateway for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/gateways/validateDomain/action | Validate the Spring Cloud Gateway domain for a specific Azure Spring Apps service instance | +> | 
Microsoft.AppPlatform/Spring/gateways/listEnvSecrets/action | List environment variables secret of the Spring Cloud Gateway for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/gateways/restart/action | Restart the Spring Cloud Gateway for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/gateways/domains/read | Get the Spring Cloud Gateways domain for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/gateways/domains/write | Create or update the Spring Cloud Gateway domain for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/gateways/domains/delete | Delete the Spring Cloud Gateway domain for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/gateways/routeConfigs/read | Get the Spring Cloud Gateway route config for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/gateways/routeConfigs/write | Create or update the Spring Cloud Gateway route config for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/gateways/routeConfigs/delete | Delete the Spring Cloud Gateway route config for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/monitoringSettings/read | Get the monitoring setting for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/monitoringSettings/write | Create or update the monitoring setting for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/operationResults/read | Read resource operation result | +> | Microsoft.AppPlatform/Spring/operationStatuses/read | Read resource operation Status | +> | Microsoft.AppPlatform/Spring/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostic settings for a specific Azure Spring Apps service instance | +> | 
Microsoft.AppPlatform/Spring/providers/Microsoft.Insights/diagnosticSettings/write | Create or update the diagnostic settings for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/providers/Microsoft.Insights/logDefinitions/read | Get definitions of logs from Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/providers/Microsoft.Insights/metricDefinitions/read | Get definitions of metrics from Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/serviceRegistries/read | Get the Service Registrys for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/serviceRegistries/write | Create or update the Service Registry for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/serviceRegistries/delete | Delete the Service Registry for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/storages/write | Create or update the storage for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/storages/delete | Delete the storage for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/storages/read | Get storage for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/supportedApmTypes/read | List the supported APM types for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/supportedServerVersions/read | List the supported server versions for a specific Azure Spring Apps service instance | +> | **DataAction** | **Description** | +> | Microsoft.AppPlatform/Spring/ApplicationConfigurationService/logstream/action | Read the streaming log of all subcomponents in Application Configuration Service from a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/apps/deployments/remotedebugging/action | Remote debugging app instance for a specific application | +> | 
Microsoft.AppPlatform/Spring/apps/deployments/connect/action | Connect to an instance for a specific application | +> | Microsoft.AppPlatform/Spring/configService/read | Read the configuration content(for example, application.yaml) for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/configService/write | Write config server content for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/configService/delete | Delete config server content for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/eurekaService/read | Read the user app(s) registration information for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/eurekaService/write | Write the user app(s) registration information for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/eurekaService/delete | Delete the user app registration information for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/logstreamService/read | Read the streaming log of user app for a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/managedComponents/logstream/action | Read the streaming log of all managed components (e.g. 
Application Configuration Service, Spring Cloud Gateway) from a specific Azure Spring Apps service instance | +> | Microsoft.AppPlatform/Spring/SpringCloudGateway/logstream/action | Read the streaming log of Spring Cloud Gateway from a specific Azure Spring Apps service instance | ++## Microsoft.CertificateRegistration ++Azure service: [App Service Certificates](/azure/app-service/configure-ssl-certificate#buy-and-import-app-service-certificate) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.CertificateRegistration/provisionGlobalAppServicePrincipalInUserTenant/Action | ProvisionAKSCluster service principal for service app principal | +> | Microsoft.CertificateRegistration/validateCertificateRegistrationInformation/Action | Validate certificate purchase object without submitting it | +> | Microsoft.CertificateRegistration/register/action | Register the Microsoft Certificates resource provider for the subscription | +> | Microsoft.CertificateRegistration/certificateOrders/Write | Add a new certificateOrder or update an existing one | +> | Microsoft.CertificateRegistration/certificateOrders/Delete | Delete an existing AppServiceCertificate | +> | Microsoft.CertificateRegistration/certificateOrders/Read | Get a CertificateOrder | +> | Microsoft.CertificateRegistration/certificateOrders/reissue/Action | Reissue an existing certificateorder | +> | Microsoft.CertificateRegistration/certificateOrders/renew/Action | Renew an existing certificateorder | +> | Microsoft.CertificateRegistration/certificateOrders/retrieveCertificateActions/Action | Retrieve the list of certificate actions | +> | Microsoft.CertificateRegistration/certificateOrders/retrieveContactInfo/Action | Retrieve certificate order contact information | +> | Microsoft.CertificateRegistration/certificateOrders/retrieveEmailHistory/Action | Retrieve certificate email history | +> | Microsoft.CertificateRegistration/certificateOrders/resendEmail/Action | Resend certificate 
email | +> | Microsoft.CertificateRegistration/certificateOrders/verifyDomainOwnership/Action | Verify domain ownership | +> | Microsoft.CertificateRegistration/certificateOrders/resendRequestEmails/Action | Resend domain verification ownership email containing steps on how to verify a domain for a given certificate order | +> | Microsoft.CertificateRegistration/certificateOrders/resendRequestEmails/Action | This method is used to obtain the site seal information for an issued certificate.<br>A site seal is a graphic that the certificate purchaser can embed on their web site to show their visitors information about their TLS/SSL certificate.<br>If a web site visitor clicks on the site seal image, a pop-up page is displayed that contains detailed information about the TLS/SSL certificate.<br>The site seal token is used to link the site seal graphic image to the appropriate certificate details pop-up page display when a user clicks on the site seal.<br>The site seal images are expected to be static images and hosted by the reseller, to minimize delays for customer page load times. 
| +> | Microsoft.CertificateRegistration/certificateOrders/certificates/Write | Add a new certificate or update an existing one | +> | Microsoft.CertificateRegistration/certificateOrders/certificates/Delete | Delete an existing certificate | +> | Microsoft.CertificateRegistration/certificateOrders/certificates/Read | Get the list of certificates | +> | Microsoft.CertificateRegistration/operations/Read | List all operations from app service certificate registration | ++## Microsoft.Communication ++Azure service: [Azure Communication Services](/azure/communication-services/overview) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Communication/Register/Action | Registers Microsoft.Communication resource provider | +> | Microsoft.Communication/Unregister/Action | Unregisters Microsoft.Communication resource provider | +> | Microsoft.Communication/CheckNameAvailability/action | Checks if a name is available | +> | Microsoft.Communication/CommunicationServices/Read | Reads communication services | +> | Microsoft.Communication/CommunicationServices/Write | Writes communication services | +> | Microsoft.Communication/CommunicationServices/Delete | Deletes communication services | +> | Microsoft.Communication/CommunicationServices/ListKeys/action | Reads the keys for a communication service | +> | Microsoft.Communication/CommunicationServices/RegenerateKey/action | Regenerates the primary or secondary key for a communication service | +> | Microsoft.Communication/CommunicationServices/LinkNotificationHub/action | Links an Azure Notification Hub to the communication service | +> | Microsoft.Communication/CommunicationServices/EventGridFilters/Read | Reads EventGrid filters on communication services | +> | Microsoft.Communication/CommunicationServices/EventGridFilters/Write | Writes EventGrid filters on communication services | +> | Microsoft.Communication/CommunicationServices/EventGridFilters/Delete | Removes an EventGrid filter on 
communication services | +> | Microsoft.Communication/EmailServices/read | Get the EmailService and its properties. | +> | Microsoft.Communication/EmailServices/write | Get the EmailService and its properties. | +> | Microsoft.Communication/EmailServices/delete | Operation to delete a EmailService. | +> | Microsoft.Communication/EmailServices/verifiedExchangeOnlineDomains/action | List Verified Domains from the exchange online tenant. | +> | Microsoft.Communication/EmailServices/Domains/read | Get the email Domain and its properties. | +> | Microsoft.Communication/EmailServices/Domains/write | Add a new Domain under the parent EmailService resource or update an existing Domain resource. | +> | Microsoft.Communication/EmailServices/Domains/delete | Operation to delete a Domain resource. | +> | Microsoft.Communication/EmailServices/Domains/InitiateVerification/action | Initiate verification of Dns record. | +> | Microsoft.Communication/EmailServices/Domains/CancelVerification/action | Cancel verification of Dns record. | +> | Microsoft.Communication/EmailServices/Domains/RevokeVerification/action | Revoke existing verified status of a Dns record. | +> | Microsoft.Communication/EmailServices/Domains/SenderUsernames/read | List all valid sender usernames for a domains resource. | +> | Microsoft.Communication/EmailServices/Domains/SenderUsernames/read | Get the email SenderUsername and its properties. | +> | Microsoft.Communication/EmailServices/Domains/SenderUsernames/write | Add a new SenderUsername under the parent Domain resource or update an existing SenderUsername resource. | +> | Microsoft.Communication/EmailServices/Domains/SenderUsernames/delete | Operation to delete a SenderUsername resource. | +> | Microsoft.Communication/EmailServices/Domains/SuppressionLists/read | List all suppression lists for a domains resource. | +> | Microsoft.Communication/EmailServices/Domains/SuppressionLists/read | Get the suppression list and its properties. 
| +> | Microsoft.Communication/EmailServices/Domains/SuppressionLists/write | Add a new suppression list under the parent Domain resource or update an existing suppression list. | +> | Microsoft.Communication/EmailServices/Domains/SuppressionLists/delete | Operation to delete a suppressio lists. | +> | Microsoft.Communication/EmailServices/Domains/SuppressionLists/SuppressionListAddresses/read | Get all the addresses in a suppression list. | +> | Microsoft.Communication/EmailServices/Domains/SuppressionLists/SuppressionListAddresses/read | Get all the addresses in a suppression list. | +> | Microsoft.Communication/EmailServices/Domains/SuppressionLists/SuppressionListAddresses/write | Add a new suppression list under the parent Domain resource or update an existing suppression list. | +> | Microsoft.Communication/EmailServices/Domains/SuppressionLists/SuppressionListAddresses/delete | Operation to delete an address from a suppression list. | +> | Microsoft.Communication/Locations/OperationStatuses/read | Reads the status of an async operation | +> | Microsoft.Communication/Locations/OperationStatuses/write | Writes the status of an async operation | +> | Microsoft.Communication/Operations/read | Reads operations | +> | Microsoft.Communication/RegisteredSubscriptions/read | Reads registered subscriptions | ++## Microsoft.DomainRegistration ++Azure service: [App Service](/azure/app-service/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.DomainRegistration/generateSsoRequest/Action | Generate a request for signing into domain control center. 
| +> | Microsoft.DomainRegistration/validateDomainRegistrationInformation/Action | Validate domain purchase object without submitting it | +> | Microsoft.DomainRegistration/checkDomainAvailability/Action | Check if a domain is available for purchase | +> | Microsoft.DomainRegistration/listDomainRecommendations/Action | Retrieve the list domain recommendations based on keywords | +> | Microsoft.DomainRegistration/register/action | Register the Microsoft Domains resource provider for the subscription | +> | Microsoft.DomainRegistration/domains/Read | Get the list of domains | +> | Microsoft.DomainRegistration/domains/Read | Get domain | +> | Microsoft.DomainRegistration/domains/Write | Add a new Domain or update an existing one | +> | Microsoft.DomainRegistration/domains/Delete | Delete an existing domain. | +> | Microsoft.DomainRegistration/domains/renew/Action | Renew an existing domain. | +> | Microsoft.DomainRegistration/domains/verifyRegistrantEmail/Action | Resends verification emails to the email address of registrant contact. | +> | Microsoft.DomainRegistration/domains/retrieveContactInfo/Action | Retrieve contact info for existing domain | +> | Microsoft.DomainRegistration/domains/Read | Transfer out a domain to another registrar. 
| +> | Microsoft.DomainRegistration/domains/domainownershipidentifiers/Read | List ownership identifiers | +> | Microsoft.DomainRegistration/domains/domainownershipidentifiers/Read | Get ownership identifier | +> | Microsoft.DomainRegistration/domains/domainownershipidentifiers/Write | Create or update identifier | +> | Microsoft.DomainRegistration/domains/domainownershipidentifiers/Delete | Delete ownership identifier | +> | Microsoft.DomainRegistration/domains/operationresults/Read | Get a domain operation | +> | Microsoft.DomainRegistration/operations/Read | List all operations from app service domain registration | +> | Microsoft.DomainRegistration/topLevelDomains/Read | Get toplevel domains | +> | Microsoft.DomainRegistration/topLevelDomains/Read | Get toplevel domain | +> | Microsoft.DomainRegistration/topLevelDomains/listAgreements/Action | List Agreement action | ++## Microsoft.Maps ++Azure service: [Azure Maps](/azure/azure-maps/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Maps/unregister/action | Unregister the Maps provider | +> | Microsoft.Maps/register/action | Register the provider | +> | Microsoft.Maps/accounts/write | Create or update a Maps Account. | +> | Microsoft.Maps/accounts/read | Get a Maps Account. | +> | Microsoft.Maps/accounts/delete | Delete a Maps Account. | +> | Microsoft.Maps/accounts/listKeys/action | List Maps Account keys. | +> | Microsoft.Maps/accounts/listSas/action | Creates new SAS tokens on Maps Account. | +> | Microsoft.Maps/accounts/regenerateKey/action | Generate new Maps Account primary or secondary key. | +> | Microsoft.Maps/accounts/creators/write | Create or update a Creator. | +> | Microsoft.Maps/accounts/creators/read | Get a Creator. | +> | Microsoft.Maps/accounts/creators/delete | Delete a Creator. | +> | Microsoft.Maps/accounts/eventGridFilters/delete | Delete an Event Grid filter. 
| +> | Microsoft.Maps/accounts/eventGridFilters/read | Get an Event Grid filter | +> | Microsoft.Maps/accounts/eventGridFilters/write | Create or update an Event Grid filter. | +> | Microsoft.Maps/accounts/privateEndpointConnectionProxies/validate/action | Validate a Private Endpoint Connection Proxy. | +> | Microsoft.Maps/accounts/privateEndpointConnectionProxies/read | Read a Private Endpoint Connection Proxy. | +> | Microsoft.Maps/accounts/privateEndpointConnectionProxies/write | Create or update a Private Endpoint Connection Proxy. | +> | Microsoft.Maps/accounts/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.Maps/accounts/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.Maps/accounts/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Maps Accounts | +> | Microsoft.Maps/locations/operationStatuses/read | Read an Asyncronous Operation. | +> | Microsoft.Maps/operations/read | Read the provider operations | +> | Microsoft.Maps/resourceTypes/read | Read the provider resourceTypes | +> | **DataAction** | **Description** | +> | Microsoft.Maps/accounts/services/batch/action | Allows actions upon data for batch services. | +> | Microsoft.Maps/accounts/services/analytics/read | Allows reading of data for Analytics services. | +> | Microsoft.Maps/accounts/services/analytics/delete | Allows deleting of data for Analytic services. | +> | Microsoft.Maps/accounts/services/analytics/write | Allows writing of data for Analytic services. | +> | Microsoft.Maps/accounts/services/data/read | Allows reading of data for data upload services and Creator resource. | +> | Microsoft.Maps/accounts/services/data/delete | Allows deleting of data for data upload services and Creator resource. 
| +> | Microsoft.Maps/accounts/services/data/write | Allows writing or updating of data for data upload services and Creator resource. | +> | Microsoft.Maps/accounts/services/dataordering/read | Allows reading of data for DataOrdering services. | +> | Microsoft.Maps/accounts/services/dataordering/write | Allows writing of data for Data Ordering services. | +> | Microsoft.Maps/accounts/services/geolocation/read | Allows reading of data for Geolocation services. | +> | Microsoft.Maps/accounts/services/render/read | Allows reading of data for Render services. | +> | Microsoft.Maps/accounts/services/route/read | Allows reading of data for Route services. | +> | Microsoft.Maps/accounts/services/search/read | Allows reading of data for Search services. | +> | Microsoft.Maps/accounts/services/spatial/read | Allows reading of data for Spatial services. | +> | Microsoft.Maps/accounts/services/spatial/write | Allows writing of data for Spatial services, such as event publishing. | +> | Microsoft.Maps/accounts/services/timezone/read | Allows reading of data for Timezone services. | +> | Microsoft.Maps/accounts/services/traffic/read | Allows reading of data for Traffic services. | +> | Microsoft.Maps/accounts/services/turnbyturn/read | Allows reading of data for TurnByTurn services. | +> | Microsoft.Maps/accounts/services/weather/read | Allows reading of data for Weather services. 
| ++## Microsoft.Media ++Azure service: [Media Services](/azure/media-services/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Media/register/action | Registers the subscription for the Media Services resource provider and enables the creation of Media Services accounts | +> | Microsoft.Media/unregister/action | Unregisters the subscription for the Media Services resource provider | +> | Microsoft.Media/checknameavailability/action | Checks if a Media Services account name is available | +> | Microsoft.Media/locations/checkNameAvailability/action | Checks if a Media Services account name is available | +> | Microsoft.Media/locations/mediaServicesOperationResults/read | Read any Media Services Operation Result | +> | Microsoft.Media/locations/mediaServicesOperationStatuses/read | Read Any Media Service Operation Status | +> | Microsoft.Media/locations/videoAnalyzerOperationResults/read | Read any Video Analyzer Operation Result | +> | Microsoft.Media/locations/videoAnalyzerOperationStatuses/read | Read any Video Analyzer Operation Status | +> | Microsoft.Media/mediaservices/read | Read any Media Services Account | +> | Microsoft.Media/mediaservices/write | Create or Update any Media Services Account | +> | Microsoft.Media/mediaservices/delete | Delete any Media Services Account | +> | Microsoft.Media/mediaservices/regenerateKey/action | Regenerate a Media Services ACS key | +> | Microsoft.Media/mediaservices/listKeys/action | List the ACS keys for the Media Services account | +> | Microsoft.Media/mediaservices/syncStorageKeys/action | Synchronize the Storage Keys for an attached Azure Storage account | +> | Microsoft.Media/mediaservices/listEdgePolicies/action | List policies for an edge device. 
| +> | Microsoft.Media/mediaservices/PrivateEndpointConnectionsApproval/action | Approve Private Endpoint Connections | +> | Microsoft.Media/mediaservices/accountfilters/read | Read any Account Filter | +> | Microsoft.Media/mediaservices/accountfilters/write | Create or Update any Account Filter | +> | Microsoft.Media/mediaservices/accountfilters/delete | Delete any Account Filter | +> | Microsoft.Media/mediaservices/assets/read | Read any Asset | +> | Microsoft.Media/mediaservices/assets/write | Create or Update any Asset | +> | Microsoft.Media/mediaservices/assets/delete | Delete any Asset | +> | Microsoft.Media/mediaservices/assets/listContainerSas/action | List Asset Container SAS URLs | +> | Microsoft.Media/mediaservices/assets/getEncryptionKey/action | Get Asset Encryption Key | +> | Microsoft.Media/mediaservices/assets/listStreamingLocators/action | List Streaming Locators for Asset | +> | Microsoft.Media/mediaservices/assets/assetfilters/read | Read any Asset Filter | +> | Microsoft.Media/mediaservices/assets/assetfilters/write | Create or Update any Asset Filter | +> | Microsoft.Media/mediaservices/assets/assetfilters/delete | Delete any Asset Filter | +> | Microsoft.Media/mediaservices/assets/assetTracks/read | Read any Asset Track | +> | Microsoft.Media/mediaservices/assets/assetTracks/write | Create or Update any Asset Track | +> | Microsoft.Media/mediaservices/assets/assetTracks/delete | Delete any Asset Track | +> | Microsoft.Media/mediaservices/assets/assetTracks/updateTrackData/action | Update the track data for Asset Track | +> | Microsoft.Media/mediaservices/assets/assetTracks/assetTracksOperationResults/read | Read any Asset Track Operation Result | +> | Microsoft.Media/mediaservices/assets/assetTracks/assetTracksOperationStatuses/read | Read any Asset Track Operation Result | +> | Microsoft.Media/mediaservices/contentKeyPolicies/read | Read any Content Key Policy | +> | Microsoft.Media/mediaservices/contentKeyPolicies/write | Create or Update 
any Content Key Policy | +> | Microsoft.Media/mediaservices/contentKeyPolicies/delete | Delete any Content Key Policy | +> | Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action | Get Policy Properties With Secrets | +> | Microsoft.Media/mediaservices/eventGridFilters/read | Read any Event Grid Filter | +> | Microsoft.Media/mediaservices/eventGridFilters/write | Create or Update any Event Grid Filter | +> | Microsoft.Media/mediaservices/eventGridFilters/delete | Delete any Event Grid Filter | +> | Microsoft.Media/mediaservices/liveEventOperations/read | Read any Live Event Operation | +> | Microsoft.Media/mediaservices/liveEvents/read | Read any Live Event | +> | Microsoft.Media/mediaservices/liveEvents/write | Create or Update any Live Event | +> | Microsoft.Media/mediaservices/liveEvents/delete | Delete any Live Event | +> | Microsoft.Media/mediaservices/liveEvents/start/action | Start any Live Event Operation | +> | Microsoft.Media/mediaservices/liveEvents/stop/action | Stop any Live Event Operation | +> | Microsoft.Media/mediaservices/liveEvents/reset/action | Reset any Live Event Operation | +> | Microsoft.Media/mediaservices/liveEvents/liveOutputs/read | Read any Live Output | +> | Microsoft.Media/mediaservices/liveEvents/liveOutputs/write | Create or Update any Live Output | +> | Microsoft.Media/mediaservices/liveEvents/liveOutputs/delete | Delete any Live Output | +> | Microsoft.Media/mediaservices/liveEvents/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource. | +> | Microsoft.Media/mediaservices/liveEvents/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource. | +> | Microsoft.Media/mediaservices/liveEvents/providers/Microsoft.Insights/metricDefinitions/read | Get a list of Media Services Live Event Metrics definitions. 
| +> | Microsoft.Media/mediaservices/liveOutputOperations/read | Read any Live Output Operation | +> | Microsoft.Media/mediaservices/privateEndpointConnectionOperations/read | Read any Private Endpoint Connection Operation | +> | Microsoft.Media/mediaservices/privateEndpointConnectionProxies/read | Read any Private Endpoint Connection Proxy | +> | Microsoft.Media/mediaservices/privateEndpointConnectionProxies/write | Create Private Endpoint Connection Proxy | +> | Microsoft.Media/mediaservices/privateEndpointConnectionProxies/delete | Delete Private Endpoint Connection Proxy | +> | Microsoft.Media/mediaservices/privateEndpointConnectionProxies/validate/action | Validate Private Endpoint Connection Proxy | +> | Microsoft.Media/mediaservices/privateEndpointConnections/read | Read any Private Endpoint Connection | +> | Microsoft.Media/mediaservices/privateEndpointConnections/write | Create Private Endpoint Connection | +> | Microsoft.Media/mediaservices/privateEndpointConnections/delete | Delete Private Endpoint Connection | +> | Microsoft.Media/mediaservices/privateLinkResources/read | Read any Private Link Resource | +> | Microsoft.Media/mediaservices/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource. | +> | Microsoft.Media/mediaservices/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource. | +> | Microsoft.Media/mediaservices/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for a Media Services Account | +> | Microsoft.Media/mediaservices/providers/Microsoft.Insights/metricDefinitions/read | Get list of Media Services Metric definitions. 
| +> | Microsoft.Media/mediaservices/streamingEndpointOperations/read | Read any Streaming Endpoint Operation | +> | Microsoft.Media/mediaservices/streamingEndpoints/read | Read any Streaming Endpoint | +> | Microsoft.Media/mediaservices/streamingEndpoints/write | Create or Update any Streaming Endpoint | +> | Microsoft.Media/mediaservices/streamingEndpoints/delete | Delete any Streaming Endpoint | +> | Microsoft.Media/mediaservices/streamingEndpoints/start/action | Start any Streaming Endpoint Operation | +> | Microsoft.Media/mediaservices/streamingEndpoints/stop/action | Stop any Streaming Endpoint Operation | +> | Microsoft.Media/mediaservices/streamingEndpoints/scale/action | Scale any Streaming Endpoint Operation | +> | Microsoft.Media/mediaservices/streamingEndpoints/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource. | +> | Microsoft.Media/mediaservices/streamingEndpoints/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource. | +> | Microsoft.Media/mediaservices/streamingEndpoints/providers/Microsoft.Insights/metricDefinitions/read | Get list of Media Services Streaming Endpoint Metrics definitions. 
| +> | Microsoft.Media/mediaservices/streamingLocators/read | Read any Streaming Locator | +> | Microsoft.Media/mediaservices/streamingLocators/write | Create or Update any Streaming Locator | +> | Microsoft.Media/mediaservices/streamingLocators/delete | Delete any Streaming Locator | +> | Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action | List Content Keys | +> | Microsoft.Media/mediaservices/streamingLocators/listPaths/action | List Paths | +> | Microsoft.Media/mediaservices/streamingPolicies/read | Read any Streaming Policy | +> | Microsoft.Media/mediaservices/streamingPolicies/write | Create or Update any Streaming Policy | +> | Microsoft.Media/mediaservices/streamingPolicies/delete | Delete any Streaming Policy | +> | Microsoft.Media/mediaservices/transforms/read | Read any Transform | +> | Microsoft.Media/mediaservices/transforms/write | Create or Update any Transform | +> | Microsoft.Media/mediaservices/transforms/delete | Delete any Transform | +> | Microsoft.Media/mediaservices/transforms/jobs/read | Read any Job | +> | Microsoft.Media/mediaservices/transforms/jobs/write | Create or Update any Job | +> | Microsoft.Media/mediaservices/transforms/jobs/delete | Delete any Job | +> | Microsoft.Media/mediaservices/transforms/jobs/cancelJob/action | Cancel Job | +> | Microsoft.Media/operations/read | Get Available Operations | +> | Microsoft.Media/videoAnalyzers/read | Read a Video Analyzer Account | +> | Microsoft.Media/videoAnalyzers/write | Create or Update a Video Analyzer Account | +> | Microsoft.Media/videoAnalyzers/delete | Delete a Video Analyzer Account | +> | Microsoft.Media/videoAnalyzers/PrivateEndpointConnectionsApproval/action | Approve Private Endpoint Connections | +> | Microsoft.Media/videoAnalyzers/accessPolicies/read | Read any Access Policy | +> | Microsoft.Media/videoAnalyzers/accessPolicies/write | Create or Update any Access Policy | +> | Microsoft.Media/videoAnalyzers/accessPolicies/delete | Delete any Access Policy 
| +> | Microsoft.Media/videoAnalyzers/edgeModules/read | Read any Edge Module | +> | Microsoft.Media/videoAnalyzers/edgeModules/write | Create or Update any Edge Module | +> | Microsoft.Media/videoAnalyzers/edgeModules/delete | Delete any Edge Module | +> | Microsoft.Media/videoAnalyzers/edgeModules/listProvisioningToken/action | Creates a new provisioning token.<br>A provisioning token allows for a single instance of Azure Video analyzer IoT edge module to be initialized and authorized to the cloud account.<br>The provisioning token itself is short lived and it is only used for the initial handshake between IoT edge module and the cloud.<br>After the initial handshake, the IoT edge module will agree on a set of authentication keys which will be auto-rotated as long as the module is able to periodically connect to the cloud.<br>A new provisioning token can be generated for the same IoT edge module in case the module state lost or reset | +> | Microsoft.Media/videoAnalyzers/livePipelines/read | Read any Live Pipeline | +> | Microsoft.Media/videoAnalyzers/livePipelines/write | Create or Update any Live Pipeline | +> | Microsoft.Media/videoAnalyzers/livePipelines/delete | Delete any Live Pipeline | +> | Microsoft.Media/videoAnalyzers/livePipelines/activate/action | Activate any Live Pipeline | +> | Microsoft.Media/videoAnalyzers/livePipelines/deactivate/action | Deactivate any Live Pipeline | +> | Microsoft.Media/videoAnalyzers/livePipelines/operationsStatus/read | Read any Live Pipeline operation status | +> | Microsoft.Media/videoAnalyzers/pipelineJobs/read | Read any Pipeline Job | +> | Microsoft.Media/videoAnalyzers/pipelineJobs/write | Create or Update any Pipeline Job | +> | Microsoft.Media/videoAnalyzers/pipelineJobs/delete | Delete any Pipeline Job | +> | Microsoft.Media/videoAnalyzers/pipelineJobs/cancel/action | Cancel any Pipeline Job | +> | Microsoft.Media/videoAnalyzers/pipelineJobs/operationsStatus/read | Read any Pipeline Job operation status | +> | 
Microsoft.Media/videoAnalyzers/pipelineTopologies/read | Read any Pipeline Topology | +> | Microsoft.Media/videoAnalyzers/pipelineTopologies/write | Create or Update any Pipeline Topology | +> | Microsoft.Media/videoAnalyzers/pipelineTopologies/delete | Delete any Pipeline Topology | +> | Microsoft.Media/videoAnalyzers/privateEndpointConnectionOperations/read | Read any Private Endpoint Connection Operation | +> | Microsoft.Media/videoAnalyzers/privateEndpointConnectionProxies/read | Read any Private Endpoint Connection Proxy | +> | Microsoft.Media/videoAnalyzers/privateEndpointConnectionProxies/write | Create Private Endpoint Connection Proxy | +> | Microsoft.Media/videoAnalyzers/privateEndpointConnectionProxies/delete | Delete Private Endpoint Connection Proxy | +> | Microsoft.Media/videoAnalyzers/privateEndpointConnectionProxies/validate/action | Validate Private Endpoint Connection Proxy | +> | Microsoft.Media/videoAnalyzers/privateEndpointConnections/read | Read any Private Endpoint Connection | +> | Microsoft.Media/videoAnalyzers/privateEndpointConnections/write | Create Private Endpoint Connection | +> | Microsoft.Media/videoAnalyzers/privateEndpointConnections/delete | Delete Private Endpoint Connection | +> | Microsoft.Media/videoAnalyzers/privateLinkResources/read | Read any Private Link Resource | +> | Microsoft.Media/videoAnalyzers/videos/read | Read any Video | +> | Microsoft.Media/videoAnalyzers/videos/write | Create or Update any Video | +> | Microsoft.Media/videoAnalyzers/videos/delete | Delete any Video | +> | Microsoft.Media/videoAnalyzers/videos/listStreamingToken/action | Generates a streaming token which can be used for video playback | +> | Microsoft.Media/videoAnalyzers/videos/listContentToken/action | Generates a content token which can be used for video playback | ++## Microsoft.Search ++Azure service: [Azure Search](/azure/search/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.Search/register/action | 
Registers the subscription for the search resource provider and enables the creation of search services. | +> | Microsoft.Search/checkNameAvailability/action | Checks availability of the service name. | +> | Microsoft.Search/locations/notifyNetworkSecurityPerimeterUpdatesAvailable/write | Check if the configuration of the Network Security Perimeter needs updating. | +> | Microsoft.Search/operations/read | Lists all of the available operations of the Microsoft.Search provider. | +> | Microsoft.Search/searchServices/write | Creates or updates the search service. | +> | Microsoft.Search/searchServices/read | Reads the search service. | +> | Microsoft.Search/searchServices/delete | Deletes the search service. | +> | Microsoft.Search/searchServices/start/action | Starts the search service. | +> | Microsoft.Search/searchServices/stop/action | Stops the search service. | +> | Microsoft.Search/searchServices/listAdminKeys/action | Reads the admin keys. | +> | Microsoft.Search/searchServices/regenerateAdminKey/action | Regenerates the admin key. | +> | Microsoft.Search/searchServices/listQueryKeys/action | Returns the list of query API keys for the given Azure Search service. | +> | Microsoft.Search/searchServices/createQueryKey/action | Creates the query key. | +> | Microsoft.Search/searchServices/privateEndpointConnectionsApproval/action | Approve Private Endpoint Connection | +> | Microsoft.Search/searchServices/dataSources/read | Return a data source or a list of data sources. | +> | Microsoft.Search/searchServices/dataSources/write | Create a data source or modify its properties. | +> | Microsoft.Search/searchServices/dataSources/delete | Delete a data source. | +> | Microsoft.Search/searchServices/debugSessions/read | Return a debug session or a list of debug sessions. | +> | Microsoft.Search/searchServices/debugSessions/write | Create a debug session or modify its properties. | +> | Microsoft.Search/searchServices/debugSessions/delete | Delete a debug session. 
| +> | Microsoft.Search/searchServices/debugSessions/execute/action | Use a debug session, get execution data, or evaluate expressions on it. | +> | Microsoft.Search/searchServices/deleteQueryKey/delete | Deletes the query key. | +> | Microsoft.Search/searchServices/diagnosticSettings/read | Gets the diganostic setting read for the resource | +> | Microsoft.Search/searchServices/diagnosticSettings/write | Creates or updates the diganostic setting for the resource | +> | Microsoft.Search/searchServices/indexers/read | Return an indexer or its status, or return a list of indexers or their statuses. | +> | Microsoft.Search/searchServices/indexers/write | Create an indexer, modify its properties, or manage its execution. | +> | Microsoft.Search/searchServices/indexers/delete | Delete an indexer. | +> | Microsoft.Search/searchServices/indexes/read | Return an index or its statistics, return a list of indexes or their statistics, or test the lexical analysis components of an index. | +> | Microsoft.Search/searchServices/indexes/write | Create an index or modify its properties. | +> | Microsoft.Search/searchServices/indexes/delete | Delete an index. | +> | Microsoft.Search/searchServices/logDefinitions/read | Gets the available logs for the search service | +> | Microsoft.Search/searchServices/metricDefinitions/read | Gets the available metrics for the search service | +> | Microsoft.Search/searchServices/networkSecurityPerimeterAssociationProxies/delete | Delete an association proxy to a Network Security Perimeter resource of Microsoft.Network provider. | +> | Microsoft.Search/searchServices/networkSecurityPerimeterAssociationProxies/read | Delete an association proxy to a Network Security Perimeter resource of Microsoft.Network provider. 
| +> | Microsoft.Search/searchServices/networkSecurityPerimeterAssociationProxies/write | Change the state of an association to a Network Security Perimeter resource of Microsoft.Network provider | +> | Microsoft.Search/searchServices/networkSecurityPerimeterConfigurations/read | Read the Network Security Perimeter configuration. | +> | Microsoft.Search/searchServices/networkSecurityPerimeterConfigurations/reconcile/action | Reconcile the Network Security Perimeter configuration with NRP's (Microsoft.Network Resource Provider) copy. | +> | Microsoft.Search/searchServices/privateEndpointConnectionProxies/validate/action | Validates a private endpoint connection create call from NRP side | +> | Microsoft.Search/searchServices/privateEndpointConnectionProxies/write | Creates a private endpoint connection proxy with the specified parameters or updates the properties or tags for the specified private endpoint connection proxy | +> | Microsoft.Search/searchServices/privateEndpointConnectionProxies/read | Returns the list of private endpoint connection proxies or gets the properties for the specified private endpoint connection proxy | +> | Microsoft.Search/searchServices/privateEndpointConnectionProxies/delete | Deletes an existing private endpoint connection proxy | +> | Microsoft.Search/searchServices/privateEndpointConnections/write | Creates a private endpoint connections with the specified parameters or updates the properties or tags for the specified private endpoint connections | +> | Microsoft.Search/searchServices/privateEndpointConnections/read | Returns the list of private endpoint connections or gets the properties for the specified private endpoint connections | +> | Microsoft.Search/searchServices/privateEndpointConnections/delete | Deletes an existing private endpoint connections | +> | Microsoft.Search/searchServices/sharedPrivateLinkResources/write | Creates a new shared private link resource with the specified parameters or updates the properties for 
the specified shared private link resource | +> | Microsoft.Search/searchServices/sharedPrivateLinkResources/read | Returns the list of shared private link resources or gets the properties for the specified shared private link resource | +> | Microsoft.Search/searchServices/sharedPrivateLinkResources/delete | Deletes an existing shared private link resource | +> | Microsoft.Search/searchServices/sharedPrivateLinkResources/operationStatuses/read | Get the details of a long running shared private link resource operation | +> | Microsoft.Search/searchServices/skillsets/read | Return a skillset or a list of skillsets. | +> | Microsoft.Search/searchServices/skillsets/write | Create a skillset or modify its properties. | +> | Microsoft.Search/searchServices/skillsets/delete | Delete a skillset. | +> | Microsoft.Search/searchServices/synonymMaps/read | Return a synonym map or a list of synonym maps. | +> | Microsoft.Search/searchServices/synonymMaps/write | Create a synonym map or modify its properties. | +> | Microsoft.Search/searchServices/synonymMaps/delete | Delete a synonym map. | +> | **DataAction** | **Description** | +> | Microsoft.Search/searchServices/indexes/documents/read | Read documents or suggested query terms from an index. | +> | Microsoft.Search/searchServices/indexes/documents/write | Upload documents to an index or modify existing documents. | +> | Microsoft.Search/searchServices/indexes/documents/delete | Delete documents from an index. 
| ++## Microsoft.SignalRService ++Azure service: [Azure SignalR Service](/azure/azure-signalr/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | Microsoft.SignalRService/register/action | Registers the 'Microsoft.SignalRService' resource provider with a subscription | +> | Microsoft.SignalRService/unregister/action | Unregisters the 'Microsoft.SignalRService' resource provider with a subscription | +> | Microsoft.SignalRService/locations/checknameavailability/action | Checks if a name is available for use with a new Microsoft.SignalRService resource | +> | Microsoft.SignalRService/locations/operationresults/signalr/read | Query the result of a location-based asynchronous operation | +> | Microsoft.SignalRService/locations/operationresults/webpubsub/read | Query the result of a location-based asynchronous operation | +> | Microsoft.SignalRService/locations/operationStatuses/signalr/read | Query the status of a location-based asynchronous operation | +> | Microsoft.SignalRService/locations/operationStatuses/webpubsub/read | Query the status of a location-based asynchronous operation | +> | Microsoft.SignalRService/locations/usages/read | Get the quota usages for Microsoft.SignalRService resource provider | +> | Microsoft.SignalRService/operationresults/read | Query the result of a provider-level asynchronous operation | +> | Microsoft.SignalRService/operations/read | List the operations for Microsoft.SignalRService resource provider | +> | Microsoft.SignalRService/operationStatuses/read | Query the status of a provider-level asynchronous operation | +> | Microsoft.SignalRService/SignalR/read | View the SignalR's settings and configurations in the management portal or through API | +> | Microsoft.SignalRService/SignalR/write | Modify the SignalR's settings and configurations in the management portal or through API | +> | Microsoft.SignalRService/SignalR/delete | Delete the SignalR resource | +> | 
Microsoft.SignalRService/SignalR/listkeys/action | View the value of SignalR access keys in the management portal or through API | +> | Microsoft.SignalRService/SignalR/regeneratekey/action | Change the value of SignalR access keys in the management portal or through API | +> | Microsoft.SignalRService/SignalR/restart/action | To restart a SignalR resource in the management portal or through API. There will be certain downtime | +> | Microsoft.SignalRService/SignalR/PrivateEndpointConnectionsApproval/action | Approve Private Endpoint Connection | +> | Microsoft.SignalRService/SignalR/detectors/read | Read Detector | +> | Microsoft.SignalRService/SignalR/eventGridFilters/read | Get the properties of the specified event grid filter or lists all the event grid filters for the specified SignalR resource | +> | Microsoft.SignalRService/SignalR/eventGridFilters/write | Create or update an event grid filter for a SignalR resource with the specified parameters | +> | Microsoft.SignalRService/SignalR/eventGridFilters/delete | Delete an event grid filter from a SignalR resource | +> | Microsoft.SignalRService/SignalR/operationResults/read | | +> | Microsoft.SignalRService/SignalR/operationStatuses/read | | +> | Microsoft.SignalRService/SignalR/privateEndpointConnectionProxies/updatePrivateEndpointProperties/action | | +> | Microsoft.SignalRService/SignalR/privateEndpointConnectionProxies/validate/action | Validate Private Endpoint Connection Proxy | +> | Microsoft.SignalRService/SignalR/privateEndpointConnectionProxies/write | Write Private Endpoint Connection Proxy | +> | Microsoft.SignalRService/SignalR/privateEndpointConnectionProxies/read | Read Private Endpoint Connection Proxy | +> | Microsoft.SignalRService/SignalR/privateEndpointConnectionProxies/delete | Delete Private Endpoint Connection Proxy | +> | Microsoft.SignalRService/SignalR/privateEndpointConnections/write | Write Private Endpoint Connection | +> | 
Microsoft.SignalRService/SignalR/privateEndpointConnections/read | Read Private Endpoint Connection | +> | Microsoft.SignalRService/SignalR/privateEndpointConnections/delete | Delete Private Endpoint Connection | +> | Microsoft.SignalRService/SignalR/privateLinkResources/read | List Private Link Resources | +> | Microsoft.SignalRService/SignalR/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.SignalRService/SignalR/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.SignalRService/SignalR/providers/Microsoft.Insights/logDefinitions/read | Get the available logs of a SignalR resource | +> | Microsoft.SignalRService/SignalR/providers/Microsoft.Insights/metricDefinitions/read | Get the available metrics of a SignalR resource | +> | Microsoft.SignalRService/SignalR/replicas/read | View the SignalR replica's settings and configurations in the management portal or through API | +> | Microsoft.SignalRService/SignalR/replicas/write | Modify the SignalR replica's settings and configurations in the management portal or through API | +> | Microsoft.SignalRService/SignalR/replicas/delete | Delete the SignalR replica resource | +> | Microsoft.SignalRService/SignalR/replicas/operationResults/read | | +> | Microsoft.SignalRService/SignalR/replicas/operationStatuses/read | | +> | Microsoft.SignalRService/SignalR/replicas/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.SignalRService/SignalR/replicas/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.SignalRService/SignalR/replicas/providers/Microsoft.Insights/logDefinitions/read | Get the available logs of a SignalR replica resource | +> | Microsoft.SignalRService/SignalR/replicas/providers/Microsoft.Insights/metricDefinitions/read | Get 
the available metrics of a SignalR replica resource | +> | Microsoft.SignalRService/SignalR/replicas/skus/read | List the valid SKUs for an existing resource | +> | Microsoft.SignalRService/SignalR/sharedPrivateLinkResources/write | Write Shared Private Link Resource | +> | Microsoft.SignalRService/SignalR/sharedPrivateLinkResources/read | Read Shared Private Link Resource | +> | Microsoft.SignalRService/SignalR/sharedPrivateLinkResources/delete | Delete Shared Private Link Resource | +> | Microsoft.SignalRService/SignalR/skus/read | List the valid SKUs for an existing resource | +> | Microsoft.SignalRService/skus/read | List the valid SKUs for an existing resource | +> | Microsoft.SignalRService/WebPubSub/read | View the WebPubSub's settings and configurations in the management portal or through API | +> | Microsoft.SignalRService/WebPubSub/write | Modify the WebPubSub's settings and configurations in the management portal or through API | +> | Microsoft.SignalRService/WebPubSub/delete | Delete the WebPubSub resource | +> | Microsoft.SignalRService/WebPubSub/listkeys/action | View the value of WebPubSub access keys in the management portal or through API | +> | Microsoft.SignalRService/WebPubSub/regeneratekey/action | Change the value of WebPubSub access keys in the management portal or through API | +> | Microsoft.SignalRService/WebPubSub/restart/action | To restart a WebPubSub resource in the management portal or through API. 
There will be certain downtime | +> | Microsoft.SignalRService/WebPubSub/PrivateEndpointConnectionsApproval/action | Approve Private Endpoint Connection | +> | Microsoft.SignalRService/WebPubSub/detectors/read | Read Detector | +> | Microsoft.SignalRService/WebPubSub/hubs/write | Write hub settings | +> | Microsoft.SignalRService/WebPubSub/hubs/read | Read hub settings | +> | Microsoft.SignalRService/WebPubSub/hubs/delete | Delete hub settings | +> | Microsoft.SignalRService/WebPubSub/operationResults/read | | +> | Microsoft.SignalRService/WebPubSub/operationStatuses/read | | +> | Microsoft.SignalRService/WebPubSub/privateEndpointConnectionProxies/updatePrivateEndpointProperties/action | | +> | Microsoft.SignalRService/WebPubSub/privateEndpointConnectionProxies/validate/action | Validate Private Endpoint Connection Proxy | +> | Microsoft.SignalRService/WebPubSub/privateEndpointConnectionProxies/write | Write Private Endpoint Connection Proxy | +> | Microsoft.SignalRService/WebPubSub/privateEndpointConnectionProxies/read | Read Private Endpoint Connection Proxy | +> | Microsoft.SignalRService/WebPubSub/privateEndpointConnectionProxies/delete | Delete Private Endpoint Connection Proxy | +> | Microsoft.SignalRService/WebPubSub/privateEndpointConnections/write | Write Private Endpoint Connection | +> | Microsoft.SignalRService/WebPubSub/privateEndpointConnections/read | Read Private Endpoint Connection | +> | Microsoft.SignalRService/WebPubSub/privateEndpointConnections/delete | Delete Private Endpoint Connection | +> | Microsoft.SignalRService/WebPubSub/privateLinkResources/read | List Private Link Resources | +> | Microsoft.SignalRService/WebPubSub/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.SignalRService/WebPubSub/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | 
Microsoft.SignalRService/WebPubSub/providers/Microsoft.Insights/logDefinitions/read | Get the available logs of a WebPubSub resource | +> | Microsoft.SignalRService/WebPubSub/providers/Microsoft.Insights/metricDefinitions/read | Get the available metrics of a WebPubSub resource | +> | Microsoft.SignalRService/WebPubSub/replicas/read | View the WebPubSub replica's settings and configurations in the management portal or through API | +> | Microsoft.SignalRService/WebPubSub/replicas/write | Modify the WebPubSub replica's settings and configurations in the management portal or through API | +> | Microsoft.SignalRService/WebPubSub/replicas/delete | Delete the WebPubSub replica resource | +> | Microsoft.SignalRService/WebPubSub/replicas/operationResults/read | | +> | Microsoft.SignalRService/WebPubSub/replicas/operationStatuses/read | | +> | Microsoft.SignalRService/WebPubSub/replicas/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | Microsoft.SignalRService/WebPubSub/replicas/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.SignalRService/WebPubSub/replicas/providers/Microsoft.Insights/logDefinitions/read | Get the available logs of a WebPubSub replica resource | +> | Microsoft.SignalRService/WebPubSub/replicas/providers/Microsoft.Insights/metricDefinitions/read | Get the available metrics of a WebPubSub replica resource | +> | Microsoft.SignalRService/WebPubSub/replicas/skus/read | List the valid SKUs for an existing resource | +> | Microsoft.SignalRService/WebPubSub/sharedPrivateLinkResources/write | Write Shared Private Link Resource | +> | Microsoft.SignalRService/WebPubSub/sharedPrivateLinkResources/read | Read Shared Private Link Resource | +> | Microsoft.SignalRService/WebPubSub/sharedPrivateLinkResources/delete | Delete Shared Private Link Resource | +> | Microsoft.SignalRService/WebPubSub/skus/read | List the valid SKUs for 
an existing resource | +> | **DataAction** | **Description** | +> | Microsoft.SignalRService/SignalR/auth/clientToken/action | Generate an AccessToken for client to connect to ASRS, the token will expire in 5 minutes by default | +> | Microsoft.SignalRService/SignalR/auth/accessKey/action | Generate an AccessKey for signing AccessTokens, the key will expire in 90 minutes by default | +> | Microsoft.SignalRService/SignalR/auth/accessToken/action | Generate an AccessToken for client to connect to ASRS, the token will expire in 5 minutes by default | +> | Microsoft.SignalRService/SignalR/clientConnection/send/action | Send messages directly to a client connection | +> | Microsoft.SignalRService/SignalR/clientConnection/read | Check client connection existence | +> | Microsoft.SignalRService/SignalR/clientConnection/write | Close client connection | +> | Microsoft.SignalRService/SignalR/group/send/action | Broadcast message to group | +> | Microsoft.SignalRService/SignalR/group/read | Check group existence or user existence in group | +> | Microsoft.SignalRService/SignalR/group/write | Join / Leave group | +> | Microsoft.SignalRService/SignalR/hub/send/action | Broadcast messages to all client connections in the hub | +> | Microsoft.SignalRService/SignalR/hub/write | Close all client connections in the hub | +> | Microsoft.SignalRService/SignalR/livetrace/read | Read live trace tool results | +> | Microsoft.SignalRService/SignalR/livetrace/write | Create live trace connections | +> | Microsoft.SignalRService/SignalR/serverConnection/write | Start a server connection | +> | Microsoft.SignalRService/SignalR/user/send/action | Send messages to user, who may consist of multiple client connections | +> | Microsoft.SignalRService/SignalR/user/read | Check user existence | +> | Microsoft.SignalRService/SignalR/user/write | Modify a user | +> | Microsoft.SignalRService/WebPubSub/auth/accessKey/action | Generate an AccessKey for signing AccessTokens, the key will expire in 90 
minutes by default | +> | Microsoft.SignalRService/WebPubSub/auth/accessToken/action | Generate an AccessToken for client to connect to AWPS, the token will expire in 5 minutes by default | +> | Microsoft.SignalRService/WebPubSub/clientConnection/generateToken/action | Generate a JWT Token for client to connect to the service | +> | Microsoft.SignalRService/WebPubSub/clientConnection/send/action | Send messages directly to a client connection | +> | Microsoft.SignalRService/WebPubSub/clientConnection/read | Check client connection existence | +> | Microsoft.SignalRService/WebPubSub/clientConnection/write | Close client connection | +> | Microsoft.SignalRService/WebPubSub/group/send/action | Broadcast message to group | +> | Microsoft.SignalRService/WebPubSub/group/read | Check group existence or user existence in group | +> | Microsoft.SignalRService/WebPubSub/group/write | Join / Leave group | +> | Microsoft.SignalRService/WebPubSub/hub/send/action | Broadcast messages to all client connections in the hub | +> | Microsoft.SignalRService/WebPubSub/livetrace/read | Read live trace tool results | +> | Microsoft.SignalRService/WebPubSub/livetrace/write | Create live trace connections | +> | Microsoft.SignalRService/WebPubSub/user/send/action | Send messages to user, who may consist of multiple client connections | +> | Microsoft.SignalRService/WebPubSub/user/read | Check user existence | ++## microsoft.web ++Azure service: [App Service](/azure/app-service/), [Azure Functions](/azure/azure-functions/) ++> [!div class="mx-tableFixed"] +> | Action | Description | +> | | | +> | microsoft.web/unregister/action | Unregister Microsoft.Web resource provider for the subscription. | +> | microsoft.web/validate/action | Validate . | +> | microsoft.web/register/action | Register Microsoft.Web resource provider for the subscription. | +> | microsoft.web/verifyhostingenvironmentvnet/action | Verify Hosting Environment Vnet. 
| +> | microsoft.web/apimanagementaccounts/apiacls/read | Get Api Management Accounts Apiacls. | +> | microsoft.web/apimanagementaccounts/apis/read | Get Api Management Accounts APIs. | +> | microsoft.web/apimanagementaccounts/apis/delete | Delete Api Management Accounts APIs. | +> | microsoft.web/apimanagementaccounts/apis/write | Update Api Management Accounts APIs. | +> | microsoft.web/apimanagementaccounts/apis/apiacls/delete | Delete Api Management Accounts APIs Apiacls. | +> | microsoft.web/apimanagementaccounts/apis/apiacls/read | Get Api Management Accounts APIs Apiacls. | +> | microsoft.web/apimanagementaccounts/apis/apiacls/write | Update Api Management Accounts APIs Apiacls. | +> | microsoft.web/apimanagementaccounts/apis/connectionacls/read | Get Api Management Accounts APIs Connectionacls. | +> | microsoft.web/apimanagementaccounts/apis/connections/read | Get Api Management Accounts APIs Connections. | +> | microsoft.web/apimanagementaccounts/apis/connections/confirmconsentcode/action | Confirm Consent Code Api Management Accounts APIs Connections. | +> | microsoft.web/apimanagementaccounts/apis/connections/delete | Delete Api Management Accounts APIs Connections. | +> | microsoft.web/apimanagementaccounts/apis/connections/getconsentlinks/action | Get Consent Links for Api Management Accounts APIs Connections. | +> | microsoft.web/apimanagementaccounts/apis/connections/write | Update Api Management Accounts APIs Connections. | +> | microsoft.web/apimanagementaccounts/apis/connections/listconnectionkeys/action | List Connection Keys Api Management Accounts APIs Connections. | +> | microsoft.web/apimanagementaccounts/apis/connections/listsecrets/action | List Secrets Api Management Accounts APIs Connections. | +> | microsoft.web/apimanagementaccounts/apis/connections/connectionacls/delete | Delete Api Management Accounts APIs Connections Connectionacls. 
| +> | microsoft.web/apimanagementaccounts/apis/connections/connectionacls/read | Get Api Management Accounts APIs Connections Connectionacls. | +> | microsoft.web/apimanagementaccounts/apis/connections/connectionacls/write | Update Api Management Accounts APIs Connections Connectionacls. | +> | microsoft.web/apimanagementaccounts/apis/localizeddefinitions/delete | Delete Api Management Accounts APIs Localized Definitions. | +> | microsoft.web/apimanagementaccounts/apis/localizeddefinitions/read | Get Api Management Accounts APIs Localized Definitions. | +> | microsoft.web/apimanagementaccounts/apis/localizeddefinitions/write | Update Api Management Accounts APIs Localized Definitions. | +> | microsoft.web/apimanagementaccounts/connectionacls/read | Get Api Management Accounts Connectionacls. | +> | microsoft.web/availablestacks/read | Get Available Stacks. | +> | microsoft.web/billingmeters/read | Get list of billing meters. | +> | Microsoft.Web/certificates/Read | Get the list of certificates. | +> | Microsoft.Web/certificates/Write | Add a new certificate or update an existing one. | +> | Microsoft.Web/certificates/Delete | Delete an existing certificate. | +> | microsoft.web/certificates/operationresults/read | Get Certificates Operation Results. | +> | microsoft.web/checknameavailability/read | Check if resource name is available. | +> | microsoft.web/classicmobileservices/read | Get Classic Mobile Services. | +> | Microsoft.Web/connectionGateways/Read | Get the list of Connection Gateways. | +> | Microsoft.Web/connectionGateways/Write | Creates or updates a Connection Gateway. | +> | Microsoft.Web/connectionGateways/Delete | Deletes a Connection Gateway. | +> | Microsoft.Web/connectionGateways/Move/Action | Moves a Connection Gateway. | +> | Microsoft.Web/connectionGateways/Join/Action | Joins a Connection Gateway. | +> | Microsoft.Web/connectionGateways/Associate/Action | Associates with a Connection Gateway. 
| +> | Microsoft.Web/connectionGateways/ListStatus/Action | Lists status of a Connection Gateway. | +> | Microsoft.Web/connections/Read | Get the list of Connections. | +> | Microsoft.Web/connections/Write | Creates or updates a Connection. | +> | Microsoft.Web/connections/Delete | Deletes a Connection. | +> | Microsoft.Web/connections/Move/Action | Moves a Connection. | +> | Microsoft.Web/connections/Join/Action | Joins a Connection. | +> | microsoft.web/connections/confirmconsentcode/action | Confirm Connections Consent Code. | +> | microsoft.web/connections/listconsentlinks/action | List Consent Links for Connections. | +> | microsoft.web/connections/listConnectionKeys/action | Lists API Connections Keys. | +> | microsoft.web/connections/revokeConnectionKeys/action | Revokes API Connections Keys. | +> | microsoft.web/connections/dynamicInvoke/action | Dynamic Invoke a Connection. | +> | Microsoft.Web/connections/providers/Microsoft.Insights/metricDefinitions/Read | Gets the available metrics for API Connections | +> | Microsoft.Web/containerApps/read | Get the properties for a Container App | +> | Microsoft.Web/containerApps/write | Create a Container App or update an existing one | +> | Microsoft.Web/containerApps/delete | Delete a Container App | +> | Microsoft.Web/containerApps/listsecrets/action | List a Container App Secrets | +> | Microsoft.Web/containerApps/operationResults/read | Get the results of a Container App operation | +> | Microsoft.Web/containerApps/revisions/read | Get a Container App Revision | +> | Microsoft.Web/containerApps/revisions/activate/action | Activate a Container App Revision | +> | Microsoft.Web/containerApps/revisions/deactivate/action | Deactivate a Container App Revision | +> | Microsoft.Web/containerApps/revisions/deactivate/restart/action | Restart a Container App Revision | +> | Microsoft.Web/containerApps/sourcecontrols/read | Get a Container App Source Control | +> | Microsoft.Web/containerApps/sourcecontrols/write | 
Create or Update a Container App Source Control | +> | Microsoft.Web/containerApps/sourcecontrols/delete | Delete a Container App Source Control | +> | Microsoft.Web/customApis/Read | Get the list of Custom API. | +> | Microsoft.Web/customApis/Write | Creates or updates a Custom API. | +> | Microsoft.Web/customApis/Delete | Deletes a Custom API. | +> | Microsoft.Web/customApis/Move/Action | Moves a Custom API. | +> | Microsoft.Web/customApis/Join/Action | Joins a Custom API. | +> | Microsoft.Web/customApis/extractApiDefinitionFromWsdl/Action | Extracts API definition from a WSDL. | +> | Microsoft.Web/customApis/listWsdlInterfaces/Action | Lists WSDL interfaces for a Custom API. | +> | Microsoft.Web/customhostnameSites/Read | Get info about custom hostnames under subscription. | +> | Microsoft.Web/deletedSites/Read | Get the properties of a Deleted Web App | +> | microsoft.web/deploymentlocations/read | Get Deployment Locations. | +> | Microsoft.Web/freeTrialStaticWebApps/write | Creates or updates a free trial static web app. | +> | Microsoft.Web/freeTrialStaticWebApps/upgrade/action | Upgrades a free trial static web app. | +> | Microsoft.Web/freeTrialStaticWebApps/read | Lists free trial static web apps. | +> | Microsoft.Web/freeTrialStaticWebApps/delete | Deletes a free trial static web app. | +> | microsoft.web/functionappstacks/read | Get Function App Stacks. | +> | Microsoft.Web/geoRegions/Read | Get the list of Geo regions. 
| +> | Microsoft.Web/hostingEnvironments/Read | Get the properties of an App Service Environment | +> | Microsoft.Web/hostingEnvironments/Write | Create a new App Service Environment or update existing one | +> | Microsoft.Web/hostingEnvironments/Delete | Delete an App Service Environment | +> | Microsoft.Web/hostingEnvironments/Join/Action | Joins an App Service Environment | +> | Microsoft.Web/hostingEnvironments/reboot/Action | Reboot all machines in an App Service Environment | +> | Microsoft.Web/hostingEnvironments/upgrade/Action | Upgrades an App Service Environment | +> | Microsoft.Web/hostingEnvironments/testUpgradeAvailableNotification/Action | Send test upgrade notification for an App Service Environment | +> | Microsoft.Web/hostingEnvironments/PrivateEndpointConnectionsApproval/action | Approve Private Endpoint Connections | +> | microsoft.web/hostingenvironments/resume/action | Resume Hosting Environments. | +> | microsoft.web/hostingenvironments/suspend/action | Suspend Hosting Environments. | +> | microsoft.web/hostingenvironments/capacities/read | Get Hosting Environments Capacities. | +> | microsoft.web/hostingenvironments/configurations/read | Get Hosting Environment Configurations. | +> | microsoft.web/hostingenvironments/configurations/write | Update Hosting Environment Configurations. | +> | Microsoft.Web/hostingEnvironments/configurations/networking/Read | Get networking configuration of an App Service Environment | +> | Microsoft.Web/hostingEnvironments/configurations/networking/Write | Update networking configuration of an App Service Environment. | +> | microsoft.web/hostingenvironments/detectors/read | Get Hosting Environments Detectors. | +> | microsoft.web/hostingenvironments/diagnostics/read | Get Hosting Environments Diagnostics. | +> | Microsoft.Web/hostingEnvironments/eventGridFilters/delete | Delete Event Grid Filter on hosting environment. 
| +> | Microsoft.Web/hostingEnvironments/eventGridFilters/read | Get Event Grid Filter on hosting environment. | +> | Microsoft.Web/hostingEnvironments/eventGridFilters/write | Put Event Grid Filter on hosting environment. | +> | microsoft.web/hostingenvironments/health/read | Get the health details of an App Service Environment. | +> | microsoft.web/hostingenvironments/inboundnetworkdependenciesendpoints/read | Get the network endpoints of all inbound dependencies. | +> | microsoft.web/hostingenvironments/metricdefinitions/read | Get Hosting Environments Metric Definitions. | +> | Microsoft.Web/hostingEnvironments/multiRolePools/Read | Get the properties of a FrontEnd Pool in an App Service Environment | +> | Microsoft.Web/hostingEnvironments/multiRolePools/Write | Create a new FrontEnd Pool in an App Service Environment or update an existing one | +> | microsoft.web/hostingenvironments/multirolepools/metricdefinitions/read | Get Hosting Environments MultiRole Pools Metric Definitions. | +> | microsoft.web/hostingenvironments/multirolepools/metrics/read | Get Hosting Environments MultiRole Pools Metrics. | +> | Microsoft.Web/hostingEnvironments/multiRolePools/providers/Microsoft.Insights/metricDefinitions/Read | Gets the available metrics for App Service Environment MultiRole | +> | microsoft.web/hostingenvironments/multirolepools/skus/read | Get Hosting Environments MultiRole Pools SKUs. | +> | microsoft.web/hostingenvironments/multirolepools/usages/read | Get Hosting Environments MultiRole Pools Usages. | +> | microsoft.web/hostingenvironments/operations/read | Get Hosting Environments Operations. | +> | microsoft.web/hostingenvironments/outboundnetworkdependenciesendpoints/read | Get the network endpoints of all outbound dependencies. 
| +> | Microsoft.Web/hostingEnvironments/privateEndpointConnectionProxies/Read | Read Private Endpoint Connection Proxies | +> | Microsoft.Web/hostingEnvironments/privateEndpointConnectionProxies/Write | Create or Update Private Endpoint Connection Proxies | +> | Microsoft.Web/hostingEnvironments/privateEndpointConnectionProxies/Delete | Delete Private Endpoint Connection Proxies | +> | Microsoft.Web/hostingEnvironments/privateEndpointConnectionProxies/validate/action | Validate Private Endpoint Connection Proxies | +> | Microsoft.Web/hostingEnvironments/privateEndpointConnectionProxies/operations/Read | Read Private Endpoint Connection Proxy Operations | +> | Microsoft.Web/hostingEnvironments/privateEndpointConnections/Write | Approve or Reject a private endpoint connection. | +> | Microsoft.Web/hostingEnvironments/privateEndpointConnections/Read | Get a private endpoint connection or the list of private endpoint connections. | +> | Microsoft.Web/hostingEnvironments/privateEndpointConnections/Delete | Delete a private endpoint connection. | +> | Microsoft.Web/hostingEnvironments/privateLinkResources/Read | Get Private Link Resources. | +> | microsoft.web/hostingenvironments/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | microsoft.web/hostingenvironments/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | microsoft.web/hostingenvironments/providers/Microsoft.Insights/logDefinitions/read | Read hosting environments log definitions | +> | Microsoft.Web/hostingEnvironments/providers/Microsoft.Insights/metricDefinitions/Read | Gets the available metrics for App Service Environment | +> | microsoft.web/hostingenvironments/serverfarms/read | Get Hosting Environments App Service Plans. | +> | microsoft.web/hostingenvironments/sites/read | Get Hosting Environments Web Apps. 
| +> | microsoft.web/hostingenvironments/usages/read | Get Hosting Environments Usages. | +> | Microsoft.Web/hostingEnvironments/workerPools/Read | Get the properties of a Worker Pool in an App Service Environment | +> | Microsoft.Web/hostingEnvironments/workerPools/Write | Create a new Worker Pool in an App Service Environment or update an existing one | +> | microsoft.web/hostingenvironments/workerpools/metricdefinitions/read | Get Hosting Environments Workerpools Metric Definitions. | +> | microsoft.web/hostingenvironments/workerpools/metrics/read | Get Hosting Environments Workerpools Metrics. | +> | Microsoft.Web/hostingEnvironments/workerPools/providers/Microsoft.Insights/metricDefinitions/Read | Gets the available metrics for App Service Environment WorkerPool | +> | microsoft.web/hostingenvironments/workerpools/skus/read | Get Hosting Environments Workerpools SKUs. | +> | microsoft.web/hostingenvironments/workerpools/usages/read | Get Hosting Environments Workerpools Usages. | +> | microsoft.web/ishostingenvironmentnameavailable/read | Get if Hosting Environment Name is available. | +> | microsoft.web/ishostnameavailable/read | Check if Hostname is Available. | +> | microsoft.web/isusernameavailable/read | Check if Username is available. | +> | Microsoft.Web/kubeEnvironments/read | Get the properties of a Kubernetes Environment | +> | Microsoft.Web/kubeEnvironments/write | Create a Kubernetes Environment or update an existing one | +> | Microsoft.Web/kubeEnvironments/delete | Delete a Kubernetes Environment | +> | Microsoft.Web/kubeEnvironments/join/action | Joins a Kubernetes Environment | +> | Microsoft.Web/kubeEnvironments/operations/read | Get the operations for a Kubernetes Environment | +> | Microsoft.Web/listSitesAssignedToHostName/Read | Get names of sites assigned to hostname. 
| +> | Microsoft.Web/locations/GetNetworkPolicies/action | Read Network Intent Policies | +> | microsoft.web/locations/extractapidefinitionfromwsdl/action | Extract Api Definition from WSDL for Locations. | +> | microsoft.web/locations/listwsdlinterfaces/action | List WSDL Interfaces for Locations. | +> | microsoft.web/locations/deleteVirtualNetworkOrSubnets/action | Vnet or subnet deletion notification for Locations. | +> | microsoft.web/locations/validateDeleteVirtualNetworkOrSubnets/action | Validates deleting Vnet or subnet for Locations | +> | Microsoft.Web/locations/previewstaticsiteworkflowfile/action | Preview Static Site Workflow File | +> | microsoft.web/locations/apioperations/read | Get Locations API Operations. | +> | microsoft.web/locations/connectiongatewayinstallations/read | Get Locations Connection Gateway Installations. | +> | Microsoft.Web/locations/deletedSites/Read | Get the properties of a Deleted Web App at location | +> | microsoft.web/locations/functionappstacks/read | Get Function App Stacks for location. | +> | microsoft.web/locations/managedapis/read | Get Locations Managed APIs. | +> | Microsoft.Web/locations/managedapis/Join/Action | Joins a Managed API. | +> | microsoft.web/locations/managedapis/apioperations/read | Get Locations Managed API Operations. | +> | microsoft.web/locations/operationResults/read | Get Operations. | +> | microsoft.web/locations/operations/read | Get Operations. | +> | microsoft.web/locations/webappstacks/read | Get Web App Stacks for location. | +> | microsoft.web/operations/read | Get Operations. | +> | microsoft.web/publishingusers/read | Get Publishing Users. | +> | microsoft.web/publishingusers/write | Update Publishing Users. | +> | Microsoft.Web/recommendations/Read | Get the list of recommendations for subscriptions. | +> | microsoft.web/resourcehealthmetadata/read | Get Resource Health Metadata. 
| +> | Microsoft.Web/serverfarms/Read | Get the properties on an App Service Plan | +> | Microsoft.Web/serverfarms/Write | Create a new App Service Plan or update an existing one | +> | Microsoft.Web/serverfarms/Delete | Delete an existing App Service Plan | +> | Microsoft.Web/serverfarms/Join/Action | Joins an App Service Plan | +> | Microsoft.Web/serverfarms/restartSites/Action | Restart all Web Apps in an App Service Plan | +> | microsoft.web/serverfarms/capabilities/read | Get App Service Plans Capabilities. | +> | Microsoft.Web/serverfarms/eventGridFilters/delete | Delete Event Grid Filter on server farm. | +> | Microsoft.Web/serverfarms/eventGridFilters/read | Get Event Grid Filter on server farm. | +> | Microsoft.Web/serverfarms/eventGridFilters/write | Put Event Grid Filter on server farm. | +> | microsoft.web/serverfarms/firstpartyapps/keyvaultsettings/read | Get first party Azure Key vault referenced settings for App Service Plan. | +> | microsoft.web/serverfarms/firstpartyapps/keyvaultsettings/write | Create or Update first party Azure Key vault referenced settings for App Service Plan. | +> | microsoft.web/serverfarms/firstpartyapps/settings/delete | Delete App Service Plans First Party Apps Settings. | +> | microsoft.web/serverfarms/firstpartyapps/settings/read | Get App Service Plans First Party Apps Settings. | +> | microsoft.web/serverfarms/firstpartyapps/settings/write | Update App Service Plans First Party Apps Settings. | +> | microsoft.web/serverfarms/hybridconnectionnamespaces/relays/read | Get App Service Plans Hybrid Connection Namespaces Relays. | +> | microsoft.web/serverfarms/hybridconnectionnamespaces/relays/delete | Delete App Service Plans Hybrid Connection Namespaces Relays. | +> | microsoft.web/serverfarms/hybridconnectionnamespaces/relays/sites/read | Get App Service Plans Hybrid Connection Namespaces Relays Web Apps. 
| +> | microsoft.web/serverfarms/hybridconnectionplanlimits/read | Get App Service Plans Hybrid Connection Plan Limits. | +> | microsoft.web/serverfarms/hybridconnectionrelays/read | Get App Service Plans Hybrid Connection Relays. | +> | microsoft.web/serverfarms/metricdefinitions/read | Get App Service Plans Metric Definitions. | +> | microsoft.web/serverfarms/metrics/read | Get App Service Plans Metrics. | +> | microsoft.web/serverfarms/operationresults/read | Get App Service Plans Operation Results. | +> | microsoft.web/serverfarms/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | microsoft.web/serverfarms/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | Microsoft.Web/serverfarms/providers/Microsoft.Insights/metricDefinitions/Read | Gets the available metrics for App Service Plan | +> | Microsoft.Web/serverfarms/recommendations/Read | Get the list of recommendations for App Service Plan. | +> | microsoft.web/serverfarms/sites/read | Get App Service Plans Web Apps. | +> | microsoft.web/serverfarms/skus/read | Get App Service Plans SKUs. | +> | microsoft.web/serverfarms/usages/read | Get App Service Plans Usages. | +> | microsoft.web/serverfarms/virtualnetworkconnections/read | Get App Service Plans Virtual Network Connections. | +> | microsoft.web/serverfarms/virtualnetworkconnections/gateways/write | Update App Service Plans Virtual Network Connections Gateways. | +> | microsoft.web/serverfarms/virtualnetworkconnections/routes/delete | Delete App Service Plans Virtual Network Connections Routes. | +> | microsoft.web/serverfarms/virtualnetworkconnections/routes/read | Get App Service Plans Virtual Network Connections Routes. | +> | microsoft.web/serverfarms/virtualnetworkconnections/routes/write | Update App Service Plans Virtual Network Connections Routes. 
| +> | microsoft.web/serverfarms/workers/reboot/action | Reboot App Service Plans Workers. | +> | Microsoft.Web/sites/Read | Get the properties of a Web App | +> | Microsoft.Web/sites/Write | Create a new Web App or update an existing one | +> | Microsoft.Web/sites/Delete | Delete an existing Web App | +> | Microsoft.Web/sites/backup/Action | Create a new web app backup | +> | Microsoft.Web/sites/publishxml/Action | Get publishing profile xml for a Web App | +> | Microsoft.Web/sites/publish/Action | Publish a Web App | +> | Microsoft.Web/sites/restart/Action | Restart a Web App | +> | Microsoft.Web/sites/start/Action | Start a Web App | +> | Microsoft.Web/sites/startDevSession/Action | Start Limelight Session for a Web App | +> | Microsoft.Web/sites/stop/Action | Stop a Web App | +> | Microsoft.Web/sites/slotsswap/Action | Swap Web App deployment slots | +> | Microsoft.Web/sites/slotsdiffs/Action | Get differences in configuration between web app and slots | +> | Microsoft.Web/sites/applySlotConfig/Action | Apply web app slot configuration from target slot to the current web app | +> | Microsoft.Web/sites/resetSlotConfig/Action | Reset web app configuration | +> | Microsoft.Web/sites/PrivateEndpointConnectionsApproval/action | Approve Private Endpoint Connections | +> | microsoft.web/sites/deployWorkflowArtifacts/action | Create the artifacts in a Logic App. | +> | microsoft.web/sites/listworkflowsconnections/action | List logic app's connections by its ID in a Logic App. | +> | microsoft.web/sites/functions/action | Functions Web Apps. | +> | microsoft.web/sites/listsyncfunctiontriggerstatus/action | List Sync Function Trigger Status. | +> | microsoft.web/sites/networktrace/action | Network Trace Web Apps. | +> | microsoft.web/sites/newpassword/action | Newpassword Web Apps. | +> | microsoft.web/sites/sync/action | Sync Web Apps. | +> | microsoft.web/sites/migratemysql/action | Migrate MySQL Web Apps. | +> | microsoft.web/sites/recover/action | Recover Web Apps. 
| +> | microsoft.web/sites/restoresnapshot/action | Restore Web Apps Snapshots. | +> | microsoft.web/sites/restorefromdeletedapp/action | Restore Web Apps From Deleted App. | +> | microsoft.web/sites/syncfunctiontriggers/action | Sync Function Triggers. | +> | microsoft.web/sites/backups/action | Discovers an existing app backup that can be restored from a blob in Azure storage. | +> | microsoft.web/sites/containerlogs/action | Get Zipped Container Logs for Web App. | +> | microsoft.web/sites/restorefrombackupblob/action | Restore Web App From Backup Blob. | +> | microsoft.web/sites/listbackups/action | List Web App backups. | +> | microsoft.web/sites/slotcopy/action | Copy content from deployment slot. | +> | microsoft.web/sites/analyzecustomhostname/read | Analyze Custom Hostname. | +> | microsoft.web/sites/backup/read | Get Web Apps Backup. | +> | microsoft.web/sites/backup/write | Update Web Apps Backup. | +> | Microsoft.Web/sites/backups/Read | Get the properties of a web app's backup | +> | microsoft.web/sites/backups/list/action | List Web Apps Backups. | +> | microsoft.web/sites/backups/restore/action | Restore Web Apps Backups. | +> | microsoft.web/sites/backups/delete | Delete Web Apps Backups. | +> | microsoft.web/sites/backups/write | Update Web Apps Backups. 
| +> | Microsoft.Web/sites/basicPublishingCredentialsPolicies/Read | List which publishing methods are allowed for a Web App | +> | Microsoft.Web/sites/basicPublishingCredentialsPolicies/Write | List which publishing methods are allowed for a Web App | +> | Microsoft.Web/sites/basicPublishingCredentialsPolicies/ftp/Read | Get whether FTP publishing credentials are allowed for a Web App | +> | Microsoft.Web/sites/basicPublishingCredentialsPolicies/ftp/Write | Update whether FTP publishing credentials are allowed for a Web App | +> | Microsoft.Web/sites/basicPublishingCredentialsPolicies/scm/Read | Get whether SCM publishing credentials are allowed for a Web App | +> | Microsoft.Web/sites/basicPublishingCredentialsPolicies/scm/Write | Update whether SCM publishing credentials are allowed for a Web App | +> | Microsoft.Web/sites/config/Read | Get Web App configuration settings | +> | Microsoft.Web/sites/config/list/Action | List Web App's security sensitive settings, such as publishing credentials, app settings and connection strings | +> | Microsoft.Web/sites/config/Write | Update Web App's configuration settings | +> | microsoft.web/sites/config/delete | Delete Web Apps Config. | +> | microsoft.web/sites/config/appsettings/read | Get Web App settings. | +> | microsoft.web/sites/config/snapshots/read | Get Web Apps Config Snapshots. | +> | microsoft.web/sites/config/snapshots/listsecrets/action | Web Apps List Secrets From Snapshot. | +> | microsoft.web/sites/config/web/appsettings/read | Get Web App Single App setting. | +> | microsoft.web/sites/config/web/appsettings/write | Create or Update Web App Single App setting | +> | microsoft.web/sites/config/web/appsettings/delete | Delete Web Apps App Setting | +> | microsoft.web/sites/config/web/connectionstrings/read | Get Web App single connectionstring | +> | microsoft.web/sites/config/web/connectionstrings/write | Get Web App single App setting. 
| +> | microsoft.web/sites/config/web/connectionstrings/delete | Delete Web App single connection string | +> | microsoft.web/sites/containerlogs/download/action | Download Web Apps Container Logs. | +> | microsoft.web/sites/continuouswebjobs/delete | Delete Web Apps Continuous Web Jobs. | +> | microsoft.web/sites/continuouswebjobs/read | Get Web Apps Continuous Web Jobs. | +> | microsoft.web/sites/continuouswebjobs/start/action | Start Web Apps Continuous Web Jobs. | +> | microsoft.web/sites/continuouswebjobs/stop/action | Stop Web Apps Continuous Web Jobs. | +> | microsoft.web/sites/deployments/delete | Delete Web Apps Deployments. | +> | microsoft.web/sites/deployments/read | Get Web Apps Deployments. | +> | microsoft.web/sites/deployments/write | Update Web Apps Deployments. | +> | microsoft.web/sites/deployments/log/read | Get Web Apps Deployments Log. | +> | microsoft.web/sites/detectors/read | Get Web Apps Detectors. | +> | microsoft.web/sites/diagnostics/read | Get Web Apps Diagnostics Categories. | +> | microsoft.web/sites/diagnostics/analyses/read | Get Web Apps Diagnostics Analysis. | +> | microsoft.web/sites/diagnostics/analyses/execute/Action | Run Web Apps Diagnostics Analysis. | +> | microsoft.web/sites/diagnostics/aspnetcore/read | Get Web Apps Diagnostics for ASP.NET Core app. | +> | microsoft.web/sites/diagnostics/autoheal/read | Get Web Apps Diagnostics Autoheal. | +> | microsoft.web/sites/diagnostics/deployment/read | Get Web Apps Diagnostics Deployment. | +> | microsoft.web/sites/diagnostics/deployments/read | Get Web Apps Diagnostics Deployments. | +> | microsoft.web/sites/diagnostics/detectors/read | Get Web Apps Diagnostics Detector. | +> | microsoft.web/sites/diagnostics/detectors/execute/Action | Run Web Apps Diagnostics Detector. | +> | microsoft.web/sites/diagnostics/failedrequestsperuri/read | Get Web Apps Diagnostics Failed Requests Per Uri. 
| +> | microsoft.web/sites/diagnostics/frebanalysis/read | Get Web Apps Diagnostics FREB Analysis. | +> | microsoft.web/sites/diagnostics/loganalyzer/read | Get Web Apps Diagnostics Log Analyzer. | +> | microsoft.web/sites/diagnostics/runtimeavailability/read | Get Web Apps Diagnostics Runtime Availability. | +> | microsoft.web/sites/diagnostics/servicehealth/read | Get Web Apps Diagnostics Service Health. | +> | microsoft.web/sites/diagnostics/sitecpuanalysis/read | Get Web Apps Diagnostics Site CPU Analysis. | +> | microsoft.web/sites/diagnostics/sitecrashes/read | Get Web Apps Diagnostics Site Crashes. | +> | microsoft.web/sites/diagnostics/sitelatency/read | Get Web Apps Diagnostics Site Latency. | +> | microsoft.web/sites/diagnostics/sitememoryanalysis/read | Get Web Apps Diagnostics Site Memory Analysis. | +> | microsoft.web/sites/diagnostics/siterestartsettingupdate/read | Get Web Apps Diagnostics Site Restart Setting Update. | +> | microsoft.web/sites/diagnostics/siterestartuserinitiated/read | Get Web Apps Diagnostics Site Restart User Initiated. | +> | microsoft.web/sites/diagnostics/siteswap/read | Get Web Apps Diagnostics Site Swap. | +> | microsoft.web/sites/diagnostics/threadcount/read | Get Web Apps Diagnostics Thread Count. | +> | microsoft.web/sites/diagnostics/workeravailability/read | Get Web Apps Diagnostics Workeravailability. | +> | microsoft.web/sites/diagnostics/workerprocessrecycle/read | Get Web Apps Diagnostics Worker Process Recycle. | +> | microsoft.web/sites/domainownershipidentifiers/read | Get Web Apps Domain Ownership Identifiers. | +> | microsoft.web/sites/domainownershipidentifiers/write | Update Web Apps Domain Ownership Identifiers. | +> | microsoft.web/sites/domainownershipidentifiers/delete | Delete Web Apps Domain Ownership Identifiers. | +> | Microsoft.Web/sites/eventGridFilters/delete | Delete Event Grid Filter on web app. | +> | Microsoft.Web/sites/eventGridFilters/read | Get Event Grid Filter on web app. 
| +> | Microsoft.Web/sites/eventGridFilters/write | Put Event Grid Filter on web app. | +> | microsoft.web/sites/extensions/delete | Delete Web Apps Site Extensions. | +> | microsoft.web/sites/extensions/read | Get Web Apps Site Extensions. | +> | microsoft.web/sites/extensions/write | Update Web Apps Site Extensions. | +> | microsoft.web/sites/extensions/api/action | Invoke App Service Extensions APIs. | +> | microsoft.web/sites/functions/delete | Delete Web Apps Functions. | +> | microsoft.web/sites/functions/listsecrets/action | List Function secrets. | +> | microsoft.web/sites/functions/listkeys/action | List Function keys. | +> | microsoft.web/sites/functions/read | Get Web Apps Functions. | +> | microsoft.web/sites/functions/write | Update Web Apps Functions. | +> | microsoft.web/sites/functions/keys/write | Update Function keys. | +> | microsoft.web/sites/functions/keys/delete | Delete Function keys. | +> | microsoft.web/sites/functions/masterkey/read | Get Web Apps Functions Masterkey. | +> | microsoft.web/sites/functions/token/read | Get Web Apps Functions Token. | +> | microsoft.web/sites/host/listkeys/action | List Functions Host keys. | +> | microsoft.web/sites/host/sync/action | Sync Function Triggers. | +> | microsoft.web/sites/host/listsyncstatus/action | List Sync Function Triggers Status. | +> | microsoft.web/sites/host/functionkeys/write | Update Functions Host Function keys. | +> | microsoft.web/sites/host/functionkeys/delete | Delete Functions Host Function keys. | +> | microsoft.web/sites/host/systemkeys/write | Update Functions Host System keys. | +> | microsoft.web/sites/host/systemkeys/delete | Delete Functions Host System keys. | +> | microsoft.web/sites/hostnamebindings/delete | Delete Web Apps Hostname Bindings. | +> | microsoft.web/sites/hostnamebindings/read | Get Web Apps Hostname Bindings. | +> | microsoft.web/sites/hostnamebindings/write | Update Web Apps Hostname Bindings. 
| +> | Microsoft.Web/sites/hostruntime/host/action | Perform Function App runtime action like sync triggers, add functions, invoke functions, delete functions etc. | +> | microsoft.web/sites/hostruntime/functions/keys/read | Get Web Apps Hostruntime Functions Keys. | +> | microsoft.web/sites/hostruntime/host/read | Get Web Apps Hostruntime Host. | +> | Microsoft.Web/sites/hostruntime/host/_master/read | Get Function App's master key for admin operations | +> | microsoft.web/sites/hostruntime/webhooks/api/workflows/runs/read | List Web Apps Hostruntime Workflow Runs. | +> | microsoft.web/sites/hostruntime/webhooks/api/workflows/triggers/read | List Web Apps Hostruntime Workflow Triggers. | +> | microsoft.web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action | Get Web Apps Hostruntime Workflow Trigger Uri. | +> | microsoft.web/sites/hostruntime/webhooks/api/workflows/triggers/run/action | Run Web Apps Hostruntime Workflow Trigger. | +> | microsoft.web/sites/hybridconnection/delete | Delete Web Apps Hybrid Connection. | +> | microsoft.web/sites/hybridconnection/read | Get Web Apps Hybrid Connection. | +> | microsoft.web/sites/hybridconnection/write | Update Web Apps Hybrid Connection. | +> | microsoft.web/sites/hybridconnectionnamespaces/relays/delete | Delete Web Apps Hybrid Connection Namespaces Relays. | +> | microsoft.web/sites/hybridconnectionnamespaces/relays/listkeys/action | List Keys Web Apps Hybrid Connection Namespaces Relays. | +> | microsoft.web/sites/hybridconnectionnamespaces/relays/write | Update Web Apps Hybrid Connection Namespaces Relays. | +> | microsoft.web/sites/hybridconnectionnamespaces/relays/read | Get Web Apps Hybrid Connection Namespaces Relays. | +> | microsoft.web/sites/hybridconnectionrelays/read | Get Web Apps Hybrid Connection Relays. | +> | microsoft.web/sites/instances/read | Get Web Apps Instances. | +> | microsoft.web/sites/instances/deployments/read | Get Web Apps Instances Deployments. 
| +> | microsoft.web/sites/instances/deployments/delete | Delete Web Apps Instances Deployments. | +> | microsoft.web/sites/instances/extensions/read | Get Web Apps Instances Extensions. | +> | microsoft.web/sites/instances/extensions/log/read | Get Web Apps Instances Extensions Log. | +> | microsoft.web/sites/instances/extensions/processes/read | Get Web Apps Instances Extensions Processes. | +> | microsoft.web/sites/instances/processes/delete | Delete Web Apps Instances Processes. | +> | microsoft.web/sites/instances/processes/read | Get Web Apps Instances Processes. | +> | microsoft.web/sites/instances/processes/modules/read | Get Web Apps Instances Processes Modules. | +> | microsoft.web/sites/instances/processes/threads/read | Get Web Apps Instances Processes Threads. | +> | microsoft.web/sites/metricdefinitions/read | Get Web Apps Metric Definitions. | +> | microsoft.web/sites/metrics/read | Get Web Apps Metrics. | +> | microsoft.web/sites/metricsdefinitions/read | Get Web Apps Metrics Definitions. | +> | microsoft.web/sites/migratemysql/read | Get Web Apps Migrate MySQL. | +> | microsoft.web/sites/networkConfig/read | Get App Service Network Configuration. | +> | microsoft.web/sites/networkConfig/write | Update App Service Network Configuration. | +> | microsoft.web/sites/networkConfig/delete | Delete App Service Network Configuration. | +> | microsoft.web/sites/networkfeatures/read | Get Web App Features. | +> | microsoft.web/sites/networktraces/operationresults/read | Get Web Apps Network Trace Operation Results. | +> | microsoft.web/sites/operationresults/read | Get Web Apps Operation Results. | +> | microsoft.web/sites/operations/read | Get Web Apps Operations. | +> | microsoft.web/sites/perfcounters/read | Get Web Apps Performance Counters. | +> | microsoft.web/sites/premieraddons/delete | Delete Web Apps Premier Addons. | +> | microsoft.web/sites/premieraddons/read | Get Web Apps Premier Addons. 
| +> | microsoft.web/sites/premieraddons/write | Update Web Apps Premier Addons. | +> | microsoft.web/sites/privateaccess/read | Get data around private site access enablement and authorized Virtual Networks that can access the site. | +> | Microsoft.Web/sites/privateEndpointConnectionProxies/Read | Read Private Endpoint Connection Proxies | +> | Microsoft.Web/sites/privateEndpointConnectionProxies/Write | Create or Update Private Endpoint Connection Proxies | +> | Microsoft.Web/sites/privateEndpointConnectionProxies/Delete | Delete Private Endpoint Connection Proxies | +> | Microsoft.Web/sites/privateEndpointConnectionProxies/validate/action | Validate Private Endpoint Connection Proxies | +> | Microsoft.Web/sites/privateEndpointConnectionProxies/operations/Read | Read Private Endpoint Connection Proxy Operations | +> | Microsoft.Web/sites/privateEndpointConnections/Write | Approve or Reject a private endpoint connection. | +> | Microsoft.Web/sites/privateEndpointConnections/Read | Get a Private Endpoint Connection or the list of Private Endpoint Connections. | +> | Microsoft.Web/sites/privateEndpointConnections/Delete | Delete a Private Endpoint Connection. | +> | Microsoft.Web/sites/privateLinkResources/Read | Get Private Link Resources. | +> | microsoft.web/sites/processes/read | Get Web Apps Processes. | +> | microsoft.web/sites/processes/modules/read | Get Web Apps Processes Modules. | +> | microsoft.web/sites/processes/threads/read | Get Web Apps Processes Threads. 
| +> | microsoft.web/sites/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | microsoft.web/sites/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | microsoft.web/sites/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for Web App | +> | Microsoft.Web/sites/providers/Microsoft.Insights/metricDefinitions/Read | Gets the available metrics for Web App | +> | microsoft.web/sites/publiccertificates/delete | Delete Web Apps Public Certificates. | +> | microsoft.web/sites/publiccertificates/read | Get Web Apps Public Certificates. | +> | microsoft.web/sites/publiccertificates/write | Update Web Apps Public Certificates. | +> | microsoft.web/sites/publishxml/read | Get Web Apps Publishing XML. | +> | microsoft.web/sites/recommendationhistory/read | Get Web Apps Recommendation History. | +> | Microsoft.Web/sites/recommendations/Read | Get the list of recommendations for web app. | +> | microsoft.web/sites/recommendations/disable/action | Disable Web Apps Recommendations. | +> | microsoft.web/sites/resourcehealthmetadata/read | Get Web Apps Resource Health Metadata. | +> | microsoft.web/sites/restore/read | Get Web Apps Restore. | +> | microsoft.web/sites/restore/write | Restore Web Apps. | +> | microsoft.web/sites/siteextensions/delete | Delete Web Apps Site Extensions. | +> | microsoft.web/sites/siteextensions/read | Get Web Apps Site Extensions. | +> | microsoft.web/sites/siteextensions/write | Update Web Apps Site Extensions. | +> | Microsoft.Web/sites/slots/Write | Create a new Web App Slot or update an existing one | +> | Microsoft.Web/sites/slots/Delete | Delete an existing Web App Slot | +> | Microsoft.Web/sites/slots/backup/Action | Create new Web App Slot backup. 
| +> | Microsoft.Web/sites/slots/publishxml/Action | Get publishing profile xml for Web App Slot | +> | Microsoft.Web/sites/slots/publish/Action | Publish a Web App Slot | +> | Microsoft.Web/sites/slots/restart/Action | Restart a Web App Slot | +> | Microsoft.Web/sites/slots/start/Action | Start a Web App Slot | +> | Microsoft.Web/sites/slots/startDevSession/Action | Start Limelight Session for Web App Slot | +> | Microsoft.Web/sites/slots/stop/Action | Stop a Web App Slot | +> | Microsoft.Web/sites/slots/slotsswap/Action | Swap Web App deployment slots | +> | Microsoft.Web/sites/slots/slotsdiffs/Action | Get differences in configuration between web app and slots | +> | Microsoft.Web/sites/slots/applySlotConfig/Action | Apply web app slot configuration from target slot to the current slot. | +> | Microsoft.Web/sites/slots/resetSlotConfig/Action | Reset web app slot configuration | +> | Microsoft.Web/sites/slots/Read | Get the properties of a Web App deployment slot | +> | microsoft.web/sites/slots/deployWorkflowArtifacts/action | Create the artifacts in a deployment slot in a Logic App. | +> | microsoft.web/sites/slots/listworkflowsconnections/action | List logic app's connections by its ID in a deployment slot in a Logic App. | +> | microsoft.web/sites/slots/listsyncfunctiontriggerstatus/action | List Sync Function Trigger Status for deployment slot. | +> | microsoft.web/sites/slots/newpassword/action | Newpassword Web Apps Slots. | +> | microsoft.web/sites/slots/sync/action | Sync Web Apps Slots. | +> | microsoft.web/sites/slots/syncfunctiontriggers/action | Sync Function Triggers for deployment slot. | +> | microsoft.web/sites/slots/networktrace/action | Network Trace Web Apps Slots. | +> | microsoft.web/sites/slots/recover/action | Recover Web Apps Slots. | +> | microsoft.web/sites/slots/restoresnapshot/action | Restore Web Apps Slots Snapshots. | +> | microsoft.web/sites/slots/restorefromdeletedapp/action | Restore Web App Slots From Deleted App. 
| +> | microsoft.web/sites/slots/backups/action | Discover Web Apps Slots Backups. | +> | microsoft.web/sites/slots/containerlogs/action | Get Zipped Container Logs for Web App Slot. | +> | microsoft.web/sites/slots/restorefrombackupblob/action | Restore Web Apps Slot From Backup Blob. | +> | microsoft.web/sites/slots/listbackups/action | List Web App Slot backups. | +> | microsoft.web/sites/slots/slotcopy/action | Copy content from one deployment slot to another. | +> | microsoft.web/sites/slots/analyzecustomhostname/read | Get Web Apps Slots Analyze Custom Hostname. | +> | microsoft.web/sites/slots/backup/write | Update Web Apps Slots Backup. | +> | microsoft.web/sites/slots/backup/read | Get Web Apps Slots Backup. | +> | Microsoft.Web/sites/slots/backups/Read | Get the properties of a web app slots' backup | +> | microsoft.web/sites/slots/backups/list/action | List Web Apps Slots Backups. | +> | microsoft.web/sites/slots/backups/restore/action | Restore Web Apps Slots Backups. | +> | microsoft.web/sites/slots/backups/delete | Delete Web Apps Slots Backups. 
| +> | Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/Read | List which publishing credentials are allowed for a Web App Slot | +> | Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/Write | List which publishing credentials are allowed for a Web App Slot | +> | Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/ftp/Read | Get whether FTP publishing credentials are allowed for a Web App Slot | +> | Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/ftp/Write | Update whether FTP publishing credentials are allowed for a Web App Slot | +> | Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/scm/Read | Get whether SCM publishing credentials are allowed for a Web App Slot | +> | Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/scm/Write | Update whether SCM publishing credentials are allowed for a Web App Slot | +> | Microsoft.Web/sites/slots/config/Read | Get Web App Slot's configuration settings | +> | Microsoft.Web/sites/slots/config/list/Action | List Web App Slot's security sensitive settings, such as publishing credentials, app settings and connection strings | +> | Microsoft.Web/sites/slots/config/Write | Update Web App Slot's configuration settings | +> | microsoft.web/sites/slots/config/delete | Delete Web Apps Slots Config. | +> | microsoft.web/sites/slots/config/validateupgradepath/action | Validate upgrade path for Web App. | +> | microsoft.web/sites/slots/config/validateupgradepath/action | Validate upgrade path for Web App Slot. | +> | microsoft.web/sites/slots/config/appsettings/read | Get Web App Slot settings. | +> | microsoft.web/sites/slots/config/appsettings/read | Get Web App Slot's single App setting. | +> | microsoft.web/sites/slots/config/appsettings/write | Create or Update Web App Slot's Single App setting | +> | microsoft.web/sites/slots/config/snapshots/read | Get Web App Slots Config Snapshots. 
| +> | microsoft.web/sites/slots/config/snapshots/listsecrets/action | Web Apps List Slot Secrets From Snapshot. | +> | microsoft.web/sites/slots/config/web/appsettings/delete | Delete Web App Slot's App Setting | +> | microsoft.web/sites/slots/config/web/connectionstrings/read | Get Web App Slot's single connection string | +> | microsoft.web/sites/slots/config/web/connectionstrings/write | Create or Update Web App Slot's single sonnection string | +> | microsoft.web/sites/slots/config/web/connectionstrings/delete | Delete Web App slot's single connection string | +> | microsoft.web/sites/slots/containerlogs/download/action | Download Web Apps Slots Container Logs. | +> | microsoft.web/sites/slots/continuouswebjobs/delete | Delete Web Apps Slots Continuous Web Jobs. | +> | microsoft.web/sites/slots/continuouswebjobs/read | Get Web Apps Slots Continuous Web Jobs. | +> | microsoft.web/sites/slots/continuouswebjobs/start/action | Start Web Apps Slots Continuous Web Jobs. | +> | microsoft.web/sites/slots/continuouswebjobs/stop/action | Stop Web Apps Slots Continuous Web Jobs. | +> | microsoft.web/sites/slots/deployments/delete | Delete Web Apps Slots Deployments. | +> | microsoft.web/sites/slots/deployments/read | Get Web Apps Slots Deployments. | +> | microsoft.web/sites/slots/deployments/write | Update Web Apps Slots Deployments. | +> | microsoft.web/sites/slots/deployments/log/read | Get Web Apps Slots Deployments Log. | +> | microsoft.web/sites/slots/detectors/read | Get Web Apps Slots Detectors. | +> | microsoft.web/sites/slots/diagnostics/read | Get Web Apps Slots Diagnostics. | +> | microsoft.web/sites/slots/diagnostics/analyses/read | Get Web Apps Slots Diagnostics Analysis. | +> | microsoft.web/sites/slots/diagnostics/analyses/execute/Action | Run Web Apps Slots Diagnostics Analysis. | +> | microsoft.web/sites/slots/diagnostics/aspnetcore/read | Get Web Apps Slots Diagnostics for ASP.NET Core app. 
| +> | microsoft.web/sites/slots/diagnostics/autoheal/read | Get Web Apps Slots Diagnostics Autoheal. | +> | microsoft.web/sites/slots/diagnostics/deployment/read | Get Web Apps Slots Diagnostics Deployment. | +> | microsoft.web/sites/slots/diagnostics/deployments/read | Get Web Apps Slots Diagnostics Deployments. | +> | microsoft.web/sites/slots/diagnostics/detectors/read | Get Web Apps Slots Diagnostics Detector. | +> | microsoft.web/sites/slots/diagnostics/detectors/execute/Action | Run Web Apps Slots Diagnostics Detector. | +> | microsoft.web/sites/slots/diagnostics/frebanalysis/read | Get Web Apps Slots Diagnostics FREB Analysis. | +> | microsoft.web/sites/slots/diagnostics/loganalyzer/read | Get Web Apps Slots Diagnostics Log Analyzer. | +> | microsoft.web/sites/slots/diagnostics/runtimeavailability/read | Get Web Apps Slots Diagnostics Runtime Availability. | +> | microsoft.web/sites/slots/diagnostics/servicehealth/read | Get Web Apps Slots Diagnostics Service Health. | +> | microsoft.web/sites/slots/diagnostics/sitecpuanalysis/read | Get Web Apps Slots Diagnostics Site CPU Analysis. | +> | microsoft.web/sites/slots/diagnostics/sitecrashes/read | Get Web Apps Slots Diagnostics Site Crashes. | +> | microsoft.web/sites/slots/diagnostics/sitelatency/read | Get Web Apps Slots Diagnostics Site Latency. | +> | microsoft.web/sites/slots/diagnostics/sitememoryanalysis/read | Get Web Apps Slots Diagnostics Site Memory Analysis. | +> | microsoft.web/sites/slots/diagnostics/siterestartsettingupdate/read | Get Web Apps Slots Diagnostics Site Restart Setting Update. | +> | microsoft.web/sites/slots/diagnostics/siterestartuserinitiated/read | Get Web Apps Slots Diagnostics Site Restart User Initiated. | +> | microsoft.web/sites/slots/diagnostics/siteswap/read | Get Web Apps Slots Diagnostics Site Swap. | +> | microsoft.web/sites/slots/diagnostics/threadcount/read | Get Web Apps Slots Diagnostics Thread Count. 
| +> | microsoft.web/sites/slots/diagnostics/workeravailability/read | Get Web Apps Slots Diagnostics Workeravailability. | +> | microsoft.web/sites/slots/diagnostics/workerprocessrecycle/read | Get Web Apps Slots Diagnostics Worker Process Recycle. | +> | microsoft.web/sites/slots/domainownershipidentifiers/read | Get Web Apps Slots Domain Ownership Identifiers. | +> | microsoft.web/sites/slots/domainownershipidentifiers/write | Update Web App Slots Domain Ownership Identifiers. | +> | microsoft.web/sites/slots/domainownershipidentifiers/delete | Delete Web App Slots Domain Ownership Identifiers. | +> | microsoft.web/sites/slots/extensions/read | Get Web Apps Slots Extensions. | +> | microsoft.web/sites/slots/extensions/write | Update Web Apps Slots Extensions. | +> | microsoft.web/sites/slots/extensions/api/action | Invoke App Service Slots Extensions APIs. | +> | microsoft.web/sites/slots/functions/listkeys/action | List Function keys. | +> | microsoft.web/sites/slots/functions/read | Get Web Apps Slots Functions. | +> | microsoft.web/sites/slots/functions/listsecrets/action | List Secrets Web Apps Slots Functions. | +> | microsoft.web/sites/slots/functions/keys/write | Update Function keys. | +> | microsoft.web/sites/slots/functions/keys/delete | Delete Function keys. | +> | microsoft.web/sites/slots/host/listkeys/action | List Functions Host keys. | +> | microsoft.web/sites/slots/host/sync/action | Sync Function Triggers. | +> | microsoft.web/sites/slots/host/functionkeys/write | Update Functions Host Function keys. | +> | microsoft.web/sites/slots/host/functionkeys/delete | Delete Functions Host Function keys. | +> | microsoft.web/sites/slots/host/systemkeys/write | Update Functions Host System keys. | +> | microsoft.web/sites/slots/host/systemkeys/delete | Delete Functions Host System keys. | +> | microsoft.web/sites/slots/hostnamebindings/delete | Delete Web Apps Slots Hostname Bindings. 
| +> | microsoft.web/sites/slots/hostnamebindings/read | Get Web Apps Slots Hostname Bindings. | +> | microsoft.web/sites/slots/hostnamebindings/write | Update Web Apps Slots Hostname Bindings. | +> | microsoft.web/sites/slots/hybridconnection/delete | Delete Web Apps Slots Hybrid Connection. | +> | microsoft.web/sites/slots/hybridconnection/read | Get Web Apps Slots Hybrid Connection. | +> | microsoft.web/sites/slots/hybridconnection/write | Update Web Apps Slots Hybrid Connection. | +> | microsoft.web/sites/slots/hybridconnectionnamespaces/relays/delete | Delete Web Apps Slots Hybrid Connection Namespaces Relays. | +> | microsoft.web/sites/slots/hybridconnectionnamespaces/relays/write | Update Web Apps Slots Hybrid Connection Namespaces Relays. | +> | microsoft.web/sites/slots/hybridconnectionrelays/read | Get Web Apps Slots Hybrid Connection Relays. | +> | microsoft.web/sites/slots/instances/read | Get Web Apps Slots Instances. | +> | microsoft.web/sites/slots/instances/deployments/read | Get Web Apps Slots Instances Deployments. | +> | microsoft.web/sites/slots/instances/processes/read | Get Web Apps Slots Instances Processes. | +> | microsoft.web/sites/slots/instances/processes/delete | Delete Web Apps Slots Instances Processes. | +> | microsoft.web/sites/slots/metricdefinitions/read | Get Web Apps Slots Metric Definitions. | +> | microsoft.web/sites/slots/metrics/read | Get Web Apps Slots Metrics. | +> | microsoft.web/sites/slots/migratemysql/read | Get Web Apps Slots Migrate MySQL. | +> | microsoft.web/sites/slots/networkConfig/read | Get App Service Slots Network Configuration. | +> | microsoft.web/sites/slots/networkConfig/write | Update App Service Slots Network Configuration. | +> | microsoft.web/sites/slots/networkConfig/delete | Delete App Service Slots Network Configuration. | +> | microsoft.web/sites/slots/networkfeatures/read | Get Web App Slot Features. 
| +> | microsoft.web/sites/slots/networktraces/operationresults/read | Get Web Apps Slots Network Trace Operation Results. | +> | microsoft.web/sites/slots/operationresults/read | Get Web Apps Slots Operation Results. | +> | microsoft.web/sites/slots/operations/read | Get Web Apps Slots Operations. | +> | microsoft.web/sites/slots/perfcounters/read | Get Web Apps Slots Performance Counters. | +> | microsoft.web/sites/slots/phplogging/read | Get Web Apps Slots Phplogging. | +> | microsoft.web/sites/slots/premieraddons/delete | Delete Web Apps Slots Premier Addons. | +> | microsoft.web/sites/slots/premieraddons/read | Get Web Apps Slots Premier Addons. | +> | microsoft.web/sites/slots/premieraddons/write | Update Web Apps Slots Premier Addons. | +> | microsoft.web/sites/slots/privateaccess/read | Get data around private site access enablement and authorized Virtual Networks that can access the site. | +> | microsoft.web/sites/slots/processes/read | Get Web Apps Slots Processes. | +> | microsoft.web/sites/slots/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the resource | +> | microsoft.web/sites/slots/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the resource | +> | microsoft.web/sites/slots/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for Web App slots | +> | Microsoft.Web/sites/slots/providers/Microsoft.Insights/metricDefinitions/Read | Gets the available metrics for Web App Slot | +> | microsoft.web/sites/slots/publiccertificates/read | Get Web Apps Slots Public Certificates. | +> | microsoft.web/sites/slots/publiccertificates/write | Create or Update Web Apps Slots Public Certificates. | +> | microsoft.web/sites/slots/publiccertificates/delete | Delete Web Apps Slots Public Certificates. | +> | microsoft.web/sites/slots/resourcehealthmetadata/read | Get Web Apps Slots Resource Health Metadata. 
| +> | microsoft.web/sites/slots/restore/read | Get Web Apps Slots Restore. | +> | microsoft.web/sites/slots/restore/write | Restore Web Apps Slots. | +> | microsoft.web/sites/slots/siteextensions/delete | Delete Web Apps Slots Site Extensions. | +> | microsoft.web/sites/slots/siteextensions/read | Get Web Apps Slots Site Extensions. | +> | microsoft.web/sites/slots/siteextensions/write | Update Web Apps Slots Site Extensions. | +> | microsoft.web/sites/slots/snapshots/read | Get Web Apps Slots Snapshots. | +> | Microsoft.Web/sites/slots/sourcecontrols/Read | Get Web App Slot's source control configuration settings | +> | Microsoft.Web/sites/slots/sourcecontrols/Write | Update Web App Slot's source control configuration settings | +> | Microsoft.Web/sites/slots/sourcecontrols/Delete | Delete Web App Slot's source control configuration settings | +> | microsoft.web/sites/slots/triggeredwebjobs/delete | Delete Web Apps Slots Triggered WebJobs. | +> | microsoft.web/sites/slots/triggeredwebjobs/read | Get Web Apps Slots Triggered WebJobs. | +> | microsoft.web/sites/slots/triggeredwebjobs/run/action | Run Web Apps Slots Triggered WebJobs. | +> | microsoft.web/sites/slots/usages/read | Get Web Apps Slots Usages. | +> | microsoft.web/sites/slots/virtualnetworkconnections/delete | Delete Web Apps Slots Virtual Network Connections. | +> | microsoft.web/sites/slots/virtualnetworkconnections/read | Get Web Apps Slots Virtual Network Connections. | +> | microsoft.web/sites/slots/virtualnetworkconnections/write | Update Web Apps Slots Virtual Network Connections. | +> | microsoft.web/sites/slots/virtualnetworkconnections/gateways/write | Update Web Apps Slots Virtual Network Connections Gateways. | +> | microsoft.web/sites/slots/webjobs/read | Get Web Apps Slots WebJobs. | +> | microsoft.web/sites/slots/workflows/read | List the workflows in a deployment slot in a Logic App. 
| +> | microsoft.web/sites/slots/workflowsconfiguration/read | Get logic app's configuration information by its ID in a deployment slot in a Logic App. | +> | microsoft.web/sites/snapshots/read | Get Web Apps Snapshots. | +> | Microsoft.Web/sites/sourcecontrols/Read | Get Web App's source control configuration settings | +> | Microsoft.Web/sites/sourcecontrols/Write | Update Web App's source control configuration settings | +> | Microsoft.Web/sites/sourcecontrols/Delete | Delete Web App's source control configuration settings | +> | microsoft.web/sites/triggeredwebjobs/delete | Delete Web Apps Triggered WebJobs. | +> | microsoft.web/sites/triggeredwebjobs/read | Get Web Apps Triggered WebJobs. | +> | microsoft.web/sites/triggeredwebjobs/run/action | Run Web Apps Triggered WebJobs. | +> | microsoft.web/sites/triggeredwebjobs/history/read | Get Web Apps Triggered WebJobs History. | +> | microsoft.web/sites/usages/read | Get Web Apps Usages. | +> | microsoft.web/sites/virtualnetworkconnections/delete | Delete Web Apps Virtual Network Connections. | +> | microsoft.web/sites/virtualnetworkconnections/read | Get Web Apps Virtual Network Connections. | +> | microsoft.web/sites/virtualnetworkconnections/write | Update Web Apps Virtual Network Connections. | +> | microsoft.web/sites/virtualnetworkconnections/gateways/read | Get Web Apps Virtual Network Connections Gateways. | +> | microsoft.web/sites/virtualnetworkconnections/gateways/write | Update Web Apps Virtual Network Connections Gateways. | +> | microsoft.web/sites/webjobs/read | Get Web Apps WebJobs. | +> | microsoft.web/sites/workflows/read | List the workflows in a Logic App. | +> | microsoft.web/sites/workflowsconfiguration/read | Get logic app's configuration information by its ID in a Logic App. | +> | microsoft.web/skus/read | Get SKUs. | +> | microsoft.web/sourcecontrols/read | Get Source Controls. | +> | microsoft.web/sourcecontrols/write | Update Source Controls. 
| +> | Microsoft.Web/staticSites/Read | Get the properties of a Static Site | +> | Microsoft.Web/staticSites/Write | Create a new Static Site or update an existing one | +> | Microsoft.Web/staticSites/Delete | Delete an existing Static Site | +> | Microsoft.Web/staticSites/validateCustomDomainOwnership/action | Validate the custom domain ownership for a static site | +> | Microsoft.Web/staticSites/createinvitation/action | Creates invitiation link for static site user for a set of roles | +> | Microsoft.Web/staticSites/listConfiguredRoles/action | Lists the roles configured for the static site. | +> | Microsoft.Web/staticSites/listfunctionappsettings/Action | List function app settings for a Static Site | +> | Microsoft.Web/staticSites/listappsettings/Action | List app settings for a Static Site | +> | Microsoft.Web/staticSites/detach/Action | Detach a Static Site from the currently linked repository | +> | Microsoft.Web/staticSites/getuser/Action | Get a user's information for a Static Site | +> | Microsoft.Web/staticSites/listsecrets/action | List the secrets for a Static Site | +> | Microsoft.Web/staticSites/resetapikey/Action | Reset the api key for a Static Site | +> | Microsoft.Web/staticSites/zipdeploy/action | Deploy a Static Site from zipped content | +> | Microsoft.Web/staticSites/showDatabaseConnections/action | Show details for Database Connections for a Static Site | +> | Microsoft.Web/staticSites/authproviders/listusers/Action | List the users for a Static Site | +> | Microsoft.Web/staticSites/authproviders/users/Delete | Delete a user for a Static Site | +> | Microsoft.Web/staticSites/authproviders/users/Write | Update a user for a Static Site | +> | Microsoft.Web/staticSites/build/Read | Get a build for a Static Site | +> | Microsoft.Web/staticSites/build/Delete | Delete a build for a Static Site | +> | Microsoft.Web/staticSites/builds/listfunctionappsettings/Action | List function app settings for a Static Site Build | +> | 
Microsoft.Web/staticSites/builds/listappsettings/Action | List app settings for a Static Site Build | +> | Microsoft.Web/staticSites/builds/zipdeploy/action | Deploy a Static Site Build from zipped content | +> | Microsoft.Web/staticSites/builds/showDatabaseConnections/action | Show details for Database Connections for a Static Site Build | +> | Microsoft.Web/staticSites/builds/config/Write | Create or update app settings for a Static Site Build | +> | Microsoft.Web/staticSites/builds/databaseConnections/Delete | Delete a Database Connection from a Static Site Build | +> | Microsoft.Web/staticSites/builds/databaseConnections/Read | Get Static Site Build Database Connections | +> | Microsoft.Web/staticSites/builds/databaseConnections/Write | Create or Update a Database Connection with a Static Site Build | +> | Microsoft.Web/staticSites/builds/databaseConnections/show/action | Show details for a Database Connection for a Static Site Build | +> | Microsoft.Web/staticSites/builds/functions/Read | List the functions for a Static Site Build | +> | Microsoft.Web/staticSites/builds/linkedBackends/validate/action | Validate a Linked Backend for a Static Site Build | +> | Microsoft.Web/staticSites/builds/linkedBackends/Delete | Unlink a Backend from a Static Site Build | +> | Microsoft.Web/staticSites/builds/linkedBackends/Read | Get Static Site Build Linked Backends | +> | Microsoft.Web/staticSites/builds/linkedBackends/Write | Register a Linked Backend with a Static Site Build | +> | Microsoft.Web/staticSites/builds/userProvidedFunctionApps/Delete | Detach a User Provided Function App from a Static Site Build | +> | Microsoft.Web/staticSites/builds/userProvidedFunctionApps/Read | Get Static Site Build User Provided Function Apps | +> | Microsoft.Web/staticSites/builds/userProvidedFunctionApps/Write | Register a User Provided Function App with a Static Site Build | +> | Microsoft.Web/staticSites/config/Write | Create or update app settings for a Static Site | +> | 
Microsoft.Web/staticSites/customdomains/Write | Create a custom domain for a Static Site | +> | Microsoft.Web/staticSites/customdomains/Delete | Delete a custom domain for a Static Site | +> | Microsoft.Web/staticSites/customdomains/Read | List the custom domains for a Static Site | +> | Microsoft.Web/staticSites/customdomains/validate/Action | Validate a custom domain can be added to a Static Site | +> | Microsoft.Web/staticSites/databaseConnections/Delete | Delete a Database Connection from a Static Site | +> | Microsoft.Web/staticSites/databaseConnections/Read | Get Static Site Database Connection | +> | Microsoft.Web/staticSites/databaseConnections/Write | Create or Update a Database Connection with a Static Site | +> | Microsoft.Web/staticSites/databaseConnections/show/action | Show details for a Database Connection for a Static Site | +> | Microsoft.Web/staticSites/functions/Read | List the functions for a Static Site | +> | Microsoft.Web/staticSites/linkedBackends/validate/action | Validate a Linked Backend for a Static Site | +> | Microsoft.Web/staticSites/linkedBackends/Delete | Unlink a Backend from a Static Site | +> | Microsoft.Web/staticSites/linkedBackends/Read | Get Static Site Linked Backends | +> | Microsoft.Web/staticSites/linkedBackends/Write | Register a Linked Backend with a Static Site | +> | Microsoft.Web/staticSites/privateEndpointConnectionProxies/validate/action | Validate Private Endpoint Connection Proxies for a Static Site | +> | Microsoft.Web/staticSites/privateEndpointConnectionProxies/Write | Create or Update Private Endpoint Connection Proxies for a Static Site | +> | Microsoft.Web/staticSites/privateEndpointConnectionProxies/Delete | Delete Private Endpoint Connection Proxies for a Static Site | +> | Microsoft.Web/staticSites/privateEndpointConnectionProxies/Read | Get Private Endpoint Connection Proxies for a Static Site | +> | Microsoft.Web/staticSites/privateEndpointConnectionProxies/operations/Read | Read Private Endpoint 
Connection Proxy Operations for a Static Site | +> | Microsoft.Web/staticSites/privateEndpointConnections/Write | Approve or Reject Private Endpoint Connection for a Static Site | +> | Microsoft.Web/staticSites/privateEndpointConnections/Read | Get a private endpoint connection or the list of private endpoint connections for a static site | +> | Microsoft.Web/staticSites/privateEndpointConnections/Delete | Delete a Private Endpoint Connection for a Static Site | +> | Microsoft.Web/staticSites/privateLinkResources/Read | Get Private Link Resources | +> | Microsoft.Web/staticSites/providers/Microsoft.Insights/metricDefinitions/Read | Gets the available metrics for Static Site | +> | Microsoft.Web/staticSites/userProvidedFunctionApps/Delete | Detach a User Provided Function App from a Static Site | +> | Microsoft.Web/staticSites/userProvidedFunctionApps/Read | Get Static Site User Provided Function Apps | +> | Microsoft.Web/staticSites/userProvidedFunctionApps/Write | Register a User Provided Function App with a Static Site | +> | microsoft.web/webappstacks/read | Get Web App Stacks. | +> | Microsoft.Web/workerApps/read | Get the properties for a Worker App | +> | Microsoft.Web/workerApps/write | Create a Worker App or update an existing one | +> | Microsoft.Web/workerApps/delete | Delete a Worker App | +> | Microsoft.Web/workerApps/operationResults/read | Get the results of a Worker App operation | ++## Next steps ++- [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types) |
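Review bot: several of the added `microsoft.web` rows carry descriptions that do not match the operation they name, and two operations are listed twice. In the `sites/slots` block, `Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/Write` is described as "List which publishing credentials are allowed for a Web App Slot", the same text as the `/Read` row directly above it; a `Write` action should read "Update which publishing credentials are allowed for a Web App Slot", matching the `ftp/Write` and `scm/Write` rows that follow. In the same block, `microsoft.web/sites/slots/config/validateupgradepath/action` appears twice with different descriptions ("Validate upgrade path for Web App." and "Validate upgrade path for Web App Slot."), and `microsoft.web/sites/slots/config/appsettings/read` appears twice ("Get Web App Slot settings." and "Get Web App Slot's single App setting."); each operation name should appear once, keeping the slot-specific description, since a reader auditing a custom role cannot tell which description applies. Two typos in added rows: "Create or Update Web App Slot's single sonnection string" should read "connection string", and "Creates invitiation link for static site user" under `Microsoft.Web/staticSites/createinvitation/action` should read "invitation link".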
role-based-access-control | Resource Provider Operations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/resource-provider-operations.md | Title: Azure resource provider operations -description: Lists the operations for Azure resource providers. -+ Title: Azure permissions - Azure RBAC +description: Lists the permissions for Azure resource providers. Last updated 02/07/2024 -# Azure resource provider operations --This section lists the operations for Azure resource providers, which are used in built-in roles. You can use these operations in your own [Azure custom roles](custom-roles.md) to provide granular access control to resources in Azure. The resource provider operations are always evolving. To get the latest operations, use [Get-AzProviderOperation](/powershell/module/az.resources/get-azprovideroperation) or [az provider operation list](/cli/azure/provider/operation#az-provider-operation-list). --Click the resource provider name in the following table to see the list of operations. 
--## All --| General | -| | -| [Microsoft.Addons](#microsoftaddons) | -| [Microsoft.Marketplace](#microsoftmarketplace) | -| [Microsoft.MarketplaceOrdering](#microsoftmarketplaceordering) | -| [Microsoft.Quota](#microsoftquota) | -| [Microsoft.ResourceHealth](#microsoftresourcehealth) | -| [Microsoft.Support](#microsoftsupport) | -| **Compute** | -| [microsoft.app](#microsoftapp) | -| [Microsoft.ClassicCompute](#microsoftclassiccompute) | -| [Microsoft.Compute](#microsoftcompute) | -| [Microsoft.ServiceFabric](#microsoftservicefabric) | -| **Networking** | -| [Microsoft.Cdn](#microsoftcdn) | -| [Microsoft.ClassicNetwork](#microsoftclassicnetwork) | -| [Microsoft.HybridConnectivity](#microsofthybridconnectivity) | -| [Microsoft.MobileNetwork](#microsoftmobilenetwork) | -| [Microsoft.Network](#microsoftnetwork) | -| **Storage** | -| [Microsoft.ClassicStorage](#microsoftclassicstorage) | -| [Microsoft.DataBox](#microsoftdatabox) | -| [Microsoft.DataShare](#microsoftdatashare) | -| [Microsoft.ElasticSan](#microsoftelasticsan) | -| [Microsoft.NetApp](#microsoftnetapp) | -| [Microsoft.Storage](#microsoftstorage) | -| [Microsoft.StorageCache](#microsoftstoragecache) | -| [Microsoft.StorageSync](#microsoftstoragesync) | -| **Web** | -| [Microsoft.AppPlatform](#microsoftappplatform) | -| [Microsoft.CertificateRegistration](#microsoftcertificateregistration) | -| [Microsoft.Communication](#microsoftcommunication) | -| [Microsoft.DomainRegistration](#microsoftdomainregistration) | -| [Microsoft.Maps](#microsoftmaps) | -| [Microsoft.Media](#microsoftmedia) | -| [Microsoft.Search](#microsoftsearch) | -| [Microsoft.SignalRService](#microsoftsignalrservice) | -| [microsoft.web](#microsoftweb) | -| **Containers** | -| [Microsoft.ContainerInstance](#microsoftcontainerinstance) | -| [Microsoft.ContainerRegistry](#microsoftcontainerregistry) | -| [Microsoft.ContainerService](#microsoftcontainerservice) | -| [Microsoft.RedHatOpenShift](#microsoftredhatopenshift) | -| **Databases** | 
-| [Microsoft.Cache](#microsoftcache) | -| [Microsoft.DataFactory](#microsoftdatafactory) | -| [Microsoft.DataMigration](#microsoftdatamigration) | -| [Microsoft.DBforMariaDB](#microsoftdbformariadb) | -| [Microsoft.DBforMySQL](#microsoftdbformysql) | -| [Microsoft.DBforPostgreSQL](#microsoftdbforpostgresql) | -| [Microsoft.DocumentDB](#microsoftdocumentdb) | -| [Microsoft.Sql](#microsoftsql) | -| [Microsoft.SqlVirtualMachine](#microsoftsqlvirtualmachine) | -| **Analytics** | -| [Microsoft.AnalysisServices](#microsoftanalysisservices) | -| [Microsoft.Databricks](#microsoftdatabricks) | -| [Microsoft.DataLakeAnalytics](#microsoftdatalakeanalytics) | -| [Microsoft.DataLakeStore](#microsoftdatalakestore) | -| [Microsoft.EventHub](#microsofteventhub) | -| [Microsoft.HDInsight](#microsofthdinsight) | -| [Microsoft.Kusto](#microsoftkusto) | -| [Microsoft.PowerBIDedicated](#microsoftpowerbidedicated) | -| [Microsoft.StreamAnalytics](#microsoftstreamanalytics) | -| [Microsoft.Synapse](#microsoftsynapse) | -| **AI + machine learning** | -| [Microsoft.BotService](#microsoftbotservice) | -| [Microsoft.CognitiveServices](#microsoftcognitiveservices) | -| [Microsoft.MachineLearning](#microsoftmachinelearning) | -| [Microsoft.MachineLearningServices](#microsoftmachinelearningservices) | -| **Internet of things** | -| [Microsoft.Devices](#microsoftdevices) | -| [Microsoft.DeviceUpdate](#microsoftdeviceupdate) | -| [Microsoft.IoTCentral](#microsoftiotcentral) | -| [Microsoft.IoTSecurity](#microsoftiotsecurity) | -| [Microsoft.NotificationHubs](#microsoftnotificationhubs) | -| [Microsoft.TimeSeriesInsights](#microsofttimeseriesinsights) | -| **Mixed reality** | -| [Microsoft.MixedReality](#microsoftmixedreality) | -| **Integration** | -| [Microsoft.ApiManagement](#microsoftapimanagement) | -| [Microsoft.AppConfiguration](#microsoftappconfiguration) | -| [Microsoft.AVS](#microsoftavs) | -| [Microsoft.AzureStack](#microsoftazurestack) | -| 
[Microsoft.AzureStackHCI](#microsoftazurestackhci) | -| [Microsoft.DataBoxEdge](#microsoftdataboxedge) | -| [Microsoft.DataCatalog](#microsoftdatacatalog) | -| [Microsoft.EventGrid](#microsofteventgrid) | -| [Microsoft.HealthcareApis](#microsofthealthcareapis) | -| [Microsoft.Logic](#microsoftlogic) | -| [Microsoft.Relay](#microsoftrelay) | -| [Microsoft.ServiceBus](#microsoftservicebus) | -| **Identity** | -| [Microsoft.AAD](#microsoftaad) | -| [microsoft.aadiam](#microsoftaadiam) | -| [Microsoft.ADHybridHealthService](#microsoftadhybridhealthservice) | -| [Microsoft.AzureActiveDirectory](#microsoftazureactivedirectory) | -| [Microsoft.ManagedIdentity](#microsoftmanagedidentity) | -| **Security** | -| [Microsoft.AppComplianceAutomation](#microsoftappcomplianceautomation) | -| [Microsoft.KeyVault](#microsoftkeyvault) | -| [Microsoft.Security](#microsoftsecurity) | -| [Microsoft.SecurityGraph](#microsoftsecuritygraph) | -| [Microsoft.SecurityInsights](#microsoftsecurityinsights) | -| **DevOps** | -| [Microsoft.DevTestLab](#microsoftdevtestlab) | -| [Microsoft.LabServices](#microsoftlabservices) | -| [Microsoft.SecurityDevOps](#microsoftsecuritydevops) | -| [Microsoft.VisualStudio](#microsoftvisualstudio) | -| **Migration** | -| [Microsoft.Migrate](#microsoftmigrate) | -| [Microsoft.OffAzure](#microsoftoffazure) | -| **Monitor** | -| [Microsoft.AlertsManagement](#microsoftalertsmanagement) | -| [Microsoft.Insights](#microsoftinsights) | -| [Microsoft.Monitor](#microsoftmonitor) | -| [Microsoft.OperationalInsights](#microsoftoperationalinsights) | -| [Microsoft.OperationsManagement](#microsoftoperationsmanagement) | -| **Management and governance** | -| [Microsoft.Advisor](#microsoftadvisor) | -| [Microsoft.Authorization](#microsoftauthorization) | -| [Microsoft.Automation](#microsoftautomation) | -| [Microsoft.Batch](#microsoftbatch) | -| [Microsoft.Billing](#microsoftbilling) | -| [Microsoft.Blueprint](#microsoftblueprint) | -| 
[Microsoft.Capacity](#microsoftcapacity) | -| [Microsoft.Commerce](#microsoftcommerce) | -| [Microsoft.Consumption](#microsoftconsumption) | -| [Microsoft.CostManagement](#microsoftcostmanagement) | -| [Microsoft.DataProtection](#microsoftdataprotection) | -| [Microsoft.Features](#microsoftfeatures) | -| [Microsoft.GuestConfiguration](#microsoftguestconfiguration) | -| [Microsoft.HybridCompute](#microsofthybridcompute) | -| [Microsoft.Kubernetes](#microsoftkubernetes) | -| [Microsoft.KubernetesConfiguration](#microsoftkubernetesconfiguration) | -| [Microsoft.ManagedServices](#microsoftmanagedservices) | -| [Microsoft.Management](#microsoftmanagement) | -| [Microsoft.PolicyInsights](#microsoftpolicyinsights) | -| [Microsoft.Portal](#microsoftportal) | -| [Microsoft.Purview](#microsoftpurview) | -| [Microsoft.RecoveryServices](#microsoftrecoveryservices) | -| [Microsoft.ResourceGraph](#microsoftresourcegraph) | -| [Microsoft.Resources](#microsoftresources) | -| [Microsoft.Solutions](#microsoftsolutions) | -| [Microsoft.Subscription](#microsoftsubscription) | -| **Intune** | -| [Microsoft.Intune](#microsoftintune) | -| **Virtual desktop infrastructure** | -| [Microsoft.DesktopVirtualization](#microsoftdesktopvirtualization) | -| **Other** | -| [Microsoft.Chaos](#microsoftchaos) | -| [Microsoft.Dashboard](#microsoftdashboard) | -| [Microsoft.DigitalTwins](#microsoftdigitaltwins) | -| [Microsoft.LoadTestService](#microsoftloadtestservice) | -| [Microsoft.ServicesHub](#microsoftserviceshub) | +# Azure permissions +This article lists the permissions for Azure resource providers, which are used in built-in roles. You can use these permissions in your own [Azure custom roles](/azure/role-based-access-control/custom-roles) to provide granular access control to resources in Azure. The permissions are always evolving. 
To get the latest permissions, use [Get-AzProviderOperation](/powershell/module/az.resources/get-azprovideroperation) or [az provider operation list](/cli/azure/provider/operation#az-provider-operation-list). ++Click the resource provider name in the following list to see the list of permissions. ++<a name='microsoftresourcehealth'></a> +<a name='microsoftsupport'></a> ## General +- [Microsoft.Addons](./permissions/general.md#microsoftaddons) +- [Microsoft.Marketplace](./permissions/general.md#microsoftmarketplace) +- [Microsoft.MarketplaceOrdering](./permissions/general.md#microsoftmarketplaceordering) +- [Microsoft.Quota](./permissions/general.md#microsoftquota) +- [Microsoft.ResourceHealth](./permissions/general.md#microsoftresourcehealth) +- [Microsoft.Support](./permissions/general.md#microsoftsupport) ## Compute +- [microsoft.app](./permissions/compute.md#microsoftapp) +- [Microsoft.ClassicCompute](./permissions/compute.md#microsoftclassiccompute) +- [Microsoft.Compute](./permissions/compute.md#microsoftcompute) +- [Microsoft.DesktopVirtualization](./permissions/compute.md#microsoftdesktopvirtualization) +- [Microsoft.ServiceFabric](./permissions/compute.md#microsoftservicefabric) -## Networking +<a name='microsoftnetwork'></a> +## Networking -## Storage +- [Microsoft.Cdn](./permissions/networking.md#microsoftcdn) +- [Microsoft.ClassicNetwork](./permissions/networking.md#microsoftclassicnetwork) +- [Microsoft.MobileNetwork](./permissions/networking.md#microsoftmobilenetwork) +- [Microsoft.Network](./permissions/networking.md#microsoftnetwork) +<a name='microsoftdatashare'></a> +<a name='microsoftelasticsan'></a> +<a name='microsoftnetapp'></a> +<a name='microsoftstorage'></a> -## Web +## Storage +- [Microsoft.ClassicStorage](./permissions/storage.md#microsoftclassicstorage) +- [Microsoft.DataBox](./permissions/storage.md#microsoftdatabox) +- [Microsoft.DataShare](./permissions/storage.md#microsoftdatashare) +- 
[Microsoft.ElasticSan](./permissions/storage.md#microsoftelasticsan) +- [Microsoft.NetApp](./permissions/storage.md#microsoftnetapp) +- [Microsoft.Storage](./permissions/storage.md#microsoftstorage) +- [Microsoft.StorageCache](./permissions/storage.md#microsoftstoragecache) +- [Microsoft.StorageSync](./permissions/storage.md#microsoftstoragesync) ++<a name='microsoftsearch'></a> +<a name='microsoftweb'></a> ++## Web and Mobile ++- [Microsoft.AppPlatform](./permissions/web-and-mobile.md#microsoftappplatform) +- [Microsoft.CertificateRegistration](./permissions/web-and-mobile.md#microsoftcertificateregistration) +- [Microsoft.Communication](./permissions/web-and-mobile.md#microsoftcommunication) +- [Microsoft.DomainRegistration](./permissions/web-and-mobile.md#microsoftdomainregistration) +- [Microsoft.Maps](./permissions/web-and-mobile.md#microsoftmaps) +- [Microsoft.Media](./permissions/web-and-mobile.md#microsoftmedia) +- [Microsoft.Search](./permissions/web-and-mobile.md#microsoftsearch) +- [Microsoft.SignalRService](./permissions/web-and-mobile.md#microsoftsignalrservice) +- [microsoft.web](./permissions/web-and-mobile.md#microsoftweb) ++<a name='microsoftcontainerinstance'></a> +<a name='microsoftcontainerregistry'></a> +<a name='microsoftcontainerservice'></a> +<a name='microsoftkubernetes'></a> ## Containers +- [Microsoft.ContainerInstance](./permissions/containers.md#microsoftcontainerinstance) +- [Microsoft.ContainerRegistry](./permissions/containers.md#microsoftcontainerregistry) +- [Microsoft.ContainerService](./permissions/containers.md#microsoftcontainerservice) +- [Microsoft.Kubernetes](./permissions/containers.md#microsoftkubernetes) +- [Microsoft.KubernetesConfiguration](./permissions/containers.md#microsoftkubernetesconfiguration) +- [Microsoft.RedHatOpenShift](./permissions/containers.md#microsoftredhatopenshift) ++<a name='microsoftdatafactory'></a> +<a name='microsoftdocumentdb'></a> ## Databases +- 
[Microsoft.Cache](./permissions/databases.md#microsoftcache) +- [Microsoft.DataFactory](./permissions/databases.md#microsoftdatafactory) +- [Microsoft.DataMigration](./permissions/databases.md#microsoftdatamigration) +- [Microsoft.DBforMariaDB](./permissions/databases.md#microsoftdbformariadb) +- [Microsoft.DBforMySQL](./permissions/databases.md#microsoftdbformysql) +- [Microsoft.DBforPostgreSQL](./permissions/databases.md#microsoftdbforpostgresql) +- [Microsoft.DocumentDB](./permissions/databases.md#microsoftdocumentdb) +- [Microsoft.Sql](./permissions/databases.md#microsoftsql) +- [Microsoft.SqlVirtualMachine](./permissions/databases.md#microsoftsqlvirtualmachine) ## Analytics +- [Microsoft.AnalysisServices](./permissions/analytics.md#microsoftanalysisservices) +- [Microsoft.Databricks](./permissions/analytics.md#microsoftdatabricks) +- [Microsoft.DataLakeAnalytics](./permissions/analytics.md#microsoftdatalakeanalytics) +- [Microsoft.DataLakeStore](./permissions/analytics.md#microsoftdatalakestore) +- [Microsoft.EventHub](./permissions/analytics.md#microsofteventhub) +- [Microsoft.HDInsight](./permissions/analytics.md#microsofthdinsight) +- [Microsoft.Kusto](./permissions/analytics.md#microsoftkusto) +- [Microsoft.PowerBIDedicated](./permissions/analytics.md#microsoftpowerbidedicated) +- [Microsoft.StreamAnalytics](./permissions/analytics.md#microsoftstreamanalytics) +- [Microsoft.Synapse](./permissions/analytics.md#microsoftsynapse) ## AI + machine learning +- [Microsoft.BotService](./permissions/ai-machine-learning.md#microsoftbotservice) +- [Microsoft.CognitiveServices](./permissions/ai-machine-learning.md#microsoftcognitiveservices) +- [Microsoft.MachineLearning](./permissions/ai-machine-learning.md#microsoftmachinelearning) +- [Microsoft.MachineLearningServices](./permissions/ai-machine-learning.md#microsoftmachinelearningservices) -## Internet of things +## Internet of Things +- 
[Microsoft.DataBoxEdge](./permissions/internet-of-things.md#microsoftdataboxedge) +- [Microsoft.Devices](./permissions/internet-of-things.md#microsoftdevices) +- [Microsoft.DeviceUpdate](./permissions/internet-of-things.md#microsoftdeviceupdate) +- [Microsoft.DigitalTwins](./permissions/internet-of-things.md#microsoftdigitaltwins) +- [Microsoft.IoTCentral](./permissions/internet-of-things.md#microsoftiotcentral) +- [Microsoft.IoTSecurity](./permissions/internet-of-things.md#microsoftiotsecurity) +- [Microsoft.NotificationHubs](./permissions/internet-of-things.md#microsoftnotificationhubs) +- [Microsoft.TimeSeriesInsights](./permissions/internet-of-things.md#microsofttimeseriesinsights) ## Mixed reality +- [Microsoft.MixedReality](./permissions/mixed-reality.md#microsoftmixedreality) ++<a name='microsoftapimanagement'></a> ## Integration +- [Microsoft.ApiManagement](./permissions/integration.md#microsoftapimanagement) +- [Microsoft.AppConfiguration](./permissions/integration.md#microsoftappconfiguration) +- [Microsoft.AVS](./permissions/integration.md#microsoftavs) +- [Microsoft.DataCatalog](./permissions/integration.md#microsoftdatacatalog) +- [Microsoft.EventGrid](./permissions/integration.md#microsofteventgrid) +- [Microsoft.HealthcareApis](./permissions/integration.md#microsofthealthcareapis) +- [Microsoft.Logic](./permissions/integration.md#microsoftlogic) +- [Microsoft.Relay](./permissions/integration.md#microsoftrelay) +- [Microsoft.ServiceBus](./permissions/integration.md#microsoftservicebus) +- [Microsoft.ServicesHub](./permissions/integration.md#microsoftserviceshub) ## Identity +- [Microsoft.AAD](./permissions/identity.md#microsoftaad) +- [microsoft.aadiam](./permissions/identity.md#microsoftaadiam) +- [Microsoft.ADHybridHealthService](./permissions/identity.md#microsoftadhybridhealthservice) +- [Microsoft.AzureActiveDirectory](./permissions/identity.md#microsoftazureactivedirectory) +- 
[Microsoft.ManagedIdentity](./permissions/identity.md#microsoftmanagedidentity) ++<a name='microsoftsecurityinsights'></a> ## Security +- [Microsoft.AppComplianceAutomation](./permissions/security.md#microsoftappcomplianceautomation) +- [Microsoft.KeyVault](./permissions/security.md#microsoftkeyvault) +- [Microsoft.Security](./permissions/security.md#microsoftsecurity) +- [Microsoft.SecurityGraph](./permissions/security.md#microsoftsecuritygraph) +- [Microsoft.SecurityInsights](./permissions/security.md#microsoftsecurityinsights) ## DevOps +- [Microsoft.Chaos](./permissions/devops.md#microsoftchaos) +- [Microsoft.DevTestLab](./permissions/devops.md#microsoftdevtestlab) +- [Microsoft.LabServices](./permissions/devops.md#microsoftlabservices) +- [Microsoft.LoadTestService](./permissions/devops.md#microsoftloadtestservice) +- [Microsoft.SecurityDevOps](./permissions/devops.md#microsoftsecuritydevops) +- [Microsoft.VisualStudio](./permissions/devops.md#microsoftvisualstudio) ## Migration +- [Microsoft.Migrate](./permissions/migration.md#microsoftmigrate) +- [Microsoft.OffAzure](./permissions/migration.md#microsoftoffazure) -## Monitor ---## Management and governance +<a name='microsoftoperationalinsights'></a> --## Intune -+## Monitor -## Virtual desktop infrastructure +- [Microsoft.AlertsManagement](./permissions/monitor.md#microsoftalertsmanagement) +- [Microsoft.Dashboard](./permissions/monitor.md#microsoftdashboard) +- [Microsoft.Insights](./permissions/monitor.md#microsoftinsights) +- [Microsoft.Monitor](./permissions/monitor.md#microsoftmonitor) +- [Microsoft.OperationalInsights](./permissions/monitor.md#microsoftoperationalinsights) +- [Microsoft.OperationsManagement](./permissions/monitor.md#microsoftoperationsmanagement) +<a name='microsoftauthorization'></a> +<a name='microsoftautomation'></a> +<a name='microsoftcostmanagement'></a> +<a name='microsoftpolicyinsights'></a> -## Other +## Management and governance +- 
[Microsoft.Advisor](./permissions/management-and-governance.md#microsoftadvisor) +- [Microsoft.Authorization](./permissions/management-and-governance.md#microsoftauthorization) +- [Microsoft.Automation](./permissions/management-and-governance.md#microsoftautomation) +- [Microsoft.Batch](./permissions/management-and-governance.md#microsoftbatch) +- [Microsoft.Billing](./permissions/management-and-governance.md#microsoftbilling) +- [Microsoft.Blueprint](./permissions/management-and-governance.md#microsoftblueprint) +- [Microsoft.Capacity](./permissions/management-and-governance.md#microsoftcapacity) +- [Microsoft.Commerce](./permissions/management-and-governance.md#microsoftcommerce) +- [Microsoft.Consumption](./permissions/management-and-governance.md#microsoftconsumption) +- [Microsoft.CostManagement](./permissions/management-and-governance.md#microsoftcostmanagement) +- [Microsoft.DataProtection](./permissions/management-and-governance.md#microsoftdataprotection) +- [Microsoft.Features](./permissions/management-and-governance.md#microsoftfeatures) +- [Microsoft.GuestConfiguration](./permissions/management-and-governance.md#microsoftguestconfiguration) +- [Microsoft.Intune](./permissions/management-and-governance.md#microsoftintune) +- [Microsoft.ManagedServices](./permissions/management-and-governance.md#microsoftmanagedservices) +- [Microsoft.Management](./permissions/management-and-governance.md#microsoftmanagement) +- [Microsoft.PolicyInsights](./permissions/management-and-governance.md#microsoftpolicyinsights) +- [Microsoft.Portal](./permissions/management-and-governance.md#microsoftportal) +- [Microsoft.Purview](./permissions/management-and-governance.md#microsoftpurview) +- [Microsoft.RecoveryServices](./permissions/management-and-governance.md#microsoftrecoveryservices) +- [Microsoft.ResourceGraph](./permissions/management-and-governance.md#microsoftresourcegraph) +- [Microsoft.Resources](./permissions/management-and-governance.md#microsoftresources) +- 
[Microsoft.Solutions](./permissions/management-and-governance.md#microsoftsolutions) +- [Microsoft.Subscription](./permissions/management-and-governance.md#microsoftsubscription) ++## Hybrid + multicloud ++- [Microsoft.AzureStack](./permissions/hybrid-multicloud.md#microsoftazurestack) +- [Microsoft.AzureStackHCI](./permissions/hybrid-multicloud.md#microsoftazurestackhci) +- [Microsoft.HybridCompute](./permissions/hybrid-multicloud.md#microsofthybridcompute) +- [Microsoft.HybridConnectivity](./permissions/hybrid-multicloud.md#microsofthybridconnectivity) ## Next steps -- [Match resource provider to service](../azure-resource-manager/management/azure-services-resource-providers.md)-- [Azure built-in roles](built-in-roles.md)+- [Match resource provider to service](/azure/azure-resource-manager/management/azure-services-resource-providers) +- [Azure built-in roles](/azure/role-based-access-control/built-in-roles) - [Cloud Adoption Framework: Resource access management in Azure](/azure/cloud-adoption-framework/govern/resource-consistency/resource-access-management) |
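Review bot: the `<a name='...'></a>` anchors added above the General, Networking, Storage, Web and Mobile, Containers, Databases, Integration, Security, Monitor and Management and governance headings cover only a subset of the providers that now live on sub-pages (for example `microsoftnetwork`, `microsoftstorage` and `microsoftsecurityinsights` get anchors, but `microsoftcompute`, `microsoftkeyvault` and `microsoftsql` do not). Any inbound deep link to an omitted provider, such as `#microsoftkeyvault`, will now land at the top of this page instead of near its entry. Either add an anchor for every provider that used to be a section here, or state why only these were kept.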
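Review bot: the Monitor/Management hunk deletes the `## Other`, `## Intune` and `## Virtual desktop infrastructure` headings; `Microsoft.Intune` and `Microsoft.DesktopVirtualization` reappear under Management and governance and Compute, but the providers formerly listed under `## Other` are not visible in this diff, so confirm each of them was moved to a category page rather than dropped.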
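Review bot: the new intro line uses "Click the resource provider name"; this doc set otherwise uses "Select" (see the "select" wording in the head of this table), so "Select the resource provider name in the following list to see its permissions." would be consistent.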
search | Cognitive Search Quickstart Blob | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/cognitive-search-quickstart-blob.md | Before you begin, have the following prerequisites in place: + Azure Storage account with Blob Storage. > [!NOTE]-> This quickstart uses [Azure AI services](https://azure.microsoft.com/services/cognitive-services/) for the AI. Because the workload is so small, Azure AI services is tapped behind the scenes for free processing for up to 20 transactions. You can complete this exercise without having to create an Azure AI multi-service resource. +> This quickstart uses [Azure AI services](https://azure.microsoft.com/services/cognitive-services/) for the AI transformations. Because the workload is so small, Azure AI services is tapped behind the scenes for free processing for up to 20 transactions. You can complete this exercise without having to create an Azure AI multi-service resource. ## Set up your data In the following steps, set up a blob container in Azure Storage to store heterogeneous content files. -1. [Download sample data](https://1drv.ms/f/s!As7Oy81M_gVPa-LCb5lC_3hbS-4) consisting of a small file set of different types. Unzip the files. +1. [Download sample data](https://github.com/Azure-Samples/azure-search-sample-data/tree/main/ai-enrichment-mixed-media) consisting of a small file set of different types. 1. Sign in to the [Azure portal](https://portal.azure.com/) with your Azure account. When you're working in your own subscription, it's a good idea at the end of a p You can find and manage resources in the portal, using the **All resources** or **Resource groups** link in the left-navigation pane. -If you use a free service, remember that you're limited to three indexes, indexers, and data sources. You can delete individual items in the portal to stay under the limit. +If you used a free service, remember that you're limited to three indexes, indexers, and data sources. 
You can delete individual items in the portal to stay under the limit. ## Next steps |
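Review bot: in the "Set up your data" hunk the download link now points to a GitHub folder tree (`azure-search-sample-data/tree/main/ai-enrichment-mixed-media`) and the "Unzip the files." sentence is removed, but a tree URL does not download anything on its own. Add a step telling the reader how to obtain the files (clone the repo or download the folder contents) so the "file set of different types" actually ends up on disk before step 2.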
search | Cognitive Search Skill Azure Openai Embedding | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/cognitive-search-skill-azure-openai-embedding.md | Last updated 12/21/2023 The **Azure OpenAI Embedding** skill connects to a deployed embedding model on your [Azure OpenAI](/azure/ai-services/openai/overview) resource to generate embeddings. +The [Import and vectorize data](search-get-started-portal-import-vectors.md) uses the **Azure OpenAI Embedding** skill to vectorize content. You can run the wizard and review the generated skillset to see how the wizard builds it. + > [!NOTE] > This skill is bound to Azure OpenAI and is charged at the existing [Azure OpenAI pay-as-you go price](https://azure.microsoft.com/pricing/details/cognitive-services/openai-service/#pricing). > Microsoft.Skills.Text.AzureOpenAIEmbeddingSkill ## Data limits -The maximum size of a text input should be 8,000 tokens. If input exceeds the maximum allowed, the model throws an invalid request error. For more information, see the [tokens](/azure/ai-services/openai/overview#tokens) key concept in the Azure OpenAI documentation. +The maximum size of a text input should be 8,000 tokens. If input exceeds the maximum allowed, the model throws an invalid request error. For more information, see the [tokens](/azure/ai-services/openai/overview#tokens) key concept in the Azure OpenAI documentation. Consider using the [Text Split skill](cognitive-search-skill-textsplit.md) if you need data chunking. ## Skill parameters Parameters are case-sensitive. | Inputs | Description | ||-|-| `resourceUri` | The URI where a valid Azure OpenAI model is deployed. The model should be an embedding model, such as text-embedding-ada-002. See the [List of Azure OpenAI models](/azure/ai-services/openai/concepts/models) for supported models. | -| `apiKey` | The secret key pertaining to a valid Azure OpenAI `resourceUri.` If you provide a key, leave `authIdentity` empty. 
If you set both the `apiKey` and `authIdentity`, the `apiKey` is used on the connection. | -| `deploymentId` | The name of the deployed Azure OpenAI embedding model.| +| `resourceUri` | The URI of a model provider, such as an Azure OpenAI resource or an OpenAI URL. | +| `apiKey` | The secret key used to access the model. If you provide a key, leave `authIdentity` empty. If you set both the `apiKey` and `authIdentity`, the `apiKey` is used on the connection. | +| `deploymentId` | The name of the deployed Azure OpenAI embedding model. The model should be an embedding model, such as text-embedding-ada-002. See the [List of Azure OpenAI models](/azure/ai-services/openai/concepts/models) for supported models.| | `authIdentity` | A user-managed identity used by the search service for connecting to Azure OpenAI. You can use either a [system or user managed identity](search-howto-managed-identities-data-sources.md). To use a system manged identity, leave `apiKey` and `authIdentity` blank. The system-managed identity is used automatically. A managed identity must have [Cognitive Services OpenAI User](/azure/ai-services/openai/how-to/role-based-access-control#azure-openai-roles) permissions to send text to Azure OpenAI. | ## Skill inputs | Input | Description | |--|-|-| `text` | The input text to be vectorized.| +| `text` | The input text to be vectorized. If you're using data chunking, the source might be `/document/pages/*`. | ## Skill outputs For the given input text, a vectorized embedding output is produced. } ``` -The output resides in memory. To send this output to a field in the search index, you must define an [outputFieldMapping](cognitive-search-output-field-mapping.md) that maps the vectorized embedding output (which is an array) to the single index field which is of Collection(Edm.Single) type. 
Following the example above and assuming the index field in which you want to store the results of the vectorized embedding output is called **embeddingindexfield**, the outputFieldMapping to include in the definition of the indexer would look like the following: +The output resides in memory. To send this output to a field in the search index, you must define an [outputFieldMapping](cognitive-search-output-field-mapping.md) that maps the vectorized embedding output (which is an array) to a [vector field](vector-search-how-to-create-index.md). Assuming the skill output resides in the document's **embedding** node, and **content_vector** is the field in the search index, the outputFieldMapping in indexer should look like: ```json "outputFieldMappings": [ { "sourceFieldName": "/document/embedding/*",- "targetFieldName": "embeddingindexfield" + "targetFieldName": "content_vector" } ] ``` |
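Review bot: the new sentence "The [Import and vectorize data](search-get-started-portal-import-vectors.md) uses the **Azure OpenAI Embedding** skill" is missing its noun; the next sentence refers to "the wizard", so it should read "The [Import and vectorize data](...) wizard uses the ...".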
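Review bot: in the parameters hunk, `resourceUri` is broadened to "a model provider, such as an Azure OpenAI resource or an OpenAI URL", while the unchanged `authIdentity` row, the `deploymentId` row and the skill name itself (`Microsoft.Skills.Text.AzureOpenAIEmbeddingSkill`) remain Azure OpenAI only. If a non-Azure OpenAI endpoint is really accepted, say which parameters apply to it (a managed identity cannot authenticate to an OpenAI URL, and `deploymentId` has no meaning there); otherwise keep `resourceUri` scoped to Azure OpenAI.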
search | Cognitive Search Skill Pii Detection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/cognitive-search-skill-pii-detection.md | Microsoft.Skills.Text.PIIDetectionSkill ## Data limits -The maximum size of a record should be 50,000 characters as measured by [`String.Length`](/dotnet/api/system.string.length). If you need to chunk your data before sending it to the skill, consider using the [Text Split skill](cognitive-search-skill-textsplit.md). If you do use a text split skill, set the page length to 5000 for the best performance. +The maximum size of a record should be 50,000 characters as measured by [`String.Length`](/dotnet/api/system.string.length). You can use [Text Split skill](cognitive-search-skill-textsplit.md) for data chunking. Set the page length to 5000 for the best results. ## Skill parameters Parameters are case-sensitive and all are optional. | Parameter name | Description | |--|-|-| `defaultLanguageCode` | (Optional) The language code to apply to documents that don't specify language explicitly. If the default language code is not specified, English (en) will be used as the default language code. <br/> See the [full list of supported languages](../ai-services/language-service/personally-identifiable-information/language-support.md). | -| `minimumPrecision` | A value between 0.0 and 1.0. If the confidence score (in the `piiEntities` output) is lower than the set `minimumPrecision` value, the entity is not returned or masked. The default is 0.0. | -| `maskingMode` | A parameter that provides various ways to mask the personal information detected in the input text. The following options are supported: <ul><li>`"none"` (default): No masking occurs and the `maskedText` output will not be returned. </li><li> `"replace"`: Replaces the detected entities with the character given in the `maskingCharacter` parameter. 
The character will be repeated to the length of the detected entity so that the offsets will correctly correspond to both the input text and the output `maskedText`.</li></ul> <br/> When this skill was in public preview, the `maskingMode` option `redact` was also supported, which allowed removing the detected entities entirely without replacement. The `redact` option has since been deprecated and are longer be supported. | -| `maskingCharacter` | The character used to mask the text if the `maskingMode` parameter is set to `replace`. The following option is supported: `*` (default). This parameter can only be `null` if `maskingMode` is not set to `replace`. <br/><br/> When this skill was in public preview, there was support for the `maskingCharacter` options, `X` and `#`. Both `X` and `#` options have since been deprecated and are longer be supported. | -| `domain` | (Optional) A string value, if specified, will set the domain to include only a subset of the entity categories. Possible values include: `"phi"` (detect confidential health information only), `"none"`. | -| `piiCategories` | (Optional) If you want to specify which entities will be detected and returned, use this optional parameter (defined as a list of strings) with the appropriate entity categories. This parameter can also let you detect entities that aren't enabled by default for your document language. See [Supported Personally Identifiable Information entity categories](../ai-services/language-service/personally-identifiable-information/concepts/entity-categories.md) for the full list. | -| `modelVersion` | (Optional) Specifies the [version of the model](../ai-services/language-service/concepts/model-lifecycle.md) to use when calling personally identifiable information detection. It will default to the most recent version when not specified. We recommend you do not specify this value unless it's necessary. 
| +| `defaultLanguageCode` | (Optional) The language code to apply to documents that don't specify language explicitly. If the default language code isn't specified, English (en) is the default language code. <br/> See the [full list of supported languages](../ai-services/language-service/personally-identifiable-information/language-support.md). | +| `minimumPrecision` | A value between 0.0 and 1.0. If the confidence score (in the `piiEntities` output) is lower than the set `minimumPrecision` value, the entity isn't returned or masked. The default is 0.0. | +| `maskingMode` | A parameter that provides various ways to mask the personal information detected in the input text. The following options are supported: <ul><li>`"none"` (default): No masking occurs and the `maskedText` output isn't returned. </li><li> `"replace"`: Replaces the detected entities with the character given in the `maskingCharacter` parameter. The character is repeated to the length of the detected entity so that the offsets will correctly correspond to both the input text and the output `maskedText`.</li></ul> | +| `maskingCharacter` | The character used to mask the text if the `maskingMode` parameter is set to `replace`. The following option is supported: `*` (default). This parameter can only be `null` if `maskingMode` isn't set to `replace`. | +| `domain` | (Optional) A string value, if specified, sets the domain to a subset of the entity categories. Possible values include: `"phi"` (detect confidential health information only), `"none"`. | +| `piiCategories` | (Optional) If you want to specify which entities are detected and returned, use this optional parameter (defined as a list of strings) with the appropriate entity categories. This parameter can also let you detect entities that aren't enabled by default for your document language. 
See [Supported Personally Identifiable Information entity categories](../ai-services/language-service/personally-identifiable-information/concepts/entity-categories.md) for the full list. | +| `modelVersion` | (Optional) Specifies the [version of the model](../ai-services/language-service/concepts/model-lifecycle.md) to use when calling personally identifiable information detection. It defaults to the most recent version when not specified. We recommend you don't specify this value unless it's necessary. | ## Skill inputs | Input name | Description | ||-|-| `languageCode` | A string indicating the language of the records. If this parameter is not specified, the default language code will be used to analyze the records. <br/>See the [full list of supported languages](../ai-services/language-service/personally-identifiable-information/language-support.md). | +| `languageCode` | A string indicating the language of the records. If this parameter isn't specified, the default language code is used to analyze the records. <br/>See the [full list of supported languages](../ai-services/language-service/personally-identifiable-information/language-support.md). | | `text` | The text to analyze. | ## Skill outputs Parameters are case-sensitive and all are optional. | Output name | Description | ||-| | `piiEntities` | An array of complex types that contains the following fields: <ul><li>`"text"` (The actual personally identifiable information as extracted)</li> <li>`"type"`</li><li>`"subType"`</li><li>`"score"` (Higher value means it's more likely to be a real entity)</li><li>`"offset"` (into the input text)</li><li>`"length"`</li></ul> </br> See [Supported Personally Identifiable Information entity categories](../ai-services/language-service/personally-identifiable-information/concepts/entity-categories.md) for the full list. 
|-| `maskedText` | If `maskingMode` is set to a value other than `none`, this output will be the string result of the masking performed on the input text as described by the selected `maskingMode`. If `maskingMode` is set to `none`, this output will not be present. | +| `maskedText` | This output varies depending `maskingMode`. If `maskingMode` is `replace`, output is the string result of the masking performed over the input text, as described by the `maskingMode`. If `maskingMode` is `none`, there's no output. | ## Sample definition Parameters are case-sensitive and all are optional. } ``` -The offsets returned for entities in the output of this skill are directly returned from the [Language Service APIs](../ai-services/language-service/overview.md), which means if you are using them to index into the original string, you should use the [StringInfo](/dotnet/api/system.globalization.stringinfo) class in .NET in order to extract the correct content. For more information, see [Multilingual and emoji support in Language service features](../ai-services/language-service/concepts/multilingual-emoji-support.md). +The offsets returned for entities in the output of this skill are directly returned from the [Language Service APIs](../ai-services/language-service/overview.md), which means if you're using them to index into the original string, you should use the [StringInfo](/dotnet/api/system.globalization.stringinfo) class in .NET in order to extract the correct content. For more information, see [Multilingual and emoji support in Language service features](../ai-services/language-service/concepts/multilingual-emoji-support.md). ## Errors and warnings If the language code for the document is unsupported, a warning is returned and no entities are extracted. If your text is empty, a warning is returned.-If your text is larger than 50,000 characters, only the first 50,000 characters will be analyzed and a warning will be issued. 
+If your text is larger than 50,000 characters, only the first 50,000 characters are analyzed and a warning is issued. If the skill returns a warning, the output `maskedText` may be empty, which can impact any downstream skills that expect the output. For this reason, be sure to investigate all warnings related to missing output when writing your skillset definition. |
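Review bot: the new `maskedText` output description reads "This output varies depending `maskingMode`"; it needs "on": "This output varies depending on `maskingMode`." Also, "as described by the `maskingMode`" is redundant once the sentence already says `maskingMode` is `replace`; "the string result of masking the input text" is enough.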
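Review bot: the parameters hunk drops the sentences stating that `maskingMode: redact` and `maskingCharacter: X` / `#` were supported in public preview and are no longer accepted. Readers with skillsets written against the preview will now get an error with nothing on the page explaining why; keep a one-line note that these values are deprecated and must be changed to `replace` and `*`.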
search | Cognitive Search Skill Shaper | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/cognitive-search-skill-shaper.md | -The **Shaper** skill consolidates several inputs into a [complex type](search-howto-complex-data-types.md) that can be referenced later in the enrichment pipeline. The **Shaper** skill allows you to essentially create a structure, define the name of the members of that structure, and assign values to each member. Examples of consolidated fields useful in search scenarios include combining a first and last name into a single structure, city and state into a single structure, or name and birthdate into a single structure to establish unique identity. +The **Shaper** skill is used to reshape or modify the structure of the [in-memory enrichment tree](cognitive-search-working-with-skillsets.md#enrichment-tree) created by a skillset. If skill outputs can't be mapped directly to search fields, you can add a **Shaper** skill to create the data shape you need for your search index or knowledge store. -Additionally, the **Shaper** skill illustrated in [scenario 3](#nested-complex-types) adds an optional *sourceContext* property to the input. The *source* and *sourceContext* properties are mutually exclusive. If the input is at the context of the skill, simply use *source*. If the input is at a *different* context than the skill context, use the *sourceContext*. The *sourceContext* requires you to define a nested input with the specific element being addressed as the source. +Primary use-cases for this skill include: -The output name is always "output". Internally, the pipeline can map a different name, such as "analyzedText" as shown in the examples below, but the **Shaper** skill itself returns "output" in the response. This might be important if you are debugging enriched documents and notice the naming discrepancy, or if you build a custom skill and are structuring the response yourself. 
++ You're populating a knowledge store. The physical structure of the tables and objects of a knowledge store are defined through projections. A **Shaper** skill adds granularity by creating data shapes that can be pushed to the projections.+++ You want to map multiple skill outputs into a single structure in your search index, usually a [complex type](search-howto-complex-data-types.md), as described in [scenario 1](#scenario-1-complex-types). +++ Skills produce multiple outputs, but you want to combine into a single field (it doesn't have to be a complex type), as described in [scenario 2](#scenario-2-input-consolidation). For example, combining titles and authors into a single field.+++ Skills produce multiple outputs with child elements, and you want to combine them. This use-case is illustrated in [scenario 3](#nested-complex-types).++The output name of a **Shaper** skill is always "output". Internally, the pipeline can map a different name, such as "analyzedText" as shown in the examples below, but the **Shaper** skill itself returns "output" in the response. This might be important if you are debugging enriched documents and notice the naming discrepancy, or if you build a custom skill and are structuring the response yourself. > [!NOTE] > This skill isn't bound to Azure AI services. It is non-billable and has no Azure AI services key requirement. An incoming JSON document providing usable input for this **Shaper** skill could } ``` - ### Skill output The **Shaper** skill generates a new element called *analyzedText* with the combined elements of *text* and *sentiment*. This output conforms to the index schema. It will be imported and indexed in an Azure AI Search index. The **Shaper** skill generates a new element called *analyzedText* with the comb ## Scenario 2: input consolidation -In another example, imagine that at different stages of pipeline processing, you have extracted the title of a book, and chapter titles on different pages of the book. 
You could now create a single structure composed of these various inputs. +In another example, imagine that at different stages of pipeline processing, you have extracted the title of a book, and chapter titles on different pages of the book. You could now create a single structure composed of these various outputs. The **Shaper** skill definition for this scenario might look like the following example: In this case, the **Shaper** flattens all chapter titles to create a single arra ## Scenario 3: input consolidation from nested contexts -Imagine you have the title, chapters, and contents of a book and have run entity recognition and key phrases on the contents and now need to aggregate results from the different skills into a single shape with the chapter name, entities, and key phrases. +Imagine you have chapter titles and chapter numbers of a book and have run entity recognition and key phrases on the contents and now need to aggregate results from the different skills into a single shape with the chapter name, entities, and key phrases. ++This example adds an optional `sourceContext` property to the "chapterTitles" input. The `source` and `sourceContext` properties are mutually exclusive. If the input is at the context of the skill, you can use `source`. If the input is at a *different* context than the skill context, use `sourceContext`. The `sourceContext` requires you to define a nested input, where each input has a `source` that identifies the specific element used to populate the named node. The **Shaper** skill definition for this scenario might look like the following example: |
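Review bot: the third use-case bullet, "Skills produce multiple outputs, but you want to combine into a single field", is missing its object; "you want to combine them into a single field". The same hunk also links [scenario 3](#nested-complex-types) while the visible heading is "## Scenario 3: input consolidation from nested contexts", whose generated anchor would be `#scenario-3-input-consolidation-from-nested-contexts`; unless an explicit `<a name="nested-complex-types">` exists elsewhere in the file, the link will not resolve, so align it with the scenario 1 and 2 links.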
search | Hybrid Search How To Query | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/hybrid-search-how-to-query.md | -Hybrid search consists of keyword queries and vector queries in a single search request. +Hybrid search combines one or more keyword queries with vector queries in a single search request. The response includes the top results ordered by search score. Both vector queries and free text queries are assigned an initial search score from their respective scoring or similarity algorithms. Those scores are merged using [Reciprocal Rank Fusion (RRF)](hybrid-search-ranking.md) to return a single ranked result set. The response includes the top results ordered by search score. Both vector queri + A search index containing vector and non-vector fields. See [Create an index](search-how-to-create-search-index.md) and [Add vector fields to a search index](vector-search-how-to-create-index.md). -+ Use [**Search Post REST API version 2023-11-01**](/rest/api/searchservice/documents/search-post), Search Explorer in the Azure portal, or packages in the Azure SDKs that have been updated to use this feature. ++ Use [**Search Post REST API version 2023-11-01**](/rest/api/searchservice/documents/search-post) or **REST API 2023-10-01-preview**, Search Explorer in the Azure portal, or packages in the Azure SDKs that have been updated to use this feature. + (Optional) If you want to also use [semantic ranking](semantic-search-overview.md) and vector search together, your search service must be Basic tier or higher, with [semantic ranking enabled](semantic-how-to-enable-disable.md). |
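Review bot: the prerequisites hunk adds "**REST API 2023-10-01-preview**" in bold but without a link, unlike the 2023-11-01 entry beside it; link it to its reference page and note what the preview version adds over the stable one, since the rest of the article does not explain why a reader would pick it.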
search | Query Lucene Syntax | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/query-lucene-syntax.md | The following example helps illustrate the differences. Suppose that there's a s For example, to find documents containing `motel` or `hotel`, specify `/[mh]otel/`. Regular expression searches are matched against single words. -Some tools and languages impose other escape character requirements. For JSON, strings that include a forward slash are escaped with a backward slash: `microsoft.com/azure/` becomes `search=/.*microsoft.com\/azure\/.*/` where `search=/.* <string-placeholder>.*/` sets up the regular expression, and `microsoft.com\/azure\/` is the string with an escaped forward slash. +Some tools and languages impose extra escape character requirements beyond the [escape rules](#escaping-special-characters) imposed by Azure AI Search. For JSON, strings that include a forward slash are escaped with a backward slash: `microsoft.com/azure/` becomes `search=/.*microsoft.com\/azure\/.*/` where `search=/.* <string-placeholder>.*/` sets up the regular expression, and `microsoft.com\/azure\/` is the string with an escaped forward slash. Two common symbols in regex queries are `.` and `*`. A `.` matches any one character and a `*` matches the previous character zero or more times. For example, `/be./` matches the terms `bee` and `bet` while `/be*/` would match `be`, `bee`, and `beee` but not `bet`. Together, `.*` allow you to match any series of characters so `/be.*/` would match any term that starts with `be` such as `better`. +If you get syntax errors in your regular expression, review the [escape rules](#escaping-special-characters) for special characters. You might also try a different client to confirm whether the problem is tool-specific. + ## <a name="bkmk_wildcard"></a> Wildcard search You can use generally recognized syntax for multiple (`*`) or single (`?`) character wildcard searches. 
Full Lucene syntax supports prefix, infix, and suffix matching. |
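Review bot: the new troubleshooting sentence points readers at the escape rules, but the example beside it, `search=/.*microsoft.com\/azure\/.*/`, leaves the `.` in `microsoft.com` unescaped, so by the paragraph's own explanation it matches any single character rather than a literal dot. Either escape it (`microsoft\.com`) or state that the example tolerates that looseness, otherwise readers copying it will get broader matches than they expect.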
search | Search Add Autocomplete Suggestions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-add-autocomplete-suggestions.md | -Search-as-you-type is a common technique for improving query productivity. In Azure AI Search, this experience is supported through *autocomplete*, which finishes a term or phrase based on partial input (completing "micro" with "microsoft"). A second user experience is *suggestions*, or a short list of matching documents (returning book titles with an ID so that you can link to a detail page about that book). Both autocomplete and suggestions are predicated on a match in the index. The service won't offer queries that return zero results. +Search-as-you-type is a common technique for improving query productivity. In Azure AI Search, this experience is supported through *autocomplete*, which finishes a term or phrase based on partial input (completing "micro" with "microchip", "microscope", "microsoft", and any other micro matches). A second user experience is *suggestions*, or a short list of matching documents (returning book titles with an ID so that you can link to a detail page about that book). Both autocomplete and suggestions are predicated on a match in the index. The service won't offer autocompleted queries or suggestions that return zero results. To implement these experiences in Azure AI Search: -+ Add a `suggester` to an index schema ++ Add a `suggester` to an index schema. + Build a query that calls the [Autocomplete](/rest/api/searchservice/autocomplete) or [Suggestions](/rest/api/searchservice/suggestions) API on the request. + Add a UI control to handle search-as-you-type interactions in your client app. We recommend using an existing JavaScript library for this purpose. -In Azure AI Search, autocompleted queries and suggested results are retrieved from the search index, from selected fields that you have registered with a suggester. 
A suggester is part of the index, and it specifies which fields will provide content that either completes a query, suggests a result, or does both. When the index is created and loaded, a suggester data structure is created internally to store prefixes used for matching on partial queries. For suggestions, choosing suitable fields that are unique, or at least not repetitive, is essential to the experience. For more information, see [Create a suggester](index-add-suggesters.md). +In Azure AI Search, autocompleted queries and suggested results are retrieved from the search index, from selected fields that you register with a suggester. A suggester is part of the index, and it specifies which fields provide content that either completes a query, suggests a result, or does both. When the index is created and loaded, a suggester data structure is created internally to store prefixes used for matching on partial queries. For suggestions, choosing suitable fields that are unique, or at least not repetitive, is essential to the experience. For more information, see [Create a suggester](index-add-suggesters.md). The remainder of this article is focused on queries and client code. It uses JavaScript and C# to illustrate key points. REST API examples are used to concisely present each operation. For end-to-end code samples, see [Next steps](#next-steps). POST /indexes/myxboxgames/docs/autocomplete?search&api-version=2020-06-30 The "suggesterName" gives you the suggester-aware fields used to complete terms or suggestions. For suggestions in particular, the field list should be composed of those that offer clear choices among matching results. On a site that sells computer games, the field might be the game title. -The "search" parameter provides the partial query, where characters are fed to the query request through the jQuery Autocomplete control. In the above example, "minecraf" is a static illustration of what the control might have passed in. 
+The "search" parameter provides the partial query, where characters are fed to the query request through the jQuery Autocomplete control. In the above example, "minecraf" is a static illustration of what the control might pass in. -The APIs do not impose minimum length requirements on the partial query; it can be as little as one character. However, jQuery Autocomplete provides a minimum length. A minimum of two or three characters is typical. +The APIs don't impose minimum length requirements on the partial query; it can be as little as one character. However, jQuery Autocomplete provides a minimum length. A minimum of two or three characters is typical. -Matches are on the beginning of a term anywhere in the input string. Given "the quick brown fox", both autocomplete and suggestions will match on partial versions of "the", "quick", "brown", or "fox" but not on partial infix terms like "rown" or "ox". Furthermore, each match sets the scope for downstream expansions. A partial query of "quick br" will match on "quick brown" or "quick bread", but neither "brown" or "bread" by themselves would be match unless "quick" precedes them. +Matches are on the beginning of a term anywhere in the input string. Given "the quick brown fox", both autocomplete and suggestions match on partial versions of "the", "quick", "brown", or "fox" but not on partial infix terms like "rown" or "ox". Furthermore, each match sets the scope for downstream expansions. A partial query of "quick br" will match on "quick brown" or "quick bread", but neither "brown" or "bread" by themselves would be a match unless "quick" precedes them. ### APIs for search-as-you-type Responses are shaped by the parameters on the request: + For Suggestions, set [$select](/rest/api/searchservice/suggestions#query-parameters) to return fields containing unique or differentiating values, such as names and description. Avoid fields that contain duplicate values (such as a category or city). 
-The following additional parameters apply to both autocomplete and suggestions, but are perhaps more necessary for suggestions, especially when a suggester includes multiple fields. +The following parameters apply to both autocomplete and suggestions, but are more applicable to suggestions, especially when a suggester includes multiple fields. | Parameter | Usage | |--|-| The following additional parameters apply to both autocomplete and suggestions, ## Add user interaction code -Auto-filling a query term or dropping down a list of matching links requires user interaction code, typically JavaScript, that can consume requests from external sources, such as autocomplete or suggestion queries against an Azure Search Cognitive index. +Autofilling a query term or dropping down a list of matching links requires user interaction code, typically JavaScript, that can consume requests from external sources, such as autocomplete or suggestion queries against an Azure Search Cognitive index. -Although you could write this code natively, it's much easier to use functions from existing JavaScript library, such as one of the following. +Although you could write this code natively, it's easier to use functions from existing JavaScript library, such as one of the following. + [Autocomplete widget (jQuery UI)](https://jqueryui.com/autocomplete/) appears in the Suggestion code snippet. You can create a search box, and then reference it in a JavaScript function that uses the Autocomplete widget. Properties on the widget set the source (an autocomplete or suggestions function), minimum length of input characters before action is taken, and positioning. source: "/home/suggest?highlights=true&fuzzy=true&", ### Suggest function -If you are using C# and an MVC application, **HomeController.cs** file under the Controllers directory is where you might create a class for suggested results. 
In .NET, a Suggest function is based on the [SuggestAsync method](/dotnet/api/azure.search.documents.searchclient.suggestasync). For more information about the .NET SDK, see [How to use Azure AI Search from a .NET Application](search-howto-dotnet-sdk.md). +If you're using C# and an MVC application, **HomeController.cs** file under the Controllers directory is where you might create a class for suggested results. In .NET, a Suggest function is based on the [SuggestAsync method](/dotnet/api/azure.search.documents.searchclient.suggestasync). For more information about the .NET SDK, see [How to use Azure AI Search from a .NET Application](search-howto-dotnet-sdk.md). The `InitSearch` method creates an authenticated HTTP index client to the Azure AI Search service. Properties on the [SuggestOptions](/dotnet/api/azure.search.documents.suggestoptions) class determine which fields are searched and returned in the results, the number of matches, and whether fuzzy matching is used. -For autocomplete, fuzzy matching is limited to one edit distance (one omitted or misplaced character). Note that fuzzy matching in autocomplete queries can sometimes produce unexpected results depending on index size and how it's sharded. For more information, see [partition and sharding concepts](search-capacity-planning.md#concepts-search-units-replicas-partitions-shards). +For autocomplete, fuzzy matching is limited to one edit distance (one omitted or misplaced character). Fuzzy matching in autocomplete queries can sometimes produce unexpected results depending on index size and how it's sharded. For more information, see [partition and sharding concepts](search-capacity-planning.md#concepts-search-units-replicas-partitions-shards). ```csharp public async Task<ActionResult> SuggestAsync(bool highlights, bool fuzzy, string term) |
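Review bot: the "quick br" sentence keeps "neither "brown" or "bread"", which should be "neither ... nor", and "functions from existing JavaScript library" is missing its article ("from an existing JavaScript library").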
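Review bot: "queries against an Azure Search Cognitive index" survives the rewrite with the product name out of order; the rest of the article uses "Azure AI Search", so this should read "an Azure AI Search index".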
search | Search Api Preview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-api-preview.md | Preview features are removed from this list if they're retired or transition to |Feature | Category | Description | Availability | |||-||-| [**Integrated vectorization**](vector-search-integrated-vectorization.md) | Index, skillset, queries | Skills-driven data chunking and vectorization during indexing, and text-to-vector conversion during query execution. | [Create or Update Index (preview)](/rest/api/searchservice/indexes/create-or-update?view=rest-searchservice-2023-10-01-preview&preserve-view=true) for `vectorizer`, [Create or Update Skillset (preview)](/rest/api/searchservice/skillsets/create-or-update?view=rest-searchservice-2023-10-01-preview&preserve-view=true) for `SplitSkill`, and [Search POST (preview)](/rest/api/searchservice/documents/search-post?view=rest-searchservice-2023-10-01-preview&preserve-view=true) for `vectorQueries`, 2023-10-01-Preview or later. | -| **Import and vectorize data** | Azure portal | A wizard that creates a full indexing pipeline that includes data chunking and vectorization. The wizard creates all of the objects and configuration settings. | Available on all search services, in all regions. | +| [**Integrated vectorization**](vector-search-integrated-vectorization.md) | Index, skillset, queries | Skills-driven data chunking and vectorization during indexing, and text-to-vector conversion during query execution. 
| [Create or Update Index (preview)](/rest/api/searchservice/indexes/create-or-update?view=rest-searchservice-2023-10-01-preview&preserve-view=true) for `vectorizer`, [Create or Update Skillset (preview)](/rest/api/searchservice/skillsets/create-or-update?view=rest-searchservice-2023-10-01-preview&preserve-view=true) for AzureOpenAIEmbedding skill and the data chunking properties of the Text Split skill, and [Search POST (preview)](/rest/api/searchservice/documents/search-post?view=rest-searchservice-2023-10-01-preview&preserve-view=true) for `vectorQueries`, 2023-10-01-Preview or later. | +| [**Import and vectorize data**](search-get-started-portal-import-vectors.md) | Azure portal | A wizard that creates a full indexing pipeline that includes data chunking and vectorization. The wizard creates all of the objects and configuration settings. | Available on all search services, in all regions. | +| [**AzureOpenAIEmbedding skill**](cognitive-search-skill-azure-openai-embedding.md) | AI enrichment (skills) | A new skill type that calls Azure OpenAI embedding model to generate embeddings during queries and indexing. | [Create or Update Skillset (preview)](/rest/api/searchservice/preview-api/create-or-update-skillset), 2023-10-01-Preview or later. Also available in the portal through the [Import and vectorize data wizard](search-get-started-portal-import-vectors.md). | +| [**Text Split skill**](cognitive-search-skill-textsplit.md) | AI enrichment (skills) | Text Split has two new chunking-related properties in preview: `maximumPagesToTake`, `pageOverlapLength`. | [Create or Update Skillset (preview)](/rest/api/searchservice/preview-api/create-or-update-skillset), 2023-10-01-Preview or later. Also available in the portal through the [Import and vectorize data wizard](search-get-started-portal-import-vectors.md). 
| +| [**Index projections**](index-projections-concept-intro.md) | AI enrichment (skills) | A component of a skillset definition that defines the shape of a secondary index, supporting a one-to-many index pattern, where content from an enrichment pipeline can target multiple indexes.| [Create or Update Skillset (preview)](/rest/api/searchservice/preview-api/create-or-update-skillset), 2023-10-01-Preview or later. Also available in the portal through the [Import and vectorize data wizard](search-get-started-portal-import-vectors.md). | | [**Azure Files indexer**](search-file-storage-integration.md) | Indexer data source | New data source for indexer-based indexing from [Azure Files](https://azure.microsoft.com/services/storage/files/) | [Create or Update Data Source (preview)](/rest/api/searchservice/preview-api/create-or-update-data-source), 2021-04-30-Preview or later. | | [**SharePoint Indexer**](search-howto-index-sharepoint-online.md) | Indexer data source | New data source for indexer-based indexing of SharePoint content. | [Sign up](https://aka.ms/azure-cognitive-search/indexer-preview) to enable the feature. Use [Create or Update Data Source (preview)](/rest/api/searchservice/preview-api/create-or-update-data-source), 2020-06-30-Preview or later, or the Azure portal. | | [**MySQL indexer**](search-howto-index-mysql.md) | Indexer data source | New data source for indexer-based indexing of Azure MySQL data sources.| [Sign up](https://aka.ms/azure-cognitive-search/indexer-preview) to enable the feature. Use [Create or Update Data Source (preview)](/rest/api/searchservice/preview-api/create-or-update-data-source), 2020-06-30-Preview or later, [.NET SDK 11.2.1](/dotnet/api/azure.search.documents.indexes.models.searchindexerdatasourcetype.mysql), and Azure portal. 
| Preview features are removed from this list if they're retired or transition to | [**Azure Cosmos DB for Apache Gremlin indexer**](search-howto-index-cosmosdb.md) | Indexer data source | New data source for indexer-based indexing through the Apache Gremlin APIs in Azure Cosmos DB. | [Sign up](https://aka.ms/azure-cognitive-search/indexer-preview) to enable the feature. Use [Create or Update Data Source (preview)](/rest/api/searchservice/preview-api/create-or-update-data-source), 2020-06-30-Preview or later.| | [**Native blob soft delete**](search-howto-index-changed-deleted-blobs.md) | Indexer data source | Applies to the Azure Blob Storage indexer. Recognizes blobs that are in a soft-deleted state, and removes the corresponding search document during indexing. | [Create or Update Data Source (preview)](/rest/api/searchservice/preview-api/create-or-update-data-source), 2020-06-30-Preview or later. | | [**Reset Documents**](search-howto-run-reset-indexers.md) | Indexer | Reprocesses individually selected search documents in indexer workloads. | [Reset Documents (preview)](/rest/api/searchservice/preview-api/reset-documents), 2020-06-30-Preview or later. |-| [**speller**](cognitive-search-aml-skill.md) | Query | Optional spelling correction on query term inputs for simple, full, and semantic queries. | [Search Documents (preview)](/rest/api/searchservice/preview-api/search-documents), 2020-06-30-Preview or later, and Search Explorer (portal). | +| [**speller**](speller-how-to-add.md) | Query | Optional spelling correction on query term inputs for simple, full, and semantic queries. | [Search Documents (preview)](/rest/api/searchservice/preview-api/search-documents), 2020-06-30-Preview or later, and Search Explorer (portal). 
| | [**Normalizers**](search-normalizers.md) | Query | Normalizers provide simple text preprocessing: consistent casing, accent removal, and ASCII folding, without invoking the full text analysis chain.| [Search Documents (preview)](/rest/api/searchservice/preview-api/search-documents), 2020-06-30-Preview or later.| | [**featuresMode parameter**](/rest/api/searchservice/preview-api/search-documents#query-parameters) | Relevance (scoring) | Relevance score expansion to include details: per field similarity score, per field term frequency, and per field number of unique tokens matched. You can consume these data points in [custom scoring solutions](https://github.com/Azure-Samples/search-ranking-tutorial). | [Search Documents (preview)](/rest/api/searchservice/preview-api/search-documents), 2019-05-06-Preview or later.| | [**Azure Machine Learning (AML) skill**](cognitive-search-aml-skill.md) | AI enrichment (skills) | A new skill type to integrate an inferencing endpoint from Azure Machine Learning. | [Create or Update Skillset (preview)](/rest/api/searchservice/preview-api/create-or-update-skillset), 2019-05-06-Preview or later. Also available in the portal, in skillset design, assuming Azure AI Search and Azure Machine Learning services are deployed in the same subscription. | | [**Incremental enrichment**](cognitive-search-incremental-indexing-conceptual.md) | AI enrichment (skills) | Adds caching to an enrichment pipeline, allowing you to reuse existing output if a targeted modification, such as an update to a skillset or another object, doesn't change the content. Caching applies only to enriched documents produced by a skillset.| [Create or Update Indexer (preview)](/rest/api/searchservice/preview-api/create-or-update-indexer), API versions 2021-04-30-Preview, 2020-06-30-Preview, or 2019-05-06-Preview. | | [**moreLikeThis**](search-more-like-this.md) | Query | Finds documents that are relevant to a specific document. This feature has been in earlier previews. 
| [Search Documents (preview)](/rest/api/searchservice/preview-api/search-documents) calls, in all supported API versions: 2023-10-10-Preview, 2023-07-01-Preview, 2021-04-30-Preview, 2020-06-30-Preview, 2019-05-06-Preview, 2016-09-01-Preview, 2017-11-11-Preview. | +## Preview features in Azure SDKs ++Each Azure SDK team releases beta packages on their own timeline. Check the change log for mentions of new features in beta packages: +++ [Change log for Azure SDK for .NET](https://github.com/Azure/azure-sdk-for-net/blob/Azure.Search.Documents_11.5.0-beta.5/sdk/search/Azure.Search.Documents/CHANGELOG.md)++ [Change log for Azure SDK for Java](https://github.com/Azure/azure-sdk-for-jav)++ [Change log for Azure SDK for JavaScript](https://github.com/Azure/azure-sdk-for-js/blob/%40azure/search-documents_11.3.3/sdk/search/search-documents/CHANGELOG.md)++ [Change log for Azure SDK for Python](https://github.com/Azure/azure-sdk-for-python/blob/azure-search-documents_11.3.0/sdk/search/azure-search-documents/CHANGELOG.md).+ ## Using preview features Experimental features are available through the preview REST API first, followed by Azure portal, and then the Azure SDKs. The following statements apply to preview features: + Preview features might undergo breaking changes if a redesign is required. + Sometimes preview features don't make it into a GA release. -## Preview feature support in Azure SDKs --Each Azure SDK team releases beta packages on their own timeline. 
Check the change log for mentions of new features in beta packages: --+ [Change log for Azure SDK for .NET](https://github.com/Azure/azure-sdk-for-net/blob/Azure.Search.Documents_11.5.0-beta.5/sdk/search/Azure.Search.Documents/CHANGELOG.md) -+ [Change log for Azure SDK for Java](https://github.com/Azure/azure-sdk-for-jav) -+ [Change log for Azure SDK for JavaScript](https://github.com/Azure/azure-sdk-for-js/blob/%40azure/search-documents_11.3.3/sdk/search/search-documents/CHANGELOG.md) -+ [Change log for Azure SDK for Python](https://github.com/Azure/azure-sdk-for-python/blob/azure-search-documents_11.3.0/sdk/search/azure-search-documents/CHANGELOG.md). - ## How to call a preview REST API Preview REST APIs are accessed through the api-version parameter on the URI. Older previews are still operational but become stale over time and aren't updated with new features or bug fixes. |
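Review bot: the relocated SDK change log list carries over a truncated Java link (`https://github.com/Azure/azure-sdk-for-jav`), which won't land on a CHANGELOG the way the .NET, JavaScript and Python entries do; the Python entry also ends with a stray period after the link. Since the section is being moved anyway, fix both in the same change.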
search | Search Explorer | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-explorer.md | Before you begin, have the following prerequisites in place: :::image type="content" source="media/search-explorer/search-explorer-tab.png" alt-text="Screenshot of the Search explorer tab." border="true"::: -1. To specify query parameters and an API version, switch to **JSON view**. The examples in this article assume JSON view throughout. You can paste JSON examples from this article into the text area. +## Query two ways ++There are two approaches for querying in Search explorer. +++ The default search bar accepts an empty query or free text query with booleans. For example, `seattle condo +parking`.+++ JSON view supports parameterized queries. Filters, orderby, select, count, searchFields, and all other parameters must be set in JSON view.++ Switch to **JSON view** for parameterized queries. The examples in this article assume JSON view throughout. You can paste JSON examples from this article into the text area. :::image type="content" source="media/search-explorer/search-explorer-json-view.png" alt-text="Screenshot of the JSON view selector." border="true"::: -## Unspecified query +## Run an unspecified query In Search explorer, POST requests are formulated internally using the [Search POST REST API](/rest/api/searchservice/documents/search-post?view=rest-searchservice-2023-10-01-preview&preserve-view=true), with responses returned as verbose JSON documents. Equivalent syntax for an empty search is `*` or `"search": "*"`. Free-form queries, with or without operators, are useful for simulating user-defined queries sent from a custom app to Azure AI Search. Only those fields attributed as "searchable" in the index definition are scanned for matches. +You don't need JSON view for a free text query, but we provide it in JSON for consistency with other examples in this article. 
+ Notice that when you provide search criteria, such as query terms or expressions, search rank comes into play. The following example illustrates a free text search. The "@search.score" is a relevance score computed for the match using the [default scoring algorithm](index-ranking-similarity.md#default-scoring-algorithm). ```json |
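Review bot: in the new "Query two ways" bullets, "Filters, orderby, select, count, searchFields" are written as plain words while the rest of the article formats request parameters as code (for example `$select`); write them as the actual parameter names so readers can match them to the JSON they paste. "free text query with booleans" also reads better as "with boolean operators".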
search | Search Filters | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-filters.md | POST https://[service name].search.windows.net/indexes/hotels/docs/search?api-ve ``` ```csharp- parameters = - new SearchParameters() - { - Filter = "Rooms/any(room: room/BaseRate lt 150.0)", - Select = new[] { "HotelId", "HotelName", "Rooms/Description" ,"Rooms/BaseRate"} - }; -- var results = searchIndexClient.Documents.Search("*", parameters); +options = new SearchOptions() +{ + Filter = "Rating gt 4", + OrderBy = { "Rating desc" } +}; ``` ## Filter patterns The following examples illustrate several usage patterns for filter scenarios. F In the REST API, filterable is *on* by default for simple fields. Filterable fields increase index size; be sure to set `"filterable": false` for fields that you don't plan to actually use in a filter. For more information about settings for field definitions, see [Create Index](/rest/api/searchservice/create-index). -In the .NET SDK, the filterable is *off* by default. You can make a field filterable by setting the [IsFilterable property](/dotnet/api/azure.search.documents.indexes.models.searchfield.isfilterable) of the corresponding [SearchField](/dotnet/api/azure.search.documents.indexes.models.searchfield) object to `true`. In the next example, the attribute is set on the `BaseRate` property of a model class that maps to the index definition. +In the .NET SDK, the filterable is *off* by default. You can make a field filterable by setting the [IsFilterable property](/dotnet/api/azure.search.documents.indexes.models.searchfield.isfilterable) of the corresponding [SearchField](/dotnet/api/azure.search.documents.indexes.models.searchfield) object to `true`. In the next example, the attribute is set on the `Rating` property of a model class that maps to the index definition. ```csharp-[IsFilterable, IsSortable, IsFacetable] -public double? 
BaseRate { get; set; } +[SearchField(IsFilterable = true, IsSortable = true, IsFacetable = true)] +public double? Rating { get; set; } ``` ### Making an existing field filterable |
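Review bot: the replacement C# snippet builds `options` with a filter and `OrderBy` but drops the line that actually ran the query (`var results = searchIndexClient.Documents.Search("*", parameters);` in the removed version), so the example no longer shows where `options` is used; add the equivalent search call on the new client so the snippet is complete.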
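Review bot: the prose says to set the `IsFilterable` property of the corresponding `SearchField` object to `true`, but the snippet instead applies a `[SearchField(IsFilterable = true, ...)]` attribute to a model-class property; align the two (describe the attribute route, or show the `SearchField` object being configured) and confirm that attribute name compiles against the SDK version the article targets.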
search | Search Get Started Semantic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-get-started-semantic.md | This quickstart walks you through the index and query modifications that invoke + Azure AI Search, at Basic tier or higher, with [semantic ranking enabled](semantic-how-to-enable-disable.md). -+ An API key and search service endpoint: -- Sign in to the [Azure portal](https://portal.azure.com) and [find your search service](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Search%2FsearchServices). ++ An API key and search service endpoint. Sign in to the [Azure portal](https://portal.azure.com) and [find your search service](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Search%2FsearchServices). In **Overview**, copy the URL and save it to Notepad for a later step. An example endpoint might look like `https://mydemo.search.windows.net`. |
search | Search Get Started Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-get-started-terraform.md | +ai-usage: ai-assisted # Quickstart: Deploy Azure AI Search service using Terraform |
search | Search Get Started Text | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-get-started-text.md | This quickstart has [steps](#create-load-and-query-an-index) for the following S + An Azure AI Search service. [Create a service](search-create-service-portal.md) if you don't have one. You can use a free tier for this quickstart. -+ An API key and service endpoint: -- Sign in to the [Azure portal](https://portal.azure.com) and [find your search service](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Search%2FsearchServices). ++ An API key and service endpoint. Sign in to the [Azure portal](https://portal.azure.com) and [find your search service](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Search%2FsearchServices). In **Overview**, copy the URL and save it to Notepad for a later step. An example endpoint might look like `https://mydemo.search.windows.net`. |
search | Search Indexer Howto Access Private | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-indexer-howto-access-private.md | When you complete the steps in this section, you have a shared private link that 1. On the **Shared Private Access** page, select **+ Add Shared Private Access**. -1. Select either **Connect to an Azure resource in my directory** or **Connect to an Azure resource by resource ID or alias**. +1. Select either **Connect to an Azure resource in my directory** or **Connect to an Azure resource by resource ID**. 1. If you select the first option (recommended), the portal helps you pick the appropriate Azure resource and fills in other properties, such as the group ID of the resource and the resource type. A `202 Accepted` response is returned on success. The process of creating an out ## 2 - Approve the private endpoint connection -Approval of the private endpoint connection is granted on the Azure PaaS side. It might be automatic if the service consumer has Azure role-based access control (RBAC) permissions on the service provider resource. Otherwise, manual approval is required. For details, see [Manage Azure private endpoints](/azure/private-link/manage-private-endpoint). +Approval of the private endpoint connection is granted on the Azure PaaS side. It might be automatic if the service consumer has a role assignment on the service provider resource. Otherwise, manual approval is required. For details, see [Manage Azure private endpoints](/azure/private-link/manage-private-endpoint). This section assumes manual approval and the portal for this step, but you can also use the REST APIs of the Azure PaaS resource. [Private Endpoint Connections (Storage Resource Provider)](/rest/api/storagerp/privateendpointconnections) and [Private Endpoint Connections (Cosmos DB Resource Provider)](/rest/api/cosmos-db-resource-provider/2023-03-15/private-endpoint-connections) are two examples. |
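Review bot: "It might be automatic if the service consumer has a role assignment on the service provider resource" is vaguer than the RBAC wording it replaces; a reader can't tell which role assignment is meant. Name the permission or built-in role that results in auto-approval, or link to where it's listed, since this is what readers use to decide whether manual approval is in their path.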
search | Semantic How To Query Request | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/semantic-how-to-query-request.md | In this step, add parameters to the query request. To be successful, your query :::image type="content" source="./media/semantic-search-overview/semantic-portal-json-query.png" alt-text="Screenshot showing JSON query syntax in the Azure portal." border="true"::: + Here's some JSON text that you can paste into the view: ++ ```json + { + "queryType": "semantic", + "search": "historic hotel with good food", + "semanticConfiguration": "my-semantic-config", + "answers": "extractive|count-3", + "captions": "extractive|highlight-true", + "highlightPreTag": "<strong>", + "highlightPostTag": "</strong>", + "select": "HotelId,HotelName,Description,Category", + "count": true + } + ``` + ### [**REST API**](#tab/rest-query) Use [Search Documents](/rest/api/searchservice/documents/search-post) to formulate the request. |
search | Vector Search How To Chunk Documents | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/vector-search-how-to-chunk-documents.md | When it comes to chunking data, think about these factors: If you have large documents, you must insert a chunking step into indexing and query workflows that breaks up large text. When using [integrated vectorization (preview)](vector-search-integrated-vectorization.md), a default chunking strategy using the [text split skill](./cognitive-search-skill-textsplit.md) is applied. You can also apply a custom chunking strategy using a [custom skill](cognitive-search-custom-skill-web-api.md). Some libraries that provide chunking include: -+ [LangChain](https://python.langchain.com/en/latest/https://docsupdatetracker.net/index.html) -+ [Semantic Kernel](https://github.com/microsoft/semantic-kernel) ++ [LangChain Text Splitters](https://python.langchain.com/docs/modules/data_connection/document_transformers/)++ [Semantic Kernel TextChunker](/dotnet/api/microsoft.semantickernel.text.textchunker) Most libraries provide common chunking techniques for fixed size, variable size, or a combination. You can also specify an overlap that duplicates a small amount of content in each chunk for context preservation. 
## Chunking examples -The following examples demonstrate how chunking strategies are applied to [NASA's Earth at Night e-book](https://github.com/Azure-Samples/azure-search-sample-data/blob/main/nasa-e-book/earth_at_night_508.pdf): +The following examples demonstrate how chunking strategies are applied to [NASA's Earth at Night e-book](https://github.com/Azure-Samples/azure-search-sample-data/blob/main/nasa-e-book/earth_at_night_508.pdf) PDF file: -+ [Text Split skill (preview](cognitive-search-skill-textsplit.md) -+ [LangChain](https://python.langchain.com/en/latest/https://docsupdatetracker.net/index.html) -+ [Semantic Kernel](https://github.com/microsoft/semantic-kernel) -+ [custom skill](cognitive-search-custom-skill-scale.md) ++ [Text Split skill (preview](#text-split-skill-example)++ [LangChain](#langchain-data-chunking-example)++ [Custom skill](cognitive-search-custom-skill-scale.md) -### Text Split skill (preview) +### Text Split skill example -This section documents the built-in data chunking using a skills-driven approach and [Text Split skill parameters](cognitive-search-skill-textsplit.md#skill-parameters). +Integrated data chunking through [Text Split skill](cognitive-search-skill-textsplit.md) is in public preview. Use a preview REST API or an Azure SDK beta package for this scenario. +This section describes the built-in data chunking using a skills-driven approach and [Text Split skill parameters](cognitive-search-skill-textsplit.md#skill-parameters). ++A sample notebook for this example can be found on the [azure-search-vector-samples](https://github.com/Azure/azure-search-vector-samples/blob/main/demo-python/code/data-chunking/textsplit-data-chunking-example.ipynb) repository. Set `textSplitMode` to break up content into smaller chunks: - + `pages` (default). Chunks are made up of multiple sentences. - + `sentences`. Chunks are made up of single sentences. What constitutes a "sentence" is language dependent. 
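Review bot: The bullet `+ [Text Split skill (preview](#text-split-skill-example)` keeps the unbalanced parenthesis from the removed line: the link text opens "(preview" and never closes it, so the rendered list item reads "Text Split skill (preview". It should be `+ [Text Split skill (preview)](#text-split-skill-example)`.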
In English, standard sentence ending punctuation such as `.` or `!` is used. The language is controlled by the `defaultLanguageCode` parameter. ++ `pages` (default). Chunks are made up of multiple sentences.++ `sentences`. Chunks are made up of single sentences. What constitutes a "sentence" is language dependent. In English, standard sentence ending punctuation such as `.` or `!` is used. The language is controlled by the `defaultLanguageCode` parameter. The `pages` parameter adds extra parameters: The optimal choice of parameters depends on how the chunks will be used. For mos |--|--|--| | `pages` | 2000 | 500 | -### LangChain +### LangChain data chunking example LangChain provides document loaders and text splitters. This example shows you how to load a PDF, get token counts, and set up a text splitter. Getting token counts helps you make an informed decision on chunk sizing. +A sample notebook for this example can be found on the [azure-search-vector-samples](https://github.com/Azure/azure-search-vector-samples/blob/main/demo-python/code/data-chunking/langchain-data-chunking-example.ipynb) repository. + ```python from langchain_community.document_loaders import PyPDFLoader pages = loader.load() print(len(pages)) ```+ Output indicates 200 documents or pages in the PDF. To get an estimated token count for these pages, use TikToken. |
service-bus-messaging | Authenticate Application | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/authenticate-application.md | Title: Authenticate an application to access Azure Service Bus entities description: This article provides information about authenticating an application with Microsoft Entra ID to access Azure Service Bus entities (queues, topics, etc.) Previously updated : 02/24/2023 Last updated : 02/23/2024 # Authenticate and authorize an application with Microsoft Entra ID to access Azure Service Bus entities -Azure Service Bus supports using Microsoft Entra ID to authorize requests to Service Bus entities (queues, topics, subscriptions, or filters). With Microsoft Entra ID, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. A key advantage of using Microsoft Entra ID with Azure Service Bus is that you don't need to store your credentials in the code anymore. Instead, you can request an OAuth 2.0 access token from the Microsoft identity platform. If the authentication succeeds, Microsoft Entra ID returns an access token to the application, and the application can then use the access token to authorize request to Service Bus resources. +Azure Service Bus supports using Microsoft Entra ID to authorize requests to Service Bus entities (queues, topics, subscriptions, or filters). With Microsoft Entra ID, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which can be a user, group, application service principal, or a [managed identity for Azure resources](../active-directory/managed-identities-azure-resources/overview.md). A key advantage of using Microsoft Entra ID with Azure Service Bus is that you don't need to store your credentials in the code anymore. Instead, you can request an OAuth 2.0 access token from the Microsoft identity platform. 
If the authentication succeeds, Microsoft Entra ID returns an access token to the application, and the application can then use the access token to authorize request to Service Bus resources. > [!IMPORTANT] > You can disable local or SAS key authentication for a Service Bus namespace and allow only Microsoft Entra authentication. For step-by-step instructions, see [Disable local authentication](disable-local-authentication.md). Native applications and web applications that make requests to Service Bus can a Microsoft Entra authorizes access rights to secured resources through [Azure RBAC](../role-based-access-control/overview.md). Azure Service Bus defines a set of Azure built-in roles that encompass common sets of permissions used to access Service Bus entities and you can also define custom roles for accessing the data. -When an Azure role is assigned to a Microsoft Entra security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of subscription, the resource group, or the Service Bus namespace. A Microsoft Entra security principal may be a user, a group, an application service principal, or a [managed identity for Azure resources](../active-directory/managed-identities-azure-resources/overview.md). +When an Azure role is assigned to a Microsoft Entra security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of subscription, the resource group, or the Service Bus namespace. A Microsoft Entra security principal can be a user, a group, an application service principal, or a [managed identity for Azure resources](../active-directory/managed-identities-azure-resources/overview.md). For Azure Service Bus, the management of namespaces and all related resources through the Azure portal and the Azure resource management API is already protected using the Azure RBAC model. 
Azure provides the following built-in roles for authorizing access to a Service Bus namespace: -- [Azure Service Bus Data Owner](../role-based-access-control/built-in-roles.md#azure-service-bus-data-owner): Enables data access to Service Bus namespace and its entities (queues, topics, subscriptions, and filters)+- [Azure Service Bus Data Owner](../role-based-access-control/built-in-roles.md#azure-service-bus-data-owner): Use this role to give full access to the Service Bus resources. - [Azure Service Bus Data Sender](../role-based-access-control/built-in-roles.md#azure-service-bus-data-sender): Use this role to give the send access to Service Bus namespace and its entities. - [Azure Service Bus Data Receiver](../role-based-access-control/built-in-roles.md#azure-service-bus-data-receiver): Use this role to give receiving access to Service Bus namespace and its entities. For more information about how built-in roles are defined, see [Understand role ## Authenticate from an application-A key advantage of using Microsoft Entra ID with Service Bus is that your credentials no longer need to be stored in your code. Instead, you can request an OAuth 2.0 access token from Microsoft identity platform. Microsoft Entra authenticates the security principal (a user, a group, or service principal) running the application. If authentication succeeds, Microsoft Entra ID returns the access token to the application, and the application can then use the access token to authorize requests to Azure Service Bus. +A key advantage of using Microsoft Entra ID with Service Bus is that your credentials no longer need to be stored in your code. Instead, you can request an OAuth 2.0 access token from Microsoft identity platform. Microsoft Entra authenticates the security principal (a user, a group, a service principal, or a [managed identity for Azure resources](../active-directory/managed-identities-azure-resources/overview.md)) running the application. 
If authentication succeeds, Microsoft Entra ID returns the access token to the application, and the application can then use the access token to authorize requests to Azure Service Bus. Following sections shows you how to configure your native application or web application for authentication with Microsoft identity platform 2.0. For more information about Microsoft identity platform 2.0, see [Microsoft identity platform (v2.0) overview](../active-directory/develop/v2-overview.md). For an overview of the OAuth 2.0 code grant flow, see [Authorize access to Microsoft Entra web applications using the OAuth 2.0 code grant flow](../active-directory/develop/v2-oauth2-auth-code-flow.md). -<a name='register-your-application-with-an-azure-ad-tenant'></a> - ### Register your application with a Microsoft Entra tenant The first step in using Microsoft Entra ID to authorize Service Bus entities is registering your client application with a Microsoft Entra tenant from the [Azure portal](https://portal.azure.com/). When you register your client application, you supply information about the application to AD. Microsoft Entra ID then provides a client ID (also called an application ID) that you can use to associate your application with Microsoft Entra runtime. To learn more about the client ID, see [Application and service principal objects in Microsoft Entra ID](../active-directory/develop/app-objects-and-service-principals.md). |
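Review bot: Removing `<a name='register-your-application-with-an-azure-ad-tenant'></a>` breaks every inbound link to the old `#register-your-application-with-an-azure-ad-tenant` fragment; the Jms Developer Guide entry in this batch updates its own link to the new heading, but any other page or external bookmark still using the old fragment will silently land at the top of the article. Keep the anchor, which is harmless, or confirm that every reference is updated in the same change.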
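Review bot: The trailing context of the first hunk still reads "authorize request to Service Bus resources" (singular) while the parallel sentence in the "Authenticate from an application" hunk says "authorize requests"; fix the first to "requests" while the paragraph is being touched. The same area also leaves "you supply information about the application to AD", where "AD" should be "Microsoft Entra ID" to match the rename applied to the rest of the page.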
service-bus-messaging | Jms Developer Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/jms-developer-guide.md | Last updated 05/02/2023 This guide contains detailed information to help you succeed in communicating with Azure Service Bus using the Java Message Service (JMS) 2.0 API. -As a Java developer, if you're new to Azure Service Bus, please consider reading the below articles. +As a Java developer, if you're new to Azure Service Bus, consider reading the following articles. | Getting started | Concepts | |-|-|-| <ul> <li> [What is Azure Service Bus](service-bus-messaging-overview.md) </li> <li> [Queues, Topics and Subscriptions](service-bus-queues-topics-subscriptions.md) </li> </ul> | <ul> <li> [Azure Service Bus - Premium tier](service-bus-premium-messaging.md) </li> </ul> | +| <ul> <li> [What is Azure Service Bus](service-bus-messaging-overview.md) </li> <li> [Queues, Topics, and Subscriptions](service-bus-queues-topics-subscriptions.md) </li> </ul> | <ul> <li> [Azure Service Bus - Premium tier](service-bus-premium-messaging.md) </li> </ul> | ## Java Message Service (JMS) Programming model -The Java Message Service API programming model is as shown below - +The Java Message Service API programming model is as shown in the following sections: > [!NOTE] > The below building blocks are available to communicate with the JMS application. ### Connection factory The connection factory object is used by the client to connect with the JMS provider. The connection factory encapsulates a set of connection configuration parameters that are defined by the administrator. -Each connection factory is an instance of `ConnectionFactory`, `QueueConnectionFactory` or `TopicConnectionFactory` interface. +Each connection factory is an instance of `ConnectionFactory`, `QueueConnectionFactory`, or `TopicConnectionFactory` interface. 
-To simplify connecting with Azure Service Bus, these interfaces are implemented through `ServiceBusJmsConnectionFactory`, `ServiceBusJmsQueueConnectionFactory` and `ServiceBusJmsTopicConnectionFactory` respectively. +To simplify connecting with Azure Service Bus, these interfaces are implemented through `ServiceBusJmsConnectionFactory`, `ServiceBusJmsQueueConnectionFactory`, or `ServiceBusJmsTopicConnectionFactory` respectively. > [!IMPORTANT] > Java applications leveraging JMS 2.0 API can connect to Azure Service Bus using the connection string, or using a `TokenCredential` for leveraging Microsoft Entra backed authentication. When using Microsoft Entra backed authentication, ensure to [assign roles and permissions](service-bus-managed-service-identity.md#azure-built-in-roles-for-azure-service-bus) to the identity as needed. ConnectionFactory factory = new ServiceBusJmsConnectionFactory(tokenCredential, # [Service Principal](#tab/service-principal-backed-authentication) -Create a [service principal](authenticate-application.md#register-your-application-with-an-azure-ad-tenant) on Azure, and use this identity to create a `TokenCredential`. +Create a [service principal](authenticate-application.md#register-your-application-with-a-microsoft-entra-tenant) on Azure, and use this identity to create a `TokenCredential`. ```java TokenCredential tokenCredential = new ClientSecretCredentialBuilder() Destinations map to entities in Azure Service Bus - queues (in point to point sc ### Connections -A connection encapsulates a virtual connection with a JMS provider. With Azure Service Bus, this represents a stateful connection between the application and Azure Service Bus over AMQP. +A connection encapsulates a virtual connection with a JMS provider. With Azure Service Bus, it represents a stateful connection between the application and Azure Service Bus over AMQP. -A connection is created from the connection factory as shown below. 
+A connection is created from the connection factory as shown in the following example: ```java Connection connection = factory.createConnection(); Connection connection = factory.createConnection(); A session is a single-threaded context for producing and consuming messages. It can be utilized to create messages, message producers and consumers, but it also provides a transactional context to allow grouping of sends and receives into an atomic unit of work. -A session can be created from the connection object as shown below. +A session can be created from the connection object as shown in the following example: ```java Session session = connection.createSession(false, Session.CLIENT_ACKNOWLEDGE); When the mode isn't specified, the **JMSContext.AUTO_ACKNOWLEDGE** is picked by A message producer is an object that is created using a JMSContext or a Session and used for sending messages to a destination. -It can be created either as a stand-alone object as below - +It can be created either as a stand-alone object as shown in the following example: ```java JMSProducer producer = context.createProducer(); ``` -or created at runtime when a message is needed to be sent. +Or created at runtime when a message is needed to be sent. ```java context.createProducer().send(destination, message); context.createProducer().send(destination, message); ### JMS message consumers -A message consumer is an object that is created by a JMSContext or a Session and used for receiving messages sent to a destination. It can be created as shown below - +A message consumer is an object that is created by a JMSContext or a Session and used for receiving messages sent to a destination. It can be created as shown in this example: ```java JMSConsumer consumer = context.createConsumer(dest); Message m = consumer.receive(1000); // time out after one second. 
#### Asynchronous receives with JMS message listeners -A message listener is an object that is used for asynchronous handling of messages on a destination. It implements the `MessageListener` interface which contains the `onMessage` method where the specific business logic must live. +A message listener is an object that is used for asynchronous handling of messages on a destination. It implements the `MessageListener` interface, which contains the `onMessage` method where the specific business logic must live. A message listener object must be instantiated and registered against a specific message consumer using the `setMessageListener` method. consumer.setMessageListener(myListener); ### Consuming from topics -[JMS Message Consumers](#jms-message-consumers) are created against a [destination](#jms-destination) which may be a queue or a topic. +[JMS Message Consumers](#jms-message-consumers) are created against a [destination](#jms-destination), which can be a queue or a topic. Consumers on queues are simply client side objects that live in the context of the Session (and Connection) between the client application and Azure Service Bus. Consumers on topics, however, have 2 parts - * A **client side object** that lives in the context of the Session(or JMSContext), and, * A **subscription** that is an entity on Azure Service Bus. -The subscriptions are documented [here](java-message-service-20-entities.md#java-message-service-jms-subscriptions) and can be one of the below - +The subscriptions are documented [here](java-message-service-20-entities.md#java-message-service-jms-subscriptions) and can be one of the following ones: * Shared durable subscriptions * Shared non-durable subscriptions * Unshared durable subscriptions The subscriptions are documented [here](java-message-service-20-entities.md#java The JMS API provides a `QueueBrowser` object that allows the application to browse the messages in the queue and display the header values for each message. 
-A Queue Browser can be created using the JMSContext as below. +A Queue Browser can be created using the JMSContext as in the following example: ```java QueueBrowser browser = context.createBrowser(queue); This developer guide showcased how Java client applications using Java Message S ## Next steps -For more information on Azure Service Bus and details about Java Message Service (JMS) entities, check out the links below - +For more information on Azure Service Bus and details about Java Message Service (JMS) entities, check out the following articles: * [Service Bus - Queues, Topics, and Subscriptions](service-bus-queues-topics-subscriptions.md) * [Service Bus - Java Message Service entities](service-bus-queues-topics-subscriptions.md#java-message-service-jms-20-entities) * [AMQP 1.0 support in Azure Service Bus](service-bus-amqp-overview.md) |
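Review bot: Changing "and" to "or" in "these interfaces are implemented through `ServiceBusJmsConnectionFactory`, `ServiceBusJmsQueueConnectionFactory`, or `ServiceBusJmsTopicConnectionFactory` respectively" is incorrect: "respectively" maps the three interfaces one-to-one onto the three classes, which requires "and". Keep "and" together with the added serial comma.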
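Review bot: Capitalizing "Or created at runtime when a message is needed to be sent." turns the continuation after the `JMSProducer producer = context.createProducer();` block into a standalone sentence with no subject. Either keep the lowercase continuation or rewrite it as a full sentence, for example "Alternatively, create the producer at runtime when a message needs to be sent:".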
service-bus-messaging | Message Sessions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/message-sessions.md | Title: Azure Service Bus message sessions | Microsoft Docs description: This article explains how to use sessions to enable joint and ordered handling of unbounded sequences of related messages. Previously updated : 02/14/2023 Last updated : 02/23/2024 # Message sessions For samples, use links in the [Next steps](#next-steps) section. ### Session features -Sessions provide concurrent de-multiplexing of interleaved message streams while preserving and guaranteeing ordered delivery. +Sessions provide concurrent demultiplexing of interleaved message streams while preserving and guaranteeing ordered delivery. -![A diagram showing how the Sessions feature preserves ordered delivery.][1] -A session receiver is created by a client accepting a session. When the session is accepted and held by a client, the client holds an exclusive lock on all messages with that session's **session ID** in the queue or subscription. It will also hold exclusive locks on all messages with the **session ID** that will arrive later. +A session receiver is created by a client accepting a session. When the session is accepted and held by a client, the client holds an exclusive lock on all messages with that session's **session ID** in the queue or subscription. It holds exclusive locks on all messages with the **session ID** that arrive later. The lock is released when you call close methods on the receiver or when the lock expires. There are methods on the receiver to renew the locks as well. Instead, you can use the automatic lock renewal feature where you can specify the time duration for which you want to keep getting the lock renewed. The session lock should be treated like an exclusive lock on a file, meaning that the application should close the session as soon as it no longer needs it and/or doesn't expect any further messages. 
-When multiple concurrent receivers pull from the queue, the messages belonging to a particular session are dispatched to the specific receiver that currently holds the lock for that session. With that operation, an interleaved message stream in one queue or subscription is cleanly de-multiplexed to different receivers and those receivers can also live on different client machines, since the lock management happens service-side, inside Service Bus. +When multiple concurrent receivers pull from the queue, the messages belonging to a particular session are dispatched to the specific receiver that currently holds the lock for that session. With that operation, an interleaved message stream in one queue or subscription is cleanly demultiplexed to different receivers and those receivers can also live on different client machines, since the lock management happens service-side, inside Service Bus. The previous illustration shows three concurrent session receivers. One Session with `SessionId` = 4 has no active, owning client, which means that no messages are delivered from this specific session. A session acts in many ways like a sub queue. The session state facility enables an application-defined annotation of a messag From the Service Bus perspective, the message session state is an opaque binary object that can hold data of the size of one message, which is 256 KB for Service Bus Standard, and 100 MB for Service Bus Premium. The processing state relative to a session can be held inside the session state, or the session state can point to some storage location or database record that holds such information. -The methods for managing session state, SetState and GetState, can be found on the session receiver object. A session that had previously no session state returns a null reference for GetState. The previously set session state can be cleared by passing null to the SetState method on the receiver. 
+The methods for managing session state, `SetState` and `GetState`, can be found on the session receiver object. A session that had previously no session state returns a null reference for `GetState`. The previously set session state can be cleared by passing null to the `SetState` method on the receiver. Session state remains as long as it isn't cleared up (returning **null**), even if all messages in a session are consumed. So, the messages are processed in this order: message 2, message 3, and message If messages just need to be retrieved in order, you don't need to use sessions. If messages need to be processed in order, use sessions. The same session ID should be set on messages that belong together, which could be message 1, 4, and 8 in a set, and 2, 3, and 6 in another set. ## Message expiration-For session-enabled queues or topics' subscriptions, messages are locked at the session level. If the TTL for any of the messages expires, all messages related to that session are either dropped or dead-lettered based on the dead-lettering enabled on messaging expiration setting on the entity. In other words, if there's a single message in the session that has passed the TTL, all the messages in the session are expired. The messages expire only if there's an active listener. For more information, see [Message expiration](message-expiration.md). +For session-enabled queues or topics' subscriptions, messages are locked at the session level. If the time-to-live (TTL) for any of the messages expires, all messages related to that session are either dropped or dead-lettered based on the dead-lettering enabled on messaging expiration setting on the entity. In other words, if there's a single message in the session that has passed the TTL, all the messages in the session are expired. The messages expire only if there's an active listener. For more information, see [Message expiration](message-expiration.md). 
## Next steps You can enable message sessions while creating a queue using Azure portal, PowerShell, CLI, Resource Manager template, .NET, Java, Python, and JavaScript. For more information, see [Enable message sessions](enable-message-sessions.md). Try the samples in the language of your choice to explore Azure Service Bus feat - [Continually read through all available sessions](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/servicebus/service-bus/samples/v7/javascript/advanced/sessionRoundRobin.js) - [Use session state](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/servicebus/service-bus/samples/v7/javascript/advanced/sessionState.js) -## Additional Resources +## Related articles -- [A blog post describing techniques for re-ordering messages that arrive out of order](https://particular.net/blog/you-dont-need-ordered-delivery)+- [A blog post describing techniques for reordering messages that arrive out of order](https://particular.net/blog/you-dont-need-ordered-delivery) -[1]: ./media/message-sessions/sessions.png + |
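Review bot: The diagram `![A diagram showing how the Sessions feature preserves ordered delivery.][1]` and its `[1]: ./media/message-sessions/sessions.png` reference are removed, but the unchanged sentence "The previous illustration shows three concurrent session receivers. One Session with `SessionId` = 4 has no active, owning client, which means that no messages are delivered from this specific session." still refers to it. Either restore the image or rewrite that paragraph so the `SessionId` = 4 example no longer depends on an illustration the page no longer has.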
service-bus-messaging | Message Transfers Locks Settlement | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/message-transfers-locks-settlement.md | Title: Azure Service Bus message transfers, locks, and settlement description: This article provides an overview of Azure Service Bus message transfers, locks, and settlement operations. Previously updated : 12/06/2022 Last updated : 02/22/2024 ms.devlang: csharp -When a client sends a message, it usually wants to know whether the message has been properly transferred to and accepted by the broker or whether some sort of error occurred. This positive or negative acknowledgment settles the understanding of both the client and broker about the transfer state of the message. Therefore, it's referred to as a *settlement*. +When a client sends a message, it usually wants to know whether the message is properly transferred to and accepted by the broker or whether some sort of error occurred. This positive or negative acknowledgment settles the understanding of both the client and broker about the transfer state of the message. Therefore, it's referred to as a *settlement*. -Likewise, when the broker transfers a message to a client, the broker and client want to establish an understanding of whether the message has been successfully processed and can therefore be removed, or whether the message delivery or processing failed, and thus the message might have to be delivered again. +Likewise, when the broker transfers a message to a client, the broker and client want to establish an understanding of whether the message is successfully processed and can therefore be removed, or whether the message delivery or processing failed, and thus the message might have to be delivered again. 
## Settling send operations Using any of the supported Service Bus API clients, send operations into Service Bus are always explicitly settled, meaning that the API operation waits for an acceptance result from Service Bus to arrive, and then completes the send operation. -If the message is rejected by Service Bus, the rejection contains an error indicator and text with a **tracking-id** in it. The rejection also includes information about whether the operation can be retried with any expectation of success. In the client, this information is turned into an exception and raised to the caller of the send operation. If the message has been accepted, the operation silently completes. +If the message is rejected by Service Bus, the rejection contains an error indicator and text with a **tracking-id** in it. The rejection also includes information about whether the operation can be retried with any expectation of success. In the client, this information is turned into an exception and raised to the caller of the send operation. If the message is accepted, the operation silently completes. Advanced Messaging Queuing Protocol (AMQP) is the only protocol supported for .NET Standard, Java, JavaScript, Python, and Go clients. For [.NET Framework clients](service-bus-amqp-dotnet.md), you can use Service Bus Messaging Protocol (SBMP) or AMQP. When you use the AMQP protocol, message transfers and settlements are pipelined and asynchronous. We recommend that you use the asynchronous programming model API variants. The strategy for handling the outcome of send operations can have immediate and If the application produces bursts of messages, illustrated here with a plain loop, and were to await the completion of each send operation before sending the next message, synchronous or asynchronous API shapes alike, sending 10 messages only completes after 10 sequential full round trips for settlement. 
-With an assumed 70-millisecond TCP roundtrip latency distance from an on-premises site to Service Bus and giving just 10 ms for Service Bus to accept and store each message, the following loop takes up at least 8 seconds, not counting payload transfer time or potential route congestion effects: +With an assumed 70-millisecond Transmission Control Protocol (TCP) roundtrip latency distance from an on-premises site to Service Bus and giving just 10 ms for Service Bus to accept and store each message, the following loop takes up at least 8 seconds, not counting payload transfer time or potential route congestion effects: ```csharp for (int i = 0; i < 100; i++) for (int i = 0; i < 100; i++) await Task.WhenAll(tasks); ``` -It's important to note that all asynchronous programming models use some form of memory-based, hidden work queue that holds pending operations. When the send API returns, the send task is queued up in that work queue, but the protocol gesture only commences once it's the task's turn to run. For code that tends to push bursts of messages and where reliability is a concern, care should be taken that not too many messages are put "in flight" at once, because all sent messages take up memory until they have factually been put onto the wire. +It's important to note that all asynchronous programming models use some form of memory-based, hidden work queue that holds pending operations. When the send API returns, the send task is queued up in that work queue, but the protocol gesture only commences once it's the task's turn to run. For code that tends to push bursts of messages and where reliability is a concern, care should be taken that not too many messages are put "in flight" at once, because all sent messages take up memory until they're put onto the wire. -Semaphores, as shown in the following code snippet in C#, are synchronization objects that enable such application-level throttling when needed. 
This use of a semaphore allows for at most 10 messages to be in flight at once. One of the 10 available semaphore locks is taken before the send and it's released as the send completes. The 11th pass through the loop waits until at least one of the prior sends has completed, and then makes its lock available: +Semaphores, as shown in the following code snippet in C#, are synchronization objects that enable such application-level throttling when needed. This use of a semaphore allows for at most 10 messages to be in flight at once. One of the 10 available semaphore locks is taken before the send and it's released as the send completes. The 11th pass through the loop waits until at least one of the prior send operations completes, and then makes its lock available: ```csharp var semaphore = new SemaphoreSlim(10); For receive operations, the Service Bus API clients enable two different explici ### ReceiveAndDelete -The [Receive-and-Delete](/dotnet/api/azure.messaging.servicebus.servicebusreceivemode) mode tells the broker to consider all messages it sends to the receiving client as settled when sent. That means that the message is considered consumed as soon as the broker has put it onto the wire. If the message transfer fails, the message is lost. +The [Receive-and-Delete](/dotnet/api/azure.messaging.servicebus.servicebusreceivemode) mode tells the broker to consider all messages it sends to the receiving client as settled when sent. That means that the message is considered consumed as soon as the broker puts it onto the wire. If the message transfer fails, the message is lost. The upside of this mode is that the receiver doesn't need to take further action on the message and is also not slowed by waiting for the outcome of the settlement. If the data contained in the individual messages have low value and/or are only meaningful for a very short time, this mode is a reasonable choice. 
The upside of this mode is that the receiver doesn't need to take further action The [Peek-Lock](/dotnet/api/azure.messaging.servicebus.servicebusreceivemode) mode tells the broker that the receiving client wants to settle received messages explicitly. The message is made available for the receiver to process, while held under an exclusive lock in the service so that other, competing receivers can't see it. The duration of the lock is initially defined at the queue or subscription level and can be extended by the client owning the lock, via the [RenewMessageLockAsync](/dotnet/api/azure.messaging.servicebus.servicebusreceiver.renewmessagelockasync) operation. For details about renewing locks, see the [Renew locks](#renew-locks) section in this article. -When a message is locked, other clients receiving from the same queue or subscription can take on locks and retrieve the next available messages not under active lock. When the lock on a message is explicitly released or when the lock expires, the message pops back up at or near the front of the retrieval order for redelivery. +When a message is locked, other clients receiving from the same queue or subscription can take on locks and retrieve the next available messages not under active lock. When the lock on a message is explicitly released or when the lock expires, the message is placed at or near the front of the retrieval order for redelivery. When the message is repeatedly released by receivers or they let the lock elapse for a defined number of times ([Max Delivery Count](service-bus-dead-letter-queues.md#maximum-delivery-count)), the message is automatically removed from the queue or subscription and placed into the associated dead-letter queue. If a receiving client fails to process a message and knows that redelivering the A special case of settlement is deferral, which is discussed in a [separate article](message-deferral.md). 
-The `Complete`, `DeadLetter`, or `RenewLock` operations may fail due to network issues, if the held lock has expired, or there are other service-side conditions that prevent settlement. In one of the latter cases, the service sends a negative acknowledgment that surfaces as an exception in the API clients. If the reason is a broken network connection, the lock is dropped since Service Bus doesn't support recovery of existing AMQP links on a different connection. +The `Complete`, `DeadLetter`, or `RenewLock` operations might fail due to network issues, if the held lock has expired, or there are other service-side conditions that prevent settlement. In one of the latter cases, the service sends a negative acknowledgment that surfaces as an exception in the API clients. If the reason is a broken network connection, the lock is dropped since Service Bus doesn't support recovery of existing AMQP links on a different connection. -If `Complete` fails, which occurs typically at the very end of message handling and in some cases after minutes of processing work, the receiving application can decide whether it preserves the state of the work and ignores the same message when it's delivered a second time, or whether it tosses out the work result and retries as the message is redelivered. +If `Complete` fails, which occurs typically at the very end of message handling and in some cases after minutes of processing work, the receiving application can decide whether to preserve the state of the work and ignore the same message when it's delivered a second time, or whether to toss out the work result and retries as the message is redelivered. The typical mechanism for identifying duplicate message deliveries is by checking the message-id, which can and should be set by the sender to a unique value, possibly aligned with an identifier from the originating process. 
A job scheduler would likely set the message-id to the identifier of the job it's trying to assign to a worker with the given worker, and the worker would ignore the second occurrence of the job assignment if that job is already done. The typical mechanism for identifying duplicate message deliveries is by checkin ## Renew locks The default value for the lock duration is **1 minute**. You can specify a different value for the lock duration at the queue or subscription level. The client owning the lock can renew the message lock by using methods on the receiver object. Instead, you can use the automatic lock-renewal feature where you can specify the time duration for which you want to keep getting the lock renewed. -It's best to set the lock duration to something higher than your normal processing time, so you don't have to renew the lock. The maximum value is 5 minutes, so you need to renew the lock if you want to have this longer. Having a longer lock duration than needed has some implications as well. For example, when your client stops working, the message will only become available again after the lock duration has passed. +It's best to set the lock duration to something higher than your normal processing time, so you don't have to renew the lock. The maximum value is 5 minutes, so you need to renew the lock if you want to have it longer. Having a longer lock duration than needed has some implications as well. For example, when your client stops working, the message will only become available again after the lock duration has passed. ## Next steps - A special case of settlement is deferral. See the [Message deferral](message-deferral.md) for details. |
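Review bot: grammar slip in the rewritten `Complete`-failure paragraph: "whether to toss out the work result and retries as the message is redelivered" breaks the parallel with "whether to preserve ... and ignore"; change "retries" to "retry".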
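Review bot: the merged semaphore paragraph still ends with "waits until at least one of the prior send operations completes, and then makes its lock available", where "its" is ambiguous (the 11th pass does not make a lock available; the completing send releases one). Suggest "waits until at least one of the prior send operations completes and releases its lock".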
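Review bot: in the Renew locks hunk, "so you need to renew the lock if you want to have it longer" is still awkward after the "this" to "it" change; suggest "so you need to renew the lock if you have to hold it for longer than that".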
service-bus-messaging | Service Bus Authentication And Authorization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/service-bus-authentication-and-authorization.md | Title: Azure Service Bus authentication and authorization | Microsoft Docs description: Authenticate apps to Service Bus with Shared Access Signature (SAS) authentication. Previously updated : 02/17/2023 Last updated : 02/23/2024 # Service Bus authentication and authorization This article gives you details on using these two types of security mechanisms. <a name='azure-active-directory'></a> ## Microsoft Entra ID-Microsoft Entra integration with Service Bus provides role-based access control (RBAC) to Service Bus resources. You can use Azure RBAC to grant permissions to a security principal, which may be a user, a group, or an application service principal. Microsoft Entra authenticates the security principal and returns an OAuth 2.0 token. This token can be used to authorize a request to access a Service Bus resource (queue, topic, and so on). +Microsoft Entra integration with Service Bus provides role-based access control (RBAC) to Service Bus resources. You can use Azure RBAC to grant permissions to a security principal, which can be a user, a group, an application service principal, or a managed identity. Microsoft Entra authenticates the security principal and returns an OAuth 2.0 token. This token can be used to authorize a request to access a Service Bus resource (queue, topic, and so on). For more information about authenticating with Microsoft Entra ID, see the following articles: |
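Review bot: the front-matter description still reads "Authenticate apps to Service Bus with Shared Access Signature (SAS) authentication" even though the body says "This article gives you details on using these two types of security mechanisms" and this hunk expands the Microsoft Entra ID section; update the description to name Microsoft Entra ID (RBAC) alongside SAS so the page summary matches its content.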
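Review bot: the added "or a managed identity" in the security-principal list is a useful addition, but the paragraph that follows ("For more information about authenticating with Microsoft Entra ID, see the following articles:") should then include a managed-identity article so the new term has a landing page; also consider wording it as "an application service principal (including a managed identity)" so readers don't take the two as unrelated kinds of principal.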
service-bus-messaging | Service Bus Filter Examples | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/service-bus-filter-examples.md | Title: Set subscriptions filters in Azure Service Bus | Microsoft Docs description: This article provides examples for defining filters and actions on Azure Service Bus topic subscriptions. Previously updated : 02/28/2023 Last updated : 02/23/2024 ms.devlang: csharp sys.correlationid like 'abc-%' > [!NOTE] > - For a list of system properties, see [Messages, payloads, and serialization](service-bus-messages-payloads.md). -> - Use system property names from [Microsoft.Azure.ServiceBus.Message](/dotnet/api/microsoft.azure.servicebus.message#properties) in your filters even when you use [ServiceBusMessage](/dotnet/api/azure.messaging.servicebus.servicebusmessage) from the new [Azure.Messaging.ServiceBus](/dotnet/api/azure.messaging.servicebus) namespace to send and receive messages. -> - `Subject` from [Azure.Messaging.ServiceBus.ServiceBusMessage](/dotnet/api/azure.messaging.servicebus.servicebusmessage) maps to `Label` in [Microsoft.Azure.ServiceBus.Message](/dotnet/api/microsoft.azure.servicebus.message#properties). +> - Use system property names from [Azure.Messaging.ServiceBus.ServiceBusMessage](/dotnet/api/azure.messaging.servicebus.servicebusmessage) in your filters. +> - `Subject` from [Azure.Messaging.ServiceBus.ServiceBusMessage](/dotnet/api/azure.messaging.servicebus.servicebusmessage) maps to `Label` in the deprecated [Microsoft.Azure.ServiceBus.Message](/dotnet/api/microsoft.azure.servicebus.message#properties). ## Filter on message properties-Here are the examples of using application or user properties in a filter. 
You can access application properties set by using [Azure.Messaging.ServiceBus.ServiceBusMessage.ApplicationProperties](/dotnet/api/azure.messaging.servicebus.servicebusmessage.applicationproperties)) (latest) or user properties set by [Microsoft.Azure.ServiceBus.Message.UserProperty](/dotnet/api/microsoft.azure.servicebus.message.userproperties) (deprecated) using the syntax: `user.property-name` or just `property-name`. +Here are the examples of using application or user properties in a filter. You can access application properties set by using [Azure.Messaging.ServiceBus.ServiceBusMessage.ApplicationProperties](/dotnet/api/azure.messaging.servicebus.servicebusmessage.applicationproperties)) (latest) or user properties set by [Microsoft.Azure.ServiceBus.ServiceBusMessage](/dotnet/api/azure.messaging.servicebus.servicebusmessage) (deprecated) using the syntax: `user.property-name` or just `property-name`. ```csharp MessageProperty = 'A' |
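Review bot: the two rewritten NOTE bullets now conflict: the first tells readers to take system property names from `Azure.Messaging.ServiceBus.ServiceBusMessage`, yet the second keeps the `Subject` maps to `Label` mapping, which only matters if the filter grammar still expects the older `Label` name (the reason the removed bullet gave for using `Microsoft.Azure.ServiceBus.Message` names). Either restore the original guidance or state explicitly which name a filter such as the `sys.correlationid` example above has to use.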
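Review bot: the added paragraph under "Filter on message properties" breaks the user-properties link: the link text `Microsoft.Azure.ServiceBus.ServiceBusMessage` mixes the old namespace with the new type name, and the target `/dotnet/api/azure.messaging.servicebus.servicebusmessage` is the current type, not the deprecated one. The removed line's `[Microsoft.Azure.ServiceBus.Message.UserProperty](/dotnet/api/microsoft.azure.servicebus.message.userproperties)` was the correct reference; restore it. The stray double parenthesis after the `ApplicationProperties` link (`applicationproperties))`) also survives the rewrite and should be reduced to one.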
service-bus-messaging | Service Bus Messaging Exceptions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/service-bus-messaging-exceptions.md | Title: Azure Service Bus - messaging exceptions (deprecated) | Microsoft Docs description: This article provides a list of Azure Service Bus messaging exceptions from the deprecated packages and suggested actions to taken when the exception occurs. Previously updated : 02/17/2023 Last updated : 02/23/2024 # Service Bus messaging exceptions (deprecated) |
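Review bot: since this commit only bumps the "Last updated" date, fix the typo in the description while here: "suggested actions to taken when the exception occurs" should read "suggested actions to take when the exception occurs".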
service-bus-messaging | Service Bus Messaging Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/service-bus-messaging-overview.md | Title: Introduction to Azure Service Bus, an enterprise message broker description: This article provides a high-level overview of Azure Service Bus, a fully managed enterprise integration serverless message broker. Previously updated : 02/24/2023 Last updated : 02/23/2024 # What is Azure Service Bus? -Azure Service Bus is a fully managed enterprise message broker with message queues and publish-subscribe topics (in a namespace). Service Bus is used to decouple applications and services from each other, providing the following benefits: +Azure Service Bus is a fully managed enterprise message broker with message queues and publish-subscribe topics. Service Bus is used to decouple applications and services from each other, providing the following benefits: - Load-balancing work across competing workers - Safely routing and transferring data and control across service and application boundaries This section discusses basic concepts of Service Bus. ### Queues Messages are sent to and received from **queues**. Queues store messages until the receiving application is available to receive and process them. -![Queue](./media/service-bus-messaging-overview/about-service-bus-queue.png) -Messages in queues are ordered and timestamped on arrival. Once the broker accepts the message, the message is always held durably in triple-redundant storage, spread across availability zones if the namespace is zone-enabled. Service Bus keeps messages in memory or volatile storage until they've been reported by the client as accepted. +Messages in queues are ordered and timestamped on arrival. Once the broker accepts the message, the message is always held durably in triple-redundant storage, spread across availability zones if the namespace is zone-enabled. 
Service Bus keeps messages in memory or volatile storage until client reports them as accepted. Messages are delivered in **pull** mode, only delivering messages when requested. Unlike the busy-polling model of some other cloud queues, the pull operation can be long-lived and only complete once a message is available. Messages are delivered in **pull** mode, only delivering messages when requested ### Topics -You can also use **topics** to send and receive messages. While a queue is often used for point-to-point communication, topics are useful in publish/subscribe scenarios. +You can also use **topics** to send and receive messages. While a queue is often used for point-to-point communication, topics are useful in publish-subscribe scenarios. -![Topic](./media/service-bus-messaging-overview/about-service-bus-topic.png) Topics can have multiple, independent subscriptions, which attach to the topic and otherwise work exactly like queues from the receiver side. A subscriber to a topic can receive a copy of each message sent to that topic. Subscriptions are named entities. Subscriptions are durable by default, but can be configured to expire and then be automatically deleted. Via the Java Message Service (JMS) API, Service Bus Premium also allows you to create volatile subscriptions that exist for the duration of the connection. You can define rules on a subscription. A subscription rule has a **filter** to ### Namespaces-A namespace is a container for all messaging components (queues and topics). Multiple queues and topics can be in a single namespace, and namespaces often serve as application containers. +A namespace is a container for all messaging components (queues and topics). A namespace can have one or more queues and topics and it often serves as an application container. -A namespace can be compared to a server in the terminology of other brokers, but the concepts aren't directly equivalent. 
A Service Bus namespace is your own capacity slice of a large cluster made up of dozens of all-active virtual machines. It may optionally span three [Azure availability zones](../availability-zones/az-overview.md). So, you get all the availability and robustness benefits of running the message broker at enormous scale. And, you don't need to worry about underlying complexities. Service Bus is serverless messaging. +A namespace can be compared to a server in the terminology of other brokers, but the concepts aren't directly equivalent. A Service Bus namespace is your own capacity slice of a large cluster made up of dozens of all-active virtual machines. It optionally spans three [Azure availability zones](../availability-zones/az-overview.md). So, you get all the availability and robustness benefits of running the message broker at enormous scale. And, you don't need to worry about underlying complexities. Service Bus is serverless messaging. ## Advanced features Service Bus also has advanced features that enable you to solve more complex mes ### Message sessions -To realize a first-in, first-out (**FIFO**) guarantee in processing messages in Service Bus queue or subscriptions, use sessions. Sessions can also be used in implementing request-response patterns. The **request-response pattern** enables the sender application to send a request and provides a way for the receiver to correctly send a response back to the sender application. For more information, see [Message sessions](message-sessions.md) +To realize a first-in, first-out (**FIFO**) guarantee in processing messages in Service Bus queues or subscriptions, use sessions. Sessions can also be used in implementing request-response patterns. The **request-response pattern** enables the sender application to send a request and provides a way for the receiver to correctly send a response back to the sender application. For more information, see [Message sessions](message-sessions.md). 
### Auto-forwarding A transaction groups two or more operations together into an execution scope. Se ### Filters and actions -Subscribers can define which messages they want to receive from a topic. These messages are specified in the form of one or more named subscription rules. Each rule consists of a **filter condition** that selects particular messages, and **optionally** contains an **action** that annotates the selected message. For each matching rule condition, the subscription produces a copy of the message, which may be differently annotated for each matching rule. For more information, see [Topic filters and actions](topic-filters.md). +Subscribers can define which messages they want to receive from a topic. These messages are specified in the form of one or more named subscription rules. Each rule consists of a **filter condition** that selects particular messages, and **optionally** contains an **action** that annotates the selected message. For each matching rule condition, the subscription produces a copy of the message, which can be differently annotated for each matching rule. For more information, see [Topic filters and actions](topic-filters.md). ### Auto-delete on idle |
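Review bot: grammar in the new Queues sentence: "until client reports them as accepted" needs an article ("until the client reports them as accepted"). The same sentence, placed right after "the message is always held durably in triple-redundant storage", reads as a contradiction (durable storage versus "memory or volatile storage"); say which phase of the message's life each sentence describes.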
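Review bot: the Queues and Topics hunks remove both diagrams (`about-service-bus-queue.png` and `about-service-bus-topic.png`) without any replacement; if the images are being retired, confirm that is intentional and add a sentence covering what the figure showed or a replacement figure, since both sections otherwise lose their only visual.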
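Review bot: style point on the rewritten Namespaces sentence: "A namespace can have one or more queues and topics and it often serves as an application container" needs a comma before "and it" (or drop "it": "and often serves as an application container").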
service-bus-messaging | Service Bus Troubleshooting Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/service-bus-troubleshooting-guide.md | Title: Troubleshooting guide for Azure Service Bus | Microsoft Docs description: Learn about troubleshooting tips and recommendations for a few issues that you see when using Azure Service Bus. Previously updated : 08/29/2022 Last updated : 02/23/2024 # Troubleshooting guide for Azure Service Bus Depending on the host environment and network, a connectivity issue might presen To troubleshoot: - Verify that the connection string or fully qualified domain name that you specified when creating the client is correct. For information on how to acquire a connection string, see [Get a Service Bus connection string](service-bus-dotnet-get-started-with-queues.md?tabs=connection-string#get-the-connection-string).-- Check the firewall and port permissions in your hosting environment. Check that the AMQP ports 5671 and 5672 are open and that the endpoint is allowed through the firewall.+- Check the firewall and port permissions in your hosting environment. Check that the Advanced Message Queuing Protocol (AMQP) ports 5671 and 5672 are open and that the endpoint is allowed through the firewall. - Try using the Web Socket transport option, which connects using port 443. For details, see [configure the transport](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/servicebus/Azure.Messaging.ServiceBus/samples/Sample13_AdvancedConfiguration.md#configuring-the-transport). - See if your network is blocking specific IP addresses. For details, see [What IP addresses do I need to allow?](/azure/service-bus-messaging/service-bus-faq#what-ip-addresses-do-i-need-to-add-to-allowlist-) - If applicable, verify the proxy configuration. 
For details, see: [Configuring the transport](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/servicebus/Azure.Messaging.ServiceBus/samples/Sample13_AdvancedConfiguration.md#configuring-the-transport) This error can occur when an intercepting proxy is used. To verify, We recommend ### Socket exhaustion errors Applications should prefer treating the Service Bus types as singletons, creating and using a single instance through the lifetime of the application. Each new [ServiceBusClient](/dotnet/api/azure.messaging.servicebus.servicebusclient) created results in a new AMQP connection, which uses a socket. The [ServiceBusClient](/dotnet/api/azure.messaging.servicebus.servicebusclient) type manages the connection for all types created from that instance. Each [ServiceBusReceiver][ServiceBusReceiver], [ServiceBusSessionReceiver][ServiceBusSessionReceiver], [ServiceBusSender](/dotnet/api/azure.messaging.servicebus.servicebussender), and [ServiceBusProcessor](/dotnet/api/azure.messaging.servicebus.servicebusprocessor) manages its own AMQP link for the associated Service Bus entity. When you use [ServiceBusSessionProcessor](/dotnet/api/azure.messaging.servicebus.servicebussessionprocessor), multiple AMQP links are established depending on the number of sessions that are being processed concurrently. -The clients are safe to cache when idle; they'll ensure efficient management of network, CPU, and memory use, minimizing their impact during periods of inactivity. It's also important that either `CloseAsync` or `DisposeAsync` be called when a client is no longer needed to ensure that network resources are properly cleaned up. +The clients are safe to cache when idle; they ensure efficient management of network, CPU, and memory use, minimizing their impact during periods of inactivity. It's also important that either `CloseAsync` or `DisposeAsync` is called when a client is no longer needed to ensure that network resources are properly cleaned up. 
### Adding components to the connection string doesn't work-The current generation of the Service Bus client library supports connection strings only in the form published by the Azure portal. These are intended to provide basic location and shared key information only. Configuring behavior of the clients is done through its options. +The current generation of the Service Bus client library supports connection strings only in the form published by the Azure portal. The connection strings are intended to provide basic location and shared key information only. Configuring behavior of the clients is done through its options. Previous generations of the Service Bus clients allowed for some behavior to be configured by adding key/value components to a connection string. These components are no longer recognized and have no effect on client behavior. The library creates the following spans: `ServiceBusRuleManager.DeleteRule` `ServiceBusRuleManager.GetRules` -Most of the spans are self-explanatory and are started and stopped during the operation that bears its name. The span that ties the others together is `Message`. The way that the message is traced is via the `Diagnostic-Id` that is set in the [ServiceBusMessage.ApplicationProperties](/dotnet/api/azure.messaging.servicebus.servicebusmessage.applicationproperties) property by the library during send and schedule operations. In Application Insights, `Message` spans will be displayed as linking out to the various other spans that were used to interact with the message, for example, the `ServiceBusReceiver.Receive` span, the `ServiceBusSender.Send` span, and the `ServiceBusReceiver.Complete` span would all be linked from the `Message` span. Here's an example of what this looks like in Application Insights: +Most of the spans are self-explanatory and are started and stopped during the operation that bears its name. The span that ties the others together is `Message`. 
The way that the message is traced is via the `Diagnostic-Id` that is set in the [ServiceBusMessage.ApplicationProperties](/dotnet/api/azure.messaging.servicebus.servicebusmessage.applicationproperties) property by the library during send and schedule operations. In Application Insights, `Message` spans are displayed as linking out to the various other spans that were used to interact with the message, for example, the `ServiceBusReceiver.Receive` span, the `ServiceBusSender.Send` span, and the `ServiceBusReceiver.Complete` span would all be linked from the `Message` span. Here's an example of what this looks like in Application Insights: :::image type="content" source="./media/service-bus-troubleshooting-guide/distributed-trace-example.png" alt-text="Image showing a sample distributed trace."::: In the above screenshot, you see the end-to-end transaction that can be viewed i When an app sends a batch to a partition-enabled entity, all messages included in a single send operation must have the same `PartitionKey`. If your entity is session-enabled, the same requirement holds true for the `SessionId` property. In order to send messages with different `PartitionKey` or `SessionId` values, group the messages in separate [`ServiceBusMessageBatch`][ServiceBusMessageBatch] instances or include them in separate calls to the [SendMessagesAsync][SendMessages] overload that takes a set of `ServiceBusMessage` instances. ### Batch fails to send-A message batch is either [`ServiceBusMessageBatch`][ServiceBusMessageBatch] containing two or more messages, or a call to [SendMessagesAsync][SendMessages] where two or more messages are passed in. The service doesn't allow a message batch to exceed 1 MB. This behavior is true whether or not the [Premium large message support](service-bus-premium-messaging.md#large-messages-support) feature is enabled. If you intend to send a message greater than 1 MB, it must be sent individually rather than grouped with other messages. 
Unfortunately, the [ServiceBusMessageBatch][ServiceBusMessageBatch] type doesn't currently support validating that a batch doesn't contain any messages greater than 1 MB as the size is constrained by the service and might change. So, if you intend to use the premium large message support feature, you'll need to ensure you send messages over 1 MB individually. +A message batch is either [`ServiceBusMessageBatch`][ServiceBusMessageBatch] containing two or more messages, or a call to [SendMessagesAsync][SendMessages] where two or more messages are passed in. The service doesn't allow a message batch to exceed 1 MB. This behavior is true whether or not the [Premium large message support](service-bus-premium-messaging.md#large-messages-support) feature is enabled. If you intend to send a message greater than 1 MB, it must be sent individually rather than grouped with other messages. Unfortunately, the [ServiceBusMessageBatch][ServiceBusMessageBatch] type doesn't currently support validating that a batch doesn't contain any messages greater than 1 MB as the size is constrained by the service and might change. So, if you intend to use the premium large message support feature, ensure that you send messages over 1 MB individually. ## Troubleshoot receiver issues ### Number of messages returned doesn't match number requested in batch receive-When attempting to do a batch receive operation, that is, passing a `maxMessages` value of two or greater to the [ReceiveMessagesAsync](/dotnet/api/azure.messaging.servicebus.servicebusreceiver.receivemessagesasync) method, you aren't guaranteed to receive the number of messages requested, even if the queue or subscription has that many messages available at that time, and even if the entire configured `maxWaitTime` hasn't yet elapsed. 
To maximize throughput and avoid lock expiration, once the first message comes over the wire, the receiver will wait an additional 20 milliseconds for any additional messages before dispatching the messages for processing. The `maxWaitTime` controls how long the receiver will wait to receive the *first* message - subsequent messages will be waited for 20 milliseconds. Therefore, your application shouldn't assume that all messages available will be received in one call. +When attempting to do a batch receive operation, that is, passing a `maxMessages` value of two or greater to the [ReceiveMessagesAsync](/dotnet/api/azure.messaging.servicebus.servicebusreceiver.receivemessagesasync) method, you aren't guaranteed to receive the number of messages requested, even if the queue or subscription has that many messages available at that time, and even if the entire configured `maxWaitTime` hasn't yet elapsed. To maximize throughput and avoid lock expiration, once the first message comes over the wire, the receiver waits an additional 20 milliseconds for any additional messages before dispatching the messages for processing. The `maxWaitTime` controls how long the receiver waits to receive the *first* message - subsequent messages are waited for 20 milliseconds. Therefore, your application shouldn't assume that all messages available are received in one call. ### Message or session lock is lost before lock expiration time-The Service Bus service leverages the AMQP protocol, which is stateful. Due to the nature of the protocol, if the link that connects the client and the service is detached after a message is received, but before the message is settled, the message isn't able to be settled on reconnecting the link. Links can be detached due to a short-term transient network failure, a network outage, or due to the service enforced 10-minute idle timeout. 
The reconnection of the link happens automatically as a part of any operation that requires the link, that is, settling or receiving messages. In this situation, you receive a `ServiceBusException` with `Reason` of `MessageLockLost` or `SessionLockLost` even if the lock expiration time hasn't yet passed. +The Service Bus service uses the AMQP protocol, which is stateful. Due to the nature of the protocol, if the link that connects the client and the service is detached after a message is received, but before the message is settled, the message isn't able to be settled on reconnecting the link. Links can be detached due to a short-term transient network failure, a network outage, or due to the service enforced 10-minute idle timeout. The reconnection of the link happens automatically as a part of any operation that requires the link, that is, settling or receiving messages. In this situation, you receive a `ServiceBusException` with `Reason` of `MessageLockLost` or `SessionLockLost` even if the lock expiration time hasn't yet passed. ### How to browse scheduled or deferred messages Scheduled and deferred messages are included when peeking messages. They can be identified by the [ServiceBusReceivedMessage.State](/dotnet/api/azure.messaging.servicebus.servicebusreceivedmessage.state) property. Once you have the [SequenceNumber](/dotnet/api/azure.messaging.servicebus.servicebusreceivedmessage.sequencenumber) of a deferred message, you can receive it with a lock via the [ReceiveDeferredMessagesAsync](/dotnet/api/azure.messaging.servicebus.servicebusreceiver.receivedeferredmessagesasync) method. -When working with topics, you can't peek scheduled messages on the subscription, as the messages remain in the topic until the scheduled enqueue time. As a workaround, you can construct a [ServiceBusReceiver][ServiceBusReceiver] passing in the topic name in order to peek such messages. Note that no other operations with the receiver will work when using a topic name. 
+When working with topics, you can't peek scheduled messages on the subscription, as the messages remain in the topic until the scheduled enqueue time. As a workaround, you can construct a [ServiceBusReceiver][ServiceBusReceiver] passing in the topic name in order to peek such messages. No other operations with the receiver work when using a topic name. ### How to browse session messages across all sessions-You can use a regular [ServiceBusReceiver][ServiceBusReceiver] to peek across all sessions. To peek for a specific session you can use the [ServiceBusSessionReceiver][ServiceBusSessionReceiver], but you'll need to obtain a session lock. +You can use a regular [ServiceBusReceiver][ServiceBusReceiver] to peek across all sessions. To peek for a specific session you can use the [ServiceBusSessionReceiver][ServiceBusSessionReceiver], but you need to obtain a session lock. ### NotSupportedException thrown when accessing message body This issue occurs most often in interop scenarios when receiving a message sent from a different library that uses a different AMQP message body format. If you're interacting with these types of messages, see the [AMQP message body sample][MessageBody] to learn how to access the message body. This issue occurs most often in interop scenarios when receiving a message sent Autolock renewal relies on the system time to determine when to renew a lock for a message or session. If your system time isn't accurate, for example, your clock is slow, then lock renewal might not happen before the lock is lost. Ensure that your system time is accurate if autolock renewal isn't working. ### Processor appears to hang or have latency issues when using high concurrency-This is often caused by thread starvation, particularly when using the session processor and using a very high value for [MaxConcurrentSessions][MaxConcurrentSessions], relative to the number of cores on the machine. 
The first thing to check would be to make sure you aren't doing sync-over-async in any of your event handlers. Sync-over-async is an easy way to cause deadlocks and thread starvation. Even if you aren't doing sync over async, any pure sync code in your handlers could contribute to thread starvation. If you've determined that this isn't the issue, for example, because you have pure async code, you can try increasing your [TryTimeout][TryTimeout]. This will relieve pressure on the thread pool by reducing the number of context switches and timeouts that occur when using the session processor in particular. The default value for [TryTimeout][TryTimeout] is 60 seconds, but it can be set all the way up to 1 hour. We recommend testing with the `TryTimeout` set to 5 minutes as a starting point and iterate from there. If none of these suggestions work, you simply need to scale out to multiple hosts, reducing the concurrency in your application, but running the application on multiple hosts to achieve the desired overall concurrency. +This behavior is often caused by thread starvation, particularly when using the session processor and using a very high value for [MaxConcurrentSessions][MaxConcurrentSessions], relative to the number of cores on the machine. The first thing to check would be to make sure you aren't doing sync-over-async in any of your event handlers. Sync-over-async is an easy way to cause deadlocks and thread starvation. Even if you aren't doing sync over async, any pure sync code in your handlers could contribute to thread starvation. If you've determined that isn't the issue, for example, because you have pure async code, you can try increasing your [TryTimeout][TryTimeout]. It relieves pressure on the thread pool by reducing the number of context switches and timeouts that occur when using the session processor in particular. The default value for [TryTimeout][TryTimeout] is 60 seconds, but it can be set all the way up to 1 hour. 
We recommend testing with the `TryTimeout` set to 5 minutes as a starting point and iterate from there. If none of these suggestions work, you simply need to scale out to multiple hosts, reducing the concurrency in your application, but running the application on multiple hosts to achieve the desired overall concurrency. Further reading: - [Debug thread pool starvation][DebugThreadPoolStarvation] Further reading: ### Session processor takes too long to switch sessions -This can be configured using the [SessionIdleTimeout][SessionIdleTimeout], which tells the processor how long to wait to receive a message from a session, before giving up and moving to another one. This is useful if you have many sparsely populated sessions, where each session only has a few messages. If you expect that each session will have many messages that trickle in, setting this too low can be counter productive, as it will result in unnecessary closing of the session. +This can be configured using the [SessionIdleTimeout][SessionIdleTimeout], which tells the processor how long to wait to receive a message from a session, before giving up and moving to another one. It's useful if you have many sparsely populated sessions, where each session only has a few messages. If you expect that each session will have many messages that trickle in, setting it too low can be counter productive, as it results in unnecessary closing of the session. ### Processor stops immediately -This is often observed for demo or testing scenarios. `StartProcessingAsync` returns immediately after the processor has started. Calling this method won't block and keep your application alive while the processor is running, so you'll need some other mechanism to do so. For demos or testing, it's sufficient to just add a `Console.ReadKey()` call after you start the processor. 
For production scenarios, you'll likely want to use some sort of framework integration like [BackgroundService][BackgroundService] to provide convenient application lifecycle hooks that can be used for starting and disposing the processor. +This is often observed for demo or testing scenarios. `StartProcessingAsync` returns immediately after the processor has started. Calling this method won't block and keep your application alive while the processor is running, so you need some other mechanism to do so. For demos or testing, it's sufficient to just add a `Console.ReadKey()` call after you start the processor. For production scenarios, you'll likely want to use some sort of framework integration like [BackgroundService][BackgroundService] to provide convenient application lifecycle hooks that can be used for starting and disposing the processor. ## Troubleshoot transactions A transaction times out after a [period of time][TransactionTimeout], so it's im This is by design. Consider the following scenario - you're attempting to complete a message within a transaction, but there's some transient error that occurs, for example, `ServiceBusException` with a `Reason` of `ServiceCommunicationProblem`. Suppose the request does actually make it to the service. If the client were to retry, the service would see two complete requests. The first complete won't be finalized until the transaction is committed. The second complete isn't able to even be evaluated before the first complete finishes. The transaction on the client is waiting for the complete to finish. This creates a deadlock where the service is waiting for the client to complete the transaction, but the client is waiting for the service to acknowledge the second complete operation. The transaction will eventually time out after 2 minutes, but this is a bad user experience. For this reason, we don't retry operations within a transaction. 
-### Transactions across entities are not working +### Transactions across entities aren't working -In order to perform transactions that involve multiple entities, you'll need to set the `ServiceBusClientOptions.EnableCrossEntityTransactions` property to `true`. For details, see the [Transactions across entities][CrossEntityTransactions] sample. +In order to perform transactions that involve multiple entities, you need to set the `ServiceBusClientOptions.EnableCrossEntityTransactions` property to `true`. For details, see the [Transactions across entities][CrossEntityTransactions] sample. ## Quotas Service Bus Error: Unauthorized access. 'Send' claim\(s\) are required to perfor The identity doesn't have permissions to access the Service Bus topic. ### Resolution-To resolve this error, install the [Microsoft.Azure.Services.AppAuthentication](https://www.nuget.org/packages/Microsoft.Azure.Services.AppAuthentication/) library. For more information, see [Local development authentication](/dotnet/api/overview/azure/service-to-service-authentication#local-development-authentication). +To resolve this error, install the [Microsoft.Azure.Services.AppAuthentication](https://www.nuget.org/packages/Microsoft.Azure.Services.AppAuthentication/) library. For more information, see [Local development authentication](/dotnet/api/overview/azure/service-to-service-authentication#local-development-authentication). To learn how to assign permissions to roles, see [Authenticate a managed identity with Microsoft Entra ID to access Azure Service Bus resources](service-bus-managed-service-identity.md). |
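Review bot: in the Resolution section at the end of this change, the opening sentence still says the missing 'Send' claim error is resolved by installing the Microsoft.Azure.Services.AppAuthentication library, while the diagnosis just above it ("The identity doesn't have permissions to access the Service Bus topic") and the newly added sentence both point to assigning the missing role; installing a client library does not grant a claim. Lead the resolution with the role-assignment guidance ("To learn how to assign permissions to roles, see ...") and drop or clearly qualify the library-install sentence.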
service-bus-messaging | Topic Filters | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/topic-filters.md | Title: Azure Service Bus topic filters | Microsoft Docs description: This article explains how subscribers can define which messages they want to receive from a topic by specifying filters. Previously updated : 02/28/2023 Last updated : 02/23/2024 # Topic filters and actions Subscribers can define which messages they want to receive from a topic. These m All rules **without actions** are combined using an `OR` condition and result in a **single message** on the subscription even if you have multiple matching rules. -Each rule **with an action** produces a copy of the message. This message will have a property called `RuleName` where the value is the name of the matching rule. The action may add or update properties, or delete properties from the original message to produce a message on the subscription. +Each rule **with an action** produces a copy of the message. This message will have a property called `RuleName` where the value is the name of the matching rule. The action can add or update properties, or delete properties from the original message to produce a message on the subscription. Consider the following scenario: Service Bus supports three types of filters: The following sections provide details about these filters. ### SQL filters-A **SqlFilter** holds a SQL-like conditional expression that's evaluated in the broker against the arriving messages' user-defined properties and system properties. All system properties must be prefixed with `sys.` in the conditional expression. The [SQL-language subset for filter conditions](service-bus-messaging-sql-filter.md) tests for the existence of properties (`EXISTS`), null-values (`IS NULL`), logical `NOT`/`AND`/`OR`, relational operators, simple numeric arithmetic, and simple text pattern matching with `LIKE`. 
+A **SqlFilter** holds a SQL-like conditional expression that will be evaluated in the broker against the arriving messages' user-defined properties and system properties. All system properties must be prefixed with `sys.` in the conditional expression. The [SQL-language subset for filter conditions](service-bus-messaging-sql-filter.md) tests for the existence of properties (`EXISTS`), null-values (`IS NULL`), logical `NOT`/`AND`/`OR`, relational operators, simple numeric arithmetic, and simple text pattern matching with `LIKE`. Here's a .NET example for defining a SQL filter: |
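Review bot: the rewritten SqlFilter sentence replaces "that's evaluated in the broker" with "that will be evaluated in the broker", moving from present to future tense, which is the opposite direction to the other edit in this same change ("The action may add" becomes "The action can add") and to the present-tense rewrites in the neighbouring Service Bus pages. Keep the original "that's evaluated in the broker".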
storage | Storage Quickstart Blobs Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-quickstart-blobs-python.md | +zone_pivot_groups: azure-blob-storage-quickstart-options # Quickstart: Azure Blob Storage client library for Python -Get started with the Azure Blob Storage client library for Python to manage blobs and containers. Follow these steps to install the package and try out example code for basic tasks in an interactive console app. ++> [!NOTE] +> The **Build from scratch** option walks you step by step through the process of creating a new project, installing packages, writing the code, and running a basic console app. This approach is recommended if you want to understand all the details involved in creating an app that connects to Azure Blob Storage. If you prefer to automate deployment tasks and start with a completed project, choose [Start with a template](storage-quickstart-blobs-python.md?pivots=blob-storage-quickstart-template). ++++> [!NOTE] +> The **Start with a template** option uses the Azure Developer CLI to automate deployment tasks and starts you off with a completed project. This approach is recommended if you want to explore the code as quickly as possible without going through the setup tasks. If you prefer step by step instructions to build the app, choose [Build from scratch](storage-quickstart-blobs-python.md?pivots=blob-storage-quickstart-scratch). +++Get started with the Azure Blob Storage client library for Python to manage blobs and containers. +++In this article, you follow steps to install the package and try out example code for basic tasks. ++++In this article, you use the [Azure Developer CLI](/azure/developer/azure-developer-cli/overview) to deploy Azure resources and run a completed console app with just a few commands. 
+ [API reference documentation](/python/api/azure-storage-blob) | [Library source code](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/storage/azure-storage-blob) | [Package (PyPi)](https://pypi.org/project/azure-storage-blob/) | [Samples](../common/storage-samples-python.md?toc=/azure/storage/blobs/toc.json#blob-samples) + This video shows you how to start using the Azure Blob Storage client library for Python. > [!VIDEO f663a554-96ca-4bc3-b3b1-48376a7efbdf] The steps in the video are also described in the following sections. + ## Prerequisites + - Azure account with an active subscription - [create an account for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio) - Azure Storage account - [create a storage account](../common/storage-account-create.md) - [Python](https://www.python.org/downloads/) 3.8+ +++- Azure subscription - [create one for free](https://azure.microsoft.com/free/) +- [Python](https://www.python.org/downloads/) 3.8+ +- [Azure Developer CLI](/azure/developer/azure-developer-cli/install-azd) ++ ## Setting up + This section walks you through preparing a project to work with the Azure Blob Storage client library for Python. ### Create the project From the project directory, follow steps to create the basic structure of the ap 1. Open a new text file in your code editor. 1. Add `import` statements, create the structure for the program, and include basic exception handling, as shown below. 1. Save the new file as *blob_quickstart.py* in the *blob-quickstart* directory.+ :::code language="python" source="~/azure-storage-snippets/blobs/quickstarts/python/app-framework-qs.py"::: +++With [Azure Developer CLI](/azure/developer/azure-developer-cli/install-azd) installed, you can create a storage account and run the sample code with just a few commands. 
You can run the project in your local development environment, or in a [DevContainer](https://code.visualstudio.com/docs/devcontainers/containers). ++### Initialize the Azure Developer CLI template and deploy resources ++From an empty directory, follow these steps to initialize the `azd` template, provision Azure resources, and get started with the code: ++- Clone the quickstart repository assets from GitHub and initialize the template locally: ++ ```console + azd init --template blob-storage-quickstart-python + ``` ++ You'll be prompted for the following information: ++ - **Environment name**: This value is used as a prefix for all Azure resources created by Azure Developer CLI. The name must be unique across all Azure subscriptions and must be between 3 and 24 characters long. The name can contain numbers and lowercase letters only. ++- Log in to Azure: ++ ```console + azd auth login + ``` +- Provision and deploy the resources to Azure: ++ ```console + azd up + ``` ++ You'll be prompted for the following information: ++ - **Subscription**: The Azure subscription that your resources are deployed to. + - **Location**: The Azure region where your resources are deployed. ++ The deployment might take a few minutes to complete. The output from the `azd up` command includes the name of the newly created storage account, which you'll need later to run the code. ++## Run the sample code ++At this point, the resources are deployed to Azure and the code is ready to run. Follow these steps to update the name of the storage account in the code and run the sample console app: ++- **Update the storage account name**: In the local directory, edit the file named **blob_quickstart.py**. Find the `<storage-account-name>` placeholder and replace it with the actual name of the storage account created by the `azd up` command. Save the changes. +- **Run the project**: Execute the following command to run the app: `python blob_quickstart.py`. 
+- **Observe the output**: This app creates a test file in your local *data* folder and uploads it to a container in the storage account. The example then lists the blobs in the container and downloads the file with a new name so that you can compare the old and new files. ++To learn more about how the sample code works, see [Code examples](#code-examples). ++When you're finished testing the code, see the [Clean up resources](#clean-up-resources) section to delete the resources created by the `azd up` command. ++ ## Object model Azure Blob Storage is optimized for storing massive amounts of unstructured data. Unstructured data is data that doesn't adhere to a particular data model or definition, such as text or binary data. Blob storage offers three types of resources: These example code snippets show you how to do the following tasks with the Azur - [Download blobs](#download-blobs) - [Delete a container](#delete-a-container) ++> [!NOTE] +> The Azure Developer CLI template includes a file with sample code already in place. The following examples provide detail for each part of the sample code. The template implements the recommended passwordless authentication method, as described in the [Authenticate to Azure](#authenticate-to-azure-and-authorize-access-to-blob-data) section. The connection string method is shown as an alternative, but isn't used in the template and isn't recommended for production code. ++ ### Authenticate to Azure and authorize access to blob data [!INCLUDE [storage-quickstart-passwordless-auth-intro](../../../includes/storage-quickstart-passwordless-auth-intro.md)] blob_service_client = BlobServiceClient.from_connection_string(connect_str) ### Create a container -Decide on a name for the new container. The code below appends a UUID value to the container name to ensure that it's unique. 
+Create a new container in your storage account by calling the [create_container](/python/api/azure-storage-blob/azure.storage.blob.blobserviceclient#azure-storage-blob-blobserviceclient-create-container) method on the `blob_service_client` object. In this example, the code appends a GUID value to the container name to ensure that it's unique. -> [!IMPORTANT] -> Container names must be lowercase. For more information about naming containers and blobs, see [Naming and Referencing Containers, Blobs, and Metadata](/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata). --Call the [create_container](/python/api/azure-storage-blob/azure.storage.blob.blobserviceclient#create-container-name--metadata-none--public-access-none-kwargs-) method to actually create the container in your storage account. Add this code to the end of the `try` block: + :::code language="python" source="~/azure-storage-snippets/blobs/quickstarts/python/blob-quickstart.py" id="Snippet_CreateContainer"::: To learn more about creating a container, and to explore more code samples, see [Create a blob container with Python](storage-blob-container-create-python.md). +> [!IMPORTANT] +> Container names must be lowercase. For more information about naming containers and blobs, see [Naming and Referencing Containers, Blobs, and Metadata](/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata). + ### Upload blobs to a container -The following code snippet: +Upload a blob to a container using [upload_blob](/python/api/azure-storage-blob/azure.storage.blob.blobclient#azure-storage-blob-blobclient-upload-blob). The example code creates a text file in the local *data* directory to upload to the container. -1. Creates a local directory to hold data files. -1. Creates a text file in the local directory. -1. 
Gets a reference to a [BlobClient](/python/api/azure-storage-blob/azure.storage.blob.blobclient) object by calling the [get_blob_client](/python/api/azure-storage-blob/azure.storage.blob.containerclient#get-blob-client-blob--snapshot-none-) method on the [BlobServiceClient](/python/api/azure-storage-blob/azure.storage.blob.blobserviceclient) from the [Create a container](#create-a-container) section. -1. Uploads the local text file to the blob by calling the [upload_blob](/python/api/azure-storage-blob/azure.storage.blob.blobclient#upload-blob-data--blob-type--blobtype-blockblobblockblob-length-none--metadata-none-kwargs-) method. Add this code to the end of the `try` block: + :::code language="python" source="~/azure-storage-snippets/blobs/quickstarts/python/blob-quickstart.py" id="Snippet_UploadBlobs"::: To learn more about uploading blobs, and to explore more code samples, see [Upload a blob with Python](storage-blob-upload-python.md). ### List the blobs in a container -List the blobs in the container by calling the [list_blobs](/python/api/azure-storage-blob/azure.storage.blob.containerclient#list-blobs-name-starts-with-none--include-none-kwargs-) method. In this case, only one blob has been added to the container, so the listing operation returns just that one blob. +List the blobs in the container by calling the [list_blobs](/python/api/azure-storage-blob/azure.storage.blob.containerclient#azure-storage-blob-containerclient-list-blobs) method. In this case, only one blob has been added to the container, so the listing operation returns just that one blob. + Add this code to the end of the `try` block: + :::code language="python" source="~/azure-storage-snippets/blobs/quickstarts/python/blob-quickstart.py" id="Snippet_ListBlobs"::: To learn more about listing blobs, and to explore more code samples, see [List blobs with Python](storage-blobs-list-python.md). 
### Download blobs -Download the previously created blob by calling the [download_blob](/python/api/azure-storage-blob/azure.storage.blob.blobclient#download-blob-offset-none--length-none-kwargs-) method. The example code adds a suffix of "DOWNLOAD" to the file name so that you can see both files in local file system. +Download the previously created blob by calling the [download_blob](/python/api/azure-storage-blob/azure.storage.blob.containerclient#azure-storage-blob-containerclient-download-blob) method. The example code adds a suffix of "DOWNLOAD" to the file name so that you can see both files in local file system. + Add this code to the end of the `try` block: + :::code language="python" source="~/azure-storage-snippets/blobs/quickstarts/python/blob-quickstart.py" id="Snippet_DownloadBlobs"::: To learn more about downloading blobs, and to explore more code samples, see [Download a blob with Python](storage-blob-download-python.md). ### Delete a container -The following code cleans up the resources the app created by removing the entire container using the [ΓÇïdelete_container](/python/api/azure-storage-blob/azure.storage.blob.containerclient#delete-containerkwargs-) method. You can also delete the local files, if you like. +The following code cleans up the resources the app created by removing the entire container using the [ΓÇïdelete_container](/python/api/azure-storage-blob/azure.storage.blob.containerclient#azure-storage-blob-containerclient-delete-container) method. You can also delete the local files, if you like. The app pauses for user input by calling `input()` before it deletes the blob, container, and local files. Verify that the resources were created correctly before they're deleted. 
+ Add this code to the end of the `try` block: + :::code language="python" source="~/azure-storage-snippets/blobs/quickstarts/python/blob-quickstart.py" id="Snippet_CleanUp"::: To learn more about deleting a container, and to explore more code samples, see [Delete and restore a blob container with Python](storage-blob-container-delete-python.md). + ## Run the code This app creates a test file in your local folder and uploads it to Azure Blob Storage. The example then lists the blobs in the container, and downloads the file with a new name. You can compare the old and new files. Done Before you begin the cleanup process, check your *data* folder for the two files. You can compare them and observe that they're identical. + ## Clean up resources + After you've verified the files and finished testing, press the **Enter** key to delete the test files along with the container you created in the storage account. You can also use [Azure CLI](storage-quickstart-blobs-cli.md#clean-up-resources) to delete resources. +++When you're done with the quickstart, you can clean up the resources you created by running the following command: ++```console +azd down +``` ++You'll be prompted to confirm the deletion of the resources. Enter `y` to confirm. ++ ## Next steps In this quickstart, you learned how to upload, download, and list blobs using Python. |
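Review bot: in the Delete a container paragraph, both the removed and the added line keep an encoding remnant in the link text, `[ΓÇïdelete_container]`; since the line is being touched anyway, strip it so the link text reads `[delete_container]`. Also, the Create a container section now says the code "appends a GUID value" where the removed sentence said "UUID value"; pick one term and keep it consistent with the snippet the section references.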
storage | Storage Quickstart Static Website Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-quickstart-static-website-terraform.md | +ai-usage: ai-assisted # Quickstart: Deploy a static website on Azure Storage using Terraform |
storage | Storage Files Identity Ad Ds Mount File Share | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-files-identity-ad-ds-mount-file-share.md | If you run into issues, see [Unable to mount Azure file shares with AD credentia ## Mount the file share from a non-domain-joined VM or a VM joined to a different AD domain -Non-domain-joined VMs or VMs that are joined to a different AD domain than the storage account can access Azure file shares if they have unimpeded network connectivity to the domain controllers and provide explicit credentials. The user accessing the file share must have an identity and credentials in the AD domain that the storage account is joined to. +Non-domain-joined VMs or VMs that are joined to a different AD domain than the storage account can access Azure file shares if they have unimpeded network connectivity to the domain controllers and provide explicit credentials (username and password). The user accessing the file share must have an identity and credentials in the AD domain that the storage account is joined to. To mount a file share from a non-domain-joined VM, use the notation **username@domainFQDN**, where **domainFQDN** is the fully qualified domain name. This will allow the client to contact the domain controller to request and receive Kerberos tickets. You can get the value of **domainFQDN** by running `(Get-ADDomain).Dnsroot` in Active Directory PowerShell. |
storage | Storage Files Identity Auth Domain Services Enable | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-files-identity-auth-domain-services-enable.md | net use Z: \\<YourStorageAccountName>.file.core.windows.net\<FileShareName> ## Mount the file share from a non-domain-joined VM or a VM joined to a different AD domain -Non-domain-joined VMs or VMs that are joined to a different domain than the storage account can access Azure file shares using Microsoft Entra Domain Services authentication only if the VM has unimpeded network connectivity to the domain controllers for Microsoft Entra Domain Services, which are located in Azure. This usually requires setting up a site-to-site or point-to-site VPN. The user accessing the file share must have an identity and credentials (a Microsoft Entra identity synced from Microsoft Entra ID to Microsoft Entra Domain Services) in the Microsoft Entra Domain Services managed domain. +Non-domain-joined VMs or VMs that are joined to a different domain than the storage account can access Azure file shares using Microsoft Entra Domain Services authentication only if the VM has unimpeded network connectivity to the domain controllers for Microsoft Entra Domain Services, which are located in Azure. This usually requires setting up a site-to-site or point-to-site VPN. The user accessing the file share must have an identity (a Microsoft Entra identity synced from Microsoft Entra ID to Microsoft Entra Domain Services) in the Microsoft Entra Domain Services managed domain, and must provide explicit credentials (username and password). 
To mount a file share from a non-domain-joined VM, the user must either: -- Provide explicit credentials such as **DOMAINNAME\username** where **DOMAINNAME** is the Microsoft Entra Domain Services domain and **username** is the identityΓÇÖs user name in Microsoft Entra Domain Services, or+- Provide credentials such as **DOMAINNAME\username** where **DOMAINNAME** is the Microsoft Entra Domain Services domain and **username** is the identityΓÇÖs user name in Microsoft Entra Domain Services, or - Use the notation **username@domainFQDN**, where **domainFQDN** is the fully qualified domain name. Using one of these approaches will allow the client to contact the domain controller in the Microsoft Entra Domain Services domain to request and receive Kerberos tickets. |
stream-analytics | Quick Create Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/quick-create-terraform.md | +ai-usage: ai-assisted # Quickstart: Create an Azure Stream Analytics job using Terraform |
traffic-manager | Quickstart Create Traffic Manager Profile Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/quickstart-create-traffic-manager-profile-terraform.md | +ai-usage: ai-assisted # Quickstart: Create an Azure Traffic Manager profile using Terraform |
virtual-desktop | App Attach Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/app-attach-overview.md | Any disaster recovery plans for Azure Virtual Desktop must include replicating t Azure Files has limits on the number of open handles per root directory, directory, and file. When using MSIX app attach or app attach, VHDX or CimFS disk images are mounted using the computer account of the session host, meaning one handle is opened per session host per disk image, rather than per user. For more information on the limits and sizing guidance, see [Azure Files scalability and performance targets](../storage/files/storage-files-scale-targets.md#file-scale-targets) and [Azure Files sizing guidance for Azure Virtual Desktop](../storage/files/storage-files-scale-targets.md#azure-files-sizing-guidance-for-azure-virtual-desktop). +## MSIX and Appx package certificates ++All MSIX and Appx packages require a valid code signing certificate. To use these packages with app attach, you need to ensure the whole certificate chain is trusted on your session hosts. A code signing certificate has the object identifier `1.3.6.1.5.5.7.3.3`. You can get a code signing certificate for your packages from: ++- A public certificate authority (CA). ++- An internal enterprise or standalone certificate authority, such as [Active Directory Certificate Services](/windows-server/identity/ad-cs/active-directory-certificate-services-overview). You need to export the code signing certificate, including its private key. ++- A tool such as the PowerShell cmdlet [New-SelfSignedCertificate](/powershell/module/pki/new-selfsignedcertificate) that generates a self-signed certificate. You should only use self-signed certificates in a test environment. For more information on creating a self-signed certificate for MSIX and Appx packages, see [Create a certificate for package signing](/windows/msix/package/create-certificate-package-signing). 
++Once you've obtained a certificate, you need to digitally sign your MSIX or Appx packages with the certificate. You can use the [MSIX Packaging Tool](/windows/msix/packaging-tool/tool-overview) to sign your packages when you create an MSIX package. For more information, see [Create an MSIX package from any desktop installer](/windows/msix/packaging-tool/create-app-package). ++To ensure the certificate is trusted on your session hosts, you need your session hosts to trust the whole certificate chain. How you do this depends on where you got the certificate from and how you manage your session hosts and the identity provider you use. The following table provides some guidance on how to ensure the certificate is trusted on your session hosts: ++- **Public CA**: certificates from a public CA are trusted by default in Windows and Windows Server. ++- **Internal Enterprise CA**: ++ - For session hosts joined to Active Directory, with AD CS configured as the internal enterprise CA, are trusted by default and stored in the configuration naming context of Active Directory Domain Services. When AD CS is a configured as a standalone CA, you need to configure Group Policy to distribute the root and intermediate certificates to session hosts. For more information, see [Distribute certificates to Windows devices by using Group Policy](/windows-server/identity/ad-cs/distribute-certificates-group-policy/). ++ - For session hosts joined to Microsoft Entra ID, you can use Microsoft Intune to distribute the root and intermediate certificates to session hosts. For more information, see [Trusted root certificate profiles for Microsoft Intune](/mem/intune/protect/certificates-trusted-root). ++ - For session hosts using Microsoft Entra hybrid join, you can use either of the previous methods, depending on your requirements. ++- **Self-signed**: install the trusted root to the **Trusted Root Certification Authorities** store on each session host. 
We don't recommend distributing this certificate using Group Policy or Intune as it should only be used for testing. ++> [!IMPORTANT] +> You should timestamp your package so that its validity can outlast your certificate's expiration date. Otherwise, once the certificate has expired, you need to update the package with a new valid certificate and once again ensure it's trusted on your session hosts. + ## Next steps Learn how to [Add and manage app attach applications in Azure Virtual Desktop](app-attach-setup.md). |
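Review bot: the sentence "For session hosts joined to Active Directory, with AD CS configured as the internal enterprise CA, are trusted by default and stored in the configuration naming context" in the Internal Enterprise CA bullet has no subject; it should read "the root and intermediate certificates are trusted by default and stored in ...". Two smaller points in the same hunk: "When AD CS is a configured as a standalone CA" has a stray "a", and "The following table provides some guidance" introduces a bulleted list, not a table. Also, the internal CA bullet tells readers to export the code signing certificate including its private key but says nothing about protecting that export; because any package signed with that key is trusted by every session host that trusts the chain, the text should at least say to password-protect the exported PFX and restrict who can access it.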
virtual-desktop | Drain Mode | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/drain-mode.md | Title: How to use drain mode to isolate session hosts - Azure Virtual Desktop -description: How to use drain mode to isolate session hosts to perform maintenance in Azure Virtual Desktop. ----+ Title: Drain session hosts for maintenance in Azure Virtual Desktop +description: Learn how to enable drain mode to isolate session hosts for maintenance in Azure Virtual Desktop. Previously updated : 02/09/2024-++ Last updated : 02/23/2024 -# Use drain mode to isolate session hosts and apply patches +# Drain session hosts for maintenance in Azure Virtual Desktop ++Drain mode enables you to isolate a session host when you want to perform maintenance without disruption to service. When a session host is set to drain, it won't accept new user sessions. Any new connections will be redirected to the next available session host. Existing connections to the session host will remain active until the user signs out or an administrator ends the session. Once there aren't any sessions remaining on the session host, you can perform the maintenance you need. Administrators can still remotely connect to the server directly without going through the Azure Virtual Desktop service. -Drain mode isolates a session host when you want to apply patches and do maintenance without disrupting user sessions. When isolated, the session host won't accept new user sessions. Any new connections will be redirected to the next available session host. Existing connections in the session host will keep working until the user signs out or the administrator ends the session. When the session host is in drain mode, admins can also remotely connect to the server without going through the Azure Virtual Desktop service. You can apply this setting to both pooled and personal desktops. +This article shows you how to drain session hosts using the Azure portal or Azure PowerShell. 
## Prerequisites -If you're using either the Azure portal or PowerShell method, you'll need the following things: +To drain session hosts, you need: - A host pool with at least one session host.+ - An Azure account assigned the [Desktop Virtualization Session Host Operator](rbac.md#desktop-virtualization-session-host-operator) role.-- If you want to use Azure PowerShell locally, see [Use Azure CLI and Azure PowerShell with Azure Virtual Desktop](cli-powershell.md) to make sure you have the [Az.DesktopVirtualization](/powershell/module/az.desktopvirtualization) PowerShell module installed. Alternatively, use the [Azure Cloud Shell](../cloud-shell/overview.md). +- If you want to use Azure PowerShell locally, see [Use Azure CLI and Azure PowerShell with Azure Virtual Desktop](cli-powershell.md) to make sure you have the [Az.DesktopVirtualization](/powershell/module/az.desktopvirtualization) PowerShell module installed. Alternatively, use the [Azure Cloud Shell](../cloud-shell/overview.md). -## Enable drain mode +## Enable and disable drain mode for a session host -Here's how to enable drain mode using the Azure portal and PowerShell. +Here's how to enable and disable drain mode for a session host using the Azure portal and PowerShell. -### [Portal](#tab/portal) +### [Azure portal](#tab/portal) -To turn on drain mode in the Azure portal: +To enable drain mode for a session host and block new sessions in the Azure portal: 1. Sign in to the [Azure portal](https://portal.azure.com). -1. Enter **Azure Virtual Desktop** into the search bar. +1. In the search bar, type *Azure Virtual Desktop* and select the matching service entry. -1. Under **Services**, select **Azure Virtual Desktop**. +1. From the Azure Virtual Desktop overview page, select **Host pools**. -1. At the Azure Virtual Desktop page, go the menu on the left side of the window and select **Host pools**. +1. Select the host pool that contains the session host you want to drain, then select **Session hosts**. -1. 
Select the host pool you want to isolate. +1. Check the box next to the session host you want to enable drain mode, then select **Turn drain mode on**. -1. In the navigation menu, select **Session hosts**. +1. When you're ready to allow new connections to the session host, check the box next to the session host you want to disable drain mode, then select **Turn drain mode off**. -1. Next, select the hosts you want to turn on drain mode for, then select **Turn drain mode on**. +### [Azure PowerShell](#tab/powershell) -1. To turn off drain mode, select the host pools that have drain mode turned on, then select **Turn drain mode off**. +You can set drain mode in PowerShell with the *AllowNewSessions* parameter, which is part of the [Update-AzWvdSessionhost](/powershell/module/az.desktopvirtualization/update-azwvdsessionhost) command. You'll need to run these commands for every session host for which you want to enable and disable drain. -### [PowerShell](#tab/powershell) --You can set drain mode in PowerShell with the *AllowNewSessions* parameter, which is part of the [Update-AzWvdSessionhost](/powershell/module/az.desktopvirtualization/update-azwvdsessionhost) command. +> [!IMPORTANT] +> In the following examples, you'll need to change the `<placeholder>` values for your own. [!INCLUDE [include-cloud-shell-local-powershell](includes/include-cloud-shell-local-powershell.md)] -2. Run this cmdlet to enable drain mode: --```powershell -$params = @{ - ResourceGroupName = "<resourceGroupName>" - HostPoolName = "<hostpoolname>" - Name = "<hostname>" - AllowNewSession = $False -} +2. To enable drain for a session host and block new sessions, run the following command: -Update-AzWvdSessionHost @params -``` + ```powershell + $params = @{ + ResourceGroupName = '<ResourceGroupName>' + HostPoolName = '<HostPoolName>' + Name = '<SessionHostName>' + AllowNewSession = $False + } -3. 
Run this cmdlet to disable drain mode: + Update-AzWvdSessionHost @params + ``` -```powershell -$params = @{ - ResourceGroupName = "<resourceGroupName>" - HostPoolName = "<hostpoolname>" - Name = "<hostname>" - AllowNewSession = $True -} +3. To disable drain for a session host and allow new sessions, run the following command: -Update-AzWvdSessionHost @params -``` + ```powershell + $params = @{ + ResourceGroupName = '<ResourceGroupName>' + HostPoolName = '<HostPoolName>' + Name = '<SessionHostName>' + AllowNewSession = $True + } ->[!IMPORTANT] ->You'll need to run this command for every session host you're applying the setting to. + Update-AzWvdSessionHost @params + ``` --## Next steps --If you want to learn more about the Azure portal for Azure Virtual Desktop, check out [our tutorials](create-host-pools-azure-marketplace.md). If you're already familiar with the basics, check out some of the other features you can use with the Azure portal, such as [MSIX app attach](app-attach-azure-portal.md) and [Azure Advisor](../advisor/advisor-overview.md). --If you're using the PowerShell method and want to see what else the module can do, check out [Set up the PowerShell module for Azure Virtual Desktop](powershell-module.md) and our [PowerShell reference](/powershell/module/az.desktopvirtualization/). |
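Review bot: the PowerShell tab text names the parameter *AllowNewSessions* while both code blocks set `AllowNewSession = $False` and `AllowNewSession = $True`; the prose should use the singular *AllowNewSession* so it matches the splatted hashtable, otherwise a reader who types the plural form into their own command gets a parameter-binding error. The new IMPORTANT note about replacing `<placeholder>` values is useful; it would help further to state which form of the session host name the `Name` value expects, since the placeholder `<SessionHostName>` alone does not say.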
virtual-machines | Dcasv5 Dcadsv5 Series | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/dcasv5-dcadsv5-series.md | This series supports Standard SSD, Standard HDD, and Premium SSD disk types. Bil ## Next steps > [!div class="nextstepaction"]-> [Confidential virtual machine options on AMD processors](../confidential-computing/virtual-machine-solutions.md) +> [Confidential virtual machine options on AMD processors](../confidential-computing/virtual-machine-options.md) |
virtual-machines | Dcesv5 Dcedsv5 Series | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/dcesv5-dcedsv5-series.md | These VMs have native support for [confidential disk encryption](disk-encryption The DCesv5 offer a balance of memory to vCPU performance that is suitable most production workloads. With up to 96 vCPUs, 384 GiB of RAM, and support for remote disk storage. If you require a local disk, please consider DCedsv5-series. These VMs work well for many general computing workloads, e-commerce systems, web front ends, desktop virtualization solutions, sensitive databases, other enterprise applications and more. -This series supports Standard SSD, Standard HDD, and Premium SSD disk types. Billing for disk storage and VMs is separate. To estimate your costs, use the [Pricing Calculator](https://azure.microsoft.com/pricing/calculator/). This series currently supports the confidential tagged images Windows Server 2022, Windows 11, and Ubuntu 22.04 LTS. +This series supports Standard SSD, Standard HDD, and Premium SSD disk types. Billing for disk storage and VMs is separate. To estimate your costs, use the [Pricing Calculator](https://azure.microsoft.com/pricing/calculator/). ### DCesv5-series specifications |
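Review bot: dropping the sentence "This series currently supports the confidential tagged images Windows Server 2022, Windows 11, and Ubuntu 22.04 LTS" leaves the DCesv5 page with no statement of which guest images support confidential disk encryption; if the list was removed because it is maintained elsewhere, replace the sentence with a link to that list rather than deleting it outright.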
virtual-machines | Ecasv5 Ecadsv5 Series | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/ecasv5-ecadsv5-series.md | This series supports Standard SSD, Standard HDD, and Premium SSD disk types. Bil ## Next steps > [!div class="nextstepaction"]-> [Confidential virtual machine options on AMD processors](../confidential-computing/virtual-machine-solutions.md) +> [Confidential virtual machine options on AMD processors](../confidential-computing/virtual-machine-options.md) |
virtual-machines | Ecesv5 Ecedsv5 Series | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/ecesv5-ecedsv5-series.md | These VMs have native support for [confidential disk encryption](disk-encryption The ECesv5 VMs offer even higher memory to vCPU ratio and an all new VM size with up to 128 vCPUs and 768 GiB of RAM. If you require a local disk, please consider ECedsv5-series. These VMs are ideal for memory intensive applications, large relational database servers, business intelligence applications, and critical applications that process sensitive and regulated data. -This series supports Standard SSD, Standard HDD, and Premium SSD disk types. Billing for disk storage and VMs is separate. To estimate your costs, use the [Pricing Calculator](https://azure.microsoft.com/pricing/calculator/). This series currently supports the confidential tagged images Windows Server 2022, Windows 11, and Ubuntu 22.04 LTS. +This series supports Standard SSD, Standard HDD, and Premium SSD disk types. Billing for disk storage and VMs is separate. To estimate your costs, use the [Pricing Calculator](https://azure.microsoft.com/pricing/calculator/). ### ECesv5-series specifications |
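Review bot: the removed sentence listing the supported confidential images (Windows Server 2022, Windows 11, Ubuntu 22.04 LTS) is not replaced by a pointer to where that information now lives; readers of the ECesv5 page still need to know which images carry the confidential tag, so add a link to the authoritative list in place of the deleted text.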
virtual-machines | Quick Cluster Create Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/quick-cluster-create-terraform.md | +ai-usage: ai-assisted # Quickstart: Create a Linux VM cluster in Azure using Terraform |
virtual-machines | Quick Create Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/quick-create-terraform.md | +ai-usage: ai-assisted # Quickstart: Use Terraform to create a Linux VM |
virtual-machines | Quick Cluster Create Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/quick-cluster-create-terraform.md | +ai-usage: ai-assisted # Quickstart: Create a Windows VM cluster in Azure using Terraform |
virtual-machines | Quick Create Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/quick-create-terraform.md | +ai-usage: ai-assisted # Quickstart: Use Terraform to create a Windows VM |
virtual-network-manager | Create Virtual Network Manager Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network-manager/create-virtual-network-manager-terraform.md | content_well_notification: - AI-contribution zone_pivot_groups: azure-virtual-network-manager-quickstart-options +ai-usage: ai-assisted # Quickstart: Create a mesh network topology with Azure Virtual Network Manager using Terraform |