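├── README.md
├── Entra ID Roles and Azure Roles.xlsx
├── List-AllEntraIDRolesGraph.ps1
├── Audit-AzureADRoleMembers.ps1
├── Entra-GetRBACChanges.txt
├── Audit-AzureADPIMRoleSettings.ps1
├── EntraApplicationIDs.json
├── EntraIDRoles.json
└── AzureRoles.json

/README.md:
--------------------------------------------------------------------------------
# Entra ID
Automation around Entra ID
--------------------------------------------------------------------------------
/Entra ID Roles and Azure Roles.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kaidja/EntraID/HEAD/Entra ID Roles and Azure Roles.xlsx
--------------------------------------------------------------------------------
/List-AllEntraIDRolesGraph.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
    Exports every Entra ID directory role definition (built-in and custom) to JSON.
.DESCRIPTION
    Connects to Microsoft Graph with the least-privilege read scope for directory
    role definitions, pages through all definitions and writes
    DisplayName / Id / Description to a JSON file. The Id values are the role
    template IDs that the other scripts in this repository key on.
.PARAMETER OutputPath
    Destination JSON file. Defaults to C:\Temp\EntraRoles.json (the previous
    hard-coded location).
#>
param(
    [string]$OutputPath = "C:\Temp\EntraRoles.json"
)

# RoleManagement.Read.Directory is the delegated scope that authorizes
# GET /roleManagement/directory/roleDefinitions. The scope used before,
# RoleManagementPolicy.Read.AzureADGroup, only covers PIM-for-Groups policies
# and does not grant this call.
$Scopes = @(
    "RoleManagement.Read.Directory"
)

Connect-MgGraph -Scopes $Scopes

# -All follows Graph paging; without it only the first page is returned and
# the export silently drops the remaining roles.
$Roles = Get-MgRoleManagementDirectoryRoleDefinition -All

# Create the target folder if it is missing so Out-File does not fail.
$OutputDir = Split-Path -Path $OutputPath -Parent
if ($OutputDir -and -not (Test-Path -Path $OutputDir)) {
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
}

# Explicit UTF-8 (with BOM on Windows PowerShell 5.1) instead of the 5.1
# default of UTF-16, so the JSON is consumable by externaldata() and other tools.
$Roles |
    Select-Object -Property DisplayName, Id, Description |
    ConvertTo-Json |
    Out-File -FilePath $OutputPath -Encoding utf8

# Count what was already fetched instead of querying Graph a second time.
$Roles | Measure-Object
--------------------------------------------------------------------------------
/Audit-AzureADRoleMembers.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
    Lists the members of every activated Entra ID directory role.
.DESCRIPTION
    Get-AzureADDirectoryRole returns only roles that have been activated in the
    tenant, and Get-AzureADDirectoryRoleMember returns only active/permanent
    members. PIM *eligible* assignments are not visible here, so treat the
    output as an inventory of standing privileged access, not of everyone who
    can become privileged.
.NOTES
    The AzureAD PowerShell module is retired by Microsoft. The Graph
    equivalents are Get-MgDirectoryRole / Get-MgDirectoryRoleMember. The AzureAD
    cmdlets are kept here so the output shape stays the same for existing
    consumers; the object properties below are a superset of the old ones.
#>
#Connect to Azure
Connect-AzureAD

# A generic list avoids re-allocating the whole array on every "+=" in the loop.
$AuditData = New-Object System.Collections.Generic.List[object]

#Get the Azure AD Directory Roles (activated roles only)
$AzureADRoles = Get-AzureADDirectoryRole
foreach ($Role in $AzureADRoles) {

    #Get the members of this role
    $RoleMembers = Get-AzureADDirectoryRoleMember -ObjectId $Role.ObjectId

    foreach ($Member in $RoleMembers) {
        # Role members can be users, service principals OR groups
        # (role-assignable groups). The old branch collapsed everything that was
        # not a ServicePrincipal into "User", which hid group-based assignments;
        # report the directory object type as returned instead.
        $ObjectType = $Member.ObjectType

        # A DisplayName is neither unique nor immutable, so carry a stable
        # identifier as well. UPN for users, AppId for service principals,
        # nothing extra for other object types (ObjectId is always included).
        $Identifier = if ($ObjectType -eq "User") {
            $Member.UserPrincipalName
        }
        elseif ($ObjectType -eq "ServicePrincipal") {
            $Member.AppId
        }
        else {
            $null
        }

        #Create the audit record for this membership
        $AuditData.Add([PSCustomObject]@{
            AzureADRole = $Role.DisplayName
            ObjectType  = $ObjectType
            DisplayName = $Member.DisplayName
            ObjectId    = $Member.ObjectId
            Identifier  = $Identifier
        })
    }
}

#Print out the data
$AuditData
--------------------------------------------------------------------------------
/Entra-GetRBACChanges.txt:
--------------------------------------------------------------------------------
// Azure RBAC role assignments written by a specific application (e.g. a CIEM tool).

// Lookup table: Azure built-in role names <-> role definition GUIDs.
// NOTE: externaldata() downloads this from GitHub every time the query runs,
// so the role *names* in the result are trusted from a third-party URL.
// Pin the file to a commit hash, or host a copy in storage you control,
// before using this in a production detection.
let AZRoleID = externaldata(Name:string, Id:guid )
[
    @"https://raw.githubusercontent.com/Kaidja/AzureActiveDirectory/main/AzureRoles.json"
]
with(format="multijson");

// Define the CIEM APP ID. Take the value from your Entra ID tenant.
// Caller is the principal recorded in AzureActivity - verify in your own
// logs whether the service principal shows up by object ID or application ID.
let CIEMAPPID = "DEFINE YOUR OWN VALUE HERE";

AzureActivity
| extend Action = tostring(parse_json(Authorization).action)
// Take out only role-assignment write actions
| where Action == "Microsoft.Authorization/roleAssignments/write"
// Filter based on the APP ID
| where Caller == CIEMAPPID
// The "Start" event is the one that carries the request body (scope + role).
// It is also logged for attempts that later fail; correlate on CorrelationId
// with a "Success" event if only assignments that took effect are wanted.
| where ActivityStatusValue == "Start"
// Get the Subscription ID
| extend SubscriptionID = tostring(parse_json(Properties).subscriptionId)
// Get the RequestBody
| extend RequestBody = parse_json(tostring(parse_json(Properties).requestbody))
| extend Scope = tostring(RequestBody.properties.scope)
| extend RoleDefinitionId = tostring(RequestBody.properties.roleDefinitionId)
// Pull the role definition GUID with a regex instead of split()[6]: the GUID is
// the last segment whether the id is subscription-scoped
// (/subscriptions/<sub>/providers/Microsoft.Authorization/roleDefinitions/<guid>)
// or tenant-scoped (/providers/Microsoft.Authorization/roleDefinitions/<guid>),
// and a fixed index only works for the first form.
| extend Id = tolower(extract(@"roleDefinitions/([0-9a-fA-F-]{36})", 1, RoleDefinitionId))
// Left-outer join: an inner join silently dropped every assignment of a role
// that is not in the lookup (custom roles) - precisely the ones worth seeing.
| join kind = leftouter (
    AZRoleID
    | extend Id = tolower(tostring(Id))
) on Id
| extend Name = iif(isempty(Name), "<custom or unknown role>", Name)
// Print out the results
| project TimeGenerated, Caller, Action, SubscriptionID, Scope, Name, Id, RoleDefinitionId
--------------------------------------------------------------------------------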
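/Audit-AzureADPIMRoleSettings.ps1:
--------------------------------------------------------------------------------
#Requires -Modules AzureADPreview
<#
.SYNOPSIS
    Exports the PIM activation settings of every Entra ID directory role to CSV.
.DESCRIPTION
    For each role in the role list, reads the PIM role setting for end-user
    activation (expiration, MFA, justification, ticketing and approval rules)
    and writes one row per role to a semicolon-delimited CSV with a header row.
.PARAMETER AuditFileLocation
    Path of the CSV to write. The file is overwritten on every run (the
    previous version appended to whatever file was already there and never
    wrote a header row).
.PARAMETER RolesSource
    Local JSON file or URL with the role name/ID list. When omitted, the
    EntraIDRoles.json shipped next to this script is used if present; otherwise
    the original GitHub URL is fetched. Pulling the role list over HTTP from a
    third-party repository means the audit trusts that host for role names -
    prefer the local copy.
.NOTES
    Requires the AzureADPreview module (retired by Microsoft; the Graph
    replacement is the unifiedRoleManagementPolicy API). The module was
    previously installed from the PowerShell Gallery on every run with
    Install-Module -Force; an audit script should not pull code from the
    gallery at run time, so it is now only required to be present.
#>
param(
    [string]$AuditFileLocation = "C:\AADAudit.csv",
    [string]$RolesSource
)

#Connect Azure AD
Connect-AzureAD

#Get Azure AD Tenant ID
$AzureADTenantID = (Get-AzureADTenantDetail).ObjectId

#Resolve where the role list comes from (local file preferred, URL fallback)
if (-not $RolesSource) {
    $LocalRoles = if ($PSScriptRoot) { Join-Path -Path $PSScriptRoot -ChildPath "EntraIDRoles.json" }
    if ($LocalRoles -and (Test-Path -Path $LocalRoles)) {
        $RolesSource = $LocalRoles
    }
    else {
        # Legacy fallback: role names and IDs from the author's older repository.
        $RolesSource = "https://raw.githubusercontent.com/Kaidja/AzureActiveDirectory/main/AzureADRoles.json"
    }
}

#Load the role list (JSON objects with DisplayName and Id)
if ($RolesSource -match '^https?://') {
    $AADRoles = (Invoke-WebRequest -Uri $RolesSource -UseBasicParsing).Content | ConvertFrom-Json
}
else {
    $AADRoles = Get-Content -Path $RolesSource -Raw | ConvertFrom-Json
}

# Returns the parsed "Setting" JSON of one PIM rule selected by RuleIdentifier.
# The old code indexed UserMemberSettings[0..4] positionally; the order of the
# rules in that array is not a documented contract, so a shifted array would
# silently put e.g. the MFA flag into the Expiration column.
function Get-PimRuleSetting {
    param(
        [Parameter(Mandatory)] $Settings,
        [Parameter(Mandatory)] [string] $RuleIdentifier
    )
    $Rule = $Settings | Where-Object { $_.RuleIdentifier -eq $RuleIdentifier } | Select-Object -First 1
    if ($null -eq $Rule) { return $null }
    return $Rule.Setting | ConvertFrom-Json
}

$Results = New-Object System.Collections.Generic.List[object]
$MaxApprovers = 0

#Process the roles and gather the data for each role
foreach ($AADRole in $AADRoles) {

    Write-Output -InputObject "---- Processing $($AADRole.DisplayName)"

    #Define the query filter
    $Filter = "ResourceId eq '$($AzureADTenantID)' and RoleDefinitionId eq '$($AADRole.Id)'"
    $PIMADRoleSettings = Get-AzureADMSPrivilegedRoleSetting -ProviderId 'aadRoles' -Filter $Filter

    if ($null -eq $PIMADRoleSettings) {
        # A role without a PIM setting used to yield a row of blanks that read
        # as "no controls configured". Say so explicitly instead.
        Write-Warning -Message "No PIM role setting found for $($AADRole.DisplayName) ($($AADRole.Id)); skipping."
        continue
    }

    #Get the PIM role settings for end-user activation (UserMemberSettings)
    $UserSettings      = $PIMADRoleSettings.UserMemberSettings
    $ExpirationRule    = Get-PimRuleSetting -Settings $UserSettings -RuleIdentifier 'ExpirationRule'
    $MfaRule           = Get-PimRuleSetting -Settings $UserSettings -RuleIdentifier 'MfaRule'
    $JustificationRule = Get-PimRuleSetting -Settings $UserSettings -RuleIdentifier 'JustificationRule'
    $TicketingRule     = Get-PimRuleSetting -Settings $UserSettings -RuleIdentifier 'TicketingRule'
    $ApprovalRule      = Get-PimRuleSetting -Settings $UserSettings -RuleIdentifier 'ApprovalRule'

    #Build object for each role (same column names as before)
    $PIMProperties = [ORDERED]@{
        RoleID                      = $AADRole.Id
        RoleName                    = $AADRole.DisplayName
        PermanentAssignment         = $ExpirationRule.permanentAssignment
        MaximumGrantPeriodInMinutes = $ExpirationRule.maximumGrantPeriodInMinutes
        MfaRequired                 = $MfaRule.mfaRequired
        Required                    = $JustificationRule.required
        TicketingRequired           = $TicketingRule.ticketingRequired
    }

    #Add Approvals, if exist
    $i = 1
    foreach ($Approval in $ApprovalRule.Approvers) {
        $PIMProperties["Approval $i"] = $Approval.DisplayName
        $i++
    }
    if (($i - 1) -gt $MaxApprovers) { $MaxApprovers = $i - 1 }

    $Results.Add([PSCustomObject]$PIMProperties)
}

# Column list = the fixed columns plus as many "Approval N" columns as the
# widest row needs, so every row lines up under a single header.
$Columns = @('RoleID', 'RoleName', 'PermanentAssignment', 'MaximumGrantPeriodInMinutes',
             'MfaRequired', 'Required', 'TicketingRequired')
for ($n = 1; $n -le $MaxApprovers; $n++) { $Columns += "Approval $n" }

#Export Role settings to a CSV file (header included, previous file overwritten)
$Results |
    Select-Object -Property $Columns |
    Export-Csv -Path $AuditFileLocation -NoTypeInformation -Delimiter ";" -Encoding UTF8
--------------------------------------------------------------------------------
/EntraApplicationIDs.json:
--------------------------------------------------------------------------------
[
  {
    "ApplicationName": "ACOM Azure Website",
    "ApplicationIDs": ["23523755-3a2b-41ca-9315-f81f3f566a95"]
  },
  {
    "ApplicationName": "ADIbizaUX",
    "ApplicationIDs": ["74658136-14ec-4630-ad9b-26e160ff0fc6"]
  },
  {
    "ApplicationName": "AEM-DualAuth",
    "ApplicationIDs": ["69893ee3-dd10-4b1c-832d-4870354be3d8"]
  },
  {
    "ApplicationName": "App Service",
    "ApplicationIDs": ["7ab7862c-4c57-491e-8a45-d52a7e023983"]
  },
  {
    "ApplicationName": "ASM Campaign Servicing",
    "ApplicationIDs": ["0cb7b9ec-5336-483b-bc31-b15b5788de71"]
  },
  {
    "ApplicationName": "Azure Advanced Threat Protection",
    "ApplicationIDs": ["7b7531ad-5926-4f2d-8a1d-38495ad33e17"]
  },
  {
    "ApplicationName": "Azure Data Lake",
    "ApplicationIDs": ["e9f49c6b-5ce5-44c8-925d-015017e9f7ad"]
  },
  {
    "ApplicationName": "Azure Lab Services Portal",
    "ApplicationIDs": ["835b2a73-6e10-4aa5-a979-21dfda45231c"]
  },
  {
    "ApplicationName": "Azure Portal",
    "ApplicationIDs": ["c44b4083-3bb0-49c1-b47d-974e53cbdf3c"]
  },
  {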
"ApplicationName": "Azure SQL Database", 40 | "ApplicationIDs": ["022907d3-0f1b-48f7-badc-1ba6abab6d66"] 41 | }, 42 | { 43 | "ApplicationName": "AzureSupportCenter", 44 | "ApplicationIDs": ["37182072-3c9c-4f6a-a4b3-b3f91cacffce"] 45 | }, 46 | { 47 | "ApplicationName": "Bing", 48 | "ApplicationIDs": ["9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7"] 49 | }, 50 | { 51 | "ApplicationName": "ContactsInferencingEmailProcessor", 52 | "ApplicationIDs": ["20a11fe0-faa8-4df5-baf2-f965f8f9972e"] 53 | }, 54 | { 55 | "ApplicationName": "CPIM Service", 56 | "ApplicationIDs": ["bb2a2e3a-c5e7-4f0a-88e0-8e01fd3fc1f4"] 57 | }, 58 | { 59 | "ApplicationName": "CRM Power BI Integration", 60 | "ApplicationIDs": ["e64aa8bc-8eb4-40e2-898b-cf261a25954f"] 61 | }, 62 | { 63 | "ApplicationName": "Dataverse", 64 | "ApplicationIDs": ["00000007-0000-0000-c000-000000000000"] 65 | }, 66 | { 67 | "ApplicationName": "Enterprise Roaming and Backup", 68 | "ApplicationIDs": ["60c8bde5-3167-4f92-8fdb-059f6176dc0f"] 69 | }, 70 | { 71 | "ApplicationName": "Exchange Admin Center", 72 | "ApplicationIDs": ["497effe9-df71-4043-a8bb-14cf78c4b63b"] 73 | }, 74 | { 75 | "ApplicationName": "FindTime", 76 | "ApplicationIDs": ["f5eaa862-7f08-448c-9c4e-f4047d4d4521"] 77 | }, 78 | { 79 | "ApplicationName": "Focused Inbox", 80 | "ApplicationIDs": ["b669c6ea-1adf-453f-b8bc-6d526592b419"] 81 | }, 82 | { 83 | "ApplicationName": "GroupsRemoteApiRestClient", 84 | "ApplicationIDs": ["c35cb2ba-f88b-4d15-aa9d-37bd443522e1"] 85 | }, 86 | { 87 | "ApplicationName": "HxService", 88 | "ApplicationIDs": ["d9b8ec3a-1e4e-4e08-b3c2-5baf00c0fcb0"] 89 | }, 90 | { 91 | "ApplicationName": "IAM Supportability", 92 | "ApplicationIDs": ["a57aca87-cbc0-4f3c-8b9e-dc095fdc8978"] 93 | }, 94 | { 95 | "ApplicationName": "IrisSelectionFrontDoor", 96 | "ApplicationIDs": ["16aeb910-ce68-41d1-9ac3-9e1673ac9575"] 97 | }, 98 | { 99 | "ApplicationName": "MCAPI Authorization Prod", 100 | "ApplicationIDs": ["d73f4b35-55c9-48c7-8b10-651f6f2acb2e"] 101 | }, 102 | { 
103 | "ApplicationName": "Media Analysis and Transformation Service", 104 | "ApplicationIDs": [ 105 | "944f0bd1-117b-4b1c-af26-804ed95e767e", 106 | "0cd196ee-71bf-4fd6-a57c-b491ffd4fb1e" 107 | ] 108 | }, 109 | { 110 | "ApplicationName": "Microsoft 365 Security and Compliance Center", 111 | "ApplicationIDs": ["80ccca67-54bd-44ab-8625-4b79c4dc7775"] 112 | }, 113 | { 114 | "ApplicationName": "Microsoft 365 Support Service", 115 | "ApplicationIDs": ["ee272b19-4411-433f-8f28-5c13cb6fd407"] 116 | }, 117 | { 118 | "ApplicationName": "Microsoft App Access Panel", 119 | "ApplicationIDs": ["0000000c-0000-0000-c000-000000000000"] 120 | }, 121 | { 122 | "ApplicationName": "Microsoft Approval Management", 123 | "ApplicationIDs": [ 124 | "65d91a3d-ab74-42e6-8a2f-0add61688c74", 125 | "38049638-cc2c-4cde-abe4-4479d721ed44" 126 | ] 127 | }, 128 | { 129 | "ApplicationName": "Microsoft Authentication Broker", 130 | "ApplicationIDs": ["29d9ed98-a469-4536-ade2-f981bc1d605e"] 131 | }, 132 | { 133 | "ApplicationName": "Microsoft Azure CLI", 134 | "ApplicationIDs": ["04b07795-8ddb-461a-bbee-02f9e1bf7b46"] 135 | }, 136 | { 137 | "ApplicationName": "Microsoft Azure PowerShell", 138 | "ApplicationIDs": ["1950a258-227b-4e31-a9cf-717495945fc2"] 139 | }, 140 | { 141 | "ApplicationName": "MicrosoftAzureActiveAuthn", 142 | "ApplicationIDs": ["0000001a-0000-0000-c000-000000000000"] 143 | }, 144 | { 145 | "ApplicationName": "Microsoft Bing Search", 146 | "ApplicationIDs": ["cf36b471-5b44-428c-9ce7-313bf84528de"] 147 | }, 148 | { 149 | "ApplicationName": "Microsoft Bing Search for Microsoft Edge", 150 | "ApplicationIDs": ["2d7f3606-b07d-41d1-b9d2-0d0c9296a6e8"] 151 | }, 152 | { 153 | "ApplicationName": "Microsoft Bing Default Search Engine", 154 | "ApplicationIDs": ["1786c5ed-9644-47b2-8aa0-7201292175b6"] 155 | }, 156 | { 157 | "ApplicationName": "Microsoft Defender for Cloud Apps", 158 | "ApplicationIDs": ["3090ab82-f1c1-4cdf-af2c-5d7a6f3e2cc7"] 159 | }, 160 | { 161 | "ApplicationName": "Microsoft 
Defender for Identity (formerly Radius Aad Syncer)", 162 | "ApplicationIDs": ["60ca1954-583c-4d1f-86de-39d835f3e452"] 163 | }, 164 | { 165 | "ApplicationName": "Microsoft Docs", 166 | "ApplicationIDs": ["18fbca16-2224-45f6-85b0-f7bf2b39b3f3"] 167 | }, 168 | { 169 | "ApplicationName": "Microsoft Dynamics ERP", 170 | "ApplicationIDs": ["00000015-0000-0000-c000-000000000000"] 171 | }, 172 | { 173 | "ApplicationName": "Microsoft Edge Insider Addons Prod", 174 | "ApplicationIDs": ["6253bca8-faf2-4587-8f2f-b056d80998a7"] 175 | }, 176 | { 177 | "ApplicationName": "Microsoft Exchange ForwardSync", 178 | "ApplicationIDs": ["99b904fd-a1fe-455c-b86c-2f9fb1da7687"] 179 | }, 180 | { 181 | "ApplicationName": "Microsoft Exchange Online Protection", 182 | "ApplicationIDs": ["00000007-0000-0ff1-ce00-000000000000"] 183 | }, 184 | { 185 | "ApplicationName": "Microsoft Exchange ProtectedServiceHost", 186 | "ApplicationIDs": ["51be292c-a17e-4f17-9a7e-4b661fb16dd2"] 187 | }, 188 | { 189 | "ApplicationName": "Microsoft Exchange REST API Based Powershell", 190 | "ApplicationIDs": ["fb78d390-0c51-40cd-8e17-fdbfab77341b"] 191 | }, 192 | { 193 | "ApplicationName": "Microsoft Exchange Web Services", 194 | "ApplicationIDs": ["47629505-c2b6-4a80-adb1-9b3a3d233b7b"] 195 | }, 196 | { 197 | "ApplicationName": "Microsoft Forms", 198 | "ApplicationIDs": ["c9a559d2-7aab-4f13-a6ed-e7e9c52aec87"] 199 | }, 200 | { 201 | "ApplicationName": "Microsoft Graph", 202 | "ApplicationIDs": ["00000003-0000-0000-c000-000000000000"] 203 | }, 204 | { 205 | "ApplicationName": "Microsoft Intune Web Company Portal", 206 | "ApplicationIDs": ["74bcdadc-2fdc-4bb3-8459-76d06952a0e9"] 207 | }, 208 | { 209 | "ApplicationName": "Microsoft Intune Windows Agent", 210 | "ApplicationIDs": ["fc0f3af4-6835-4174-b806-f7db311fd2f3"] 211 | }, 212 | { 213 | "ApplicationName": "Microsoft Office", 214 | "ApplicationIDs": ["d3590ed6-52b3-4102-aeff-aad2292ab01c"] 215 | }, 216 | { 217 | "ApplicationName": "Microsoft Office 365 Portal", 218 
| "ApplicationIDs": ["00000006-0000-0ff1-ce00-000000000000"] 219 | }, 220 | { 221 | "ApplicationName": "Microsoft Office Web Apps Service", 222 | "ApplicationIDs": ["67e3df25-268a-4324-a550-0de1c7f97287"] 223 | }, 224 | { 225 | "ApplicationName": "Microsoft Online Syndication Partner Portal", 226 | "ApplicationIDs": ["d176f6e7-38e5-40c9-8a78-3998aab820e7"] 227 | }, 228 | { 229 | "ApplicationName": "Microsoft password reset service", 230 | "ApplicationIDs": ["93625bc8-bfe2-437a-97e0-3d0060024faa"] 231 | }, 232 | { 233 | "ApplicationName": "Microsoft Power BI", 234 | "ApplicationIDs": ["871c010f-5e61-4fb1-83ac-98610a7e9110"] 235 | }, 236 | { 237 | "ApplicationName": "Microsoft Storefronts", 238 | "ApplicationIDs": ["28b567f6-162c-4f54-99a0-6887f387bbcc"] 239 | }, 240 | { 241 | "ApplicationName": "Microsoft Stream Portal", 242 | "ApplicationIDs": ["cf53fce8-def6-4aeb-8d30-b158e7b1cf83"] 243 | }, 244 | { 245 | "ApplicationName": "Microsoft Substrate Management", 246 | "ApplicationIDs": ["98db8bd6-0cc0-4e67-9de5-f187f1cd1b41"] 247 | }, 248 | { 249 | "ApplicationName": "Microsoft Support", 250 | "ApplicationIDs": ["fdf9885b-dd37-42bf-82e5-c3129ef5a302"] 251 | }, 252 | { 253 | "ApplicationName": "Microsoft Teams", 254 | "ApplicationIDs": ["1fec8e78-bce4-4aaf-ab1b-5451cc387264"] 255 | }, 256 | { 257 | "ApplicationName": "Microsoft Teams Services", 258 | "ApplicationIDs": ["cc15fd57-2c6c-4117-a88c-83b1d56b4bbe"] 259 | }, 260 | { 261 | "ApplicationName": "Microsoft Teams Web Client", 262 | "ApplicationIDs": ["5e3ce6c0-2b1f-4285-8d4b-75ee78787346"] 263 | }, 264 | { 265 | "ApplicationName": "Microsoft Whiteboard Services", 266 | "ApplicationIDs": ["95de633a-083e-42f5-b444-a4295d8e9314"] 267 | }, 268 | { 269 | "ApplicationName": "O365 SkypeSpaces Ingestion Service", 270 | "ApplicationIDs": ["dfe74da8-9279-44ec-8fb2-2aed9e1c73d0"] 271 | }, 272 | { 273 | "ApplicationName": "O365 Suite UX", 274 | "ApplicationIDs": ["4345a7b9-9a63-4910-a426-35363201d503"] 275 | }, 276 | { 277 | 
"ApplicationName": "Office 365 Exchange Online", 278 | "ApplicationIDs": ["00000002-0000-0ff1-ce00-000000000000"] 279 | }, 280 | { 281 | "ApplicationName": "Office 365 Management", 282 | "ApplicationIDs": ["00b41c95-dab0-4487-9791-b9d2c32c80f2"] 283 | }, 284 | { 285 | "ApplicationName": "Office 365 Search Service", 286 | "ApplicationIDs": ["66a88757-258c-4c72-893c-3e8bed4d6899"] 287 | }, 288 | { 289 | "ApplicationName": "Office 365 SharePoint Online", 290 | "ApplicationIDs": ["00000003-0000-0ff1-ce00-000000000000"] 291 | }, 292 | { 293 | "ApplicationName": "Office Delve", 294 | "ApplicationIDs": ["94c63fef-13a3-47bc-8074-75af8c65887a"] 295 | }, 296 | { 297 | "ApplicationName": "Office Online Add-in SSO", 298 | "ApplicationIDs": ["93d53678-613d-4013-afc1-62e9e444a0a5"] 299 | }, 300 | { 301 | "ApplicationName": "Office Online Client Microsoft Entra ID- Augmentation Loop", 302 | "ApplicationIDs": ["2abdc806-e091-4495-9b10-b04d93c3f040"] 303 | }, 304 | { 305 | "ApplicationName": "Office Online Client Microsoft Entra ID- Loki", 306 | "ApplicationIDs": ["b23dd4db-9142-4734-867f-3577f640ad0c"] 307 | }, 308 | { 309 | "ApplicationName": "Office Online Client Microsoft Entra ID- Maker", 310 | "ApplicationIDs": ["17d5e35f-655b-4fb0-8ae6-86356e9a49f5"] 311 | }, 312 | { 313 | "ApplicationName": "Office Online Client MSA- Loki", 314 | "ApplicationIDs": ["b6e69c34-5f1f-4c34-8cdf-7fea120b8670"] 315 | }, 316 | { 317 | "ApplicationName": "Office Online Core SSO", 318 | "ApplicationIDs": ["243c63a3-247d-41c5-9d83-7788c43f1c43"] 319 | }, 320 | { 321 | "ApplicationName": "Office Online Search", 322 | "ApplicationIDs": ["a9b49b65-0a12-430b-9540-c80b3332c127"] 323 | }, 324 | { 325 | "ApplicationName": "Office.com", 326 | "ApplicationIDs": ["4b233688-031c-404b-9a80-a4f3f2351f90"] 327 | }, 328 | { 329 | "ApplicationName": "Office365 Shell WCSS-Client", 330 | "ApplicationIDs": ["89bee1f7-5e6e-4d8a-9f3d-ecd601259da7"] 331 | }, 332 | { 333 | "ApplicationName": "OfficeClientService", 334 | 
"ApplicationIDs": ["0f698dd4-f011-4d23-a33e-b36416dcb1e6"] 335 | }, 336 | { 337 | "ApplicationName": "OfficeHome", 338 | "ApplicationIDs": ["4765445b-32c6-49b0-83e6-1d93765276ca"] 339 | }, 340 | { 341 | "ApplicationName": "OfficeShredderWacClient", 342 | "ApplicationIDs": ["4d5c2d63-cf83-4365-853c-925fd1a64357"] 343 | }, 344 | { 345 | "ApplicationName": "OMSOctopiPROD", 346 | "ApplicationIDs": ["62256cef-54c0-4cb4-bcac-4c67989bdc40"] 347 | }, 348 | { 349 | "ApplicationName": "OneDrive SyncEngine", 350 | "ApplicationIDs": ["ab9b8c07-8f02-4f72-87fa-80105867a763"] 351 | }, 352 | { 353 | "ApplicationName": "OneNote", 354 | "ApplicationIDs": ["2d4d3d8e-2be3-4bef-9f87-7875a61c29de"] 355 | }, 356 | { 357 | "ApplicationName": "Outlook Mobile", 358 | "ApplicationIDs": ["27922004-5251-4030-b22d-91ecd9a37ea4"] 359 | }, 360 | { 361 | "ApplicationName": "Partner Customer Delegated Admin Offline Processor", 362 | "ApplicationIDs": ["a3475900-ccec-4a69-98f5-a65cd5dc5306"] 363 | }, 364 | { 365 | "ApplicationName": "Password Breach Authenticator", 366 | "ApplicationIDs": ["bdd48c81-3a58-4ea9-849c-ebea7f6b6360"] 367 | }, 368 | { 369 | "ApplicationName": "PeoplePredictions", 370 | "ApplicationIDs": ["35d54a08-36c9-4847-9018-93934c62740c"] 371 | }, 372 | { 373 | "ApplicationName": "Power BI Service", 374 | "ApplicationIDs": ["00000009-0000-0000-c000-000000000000"] 375 | }, 376 | { 377 | "ApplicationName": "Scheduling", 378 | "ApplicationIDs": ["ae8e128e-080f-4086-b0e3-4c19301ada69"] 379 | }, 380 | { 381 | "ApplicationName": "SharedWithMe", 382 | "ApplicationIDs": ["ffcb16e8-f789-467c-8ce9-f826a080d987"] 383 | }, 384 | { 385 | "ApplicationName": "SharePoint Online Web Client Extensibility", 386 | "ApplicationIDs": ["08e18876-6177-487e-b8b5-cf950c1e598c"] 387 | }, 388 | { 389 | "ApplicationName": "Signup", 390 | "ApplicationIDs": ["b4bddae8-ab25-483e-8670-df09b9f1d0ea"] 391 | }, 392 | { 393 | "ApplicationName": "Skype for Business Online", 394 | "ApplicationIDs": 
["00000004-0000-0ff1-ce00-000000000000"] 395 | }, 396 | { 397 | "ApplicationName": "SpoolsProvisioning", 398 | "ApplicationIDs": ["61109738-7d2b-4a0b-9fe3-660b1ff83505"] 399 | }, 400 | { 401 | "ApplicationName": "Sticky Notes API", 402 | "ApplicationIDs": ["91ca2ca5-3b3e-41dd-ab65-809fa3dffffa"] 403 | }, 404 | { 405 | "ApplicationName": "Substrate Context Service", 406 | "ApplicationIDs": ["13937bba-652e-4c46-b222-3003f4d1ff97"] 407 | }, 408 | { 409 | "ApplicationName": "SubstrateDirectoryEventProcessor", 410 | "ApplicationIDs": ["26abc9a8-24f0-4b11-8234-e86ede698878"] 411 | }, 412 | { 413 | "ApplicationName": "Substrate Search Settings Management Service", 414 | "ApplicationIDs": ["a970bac6-63fe-4ec5-8884-8536862c42d4"] 415 | }, 416 | { 417 | "ApplicationName": "Sway", 418 | "ApplicationIDs": ["905fcf26-4eb7-48a0-9ff0-8dcc7194b5ba"] 419 | }, 420 | { 421 | "ApplicationName": "Transcript Ingestion", 422 | "ApplicationIDs": ["97cb1f73-50df-47d1-8fb0-0271f2728514"] 423 | }, 424 | { 425 | "ApplicationName": "Universal Store Native Client", 426 | "ApplicationIDs": ["268761a2-03f3-40df-8a8b-c3db24145b6b"] 427 | }, 428 | { 429 | "ApplicationName": "Viva Engage (formerly Yammer)", 430 | "ApplicationIDs": ["00000005-0000-0ff1-ce00-000000000000"] 431 | }, 432 | { 433 | "ApplicationName": "WeveEngine", 434 | "ApplicationIDs": ["3c896ded-22c5-450f-91f6-3d1ef0848f6e"] 435 | }, 436 | { 437 | "ApplicationName": "Windows Azure Active Directory", 438 | "ApplicationIDs": ["00000002-0000-0000-c000-000000000000"] 439 | }, 440 | { 441 | "ApplicationName": "Windows Azure Security Resource Provider", 442 | "ApplicationIDs": ["8edd93e1-2103-40b4-bd70-6e34e586362d"] 443 | }, 444 | { 445 | "ApplicationName": "Windows Azure Service Management API", 446 | "ApplicationIDs": ["797f4846-ba00-4fd7-ba43-dac1f8f63013"] 447 | }, 448 | { 449 | "ApplicationName": "WindowsDefenderATP Portal", 450 | "ApplicationIDs": ["a3b79187-70b2-4139-83f9-6016c58cd27b"] 451 | }, 452 | { 453 | "ApplicationName": 
"Windows Search", 454 | "ApplicationIDs": ["26a7ee05-5602-4d76-a7ba-eae8b7b67941"] 455 | }, 456 | { 457 | "ApplicationName": "Windows Spotlight", 458 | "ApplicationIDs": ["1b3c667f-cde3-4090-b60b-3d2abd0117f0"] 459 | }, 460 | { 461 | "ApplicationName": "Windows Store for Business", 462 | "ApplicationIDs": ["45a330b1-b1ec-4cc1-9161-9f03992aa49f"] 463 | }, 464 | { 465 | "ApplicationName": "Yammer Web", 466 | "ApplicationIDs": ["c1c74fed-04c9-4704-80dc-9f79a2e515cb"] 467 | }, 468 | { 469 | "ApplicationName": "Yammer Web Embed", 470 | "ApplicationIDs": ["e1ef36fd-b883-4dbf-97f0-9ece4b576fc6"] 471 | } 472 | ] 473 | -------------------------------------------------------------------------------- /EntraIDRoles.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "DisplayName": "Global Administrator", 4 | "Id": "62e90394-69f5-4237-9190-012177145e10", 5 | "Description": "Can manage all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities." 6 | }, 7 | { 8 | "DisplayName": "Guest User", 9 | "Id": "10dae51f-b6af-4016-8d66-8c2a99b929b3", 10 | "Description": "Default role for guest users. Can read a limited set of directory information." 11 | }, 12 | { 13 | "DisplayName": "Restricted Guest User", 14 | "Id": "2af84b1e-32c8-42b7-82bc-daa82404023b", 15 | "Description": "Restricted role for guest users. Can read a limited set of directory information." 16 | }, 17 | { 18 | "DisplayName": "Guest Inviter", 19 | "Id": "95e79109-95c0-4d8e-aee3-d01accf2d47b", 20 | "Description": "Can invite guest users independent of the 'members can invite guests' setting." 21 | }, 22 | { 23 | "DisplayName": "User Administrator", 24 | "Id": "fe930be7-5e62-47db-91af-98c3a49a38b1", 25 | "Description": "Can manage all aspects of users and groups, including resetting passwords for limited admins." 
26 | }, 27 | { 28 | "DisplayName": "Helpdesk Administrator", 29 | "Id": "729827e3-9c14-49f7-bb1b-9608f156bbb8", 30 | "Description": "Can reset passwords for non-administrators and Helpdesk Administrators." 31 | }, 32 | { 33 | "DisplayName": "Service Support Administrator", 34 | "Id": "f023fd81-a637-4b56-95fd-791ac0226033", 35 | "Description": "Can read service health information and manage support tickets." 36 | }, 37 | { 38 | "DisplayName": "Billing Administrator", 39 | "Id": "b0f54661-2d74-4c50-afa3-1ec803f12efe", 40 | "Description": "Can perform common billing related tasks like updating payment information." 41 | }, 42 | { 43 | "DisplayName": "User", 44 | "Id": "a0b1b346-4d3e-4e8b-98f8-753987be4970", 45 | "Description": "Default role for member users. Can read all and write a limited set of directory information." 46 | }, 47 | { 48 | "DisplayName": "Partner Tier1 Support", 49 | "Id": "4ba39ca4-527c-499a-b93d-d9b492c50246", 50 | "Description": "Do not use - not intended for general use." 51 | }, 52 | { 53 | "DisplayName": "Partner Tier2 Support", 54 | "Id": "e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8", 55 | "Description": "Do not use - not intended for general use." 56 | }, 57 | { 58 | "DisplayName": "Directory Readers", 59 | "Id": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b", 60 | "Description": "Can read basic directory information. Commonly used to grant directory read access to applications and guests." 61 | }, 62 | { 63 | "DisplayName": "Directory Writers", 64 | "Id": "9360feb5-f418-4baa-8175-e2a00bac4301", 65 | "Description": "Can read and write basic directory information. For granting access to applications, not intended for users." 66 | }, 67 | { 68 | "DisplayName": "Exchange Administrator", 69 | "Id": "29232cdf-9323-42fd-ade2-1d097af3e4de", 70 | "Description": "Can manage all aspects of the Exchange product." 
71 | }, 72 | { 73 | "DisplayName": "SharePoint Administrator", 74 | "Id": "f28a1f50-f6e7-4571-818b-6a12f2af6b6c", 75 | "Description": "Can manage all aspects of the SharePoint service." 76 | }, 77 | { 78 | "DisplayName": "Skype for Business Administrator", 79 | "Id": "75941009-915a-4869-abe7-691bff18279e", 80 | "Description": "Can manage all aspects of the Skype for Business product." 81 | }, 82 | { 83 | "DisplayName": "Device Users", 84 | "Id": "d405c6df-0af8-4e3b-95e4-4d06e542189e", 85 | "Description": "Deprecated - Do Not Use." 86 | }, 87 | { 88 | "DisplayName": "Azure AD Joined Device Local Administrator", 89 | "Id": "9f06204d-73c1-4d4c-880a-6edb90606fd8", 90 | "Description": "Users assigned to this role are added to the local administrators group on Microsoft Entra joined devices." 91 | }, 92 | { 93 | "DisplayName": "Device Join", 94 | "Id": "9c094953-4995-41c8-84c8-3ebb9b32c93f", 95 | "Description": "Deprecated - Do Not Use." 96 | }, 97 | { 98 | "DisplayName": "Workplace Device Join", 99 | "Id": "c34f683f-4d5a-4403-affd-6615e00e3a7f", 100 | "Description": "Deprecated - Do Not Use." 101 | }, 102 | { 103 | "DisplayName": "Compliance Administrator", 104 | "Id": "17315797-102d-40b4-93e0-432062caca18", 105 | "Description": "Can read and manage compliance configuration and reports in Microsoft Entra ID and Microsoft 365." 106 | }, 107 | { 108 | "DisplayName": "Directory Synchronization Accounts", 109 | "Id": "d29b2b05-8046-44ba-8758-1e26182fcf32", 110 | "Description": "Only used by Microsoft Entra Connect service." 111 | }, 112 | { 113 | "DisplayName": "Device Managers", 114 | "Id": "2b499bcd-da44-4968-8aec-78e1674fa64d", 115 | "Description": "Deprecated - Do Not Use." 116 | }, 117 | { 118 | "DisplayName": "Application Administrator", 119 | "Id": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3", 120 | "Description": "Can create and manage all aspects of app registrations and enterprise apps." 
121 | }, 122 | { 123 | "DisplayName": "Application Developer", 124 | "Id": "cf1c38e5-3621-4004-a7cb-879624dced7c", 125 | "Description": "Can create application registrations independent of the 'Users can register applications' setting." 126 | }, 127 | { 128 | "DisplayName": "Security Reader", 129 | "Id": "5d6b6bb7-de71-4623-b4af-96380a352509", 130 | "Description": "Can read security information and reports in Microsoft Entra ID and Office 365." 131 | }, 132 | { 133 | "DisplayName": "Security Administrator", 134 | "Id": "194ae4cb-b126-40b2-bd5b-6091b380977d", 135 | "Description": "Can read security information and reports, and manage configuration in Microsoft Entra ID and Office 365." 136 | }, 137 | { 138 | "DisplayName": "Privileged Role Administrator", 139 | "Id": "e8611ab8-c189-46e8-94e1-60213ab1f814", 140 | "Description": "Can manage role assignments in Microsoft Entra ID, and all aspects of Privileged Identity Management." 141 | }, 142 | { 143 | "DisplayName": "Intune Administrator", 144 | "Id": "3a2c62db-5318-420d-8d74-23affee5d9d5", 145 | "Description": "Can manage all aspects of the Intune product." 146 | }, 147 | { 148 | "DisplayName": "Cloud Application Administrator", 149 | "Id": "158c047a-c907-4556-b7ef-446551a6b5f7", 150 | "Description": "Can create and manage all aspects of app registrations and enterprise apps except App Proxy." 151 | }, 152 | { 153 | "DisplayName": "Customer LockBox Access Approver", 154 | "Id": "5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91", 155 | "Description": "Can approve Microsoft support requests to access customer organizational data." 156 | }, 157 | { 158 | "DisplayName": "Dynamics 365 Administrator", 159 | "Id": "44367163-eba1-44c3-98af-f5787879f96a", 160 | "Description": "Can manage all aspects of the Dynamics 365 product." 161 | }, 162 | { 163 | "DisplayName": "Fabric Administrator", 164 | "Id": "a9ea8996-122f-4c74-9520-8edcd192826c", 165 | "Description": "Manages all aspects of Microsoft Fabric." 
166 | }, 167 | { 168 | "DisplayName": "Conditional Access Administrator", 169 | "Id": "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9", 170 | "Description": "Can manage Conditional Access capabilities." 171 | }, 172 | { 173 | "DisplayName": "Reports Reader", 174 | "Id": "4a5d8f65-41da-4de4-8968-e035b65339cf", 175 | "Description": "Can read sign-in and audit reports." 176 | }, 177 | { 178 | "DisplayName": "Message Center Reader", 179 | "Id": "790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b", 180 | "Description": "Can read messages and updates for their organization in Office 365 Message Center only." 181 | }, 182 | { 183 | "DisplayName": "Azure Information Protection Administrator", 184 | "Id": "7495fdc4-34c4-4d15-a289-98788ce399fd", 185 | "Description": "Can manage all aspects of the Azure Information Protection product." 186 | }, 187 | { 188 | "DisplayName": "Desktop Analytics Administrator", 189 | "Id": "38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4", 190 | "Description": "Can access and manage Desktop management tools and services." 191 | }, 192 | { 193 | "DisplayName": "License Administrator", 194 | "Id": "4d6ac14f-3453-41d0-bef9-a3e0c569773a", 195 | "Description": "Can manage product licenses on users and groups." 196 | }, 197 | { 198 | "DisplayName": "Cloud Device Administrator", 199 | "Id": "7698a772-787b-4ac8-901f-60d6b08affd2", 200 | "Description": "Limited access to manage devices in Microsoft Entra ID." 201 | }, 202 | { 203 | "DisplayName": "Authentication Administrator", 204 | "Id": "c4e39bd9-1100-46d3-8c65-fb160da0071f", 205 | "Description": "Can access to view, set and reset authentication method information for any non-admin user." 206 | }, 207 | { 208 | "DisplayName": "Privileged Authentication Administrator", 209 | "Id": "7be44c8a-adaf-4e2a-84d6-ab2649e08a13", 210 | "Description": "Can access to view, set and reset authentication method information for any user (admin or non-admin)." 
211 | }, 212 | { 213 | "DisplayName": "Teams Communications Administrator", 214 | "Id": "baf37b3a-610e-45da-9e62-d9d1e5e8914b", 215 | "Description": "Can manage calling and meetings features within the Microsoft Teams service." 216 | }, 217 | { 218 | "DisplayName": "Teams Communications Support Engineer", 219 | "Id": "f70938a0-fc10-4177-9e90-2178f8765737", 220 | "Description": "Can troubleshoot communications issues within Teams using advanced tools." 221 | }, 222 | { 223 | "DisplayName": "Teams Communications Support Specialist", 224 | "Id": "fcf91098-03e3-41a9-b5ba-6f0ec8188a12", 225 | "Description": "Can troubleshoot communications issues within Teams using basic tools." 226 | }, 227 | { 228 | "DisplayName": "Teams Administrator", 229 | "Id": "69091246-20e8-4a56-aa4d-066075b2a7a8", 230 | "Description": "Can manage the Microsoft Teams service." 231 | }, 232 | { 233 | "DisplayName": "Insights Administrator", 234 | "Id": "eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c", 235 | "Description": "Has administrative access in the Microsoft 365 Insights app." 236 | }, 237 | { 238 | "DisplayName": "Message Center Privacy Reader", 239 | "Id": "ac16e43d-7b2d-40e0-ac05-243ff356ab5b", 240 | "Description": "Can read security messages and updates in Office 365 Message Center only." 241 | }, 242 | { 243 | "DisplayName": "External ID User Flow Administrator", 244 | "Id": "6e591065-9bad-43ed-90f3-e9424366d2f0", 245 | "Description": "Can create and manage all aspects of user flows." 246 | }, 247 | { 248 | "DisplayName": "External ID User Flow Attribute Administrator", 249 | "Id": "0f971eea-41eb-4569-a71e-57bb8a3eff1e", 250 | "Description": "Can create and manage the attribute schema available to all user flows." 251 | }, 252 | { 253 | "DisplayName": "B2C IEF Keyset Administrator", 254 | "Id": "aaf43236-0c0d-4d5f-883a-6955382ac081", 255 | "Description": "Can manage secrets for federation and encryption in the Identity Experience Framework (IEF)." 
256 | }, 257 | { 258 | "DisplayName": "B2C IEF Policy Administrator", 259 | "Id": "3edaf663-341e-4475-9f94-5c398ef6c070", 260 | "Description": "Can create and manage trust framework policies in the Identity Experience Framework (IEF)." 261 | }, 262 | { 263 | "DisplayName": "External Identity Provider Administrator", 264 | "Id": "be2f45a1-457d-42af-a067-6ec1fa63bc45", 265 | "Description": "Can configure identity providers for use in direct federation." 266 | }, 267 | { 268 | "DisplayName": "Compliance Data Administrator", 269 | "Id": "e6d1a23a-da11-4be4-9570-befc86d067a7", 270 | "Description": "Creates and manages compliance content." 271 | }, 272 | { 273 | "DisplayName": "Security Operator", 274 | "Id": "5f2222b1-57c3-48ba-8ad5-d4759f1fde6f", 275 | "Description": "Creates and manages security events." 276 | }, 277 | { 278 | "DisplayName": "Kaizala Administrator", 279 | "Id": "74ef975b-6605-40af-a5d2-b9539d836353", 280 | "Description": "Can manage settings for Microsoft Kaizala." 281 | }, 282 | { 283 | "DisplayName": "Global Reader", 284 | "Id": "f2ef992c-3afb-46b9-b7cf-a126ee74c451", 285 | "Description": "Can read everything that a Global Administrator can, but not update anything." 286 | }, 287 | { 288 | "DisplayName": "Search Administrator", 289 | "Id": "0964bb5e-9bdb-4d7b-ac29-58e794862a40", 290 | "Description": "Can create and manage all aspects of Microsoft Search settings." 291 | }, 292 | { 293 | "DisplayName": "Search Editor", 294 | "Id": "8835291a-918c-4fd7-a9ce-faa49f0cf7d9", 295 | "Description": "Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan." 296 | }, 297 | { 298 | "DisplayName": "Password Administrator", 299 | "Id": "966707d0-3269-4727-9be2-8c3a10f19b9d", 300 | "Description": "Can reset passwords for non-administrators and Password Administrators." 
301 | }, 302 | { 303 | "DisplayName": "Printer Administrator", 304 | "Id": "644ef478-e28f-4e28-b9dc-3fdde9aa0b1f", 305 | "Description": "Can manage all aspects of printers and printer connectors." 306 | }, 307 | { 308 | "DisplayName": "Printer Technician", 309 | "Id": "e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477", 310 | "Description": "Can register and unregister printers and update printer status." 311 | }, 312 | { 313 | "DisplayName": "Authentication Policy Administrator", 314 | "Id": "0526716b-113d-4c15-b2c8-68e3c22b9f80", 315 | "Description": "Can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials." 316 | }, 317 | { 318 | "DisplayName": "Groups Administrator", 319 | "Id": "fdd7a751-b60b-444a-984c-02652fe8fa1c", 320 | "Description": "Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports." 321 | }, 322 | { 323 | "DisplayName": "Power Platform Administrator", 324 | "Id": "11648597-926c-4cf3-9c36-bcebb0ba8dcc", 325 | "Description": "Can create and manage all aspects of Microsoft Dynamics 365, PowerApps and Microsoft Flow." 326 | }, 327 | { 328 | "DisplayName": "Azure DevOps Administrator", 329 | "Id": "e3973bdf-4987-49ae-837a-ba8e231c7286", 330 | "Description": "Can manage Azure DevOps organization policy and settings." 331 | }, 332 | { 333 | "DisplayName": "Hybrid Identity Administrator", 334 | "Id": "8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2", 335 | "Description": "Can manage Active Directory to Microsoft Entra cloud provisioning, Microsoft Entra Connect, and federation settings." 
336 | }, 337 | { 338 | "DisplayName": "Office Apps Administrator", 339 | "Id": "2b745bdf-0803-4d80-aa65-822c4493daac", 340 | "Description": "Can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect and publish 'what's new' feature content to end-user's devices." 341 | }, 342 | { 343 | "DisplayName": "Network Administrator", 344 | "Id": "d37c8bed-0711-4417-ba38-b4abe66ce4c2", 345 | "Description": "Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications." 346 | }, 347 | { 348 | "DisplayName": "Insights Business Leader", 349 | "Id": "31e939ad-9672-4796-9c2e-873181342d2d", 350 | "Description": "Can view and share dashboards and insights via the M365 Insights app." 351 | }, 352 | { 353 | "DisplayName": "Teams Devices Administrator", 354 | "Id": "3d762c5a-1b6c-493f-843e-55a3b42923d4", 355 | "Description": "Can perform management related tasks on Teams certified devices." 356 | }, 357 | { 358 | "DisplayName": "Attack Simulation Administrator", 359 | "Id": "c430b396-e693-46cc-96f3-db01bf8bb62a", 360 | "Description": "Can create and manage all aspects of attack simulation campaigns." 361 | }, 362 | { 363 | "DisplayName": "Attack Payload Author", 364 | "Id": "9c6df0f2-1e7c-4dc3-b195-66dfbd24aa8f", 365 | "Description": "Can create attack payloads that an administrator can initiate later." 366 | }, 367 | { 368 | "DisplayName": "Usage Summary Reports Reader", 369 | "Id": "75934031-6c7e-415a-99d7-48dbd49e875e", 370 | "Description": "Can see only tenant level aggregates in Microsoft 365 Usage Analytics and Productivity Score." 371 | }, 372 | { 373 | "DisplayName": "Knowledge Administrator", 374 | "Id": "b5a8dcf3-09d5-43a9-a639-8e29ef291470", 375 | "Description": "Can configure knowledge, learning, and other intelligent features." 
376 | }, 377 | { 378 | "DisplayName": "Knowledge Manager", 379 | "Id": "744ec460-397e-42ad-a462-8b3f9747a02c", 380 | "Description": "Has access to topic management dashboard and can manage content." 381 | }, 382 | { 383 | "DisplayName": "Domain Name Administrator", 384 | "Id": "8329153b-31d0-4727-b945-745eb3bc5f31", 385 | "Description": "Can manage domain names in cloud and on-premises." 386 | }, 387 | { 388 | "DisplayName": "AI Administrator", 389 | "Id": "d2562ede-74db-457e-a7b6-544e236ebb61", 390 | "Description": "Manage all aspects of Microsoft 365 Copilot and AI-related enterprise services in Microsoft 365." 391 | }, 392 | { 393 | "DisplayName": "Attribute Definition Administrator", 394 | "Id": "8424c6f0-a189-499e-bbd0-26c1753c96d4", 395 | "Description": "Define and manage the definition of custom security attributes." 396 | }, 397 | { 398 | "DisplayName": "Attribute Assignment Administrator", 399 | "Id": "58a13ea3-c632-46ae-9ee0-9c0d43cd7f3d", 400 | "Description": "Assign custom security attribute keys and values to supported Microsoft Entra objects." 401 | }, 402 | { 403 | "DisplayName": "Attribute Definition Reader", 404 | "Id": "1d336d2c-4ae8-42ef-9711-b3604ce3fc2c", 405 | "Description": "Read the definition of custom security attributes." 406 | }, 407 | { 408 | "DisplayName": "Attribute Assignment Reader", 409 | "Id": "ffd52fa5-98dc-465c-991d-fc073eb59f8f", 410 | "Description": "Read custom security attribute keys and values for supported Microsoft Entra objects." 411 | }, 412 | { 413 | "DisplayName": "Exchange Recipient Administrator", 414 | "Id": "31392ffb-586c-42d1-9346-e59415a2cc4e", 415 | "Description": "Can create or update Exchange Online recipients within the Exchange Online organization." 416 | }, 417 | { 418 | "DisplayName": "Identity Governance Administrator", 419 | "Id": "45d8d3c5-c802-45c6-b32a-1d70b5e1e86e", 420 | "Description": "Manage access using Microsoft Entra ID for identity governance scenarios." 
421 | }, 422 | { 423 | "DisplayName": "Cloud App Security Administrator", 424 | "Id": "892c5842-a9a6-463a-8041-72aa08ca3cf6", 425 | "Description": "Can manage all aspects of the Cloud App Security product." 426 | }, 427 | { 428 | "DisplayName": "Windows Update Deployment Administrator", 429 | "Id": "32696413-001a-46ae-978c-ce0f6b3620d2", 430 | "Description": "Can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service." 431 | }, 432 | { 433 | "DisplayName": "Windows 365 Administrator", 434 | "Id": "11451d60-acb2-45eb-a7d6-43d0f0125c13", 435 | "Description": "Can provision and manage all aspects of Cloud PCs." 436 | }, 437 | { 438 | "DisplayName": "Edge Administrator", 439 | "Id": "3f1acade-1e04-4fbc-9b69-f0302cd84aef", 440 | "Description": "Manage all aspects of Microsoft Edge." 441 | }, 442 | { 443 | "DisplayName": "Yammer Administrator", 444 | "Id": "810a2642-a034-447f-a5e8-41beaa378541", 445 | "Description": "Manage all aspects of the Yammer service." 446 | }, 447 | { 448 | "DisplayName": "Authentication Extensibility Administrator", 449 | "Id": "25a516ed-2fa0-40ea-a2d0-12923a21473a", 450 | "Description": "Customize sign in and sign up experiences for users by creating and managing custom authentication extensions." 451 | }, 452 | { 453 | "DisplayName": "Virtual Visits Administrator", 454 | "Id": "e300d9e7-4a2b-4295-9eff-f1c78b36cc98", 455 | "Description": "Manage and share Virtual Visits information and metrics from admin centers or the Virtual Visits app." 456 | }, 457 | { 458 | "DisplayName": "Insights Analyst", 459 | "Id": "25df335f-86eb-4119-b717-0ff02de207e9", 460 | "Description": "Access the analytical capabilities in Microsoft Viva Insights and run custom queries." 
461 | }, 462 | { 463 | "DisplayName": "Microsoft Hardware Warranty Administrator", 464 | "Id": "1501b917-7653-4ff9-a4b5-203eaf33784f", 465 | "Description": "Create and manage all aspects of warranty claims and entitlements for Microsoft manufactured hardware, like Surface and HoloLens." 466 | }, 467 | { 468 | "DisplayName": "Microsoft Hardware Warranty Specialist", 469 | "Id": "281fe777-fb20-4fbb-b7a3-ccebce5b0d96", 470 | "Description": "Create and read warranty claims for Microsoft manufactured hardware, like Surface and HoloLens." 471 | }, 472 | { 473 | "DisplayName": "Tenant Creator", 474 | "Id": "112ca1a2-15ad-4102-995e-45b0bc479a6a", 475 | "Description": "Create new Microsoft Entra or Azure AD B2C tenants." 476 | }, 477 | { 478 | "DisplayName": "Lifecycle Workflows Administrator", 479 | "Id": "59d46f88-662b-457b-bceb-5c3809e5908f", 480 | "Description": "Create and manage all aspects of workflows and tasks associated with Lifecycle Workflows in Microsoft Entra ID." 481 | }, 482 | { 483 | "DisplayName": "Viva Goals Administrator", 484 | "Id": "92b086b3-e367-4ef2-b869-1de128fb986e", 485 | "Description": "Manage and configure all aspects of Microsoft Viva Goals." 486 | }, 487 | { 488 | "DisplayName": "User Experience Success Manager", 489 | "Id": "27460883-1df1-4691-b032-3b79643e5e63", 490 | "Description": "View product feedback, survey results, and reports to find training and communication opportunities." 491 | }, 492 | { 493 | "DisplayName": "Permissions Management Administrator", 494 | "Id": "af78dc32-cf4d-46f9-ba4e-4428526346b5", 495 | "Description": "Manage all aspects of Entra Permissions Management." 496 | }, 497 | { 498 | "DisplayName": "Organizational Messages Writer", 499 | "Id": "507f53e4-4e52-4077-abd3-d2e1558b6ea2", 500 | "Description": "Write, publish, manage, and review the organizational messages for end-users through Microsoft product surfaces."
501 | }, 502 | { 503 | "DisplayName": "Global Secure Access Administrator", 504 | "Id": "ac434307-12b9-4fa1-a708-88bf58caabc1", 505 | "Description": "Create and manage all aspects of Global Secure Internet Access and Microsoft Global Secure Private Access, including managing access to public and private endpoints." 506 | }, 507 | { 508 | "DisplayName": "Viva Pulse Administrator", 509 | "Id": "87761b17-1ed2-4af3-9acd-92a150038160", 510 | "Description": "Can manage all settings for Microsoft Viva Pulse app." 511 | }, 512 | { 513 | "DisplayName": "Extended Directory User Administrator", 514 | "Id": "dd13091a-6207-4fc0-82ba-3641e056ab95", 515 | "Description": "Manage all aspects of external user profiles in the extended directory for Teams." 516 | }, 517 | { 518 | "DisplayName": "Attribute Log Administrator", 519 | "Id": "5b784334-f94b-471a-a387-e7219fc49ca2", 520 | "Description": "Read audit logs and configure diagnostic settings for events related to custom security attributes." 521 | }, 522 | { 523 | "DisplayName": "Attribute Log Reader", 524 | "Id": "9c99539d-8186-4804-835f-fd51ef9e2dcd", 525 | "Description": "Read audit logs related to custom security attributes." 526 | }, 527 | { 528 | "DisplayName": "Teams Reader", 529 | "Id": "1076ac91-f3d9-41a7-a339-dcdf5f480acc", 530 | "Description": "Read everything in the Teams admin center, but not update anything." 531 | }, 532 | { 533 | "DisplayName": "Teams Telephony Administrator", 534 | "Id": "aa38014f-0993-46e9-9b45-30501a20909d", 535 | "Description": "Manage voice and telephony features and troubleshoot communication issues within the Microsoft Teams service." 536 | }, 537 | { 538 | "DisplayName": "Dynamics 365 Business Central Administrator", 539 | "Id": "963797fb-eb3b-4cde-8ce3-5878b3f32a3f", 540 | "Description": "Access and perform all administrative tasks on Dynamics 365 Business Central environments." 
541 | }, 542 | { 543 | "DisplayName": "Microsoft 365 Migration Administrator", 544 | "Id": "8c8b803f-96e1-4129-9349-20738d9f9652", 545 | "Description": "Perform all migration functionality to migrate content to Microsoft 365 using Migration Manager." 546 | }, 547 | { 548 | "DisplayName": "SharePoint Embedded Administrator", 549 | "Id": "1a7d78b6-429f-476b-b8eb-35fb715fffd4", 550 | "Description": "Manage all aspects of SharePoint Embedded containers." 551 | }, 552 | { 553 | "DisplayName": "Organizational Branding Administrator", 554 | "Id": "92ed04bf-c94a-4b82-9729-b799a7a4c178", 555 | "Description": "Manage all aspects of organizational branding in a tenant." 556 | }, 557 | { 558 | "DisplayName": "Organizational Messages Approver", 559 | "Id": "e48398e2-f4bb-4074-8f31-4586725e205b", 560 | "Description": "Review, approve, or reject new organizational messages for delivery in the Microsoft 365 admin center before they are sent to users." 561 | }, 562 | { 563 | "DisplayName": "Microsoft Graph Data Connect Administrator", 564 | "Id": "ee67aa9c-e510-4759-b906-227085a7fd4d", 565 | "Description": "Manage aspects of Microsoft Graph Data Connect service in a tenant." 566 | }, 567 | { 568 | "DisplayName": "Microsoft 365 Backup Administrator", 569 | "Id": "1707125e-0aa2-4d4d-8655-a7c786c76a25", 570 | "Description": "Back up and restore content across supported services (SharePoint, OneDrive, and Exchange Online) in Microsoft 365 Backup" 571 | }, 572 | { 573 | "DisplayName": "On Premises Directory Sync Account", 574 | "Id": "a92aed5d-d78a-4d16-b381-09adb37eb3b0", 575 | "Description": "Only used by Microsoft Entra Connect Sync Account." 576 | }, 577 | { 578 | "DisplayName": "Attribute Provisioning Reader", 579 | "Id": "422218e4-db15-4ef9-bbe0-8afb41546d79", 580 | "Description": "Read the provisioning configuration of all active custom security attributes for an application." 
581 | }, 582 | { 583 | "DisplayName": "Attribute Provisioning Administrator", 584 | "Id": "ecb2c6bf-0ab6-418e-bd87-7986f8d63bbe", 585 | "Description": "Read and edit the provisioning configuration of all active custom security attributes for an application." 586 | }, 587 | { 588 | "DisplayName": "Global Secure Access Log Reader", 589 | "Id": "843318fb-79a6-4168-9e6f-aa9a07481cc4", 590 | "Description": "Provides designated security personnel with read-only access to network traffic logs in Microsoft Entra Internet Access and Microsoft Entra Private Access for detailed analysis." 591 | }, 592 | { 593 | "DisplayName": "Organizational Data Source Administrator", 594 | "Id": "9d70768a-0cbc-4b4c-aea3-2e124b2477f4", 595 | "Description": "Set up and manage the ingestion of organizational data into Microsoft 365." 596 | }, 597 | { 598 | "DisplayName": "People Administrator", 599 | "Id": "024906de-61e5-49c8-8572-40335f1e0e10", 600 | "Description": "Manage profile photos of users and people settings for all users in the organization." 601 | }, 602 | { 603 | "DisplayName": "IoT Device Administrator", 604 | "Id": "2ea5ce4c-b2d8-4668-bd81-3680bd2d227a", 605 | "Description": "Provision new IoT devices, manage their lifecycle, configure certificates, and manage device templates." 606 | }, 607 | { 608 | "DisplayName": "Viva Glint Tenant Administrator", 609 | "Id": "0ec3f692-38d6-4d14-9e69-0377ca7797ad", 610 | "Description": "Manage and configure Microsoft Viva Glint settings in the Microsoft 365 admin center." 611 | } 612 | ] 613 | -------------------------------------------------------------------------------- /AzureRoles.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "Name": "Access Review Operator Service Role", 4 | "Id": "76cc9ee4-d5d3-4a45-a930-26add3d73475", 5 | "Description": "Lets you grant Access Review System app permissions to discover and revoke access as needed by the access review process." 
6 | }, 7 | { 8 | "Name": "AcrDelete", 9 | "Id": "c2f4ef07-c644-48eb-af81-4b1b4947fb11", 10 | "Description": "acr delete" 11 | }, 12 | { 13 | "Name": "AcrImageSigner", 14 | "Id": "6cef56e8-d556-48e5-a04f-b8e64114680f", 15 | "Description": "acr image signer" 16 | }, 17 | { 18 | "Name": "AcrPull", 19 | "Id": "7f951dda-4ed3-4680-a7ca-43fe172d538d", 20 | "Description": "acr pull" 21 | }, 22 | { 23 | "Name": "AcrPush", 24 | "Id": "8311e382-0749-4cb8-b61a-304f252e45ec", 25 | "Description": "acr push" 26 | }, 27 | { 28 | "Name": "AcrQuarantineReader", 29 | "Id": "cdda3590-29a3-44f6-95f2-9f980659eb04", 30 | "Description": "acr quarantine data reader" 31 | }, 32 | { 33 | "Name": "AcrQuarantineWriter", 34 | "Id": "c8d4ff99-41c3-41a8-9f60-21dfdad59608", 35 | "Description": "acr quarantine data writer" 36 | }, 37 | { 38 | "Name": "Advisor Recommendations Contributor (Assessments and Reviews)", 39 | "Id": "6b534d80-e337-47c4-864f-140f5c7f593d", 40 | "Description": "View assessment recommendations, accepted review recommendations, and manage the recommendations lifecycle (mark recommendations as completed, postponed or dismissed, in progress, or not started)." 41 | }, 42 | { 43 | "Name": "Advisor Reviews Contributor", 44 | "Id": "8aac15f0-d885-4138-8afa-bfb5872f7d13", 45 | "Description": "View reviews for a workload and triage recommendations linked to them." 46 | }, 47 | { 48 | "Name": "Advisor Reviews Reader", 49 | "Id": "c64499e0-74c3-47ad-921c-13865957895c", 50 | "Description": "View reviews for a workload and recommendations linked to them." 
51 | }, 52 | { 53 | "Name": "AgFood Platform Dataset Admin", 54 | "Id": "a8d4b70f-0fb9-4f72-b267-b87b2f990aec", 55 | "Description": "Provides access to Dataset APIs" 56 | }, 57 | { 58 | "Name": "AgFood Platform Sensor Partner Contributor", 59 | "Id": "6b77f0a0-0d89-41cc-acd1-579c22c17a67", 60 | "Description": "Provides contribute access to manage sensor related entities in AgFood Platform Service" 61 | }, 62 | { 63 | "Name": "AgFood Platform Service Admin", 64 | "Id": "f8da80de-1ff9-4747-ad80-a19b7f6079e3", 65 | "Description": "Provides admin access to AgFood Platform Service" 66 | }, 67 | { 68 | "Name": "AgFood Platform Service Contributor", 69 | "Id": "8508508a-4469-4e45-963b-2518ee0bb728", 70 | "Description": "Provides contribute access to AgFood Platform Service" 71 | }, 72 | { 73 | "Name": "AgFood Platform Service Reader", 74 | "Id": "7ec7ccdc-f61e-41fe-9aaf-980df0a44eba", 75 | "Description": "Provides read access to AgFood Platform Service" 76 | }, 77 | { 78 | "Name": "AnyBuild Builder", 79 | "Id": "a2138dac-4907-4679-a376-736901ed8ad8", 80 | "Description": "Basic user role for AnyBuild. This role allows listing of agent information and execution of remote build capabilities." 81 | }, 82 | { 83 | "Name": "API Management Developer Portal Content Editor", 84 | "Id": "c031e6a8-4391-4de0-8d69-4706a7ed3729", 85 | "Description": "Can customize the developer portal, edit its content, and publish it." 
86 | }, 87 | { 88 | "Name": "API Management Service Contributor", 89 | "Id": "312a565d-c81f-4fd8-895a-4e21e48d571c", 90 | "Description": "Can manage service and the APIs" 91 | }, 92 | { 93 | "Name": "API Management Service Operator Role", 94 | "Id": "e022efe7-f5ba-4159-bbe4-b44f577e9b61", 95 | "Description": "Can manage service but not the APIs" 96 | }, 97 | { 98 | "Name": "API Management Service Reader Role", 99 | "Id": "71522526-b88f-4d52-b57f-d31fc3546d0d", 100 | "Description": "Read-only access to service and APIs" 101 | }, 102 | { 103 | "Name": "API Management Service Workspace API Developer", 104 | "Id": "9565a273-41b9-4368-97d2-aeb0c976a9b3", 105 | "Description": "Has read access to tags and products and write access to allow: assigning APIs to products, assigning tags to products and APIs. This role should be assigned on the service scope." 106 | }, 107 | { 108 | "Name": "API Management Service Workspace API Product Manager", 109 | "Id": "d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da", 110 | "Description": "Has the same access as API Management Service Workspace API Developer as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope." 111 | }, 112 | { 113 | "Name": "API Management Workspace API Developer", 114 | "Id": "56328988-075d-4c6a-8766-d93edd6725b6", 115 | "Description": "Has read access to entities in the workspace and read and write access to entities for editing APIs. This role should be assigned on the workspace scope." 116 | }, 117 | { 118 | "Name": "API Management Workspace API Product Manager", 119 | "Id": "73c2c328-d004-4c5e-938c-35c6f5679a1f", 120 | "Description": "Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope." 
121 | }, 122 | { 123 | "Name": "API Management Workspace Contributor", 124 | "Id": "0c34c906-8d99-4cb7-8bb7-33f5b0a1a799", 125 | "Description": "Can manage the workspace and view, but not modify its members. This role should be assigned on the workspace scope." 126 | }, 127 | { 128 | "Name": "API Management Workspace Reader", 129 | "Id": "ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2", 130 | "Description": "Has read-only access to entities in the workspace. This role should be assigned on the workspace scope." 131 | }, 132 | { 133 | "Name": "App Compliance Automation Administrator", 134 | "Id": "0f37683f-2463-46b6-9ce7-9b788b988ba2", 135 | "Description": "Create, read, download, modify and delete reports objects and related other resource objects." 136 | }, 137 | { 138 | "Name": "App Compliance Automation Reader", 139 | "Id": "ffc6bbe0-e443-4c3b-bf54-26581bb2f78e", 140 | "Description": "Read, download the reports objects and related other resource objects." 141 | }, 142 | { 143 | "Name": "App Configuration Data Owner", 144 | "Id": "5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b", 145 | "Description": "Allows full access to App Configuration data." 146 | }, 147 | { 148 | "Name": "App Configuration Data Reader", 149 | "Id": "516239f1-63e1-4d78-a4de-a74fb236a071", 150 | "Description": "Allows read access to App Configuration data." 151 | }, 152 | { 153 | "Name": "AppGw for Containers Configuration Manager", 154 | "Id": "fbc52c3f-28ad-4303-a892-8a056630b8f1", 155 | "Description": "Allows access and configuration updates to Application Gateway for Containers resource." 156 | }, 157 | { 158 | "Name": "Application Group Contributor", 159 | "Id": "ca6382a4-1721-4bcf-a114-ff0c70227b6b", 160 | "Description": "Contributor of the Application Group." 
161 | }, 162 | { 163 | "Name": "Application Insights Component Contributor", 164 | "Id": "ae349356-3a1b-4a5e-921d-050484c6347e", 165 | "Description": "Can manage Application Insights components" 166 | }, 167 | { 168 | "Name": "Application Insights Snapshot Debugger", 169 | "Id": "08954f03-6346-4c2e-81c0-ec3a5cfae23b", 170 | "Description": "Gives user permission to use Application Insights Snapshot Debugger features" 171 | }, 172 | { 173 | "Name": "Azure AI Developer", 174 | "Id": "64702f94-c441-49e6-a78b-ef80e0188fee", 175 | "Description": "Can perform all actions within an Azure AI resource besides managing the resource itself." 176 | }, 177 | { 178 | "Name": "Azure AI Enterprise Network Connection Approver", 179 | "Id": "b556d68e-0be0-4f35-a333-ad7ee1ce17ea", 180 | "Description": "Can approve private endpoint connections to Azure AI common dependency resources" 181 | }, 182 | { 183 | "Name": "Azure AI Inference Deployment Operator", 184 | "Id": "3afb7f49-54cb-416e-8c09-6dc049efa503", 185 | "Description": "Can perform all actions required to create a resource deployment within a resource group." 186 | }, 187 | { 188 | "Name": "Azure API Center Compliance Manager", 189 | "Id": "ede9aaa3-4627-494e-be13-4aa7c256148d", 190 | "Description": "Allows managing API compliance in Azure API Center service." 191 | }, 192 | { 193 | "Name": "Azure API Center Data Reader", 194 | "Id": "c7244dfb-f447-457d-b2ba-3999044d1706", 195 | "Description": "Allows for access to Azure API Center data plane read operations." 196 | }, 197 | { 198 | "Name": "Azure API Center Service Contributor", 199 | "Id": "dd24193f-ef65-44e5-8a7e-6fa6e03f7713", 200 | "Description": "Allows managing Azure API Center service." 201 | }, 202 | { 203 | "Name": "Azure API Center Service Reader", 204 | "Id": "6cba8790-29c5-48e5-bab1-c7541b01cb04", 205 | "Description": "Allows read-only access to Azure API Center service." 
206 | }, 207 | { 208 | "Name": "Azure Arc Enabled Kubernetes Cluster User Role", 209 | "Id": "00493d72-78f6-4148-b6c5-d3ce8e4799dd", 210 | "Description": "List cluster user credentials action." 211 | }, 212 | { 213 | "Name": "Azure Arc Kubernetes Admin", 214 | "Id": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96", 215 | "Description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces." 216 | }, 217 | { 218 | "Name": "Azure Arc Kubernetes Cluster Admin", 219 | "Id": "8393591c-06b9-48a2-a542-1bd6b377f6a2", 220 | "Description": "Lets you manage all resources in the cluster." 221 | }, 222 | { 223 | "Name": "Azure Arc Kubernetes Viewer", 224 | "Id": "63f0a09d-1495-4db4-a681-037d84835eb4", 225 | "Description": "Lets you view all resources in cluster/namespace, except secrets." 226 | }, 227 | { 228 | "Name": "Azure Arc Kubernetes Writer", 229 | "Id": "5b999177-9696-4545-85c7-50de3797e5a1", 230 | "Description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings." 231 | }, 232 | { 233 | "Name": "Azure Arc ScVmm Administrator role", 234 | "Id": "a92dfd61-77f9-4aec-a531-19858b406c87", 235 | "Description": "Arc ScVmm VM Administrator has permissions to perform all ScVmm actions." 236 | }, 237 | { 238 | "Name": "Azure Arc ScVmm Private Cloud User", 239 | "Id": "c0781e91-8102-4553-8951-97c6d4243cda", 240 | "Description": "Azure Arc ScVmm Private Cloud User has permissions to use the ScVmm resources to deploy VMs." 241 | }, 242 | { 243 | "Name": "Azure Arc ScVmm Private Clouds Onboarding", 244 | "Id": "6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9", 245 | "Description": "Azure Arc ScVmm Private Clouds Onboarding role has permissions to provision all the required resources for onboard and deboard vmm server instances to Azure." 
246 | }, 247 | { 248 | "Name": "Azure Arc ScVmm VM Contributor", 249 | "Id": "e582369a-e17b-42a5-b10c-874c387c530b", 250 | "Description": "Arc ScVmm VM Contributor has permissions to perform all VM actions." 251 | }, 252 | { 253 | "Name": "Azure Arc VMware Administrator role ", 254 | "Id": "ddc140ed-e463-4246-9145-7c664192013f", 255 | "Description": "Arc VMware VM Contributor has permissions to perform all connected VMwarevSphere actions." 256 | }, 257 | { 258 | "Name": "Azure Arc VMware Private Cloud User", 259 | "Id": "ce551c02-7c42-47e0-9deb-e3b6fc3a9a83", 260 | "Description": "Azure Arc VMware Private Cloud User has permissions to use the VMware cloud resources to deploy VMs." 261 | }, 262 | { 263 | "Name": "Azure Arc VMware Private Clouds Onboarding", 264 | "Id": "67d33e57-3129-45e6-bb0b-7cc522f762fa", 265 | "Description": "Azure Arc VMware Private Clouds Onboarding role has permissions to provision all the required resources for onboard and deboard vCenter instances to Azure." 266 | }, 267 | { 268 | "Name": "Azure Arc VMware VM Contributor", 269 | "Id": "b748a06d-6150-4f8a-aaa9-ce3940cd96cb", 270 | "Description": "Arc VMware VM Contributor has permissions to perform all VM actions." 271 | }, 272 | { 273 | "Name": "Azure Center for SAP solutions administrator", 274 | "Id": "7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7", 275 | "Description": "This role provides read and write access to all capabilities of Azure Center for SAP solutions." 276 | }, 277 | { 278 | "Name": "Azure Center for SAP solutions Management role", 279 | "Id": "6d949e1d-41e2-46e3-8920-c6e4f31a8310", 280 | "Description": "This role has permissions which allow users to register existing systems, view and manage systems." 281 | }, 282 | { 283 | "Name": "Azure Center for SAP solutions reader", 284 | "Id": "05352d14-a920-4328-a0de-4cbe7430e26b", 285 | "Description": "This role provides read access to all capabilities of Azure Center for SAP solutions." 
286 | }, 287 | { 288 | "Name": "Azure Center for SAP solutions service role", 289 | "Id": "aabbc5dd-1af0-458b-a942-81af88f9c138", 290 | "Description": "Azure Center for SAP solutions service role - This role is intended to be used for providing the permissions to user assigned managed identity. Azure Center for SAP solutions will use this identity to deploy and manage SAP systems." 291 | }, 292 | { 293 | "Name": "Azure Center for SAP solutions Service role for management", 294 | "Id": "0105a6b0-4bb9-43d2-982a-12806f9faddb", 295 | "Description": "This role has permissions that the user assigned managed identity must have to enable registration for the existing systems." 296 | }, 297 | { 298 | "Name": "Azure Connected Machine Onboarding", 299 | "Id": "b64e21ea-ac4e-4cdf-9dc9-5b892992bee7", 300 | "Description": "Can onboard Azure Connected Machines." 301 | }, 302 | { 303 | "Name": "Azure Connected Machine Resource Administrator", 304 | "Id": "cd570a14-e51a-42ad-bac8-bafd67325302", 305 | "Description": "Can read, write, delete and re-onboard Azure Connected Machines." 306 | }, 307 | { 308 | "Name": "Azure Connected Machine Resource Manager", 309 | "Id": "f5819b54-e033-4d82-ac66-4fec3cbf3f4c", 310 | "Description": "Custom Role for AzureStackHCI RP to manage hybrid compute machines and hybrid connectivity endpoints in a resource group" 311 | }, 312 | { 313 | "Name": "Azure Connected SQL Server Onboarding", 314 | "Id": "e8113dce-c529-4d33-91fa-e9b972617508", 315 | "Description": "Microsoft.AzureArcData service role to access the resources of Microsoft.AzureArcData stored with RPSAAS." 
316 | }, 317 | { 318 | "Name": "Azure Container Storage Operator", 319 | "Id": "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619", 320 | "Description": "Role required by a Managed Identity for Azure Container Storage operations" 321 | }, 322 | { 323 | "Name": "Azure ContainerApps Session Creator", 324 | "Id": "0fb8eba5-a2bb-4abe-b1c1-49dfad359bb0", 325 | "Description": "Create and execute sessions in a sessionPool" 326 | }, 327 | { 328 | "Name": "Azure Customer Lockbox Approver for Subscription", 329 | "Id": "4dae6930-7baf-46f5-909e-0383bc931c46", 330 | "Description": "Can approve Microsoft support requests to access specific resources contained within a subscription, or the subscription itself, when Customer Lockbox for Microsoft Azure is enabled on the tenant where the subscription resides. - in Public Preview." 331 | }, 332 | { 333 | "Name": "Azure Digital Twins Data Owner", 334 | "Id": "bcd981a7-7f74-457b-83e1-cceb9e632ffe", 335 | "Description": "Full access role for Digital Twins data-plane" 336 | }, 337 | { 338 | "Name": "Azure Digital Twins Data Reader", 339 | "Id": "d57506d4-4c8d-48b1-8587-93c323f6a5a3", 340 | "Description": "Read-only role for Digital Twins data-plane properties" 341 | }, 342 | { 343 | "Name": "Azure Edge On-Site Deployment Engineer", 344 | "Id": "207bcc4b-86a6-4487-9141-d6c1f4c238aa", 345 | "Description": "Grants you access to take actions as an on-site person to assist in the provisioning of an edge device" 346 | }, 347 | { 348 | "Name": "Azure Event Hubs Data Owner", 349 | "Id": "f526a384-b230-433a-b45c-95f59c4a2dec", 350 | "Description": "Allows for full access to Azure Event Hubs resources." 351 | }, 352 | { 353 | "Name": "Azure Event Hubs Data Receiver", 354 | "Id": "a638d3c7-ab3a-418d-83e6-5f17a39d4fde", 355 | "Description": "Allows receive access to Azure Event Hubs resources." 
356 | }, 357 | { 358 | "Name": "Azure Event Hubs Data Sender", 359 | "Id": "2b629674-e913-4c01-ae53-ef4638d8f975", 360 | "Description": "Allows send access to Azure Event Hubs resources." 361 | }, 362 | { 363 | "Name": "Azure Extension for SQL Server Deployment", 364 | "Id": "7392c568-9289-4bde-aaaa-b7131215889d", 365 | "Description": "Microsoft.AzureArcData service role to enable deployment of Azure Extension for SQL Server" 366 | }, 367 | { 368 | "Name": "Azure Front Door Domain Contributor", 369 | "Id": "0ab34830-df19-4f8c-b84e-aa85b8afa6e8", 370 | "Description": "For internal use within Azure. Can manage Azure Front Door domains, but can\u0027t grant access to other users." 371 | }, 372 | { 373 | "Name": "Azure Front Door Domain Reader", 374 | "Id": "0f99d363-226e-4dca-9920-b807cf8e1a5f", 375 | "Description": "For internal use within Azure. Can view Azure Front Door domains, but can\u0027t make changes." 376 | }, 377 | { 378 | "Name": "Azure Front Door Profile Reader", 379 | "Id": "662802e2-50f6-46b0-aed2-e834bacc6d12", 380 | "Description": "Can view AFD standard and premium profiles and their endpoints, but can\u0027t make changes." 381 | }, 382 | { 383 | "Name": "Azure Front Door Secret Contributor", 384 | "Id": "3f2eb865-5811-4578-b90a-6fc6fa0df8e5", 385 | "Description": "For internal use within Azure. Can manage Azure Front Door secrets, but can\u0027t grant access to other users." 386 | }, 387 | { 388 | "Name": "Azure Front Door Secret Reader", 389 | "Id": "0db238c4-885e-4c4f-a933-aa2cef684fca", 390 | "Description": "For internal use within Azure. Can view Azure Front Door secrets, but can\u0027t make changes." 391 | }, 392 | { 393 | "Name": "Azure Hybrid Database Administrator - Read Only Service Role", 394 | "Id": "5d9c6a55-fc0e-4e21-ae6f-f7b095497342", 395 | "Description": "Read only access to Azure hybrid database services resources." 
396 | }, 397 | { 398 | "Name": "Azure impact-insight reader", 399 | "Id": "dfb2f09d-25f8-4558-8986-497084006d7a", 400 | "Description": "built-in role for azure impact-insight read access" 401 | }, 402 | { 403 | "Name": "Azure Kubernetes Fleet Manager Contributor Role", 404 | "Id": "63bb64ad-9799-4770-b5c3-24ed299a07bf", 405 | "Description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc." 406 | }, 407 | { 408 | "Name": "Azure Kubernetes Fleet Manager RBAC Admin", 409 | "Id": "434fb43a-c01c-447e-9f67-c3ad923cfaba", 410 | "Description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces." 411 | }, 412 | { 413 | "Name": "Azure Kubernetes Fleet Manager RBAC Cluster Admin", 414 | "Id": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69", 415 | "Description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster." 416 | }, 417 | { 418 | "Name": "Azure Kubernetes Fleet Manager RBAC Reader", 419 | "Id": "30b27cfc-9c84-438e-b0ce-70e35255df80", 420 | "Description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces." 
421 | }, 422 | { 423 | "Name": "Azure Kubernetes Fleet Manager RBAC Writer", 424 | "Id": "5af6afb3-c06c-4fa4-8848-71a8aee05683", 425 | "Description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace.  Applying this role at cluster scope will give access across all namespaces." 426 | }, 427 | { 428 | "Name": "Azure Kubernetes Service Arc Cluster Admin Role", 429 | "Id": "b29efa5f-7782-4dc3-9537-4d5bc70a5e9f", 430 | "Description": "List cluster admin credential action." 431 | }, 432 | { 433 | "Name": "Azure Kubernetes Service Arc Cluster User Role", 434 | "Id": "233ca253-b031-42ff-9fba-87ef12d6b55f", 435 | "Description": "List cluster user credential action." 436 | }, 437 | { 438 | "Name": "Azure Kubernetes Service Arc Contributor Role", 439 | "Id": "5d3f1697-4507-4d08-bb4a-477695db5f82", 440 | "Description": "Grants access to read and write Azure Kubernetes Services hybrid clusters" 441 | }, 442 | { 443 | "Name": "Azure Kubernetes Service Cluster Admin Role", 444 | "Id": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8", 445 | "Description": "List cluster admin credential action." 446 | }, 447 | { 448 | "Name": "Azure Kubernetes Service Cluster Monitoring User", 449 | "Id": "1afdec4b-e479-420e-99e7-f82237c7c5e6", 450 | "Description": "List cluster monitoring user credential action." 451 | }, 452 | { 453 | "Name": "Azure Kubernetes Service Cluster User Role", 454 | "Id": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f", 455 | "Description": "List cluster user credential action." 
456 | }, 457 | { 458 | "Name": "Azure Kubernetes Service Contributor Role", 459 | "Id": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", 460 | "Description": "Grants access to read and write Azure Kubernetes Service clusters" 461 | }, 462 | { 463 | "Name": "Azure Kubernetes Service Hybrid Cluster Admin Role", 464 | "Id": "b5092dac-c796-4349-8681-1a322a31c3f9", 465 | "Description": "List cluster admin credential action." 466 | }, 467 | { 468 | "Name": "Azure Kubernetes Service Hybrid Cluster User Role", 469 | "Id": "fc3f91a1-40bf-4439-8c46-45edbd83563a", 470 | "Description": "List cluster user credential action." 471 | }, 472 | { 473 | "Name": "Azure Kubernetes Service Hybrid Contributor Role", 474 | "Id": "e7037d40-443a-4434-a3fb-8cd202011e1d", 475 | "Description": "Grants access to read and write Azure Kubernetes Services hybrid clusters" 476 | }, 477 | { 478 | "Name": "Azure Kubernetes Service Policy Add-on Deployment", 479 | "Id": "18ed5180-3e48-46fd-8541-4ea054d57064", 480 | "Description": "Deploy the Azure Policy add-on on Azure Kubernetes Service clusters" 481 | }, 482 | { 483 | "Name": "Azure Kubernetes Service RBAC Admin", 484 | "Id": "3498e952-d568-435e-9b2c-8d77e338d7f7", 485 | "Description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces." 486 | }, 487 | { 488 | "Name": "Azure Kubernetes Service RBAC Cluster Admin", 489 | "Id": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b", 490 | "Description": "Lets you manage all resources in the cluster." 491 | }, 492 | { 493 | "Name": "Azure Kubernetes Service RBAC Reader", 494 | "Id": "7f6c6a51-bcf8-42ba-9220-52d62157d7db", 495 | "Description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. 
This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces." 496 | }, 497 | { 498 | "Name": "Azure Kubernetes Service RBAC Writer", 499 | "Id": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb", 500 | "Description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces." 501 | }, 502 | { 503 | "Name": "Azure Machine Learning Workspace Connection Secrets Reader", 504 | "Id": "ea01e6af-a1c1-4350-9563-ad00f8c72ec5", 505 | "Description": "Can list workspace connection secrets" 506 | }, 507 | { 508 | "Name": "Azure Maps Contributor", 509 | "Id": "dba33070-676a-4fb0-87fa-064dc56ff7fb", 510 | "Description": "Grants access all Azure Maps resource management." 511 | }, 512 | { 513 | "Name": "Azure Maps Data Contributor", 514 | "Id": "8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204", 515 | "Description": "Grants access to read, write, and delete access to map related data from an Azure maps account." 516 | }, 517 | { 518 | "Name": "Azure Maps Data Read and Batch Role", 519 | "Id": "d6470a16-71bd-43ab-86b3-6f3a73f4e787", 520 | "Description": "This role can be used to assign read and batch actions on Azure Maps." 521 | }, 522 | { 523 | "Name": "Azure Maps Data Reader", 524 | "Id": "423170ca-a8f6-4b0f-8487-9e4eb8f49bfa", 525 | "Description": "Grants access to read map related data from an Azure maps account." 
526 | }, 527 | { 528 | "Name": "Azure Maps Search and Render Data Reader", 529 | "Id": "6be48352-4f82-47c9-ad5e-0acacefdb005", 530 | "Description": "Grants access to very limited set of data APIs for common visual web SDK scenarios. Specifically, render and search data APIs." 531 | }, 532 | { 533 | "Name": "Azure Messaging Catalog Data Owner", 534 | "Id": "f27b7598-bc64-41f7-8a44-855ff16326c2", 535 | "Description": "Allows for full access to Azure Messaging Catalog resources." 536 | }, 537 | { 538 | "Name": "Azure Programmable Connectivity Gateway Dataplane User", 539 | "Id": "c20923c5-b089-47a5-bf67-fd89569c4ad9", 540 | "Description": "Allows access to all Gateway dataplane APIs." 541 | }, 542 | { 543 | "Name": "Azure Programmable Connectivity Gateway User", 544 | "Id": "609c0c20-e0a0-4a71-b99f-e7e755ac493d", 545 | "Description": "Allows access to all Gateway dataplane APIs." 546 | }, 547 | { 548 | "Name": "Azure RedHat OpenShift Azure Files Storage Operator Role", 549 | "Id": "0d7aedc0-15fd-4a67-a412-efad370c947e", 550 | "Description": "Enables permissions to set OpenShift cluster-wide storage defaults. It ensures a default storageclass exists for clusters. It also installs Container Storage Interface (CSI) drivers which enable your cluster to use Azure Files." 551 | }, 552 | { 553 | "Name": "Azure RedHat OpenShift Cloud Controller Manager Role", 554 | "Id": "a1f96423-95ce-4224-ab27-4e3dc72facd4", 555 | "Description": "Enables permissions for the operator to manage and update the cloud controller managers deployed on top of OpenShift." 556 | }, 557 | { 558 | "Name": "Azure RedHat OpenShift Cluster Ingress Operator Role", 559 | "Id": "0336e1d3-7a87-462b-b6db-342b63f7802c", 560 | "Description": "Enables permissions for the operator to configure and manage the OpenShift router." 
561 | }, 562 | { 563 | "Name": "Azure RedHat OpenShift Image Registry Operator Role", 564 | "Id": "8b32b316-c2f5-4ddf-b05b-83dacd2d08b5", 565 | "Description": "Enables permissions for the operator to manage a singleton instance of the OpenShift image registry. It manages all configuration of the registry, including creating storage." 566 | }, 567 | { 568 | "Name": "Azure RedHat OpenShift Machine API Operator Role", 569 | "Id": "0358943c-7e01-48ba-8889-02cc51d78637", 570 | "Description": "Enables permissions for the operator to manage the lifecycle of specific purpose custom resource definitions (CRD), controllers, and RBAC objects that extend the Kubernetes API. This declares the desired state of machines in a cluster." 571 | }, 572 | { 573 | "Name": "Azure RedHat OpenShift Network Operator Role", 574 | "Id": "be7a6435-15ae-4171-8f30-4a343eff9e8f", 575 | "Description": "Enables permissions to install and upgrade the networking components on an OpenShift cluster." 576 | }, 577 | { 578 | "Name": "Azure RedHat OpenShift Service Operator", 579 | "Id": "4436bae4-7702-4c84-919b-c4069ff25ee2", 580 | "Description": "The ARO Operator is responsible for maintaining features, checks, and resources that are specific to an Azure Red Hat OpenShift cluster\u0027s continued functionality as a managed service. This includes, but is not limited to, machine management and health, network configuration, and monitoring." 581 | }, 582 | { 583 | "Name": "Azure RedHat OpenShift Storage Operator Role", 584 | "Id": "5b7237c5-45e1-49d6-bc18-a1f62f400748", 585 | "Description": "Enables permissions to set OpenShift cluster-wide storage defaults. It ensures a default storageclass exists for clusters. It also installs Container Storage Interface (CSI) drivers which enable your cluster to use various storage backends." 586 | }, 587 | { 588 | "Name": "Azure Relay Listener", 589 | "Id": "26e0b698-aa6d-4085-9386-aadae190014d", 590 | "Description": "Allows for listen access to Azure Relay resources." 
591 | }, 592 | { 593 | "Name": "Azure Relay Owner", 594 | "Id": "2787bf04-f1f5-4bfe-8383-c8a24483ee38", 595 | "Description": "Allows for full access to Azure Relay resources." 596 | }, 597 | { 598 | "Name": "Azure Relay Sender", 599 | "Id": "26baccc8-eea7-41f1-98f4-1762cc7f685d", 600 | "Description": "Allows for send access to Azure Relay resources." 601 | }, 602 | { 603 | "Name": "Azure Resource Bridge Deployment Role", 604 | "Id": "7b1f81f9-4196-4058-8aae-762e593270df", 605 | "Description": "Azure Resource Bridge Deployment Role" 606 | }, 607 | { 608 | "Name": "Azure Resource Notifications System Topics Subscriber", 609 | "Id": "0b962ed2-6d56-471c-bd5f-3477d83a7ba4", 610 | "Description": "Lets you create system topics and event subscriptions on all system topics exposed currently and in the future by Azure Resource Notifications" 611 | }, 612 | { 613 | "Name": "Azure Service Bus Data Owner", 614 | "Id": "090c5cfd-751d-490a-894a-3ce6f1109419", 615 | "Description": "Allows for full access to Azure Service Bus resources." 616 | }, 617 | { 618 | "Name": "Azure Service Bus Data Receiver", 619 | "Id": "4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0", 620 | "Description": "Allows for receive access to Azure Service Bus resources." 621 | }, 622 | { 623 | "Name": "Azure Service Bus Data Sender", 624 | "Id": "69a216fc-b8fb-44d8-bc22-1f3c2cd27a39", 625 | "Description": "Allows for send access to Azure Service Bus resources." 626 | }, 627 | { 628 | "Name": "Azure Sphere Contributor", 629 | "Id": "8b9dfcab-4b77-4632-a6df-94bd07820648", 630 | "Description": "Allows user read and write access to Azure Sphere resources." 631 | }, 632 | { 633 | "Name": "Azure Sphere Owner", 634 | "Id": "5a382001-fe36-41ff-bba4-8bf06bd54da9", 635 | "Description": "Allows user read and write access to Azure Sphere resources and RBAC configuration, includes an ABAC condition to constrain role assignments." 
636 | }, 637 | { 638 | "Name": "Azure Sphere Publisher", 639 | "Id": "6d994134-994b-4a59-9974-f479f0b227fb", 640 | "Description": "Allows user to read and download Azure Sphere resources and upload images." 641 | }, 642 | { 643 | "Name": "Azure Sphere Reader", 644 | "Id": "c8ae6279-5a0b-4cb2-b3f0-d4d62845742c", 645 | "Description": "Allows user to read Azure Sphere resources." 646 | }, 647 | { 648 | "Name": "Azure Spring Apps Application Configuration Service Config File Pattern Reader Role", 649 | "Id": "25211fc6-dc78-40b6-b205-e4ac934fd9fd", 650 | "Description": "Read content of config file pattern for Application Configuration Service in Azure Spring Apps" 651 | }, 652 | { 653 | "Name": "Azure Spring Apps Application Configuration Service Log Reader Role", 654 | "Id": "6593e776-2a30-40f9-8a32-4fe28b77655d", 655 | "Description": "Read real-time logs for Application Configuration Service in Azure Spring Apps" 656 | }, 657 | { 658 | "Name": "Azure Spring Apps Connect Role", 659 | "Id": "80558df3-64f9-4c0f-b32d-e5094b036b0b", 660 | "Description": "Azure Spring Apps Connect Role" 661 | }, 662 | { 663 | "Name": "Azure Spring Apps Managed Components Log Reader Role", 664 | "Id": "52fd16bd-6ed5-46af-9c40-29cbd7952a29", 665 | "Description": "Read real-time logs for all managed components in Azure Spring Apps" 666 | }, 667 | { 668 | "Name": "Azure Spring Apps Remote Debugging Role", 669 | "Id": "a99b0159-1064-4c22-a57b-c9b3caa1c054", 670 | "Description": "Azure Spring Apps Remote Debugging Role" 671 | }, 672 | { 673 | "Name": "Azure Spring Apps Spring Cloud Gateway Log Reader Role", 674 | "Id": "4301dc2a-25a9-44b0-ae63-3636cf7f2bd2", 675 | "Description": "Read real-time logs for Spring Cloud Gateway in Azure Spring Apps" 676 | }, 677 | { 678 | "Name": "Azure Spring Cloud Config Server Contributor", 679 | "Id": "a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b", 680 | "Description": "Allow read, write and delete access to Azure Spring Cloud Config Server" 681 | }, 682 | { 683 | 
"Name": "Azure Spring Cloud Config Server Reader", 684 | "Id": "d04c6db6-4947-4782-9e91-30a88feb7be7", 685 | "Description": "Allow read access to Azure Spring Cloud Config Server" 686 | }, 687 | { 688 | "Name": "Azure Spring Cloud Data Reader", 689 | "Id": "b5537268-8956-4941-a8f0-646150406f0c", 690 | "Description": "Allow read access to Azure Spring Cloud Data" 691 | }, 692 | { 693 | "Name": "Azure Spring Cloud Service Registry Contributor", 694 | "Id": "f5880b48-c26d-48be-b172-7927bfa1c8f1", 695 | "Description": "Allow read, write and delete access to Azure Spring Cloud Service Registry" 696 | }, 697 | { 698 | "Name": "Azure Spring Cloud Service Registry Reader", 699 | "Id": "cff1b556-2399-4e7e-856d-a8f754be7b65", 700 | "Description": "Allow read access to Azure Spring Cloud Service Registry" 701 | }, 702 | { 703 | "Name": "Azure Stack HCI Administrator", 704 | "Id": "bda0d508-adf1-4af0-9c28-88919fc3ae06", 705 | "Description": "Grants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader" 706 | }, 707 | { 708 | "Name": "Azure Stack HCI Device Management Role", 709 | "Id": "865ae368-6a45-4bd1-8fbf-0d5151f56fc1", 710 | "Description": "Microsoft.AzureStackHCI Device Management Role" 711 | }, 712 | { 713 | "Name": "Azure Stack HCI VM Contributor", 714 | "Id": "874d1c73-6003-4e60-a13a-cb31ea190a85", 715 | "Description": "Grants permissions to perform all VM actions" 716 | }, 717 | { 718 | "Name": "Azure Stack HCI VM Reader", 719 | "Id": "4b3fe76c-f777-4d24-a2d7-b027b0f7b273", 720 | "Description": "Grants permissions to view VMs" 721 | }, 722 | { 723 | "Name": "Azure Stack Registration Owner", 724 | "Id": "6f12a6df-dd06-4f3e-bcb1-ce8be600526a", 725 | "Description": "Lets you manage Azure Stack registrations." 
726 | }, 727 | { 728 | "Name": "Azure Usage Billing Data Sender", 729 | "Id": "f0310ce6-e953-4cf8-b892-fb1c87eaf7f6", 730 | "Description": "Azure Usage Billing shared BuiltIn role to be used for all Customer Account Authentication" 731 | }, 732 | { 733 | "Name": "Azure VM Managed identities restore Contributor", 734 | "Id": "6ae96244-5829-4925-a7d3-5975537d91dd", 735 | "Description": "Azure VM Managed identities restore Contributors are allowed to perform Azure VM Restores with managed identities both user and system" 736 | }, 737 | { 738 | "Name": "AzureML Compute Operator", 739 | "Id": "e503ece1-11d0-4e8e-8e2c-7a6c3bf38815", 740 | "Description": "Can access and perform CRUD operations on Machine Learning Services managed compute resources (including Notebook VMs)." 741 | }, 742 | { 743 | "Name": "AzureML Data Scientist", 744 | "Id": "f6c7c914-8db3-469d-8ca1-694a8f32e121", 745 | "Description": "Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself." 746 | }, 747 | { 748 | "Name": "AzureML Metrics Writer (preview)", 749 | "Id": "635dd51f-9968-44d3-b7fb-6d9a6bd613ae", 750 | "Description": "Lets you write metrics to AzureML workspace" 751 | }, 752 | { 753 | "Name": "AzureML Registry User", 754 | "Id": "1823dd4f-9b8c-4ab6-ab4e-7397a3684615", 755 | "Description": "Can perform all actions on Machine Learning Services Registry assets as well as get Registry resources." 
756 | }, 757 | { 758 | "Name": "Attestation Contributor", 759 | "Id": "bbf86eb8-f7b4-4cce-96e4-18cddf81d86e", 760 | "Description": "Can read write or delete the attestation provider instance" 761 | }, 762 | { 763 | "Name": "Attestation Reader", 764 | "Id": "fd1bd22b-8476-40bc-a0bc-69b95687b9f3", 765 | "Description": "Can read the attestation provider properties" 766 | }, 767 | { 768 | "Name": "Automation Contributor", 769 | "Id": "f353d9bd-d4a6-484e-a77a-8050b599b867", 770 | "Description": "Manage azure automation resources and other resources using azure automation." 771 | }, 772 | { 773 | "Name": "Automation Job Operator", 774 | "Id": "4fe576fe-1146-4730-92eb-48519fa6bf9f", 775 | "Description": "Create and Manage Jobs using Automation Runbooks." 776 | }, 777 | { 778 | "Name": "Automation Operator", 779 | "Id": "d3881f73-407a-4167-8283-e981cbba0404", 780 | "Description": "Automation Operators are able to start, stop, suspend, and resume jobs" 781 | }, 782 | { 783 | "Name": "Automation Runbook Operator", 784 | "Id": "5fb5aef8-1081-4b8e-bb16-9d5d0385bab5", 785 | "Description": "Read Runbook properties - to be able to create Jobs of the runbook." 786 | }, 787 | { 788 | "Name": "Autonomous Development Platform Data Contributor (Preview)", 789 | "Id": "b8b15564-4fa6-4a59-ab12-03e1d9594795", 790 | "Description": "Grants permissions to upload and manage new Autonomous Development Platform measurements." 791 | }, 792 | { 793 | "Name": "Autonomous Development Platform Data Owner (Preview)", 794 | "Id": "27f8b550-c507-4db9-86f2-f4b8e816d59d", 795 | "Description": "Grants full access to Autonomous Development Platform data." 796 | }, 797 | { 798 | "Name": "Autonomous Development Platform Data Reader (Preview)", 799 | "Id": "d63b75f7-47ea-4f27-92ac-e0d173aaf093", 800 | "Description": "Grants read access to Autonomous Development Platform data." 
801 | }, 802 | { 803 | "Name": "Avere Contributor", 804 | "Id": "4f8fab4f-1852-4a58-a46a-8eaf358af14a", 805 | "Description": "Can create and manage an Avere vFXT cluster." 806 | }, 807 | { 808 | "Name": "Avere Operator", 809 | "Id": "c025889f-8102-4ebf-b32c-fc0c6f0c6bd9", 810 | "Description": "Used by the Avere vFXT cluster to manage the cluster" 811 | }, 812 | { 813 | "Name": "Backup Contributor", 814 | "Id": "5e467623-bb1f-42f4-a55d-6e525e11384b", 815 | "Description": "Lets you manage backups, but can\u0027t delete vaults and give access to others" 816 | }, 817 | { 818 | "Name": "Backup MUA Admin", 819 | "Id": "c2a970b4-16a7-4a51-8c84-8a8ea6ee0bb8", 820 | "Description": "Backup MultiUser-Authorization. Can create/delete ResourceGuard " 821 | }, 822 | { 823 | "Name": "Backup MUA Operator", 824 | "Id": "f54b6d04-23c6-443e-b462-9c16ab7b4a52", 825 | "Description": "Backup MultiUser-Authorization. Allows user to perform critical operation protected by resourceguard" 826 | }, 827 | { 828 | "Name": "Backup Operator", 829 | "Id": "00c29273-979b-4161-815c-10b084fb9324", 830 | "Description": "Lets you manage backup services, except removal of backup, vault creation and giving access to others" 831 | }, 832 | { 833 | "Name": "Backup Reader", 834 | "Id": "a795c7a0-d4a2-40c1-ae25-d81f01202912", 835 | "Description": "Can view backup services, but can\u0027t make changes" 836 | }, 837 | { 838 | "Name": "Bayer Ag Powered Services CWUM Solution", 839 | "Id": "a9b99099-ead7-47db-8fcf-072597a61dfa", 840 | "Description": "Provide access to CWUM Solution by Bayer Ag Powered Services" 841 | }, 842 | { 843 | "Name": "Bayer Ag Powered Services GDU Solution", 844 | "Id": "c4bc862a-3b64-4a35-a021-a380c159b042", 845 | "Description": "Provide access to GDU Solution by Bayer Ag Powered Services" 846 | }, 847 | { 848 | "Name": "Bayer Ag Powered Services Historical Weather Data Solution User Role", 849 | "Id": "b5b192c1-773c-4543-bfb0-6c59254b74a9", 850 | "Description": "Provide access to 
Historical Weather Data Solution by Bayer Ag Powered Services" 851 | }, 852 | { 853 | "Name": "Bayer Ag Powered Services Imagery Solution", 854 | "Id": "ef29765d-0d37-4119-a4f8-f9f9902c9588", 855 | "Description": "Provide access to Imagery Solution by Bayer Ag Powered Services" 856 | }, 857 | { 858 | "Name": "Bayer Ag Powered Services Smart Boundary Solution User Role", 859 | "Id": "539283cd-c185-4a9a-9503-d35217a1db7b", 860 | "Description": "Provide access to Smart Boundary Solution by Bayer Ag Powered Services" 861 | }, 862 | { 863 | "Name": "Billing Reader", 864 | "Id": "fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", 865 | "Description": "Allows read access to billing data" 866 | }, 867 | { 868 | "Name": "BizTalk Contributor", 869 | "Id": "5e3c6656-6cfa-4708-81fe-0de47ac73342", 870 | "Description": "Lets you manage BizTalk services, but not access to them." 871 | }, 872 | { 873 | "Name": "Blockchain Member Node Access (Preview)", 874 | "Id": "31a002a1-acaf-453e-8a5b-297c9ca1ea24", 875 | "Description": "Allows for access to Blockchain Member nodes" 876 | }, 877 | { 878 | "Name": "Blueprint Contributor", 879 | "Id": "41077137-e803-4205-871c-5a86e6a753b4", 880 | "Description": "Can manage blueprint definitions, but not assign them." 881 | }, 882 | { 883 | "Name": "Blueprint Operator", 884 | "Id": "437d2ced-4a38-4302-8479-ed2bcb43d090", 885 | "Description": "Can assign existing published blueprints, but cannot create new blueprints. NOTE: this only works if the assignment is done with a user-assigned managed identity." 886 | }, 887 | { 888 | "Name": "Carbon Optimization Reader", 889 | "Id": "fa0d39e6-28e5-40cf-8521-1eb320653a4c", 890 | "Description": "Allow read access to Azure Carbon Optimization data" 891 | }, 892 | { 893 | "Name": "CDN Endpoint Contributor", 894 | "Id": "426e0c7f-0c7e-4658-b36f-ff54d6c29b45", 895 | "Description": "Can manage CDN endpoints, but can\u0027t grant access to other users." 
896 | }, 897 | { 898 | "Name": "CDN Endpoint Reader", 899 | "Id": "871e35f6-b5c1-49cc-a043-bde969a0f2cd", 900 | "Description": "Can view CDN endpoints, but can\u0027t make changes." 901 | }, 902 | { 903 | "Name": "CDN Profile Contributor", 904 | "Id": "ec156ff8-a8d1-4d15-830c-5b80698ca432", 905 | "Description": "Can manage CDN and Azure Front Door standard and premium profiles and their endpoints, but can\u0027t grant access to other users." 906 | }, 907 | { 908 | "Name": "CDN Profile Reader", 909 | "Id": "8f96442b-4075-438f-813d-ad51ab4019af", 910 | "Description": "Can view CDN profiles and their endpoints, but can\u0027t make changes." 911 | }, 912 | { 913 | "Name": "Chamber Admin", 914 | "Id": "4e9b8407-af2e-495b-ae54-bb60a55b1b5a", 915 | "Description": "Lets you manage everything under your Modeling and Simulation Workbench chamber." 916 | }, 917 | { 918 | "Name": "Chamber User", 919 | "Id": "4447db05-44ed-4da3-ae60-6cbece780e32", 920 | "Description": "Lets you view everything under your Modeling and Simulation Workbench chamber, but not make any changes." 921 | }, 922 | { 923 | "Name": "Classic Network Contributor", 924 | "Id": "b34d265f-36f7-4a0d-a4d4-e158ca92e90f", 925 | "Description": "Lets you manage classic networks, but not access to them." 926 | }, 927 | { 928 | "Name": "Classic Storage Account Contributor", 929 | "Id": "86e8f5dc-a6e9-4c67-9d15-de283e8eac25", 930 | "Description": "Lets you manage classic storage accounts, but not access to them." 
931 | }, 932 | { 933 | "Name": "Classic Storage Account Key Operator Service Role", 934 | "Id": "985d6b00-f706-48f5-a6fe-d0ca12fb668d", 935 | "Description": "Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts" 936 | }, 937 | { 938 | "Name": "Classic Virtual Machine Contributor", 939 | "Id": "d73bb868-a0df-4d4d-bd69-98a00b01fccb", 940 | "Description": "Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they’re connected to." 941 | }, 942 | { 943 | "Name": "ClearDB MySQL DB Contributor", 944 | "Id": "9106cda0-8a86-4e81-b686-29a22c54effe", 945 | "Description": "Lets you manage ClearDB MySQL databases, but not access to them." 946 | }, 947 | { 948 | "Name": "Cognitive Search Serverless Data Contributor (Deprecated)", 949 | "Id": "7ac06ca7-21ca-47e3-a67b-cbd6e6223baf", 950 | "Description": "This role has been deprecated" 951 | }, 952 | { 953 | "Name": "Cognitive Search Serverless Data Reader (Deprecated)", 954 | "Id": "79b01272-bf9f-4f4c-9517-5506269cf524", 955 | "Description": "This role has been deprecated" 956 | }, 957 | { 958 | "Name": "Cognitive Services Contributor", 959 | "Id": "25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68", 960 | "Description": "Lets you create, read, update, delete and manage keys of Cognitive Services." 961 | }, 962 | { 963 | "Name": "Cognitive Services Custom Vision Contributor", 964 | "Id": "c1ff6cc2-c111-46fe-8896-e0ef812ad9f3", 965 | "Description": "Full access to the project, including the ability to view, create, edit, or delete projects." 966 | }, 967 | { 968 | "Name": "Cognitive Services Custom Vision Deployment", 969 | "Id": "5c4089e1-6d96-4d2f-b296-c1bc7137275f", 970 | "Description": "Publish, unpublish or export models. Deployment can view the project but can’t update." 
971 | }, 972 | { 973 | "Name": "Cognitive Services Custom Vision Labeler", 974 | "Id": "88424f51-ebe7-446f-bc41-7fa16989e96c", 975 | "Description": "View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can’t update anything other than training images and tags." 976 | }, 977 | { 978 | "Name": "Cognitive Services Custom Vision Reader", 979 | "Id": "93586559-c37d-4a6b-ba08-b9f0940c2d73", 980 | "Description": "Read-only actions in the project. Readers can’t create or update the project." 981 | }, 982 | { 983 | "Name": "Cognitive Services Custom Vision Trainer", 984 | "Id": "0a5ae4ab-0d65-4eeb-be61-29fc9b54394b", 985 | "Description": "View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can’t create or delete the project." 986 | }, 987 | { 988 | "Name": "Cognitive Services Data Reader (Preview)", 989 | "Id": "b59867f0-fa02-499b-be73-45a86b5b3e1c", 990 | "Description": "Lets you read Cognitive Services data." 991 | }, 992 | { 993 | "Name": "Cognitive Services Face Recognizer", 994 | "Id": "9894cab4-e18a-44aa-828b-cb588cd6f2d7", 995 | "Description": "Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following \u0027least privilege\u0027 best practices." 
996 | }, 997 | { 998 | "Name": "Cognitive Services Immersive Reader User", 999 | "Id": "b2de6794-95db-4659-8781-7e080d3f2b9d", 1000 | "Description": "Provides access to create Immersive Reader sessions and call APIs" 1001 | }, 1002 | { 1003 | "Name": "Cognitive Services Language Owner", 1004 | "Id": "f07febfe-79bc-46b1-8b37-790e26e6e498", 1005 | "Description": "Has access to all Read, Test, Write, Deploy and Delete functions under Language portal" 1006 | }, 1007 | { 1008 | "Name": "Cognitive Services Language Reader", 1009 | "Id": "7628b7b8-a8b2-4cdc-b46f-e9b35248918e", 1010 | "Description": "Has access to Read and Test functions under Language portal" 1011 | }, 1012 | { 1013 | "Name": "Cognitive Services Language Writer", 1014 | "Id": "f2310ca1-dc64-4889-bb49-c8e0fa3d47a8", 1015 | "Description": " Has access to all Read, Test, and Write functions under Language Portal" 1016 | }, 1017 | { 1018 | "Name": "Cognitive Services LUIS Owner", 1019 | "Id": "f72c8140-2111-481c-87ff-72b910f6e3f8", 1020 | "Description": " Has access to all Read, Test, Write, Deploy and Delete functions under LUIS" 1021 | }, 1022 | { 1023 | "Name": "Cognitive Services LUIS Reader", 1024 | "Id": "18e81cdc-4e98-4e29-a639-e7d10c5a6226", 1025 | "Description": "Has access to Read and Test functions under LUIS." 1026 | }, 1027 | { 1028 | "Name": "Cognitive Services LUIS Writer", 1029 | "Id": "6322a993-d5c9-4bed-b113-e49bbea25b27", 1030 | "Description": "Has access to all Read, Test, and Write functions under LUIS" 1031 | }, 1032 | { 1033 | "Name": "Cognitive Services Metrics Advisor Administrator", 1034 | "Id": "cb43c632-a144-4ec5-977c-e80c4affc34a", 1035 | "Description": "Full access to the project, including the system level configuration." 1036 | }, 1037 | { 1038 | "Name": "Cognitive Services Metrics Advisor User", 1039 | "Id": "3b20f47b-3825-43cb-8114-4bd2201156a8", 1040 | "Description": "Access to the project." 
1041 | }, 1042 | { 1043 | "Name": "Cognitive Services OpenAI Contributor", 1044 | "Id": "a001fd3d-188f-4b5d-821b-7da978bf7442", 1045 | "Description": "Full access including the ability to fine-tune, deploy and generate text" 1046 | }, 1047 | { 1048 | "Name": "Cognitive Services OpenAI User", 1049 | "Id": "5e0bd9bd-7b93-4f28-af87-19fc36ad61bd", 1050 | "Description": "Ability to view files, models, deployments. Readers are able to call inference operations such as chat completions and image generation." 1051 | }, 1052 | { 1053 | "Name": "Cognitive Services QnA Maker Editor", 1054 | "Id": "f4cc2bf9-21be-47a1-bdf1-5c5804381025", 1055 | "Description": "Let’s you create, edit, import and export a KB. You cannot publish or delete a KB." 1056 | }, 1057 | { 1058 | "Name": "Cognitive Services QnA Maker Reader", 1059 | "Id": "466ccd10-b268-4a11-b098-b4849f024126", 1060 | "Description": "Let’s you read and test a KB only." 1061 | }, 1062 | { 1063 | "Name": "Cognitive Services Speech Contributor", 1064 | "Id": "0e75ca1e-0464-4b4d-8b93-68208a576181", 1065 | "Description": "Full access to Speech projects, including read, write and delete all entities, for real-time speech recognition and batch transcription tasks, real-time speech synthesis and long audio tasks, custom speech and custom voice." 1066 | }, 1067 | { 1068 | "Name": "Cognitive Services Speech User", 1069 | "Id": "f2dc8367-1007-4938-bd23-fe263f013447", 1070 | "Description": "Access to the real-time speech recognition and batch transcription APIs, real-time speech synthesis and long audio APIs, as well as to read the data/test/model/endpoint for custom models, but can’t create, delete or modify the data/test/model/endpoint for custom models." 1071 | }, 1072 | { 1073 | "Name": "Cognitive Services Usages Reader", 1074 | "Id": "bba48692-92b0-4667-a9ad-c31c7b334ac2", 1075 | "Description": "Minimal permission to view Cognitive Services usages." 
1076 | }, 1077 | { 1078 | "Name": "Cognitive Services User", 1079 | "Id": "a97b65f3-24c7-4388-baec-2e87135dc908", 1080 | "Description": "Lets you read and list keys of Cognitive Services." 1081 | }, 1082 | { 1083 | "Name": "Collaborative Data Contributor", 1084 | "Id": "daa9e50b-21df-454c-94a6-a8050adab352", 1085 | "Description": "Can manage data packages of a collaborative." 1086 | }, 1087 | { 1088 | "Name": "Collaborative Runtime Operator", 1089 | "Id": "7a6f0e70-c033-4fb1-828c-08514e5f4102", 1090 | "Description": "Can manage resources created by AICS at runtime" 1091 | }, 1092 | { 1093 | "Name": "Community Contributor Role", 1094 | "Id": "49435da6-99fe-48a5-a235-fc668b9dc04a", 1095 | "Description": "Community Contributor Role to access the resources of Microsoft.Mission stored with RPSAAS." 1096 | }, 1097 | { 1098 | "Name": "Community Owner Role", 1099 | "Id": "5e28a61e-8040-49db-b175-bb5b88af6239", 1100 | "Description": "Community Owner Role to access the resources of Microsoft.Mission stored with RPSAAS." 1101 | }, 1102 | { 1103 | "Name": "Community Reader Role", 1104 | "Id": "e6aadb6b-e64f-41c0-9392-d2bba3bc3ebc", 1105 | "Description": "Community Reader Role to access the resources of Microsoft.Mission stored with RPSAAS." 1106 | }, 1107 | { 1108 | "Name": "Compute Diagnostics Role", 1109 | "Id": "df2711a6-406d-41cf-b366-b0250bff9ad1", 1110 | "Description": "Grants permissions to execute diagnostics provided by Compute Diagnostic Service for Compute Resources." 1111 | }, 1112 | { 1113 | "Name": "Compute Gallery Sharing Admin", 1114 | "Id": "1ef6a3be-d0ac-425d-8c01-acb62866290b", 1115 | "Description": "This role allows user to share gallery to another subscription/tenant or share it to the public." 
1116 | }, 1117 | { 1118 | "Name": "Connected Cluster Managed Identity CheckAccess Reader", 1119 | "Id": "65a14201-8f6c-4c28-bec4-12619c5a9aaa", 1120 | "Description": "Built-in role that allows a Connected Cluster managed identity to call the checkAccess API" 1121 | }, 1122 | { 1123 | "Name": "ContainerApp Reader", 1124 | "Id": "ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b", 1125 | "Description": "View all containerapp resources, but does not allow you to make any changes." 1126 | }, 1127 | { 1128 | "Name": "Contributor", 1129 | "Id": "b24988ac-6180-42a0-ab88-20f7382dd24c", 1130 | "Description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries." 1131 | }, 1132 | { 1133 | "Name": "Cosmos DB Account Reader Role", 1134 | "Id": "fbdf93bf-df7d-467e-a4d2-9458aa1360c8", 1135 | "Description": "Can read Azure Cosmos DB Accounts data" 1136 | }, 1137 | { 1138 | "Name": "Cosmos DB Operator", 1139 | "Id": "230815da-be43-4aae-9cb4-875f7bd000aa", 1140 | "Description": "Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings." 1141 | }, 1142 | { 1143 | "Name": "CosmosBackupOperator", 1144 | "Id": "db7b14f2-5adf-42da-9f96-f2ee17bab5cb", 1145 | "Description": "Can submit restore request for a Cosmos DB database or a container for an account" 1146 | }, 1147 | { 1148 | "Name": "CosmosRestoreOperator", 1149 | "Id": "5432c526-bc82-444a-b7ba-57c5b0b5b34f", 1150 | "Description": "Can perform restore action for Cosmos DB database account with continuous backup mode" 1151 | }, 1152 | { 1153 | "Name": "Cost Management Contributor", 1154 | "Id": "434105ed-43f6-45c7-a02f-909b2ba83430", 1155 | "Description": "Can view costs and manage cost configuration (e.g. 
budgets, exports)" 1156 | }, 1157 | { 1158 | "Name": "Cost Management Reader", 1159 | "Id": "72fafb9e-0641-4937-9268-a91bfd8191a3", 1160 | "Description": "Can view cost data and configuration (e.g. budgets, exports)" 1161 | }, 1162 | { 1163 | "Name": "CrossConnectionManager", 1164 | "Id": "399c3b2b-64c2-4ff1-af34-571db925b068", 1165 | "Description": "Allows for read, write access to ExpressRoute CrossConnections" 1166 | }, 1167 | { 1168 | "Name": "CrossConnectionReader", 1169 | "Id": "b6ee44de-fe58-4ddc-b5c2-ab174eb23f05", 1170 | "Description": "Allows for read access to ExpressRoute CrossConnections" 1171 | }, 1172 | { 1173 | "Name": "Data Boundary Tenant Administrator", 1174 | "Id": "d1a38570-4b05-4d70-b8e4-1100bcf76d12", 1175 | "Description": "Allows tenant level administration for data boundaries." 1176 | }, 1177 | { 1178 | "Name": "Data Box Contributor", 1179 | "Id": "add466c9-e687-43fc-8d98-dfcf8d720be5", 1180 | "Description": "Lets you manage everything under Data Box Service except giving access to others." 1181 | }, 1182 | { 1183 | "Name": "Data Box Reader", 1184 | "Id": "028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027", 1185 | "Description": "Lets you manage Data Box Service except creating order or editing order details and giving access to others." 1186 | }, 1187 | { 1188 | "Name": "Data Factory Contributor", 1189 | "Id": "673868aa-7521-48a0-acc6-0f60742d39f5", 1190 | "Description": "Create and manage data factories, as well as child resources within them." 1191 | }, 1192 | { 1193 | "Name": "Data Labeling - Labeler", 1194 | "Id": "c6decf44-fd0a-444c-a844-d653c394e7ab", 1195 | "Description": "Can label data in Labeling." 1196 | }, 1197 | { 1198 | "Name": "Data Lake Analytics Developer", 1199 | "Id": "47b7735b-770e-4598-a7da-8b91488b4c88", 1200 | "Description": "Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts." 
1201 | }, 1202 | { 1203 | "Name": "Data Operator for Managed Disks", 1204 | "Id": "959f8984-c045-4866-89c7-12bf9737be2e", 1205 | "Description": "Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication." 1206 | }, 1207 | { 1208 | "Name": "Data Purger", 1209 | "Id": "150f5e0c-0603-4f03-8c7f-cf70034c4e90", 1210 | "Description": "Can purge analytics data" 1211 | }, 1212 | { 1213 | "Name": "Defender for Storage Data Scanner", 1214 | "Id": "1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40", 1215 | "Description": "Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage." 1216 | }, 1217 | { 1218 | "Name": "Defender Kubernetes Agent Operator", 1219 | "Id": "8bb6f106-b146-4ee6-a3f9-b9c5a96e0ae5", 1220 | "Description": "Grants Microsoft Defender for Cloud permissions to provision the Kubernetes defender security agent" 1221 | }, 1222 | { 1223 | "Name": "DeID Batch Data Owner", 1224 | "Id": "8a90fa6b-6997-4a07-8a95-30633a7c97b9", 1225 | "Description": "Create and manage DeID batch jobs. This role is in preview and subject to change." 1226 | }, 1227 | { 1228 | "Name": "DeID Batch Data Reader", 1229 | "Id": "b73a14ee-91f5-41b7-bd81-920e12466be9", 1230 | "Description": "Read DeID batch jobs. This role is in preview and subject to change." 1231 | }, 1232 | { 1233 | "Name": "DeID Realtime Data User", 1234 | "Id": "bb6577c4-ea0a-40b2-8962-ea18cb8ecd4e", 1235 | "Description": "Execute requests against DeID realtime endpoint. This role is in preview and subject to change." 1236 | }, 1237 | { 1238 | "Name": "Deployment Environments Reader", 1239 | "Id": "eb960402-bf75-4cc3-8d68-35b34f960f72", 1240 | "Description": "Provides read access to environment resources." 
1241 | }, 1242 | { 1243 | "Name": "Deployment Environments User", 1244 | "Id": "18e40d4e-8d2e-438d-97e1-9528336e149c", 1245 | "Description": "Provides access to manage environment resources." 1246 | }, 1247 | { 1248 | "Name": "Desktop Virtualization Application Group Contributor", 1249 | "Id": "86240b0e-9422-4c43-887b-b61143f32ba8", 1250 | "Description": "Contributor of the Desktop Virtualization Application Group." 1251 | }, 1252 | { 1253 | "Name": "Desktop Virtualization Application Group Reader", 1254 | "Id": "aebf23d0-b568-4e86-b8f9-fe83a2c6ab55", 1255 | "Description": "Reader of the Desktop Virtualization Application Group." 1256 | }, 1257 | { 1258 | "Name": "Desktop Virtualization Contributor", 1259 | "Id": "082f0a83-3be5-4ba1-904c-961cca79b387", 1260 | "Description": "Contributor of Desktop Virtualization." 1261 | }, 1262 | { 1263 | "Name": "Desktop Virtualization Host Pool Contributor", 1264 | "Id": "e307426c-f9b6-4e81-87de-d99efb3c32bc", 1265 | "Description": "Contributor of the Desktop Virtualization Host Pool." 1266 | }, 1267 | { 1268 | "Name": "Desktop Virtualization Host Pool Reader", 1269 | "Id": "ceadfde2-b300-400a-ab7b-6143895aa822", 1270 | "Description": "Reader of the Desktop Virtualization Host Pool." 1271 | }, 1272 | { 1273 | "Name": "Desktop Virtualization Power On Contributor", 1274 | "Id": "489581de-a3bd-480d-9518-53dea7416b33", 1275 | "Description": "Provide permission to the Azure Virtual Desktop Resource Provider to start virtual machines." 1276 | }, 1277 | { 1278 | "Name": "Desktop Virtualization Power On Off Contributor", 1279 | "Id": "40c5ff49-9181-41f8-ae61-143b0e78555e", 1280 | "Description": "Provide permission to the Azure Virtual Desktop Resource Provider to start and stop virtual machines." 1281 | }, 1282 | { 1283 | "Name": "Desktop Virtualization Reader", 1284 | "Id": "49a72310-ab8d-41df-bbb0-79b649203868", 1285 | "Description": "Reader of Desktop Virtualization." 
1286 | }, 1287 | { 1288 | "Name": "Desktop Virtualization Session Host Operator", 1289 | "Id": "2ad6aaab-ead9-4eaa-8ac5-da422f562408", 1290 | "Description": "Operator of the Desktop Virtualization Session Host." 1291 | }, 1292 | { 1293 | "Name": "Desktop Virtualization User", 1294 | "Id": "1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", 1295 | "Description": "Allows user to use the applications in an application group." 1296 | }, 1297 | { 1298 | "Name": "Desktop Virtualization User Session Operator", 1299 | "Id": "ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6", 1300 | "Description": "Operator of the Desktop Virtualization Uesr Session." 1301 | }, 1302 | { 1303 | "Name": "Desktop Virtualization Virtual Machine Contributor", 1304 | "Id": "a959dbd1-f747-45e3-8ba6-dd80f235f97c", 1305 | "Description": "This role is in preview and subject to change. Provide permission to the Azure Virtual Desktop Resource Provider to create, delete, update, start, and stop virtual machines." 1306 | }, 1307 | { 1308 | "Name": "Desktop Virtualization Workspace Contributor", 1309 | "Id": "21efdde3-836f-432b-bf3d-3e8e734d4b2b", 1310 | "Description": "Contributor of the Desktop Virtualization Workspace." 1311 | }, 1312 | { 1313 | "Name": "Desktop Virtualization Workspace Reader", 1314 | "Id": "0fa44ee9-7a7d-466b-9bb2-2bf446b1204d", 1315 | "Description": "Reader of the Desktop Virtualization Workspace." 1316 | }, 1317 | { 1318 | "Name": "DevCenter Dev Box User", 1319 | "Id": "45d50f46-0b78-4001-a660-4198cbe8cd05", 1320 | "Description": "Provides access to create and manage dev boxes." 1321 | }, 1322 | { 1323 | "Name": "DevCenter Project Admin", 1324 | "Id": "331c37c6-af14-46d9-b9f4-e1909e1b95a0", 1325 | "Description": "Provides access to manage project resources." 1326 | }, 1327 | { 1328 | "Name": "Device Provisioning Service Data Contributor", 1329 | "Id": "dfce44e4-17b7-4bd1-a6d1-04996ec95633", 1330 | "Description": "Allows for full access to Device Provisioning Service data-plane operations." 
1331 | }, 1332 | { 1333 | "Name": "Device Provisioning Service Data Reader", 1334 | "Id": "10745317-c249-44a1-a5ce-3a4353c0bbd8", 1335 | "Description": "Allows for full read access to Device Provisioning Service data-plane properties." 1336 | }, 1337 | { 1338 | "Name": "Device Update Administrator", 1339 | "Id": "02ca0879-e8e4-47a5-a61e-5c618b76e64a", 1340 | "Description": "Gives you full access to management and content operations" 1341 | }, 1342 | { 1343 | "Name": "Device Update Content Administrator", 1344 | "Id": "0378884a-3af5-44ab-8323-f5b22f9f3c98", 1345 | "Description": "Gives you full access to content operations" 1346 | }, 1347 | { 1348 | "Name": "Device Update Content Reader", 1349 | "Id": "d1ee9a80-8b14-47f0-bdc2-f4a351625a7b", 1350 | "Description": "Gives you read access to content operations, but does not allow making changes" 1351 | }, 1352 | { 1353 | "Name": "Device Update Deployments Administrator", 1354 | "Id": "e4237640-0e3d-4a46-8fda-70bc94856432", 1355 | "Description": "Gives you full access to management operations" 1356 | }, 1357 | { 1358 | "Name": "Device Update Deployments Reader", 1359 | "Id": "49e2f5d2-7741-4835-8efa-19e1fe35e47f", 1360 | "Description": "Gives you read access to management operations, but does not allow making changes" 1361 | }, 1362 | { 1363 | "Name": "Device Update Reader", 1364 | "Id": "e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f", 1365 | "Description": "Gives you read access to management and content operations, but does not allow making changes" 1366 | }, 1367 | { 1368 | "Name": "DevTest Labs User", 1369 | "Id": "76283e04-6283-4c54-8f91-bcf1374a3c64", 1370 | "Description": "Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs." 1371 | }, 1372 | { 1373 | "Name": "DICOM Data Owner", 1374 | "Id": "58a3b984-7adf-4c20-983a-32417c86fbc8", 1375 | "Description": "Full access to DICOM data." 
1376 | }, 1377 | { 1378 | "Name": "DICOM Data Reader", 1379 | "Id": "e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a", 1380 | "Description": "Read and search DICOM data." 1381 | }, 1382 | { 1383 | "Name": "Disk Backup Reader", 1384 | "Id": "3e5e47e6-65f7-47ef-90b5-e5dd4d455f24", 1385 | "Description": "Provides permission to backup vault to perform disk backup." 1386 | }, 1387 | { 1388 | "Name": "Disk Pool Operator", 1389 | "Id": "60fc6e62-5479-42d4-8bf4-67625fcc2840", 1390 | "Description": "Used by the StoragePool Resource Provider to manage Disks added to a Disk Pool." 1391 | }, 1392 | { 1393 | "Name": "Disk Restore Operator", 1394 | "Id": "b50d9833-a0cb-478e-945f-707fcc997c13", 1395 | "Description": "Provides permission to backup vault to perform disk restore." 1396 | }, 1397 | { 1398 | "Name": "Disk Snapshot Contributor", 1399 | "Id": "7efff54f-a5b4-42b5-a1c5-5411624893ce", 1400 | "Description": "Provides permission to backup vault to manage disk snapshots." 1401 | }, 1402 | { 1403 | "Name": "DNS Resolver Contributor", 1404 | "Id": "0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d", 1405 | "Description": "Lets you manage DNS resolver resources." 1406 | }, 1407 | { 1408 | "Name": "DNS Zone Contributor", 1409 | "Id": "befefa01-2a29-4197-83a8-272ff33ce314", 1410 | "Description": "Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them." 1411 | }, 1412 | { 1413 | "Name": "DocumentDB Account Contributor", 1414 | "Id": "5bd9cd88-fe45-4216-938b-f97437e15450", 1415 | "Description": "Lets you manage DocumentDB accounts, but not access to them." 
1416 | }, 1417 | { 1418 | "Name": "Domain Services Contributor", 1419 | "Id": "eeaeda52-9324-47f6-8069-5d5bade478b2", 1420 | "Description": "Can manage Azure AD Domain Services and related network configurations" 1421 | }, 1422 | { 1423 | "Name": "Domain Services Reader", 1424 | "Id": "361898ef-9ed1-48c2-849c-a832951106bb", 1425 | "Description": "Can view Azure AD Domain Services and related network configurations" 1426 | }, 1427 | { 1428 | "Name": "Elastic SAN Network Admin", 1429 | "Id": "fa6cecf6-5db3-4c43-8470-c540bcb4eafa", 1430 | "Description": "Allows access to create Private Endpoints on SAN resources, and to read SAN resources" 1431 | }, 1432 | { 1433 | "Name": "Elastic SAN Owner", 1434 | "Id": "80dcbedb-47ef-405d-95bd-188a1b4ac406", 1435 | "Description": "Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access" 1436 | }, 1437 | { 1438 | "Name": "Elastic SAN Reader", 1439 | "Id": "af6a70f8-3c9f-4105-acf1-d719e9fca4ca", 1440 | "Description": "Allows for control path read access to Azure Elastic SAN" 1441 | }, 1442 | { 1443 | "Name": "Elastic SAN Snapshot Exporter", 1444 | "Id": "1c4770c0-34f7-4110-a1ea-a5855cc7a939", 1445 | "Description": "Allows for creating and exporting Snapshot of Elastic San Volume" 1446 | }, 1447 | { 1448 | "Name": "Elastic SAN Volume Group Owner", 1449 | "Id": "a8281131-f312-4f34-8d98-ae12be9f0d23", 1450 | "Description": "Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access" 1451 | }, 1452 | { 1453 | "Name": "Elastic SAN Volume Importer", 1454 | "Id": "90e8b822-3e73-47b5-868a-787dc80c008f", 1455 | "Description": "Allows for Importing Elastic San Volume" 1456 | }, 1457 | { 1458 | "Name": "Enclave Contributor Role", 1459 | "Id": "19feefae-eacc-4106-81fd-ac34c0671f14", 1460 | "Description": "Enclave Contributor Role to access the resources of Microsoft.Mission stored with 
RPSAAS." 1461 | }, 1462 | { 1463 | "Name": "Enclave Owner Role", 1464 | "Id": "3d5f3eff-eb94-473d-91e3-7aac74d6c0bb", 1465 | "Description": "Enclave Owner Role to access the resources of Microsoft.Mission stored with RPSAAS." 1466 | }, 1467 | { 1468 | "Name": "Enclave Reader Role", 1469 | "Id": "86fede04-b259-4277-8c3e-e26b9865abd8", 1470 | "Description": "Enclave Reader Role to access the resources of Microsoft.Mission stored with RPSAAS." 1471 | }, 1472 | { 1473 | "Name": "EventGrid Contributor", 1474 | "Id": "1e241071-0855-49ea-94dc-649edcd759de", 1475 | "Description": "Lets you manage EventGrid operations." 1476 | }, 1477 | { 1478 | "Name": "EventGrid Data Contributor", 1479 | "Id": "1d8c3fe3-8864-474b-8749-01e3783e8157", 1480 | "Description": "Allows send and receive access to event grid events." 1481 | }, 1482 | { 1483 | "Name": "EventGrid Data Receiver", 1484 | "Id": "78cbd9e7-9798-4e2e-9b5a-547d9ebb31fb", 1485 | "Description": "Allows receive access to event grid events." 1486 | }, 1487 | { 1488 | "Name": "EventGrid Data Sender", 1489 | "Id": "d5a91429-5739-47e2-a06b-3470a27159e7", 1490 | "Description": "Allows send access to event grid events." 1491 | }, 1492 | { 1493 | "Name": "EventGrid EventSubscription Contributor", 1494 | "Id": "428e0ff0-5e57-4d9c-a221-2c70d0e0a443", 1495 | "Description": "Lets you manage EventGrid event subscription operations." 1496 | }, 1497 | { 1498 | "Name": "EventGrid EventSubscription Reader", 1499 | "Id": "2414bbcf-6497-4faf-8c65-045460748405", 1500 | "Description": "Lets you read EventGrid event subscriptions." 1501 | }, 1502 | { 1503 | "Name": "EventGrid TopicSpaces Publisher", 1504 | "Id": "a12b0b94-b317-4dcd-84a8-502ce99884c6", 1505 | "Description": "Lets you publish messages on topicspaces." 1506 | }, 1507 | { 1508 | "Name": "EventGrid TopicSpaces Subscriber", 1509 | "Id": "4b0f2fd7-60b4-4eca-896f-4435034f8bf5", 1510 | "Description": "Lets you subscribe messages on topicspaces." 
1511 | }, 1512 | { 1513 | "Name": "Experimentation Administrator", 1514 | "Id": "7f646f1b-fa08-80eb-a33b-edd6ce5c915c", 1515 | "Description": "Experimentation Administrator" 1516 | }, 1517 | { 1518 | "Name": "Experimentation Contributor", 1519 | "Id": "7f646f1b-fa08-80eb-a22b-edd6ce5c915c", 1520 | "Description": "Experimentation Contributor" 1521 | }, 1522 | { 1523 | "Name": "Experimentation Metric Contributor", 1524 | "Id": "6188b7c9-7d01-4f99-a59f-c88b630326c0", 1525 | "Description": "Allows for creation, writes and reads to the metric set via the metrics service APIs." 1526 | }, 1527 | { 1528 | "Name": "Experimentation Reader", 1529 | "Id": "49632ef5-d9ac-41f4-b8e7-bbe587fa74a1", 1530 | "Description": "Experimentation Reader" 1531 | }, 1532 | { 1533 | "Name": "FHIR Data Contributor", 1534 | "Id": "5a1fc7df-4bf1-4951-a576-89034ee01acd", 1535 | "Description": "Role allows user or principal full access to FHIR Data" 1536 | }, 1537 | { 1538 | "Name": "FHIR Data Converter", 1539 | "Id": "a1705bd2-3a8f-45a5-8683-466fcfd5cc24", 1540 | "Description": "Role allows user or principal to convert data from legacy format to FHIR" 1541 | }, 1542 | { 1543 | "Name": "FHIR Data Exporter", 1544 | "Id": "3db33094-8700-4567-8da5-1501d4e7e843", 1545 | "Description": "Role allows user or principal to read and export FHIR Data" 1546 | }, 1547 | { 1548 | "Name": "FHIR Data Importer", 1549 | "Id": "4465e953-8ced-4406-a58e-0f6e3f3b530b", 1550 | "Description": "Role allows user or principal to read and import FHIR Data" 1551 | }, 1552 | { 1553 | "Name": "FHIR Data Reader", 1554 | "Id": "4c8d0bbc-75d3-4935-991f-5f3c56d81508", 1555 | "Description": "Role allows user or principal to read FHIR Data" 1556 | }, 1557 | { 1558 | "Name": "FHIR Data Writer", 1559 | "Id": "3f88fce4-5892-4214-ae73-ba5294559913", 1560 | "Description": "Role allows user or principal to read and write FHIR Data" 1561 | }, 1562 | { 1563 | "Name": "FHIR SMART User", 1564 | "Id": "4ba50f17-9666-485c-a643-ff00808643f0", 1565 
| "Description": "Role allows user to access FHIR Service according to SMART on FHIR specification" 1566 | }, 1567 | { 1568 | "Name": "Firmware Analysis Admin", 1569 | "Id": "9c1607d1-791d-4c68-885d-c7b7aaff7c8a", 1570 | "Description": "Upload and analyze firmware images in Defender for IoT" 1571 | }, 1572 | { 1573 | "Name": "GeoCatalog Administrator", 1574 | "Id": "c9c97b9c-105d-4bb5-a2a7-7d15666c2484", 1575 | "Description": "Grants full access to manage GeoCatalogs, but does not allow you to assign roles in Azure RBAC." 1576 | }, 1577 | { 1578 | "Name": "GeoCatalog Reader", 1579 | "Id": "b7b8f583-43d0-40ae-b147-6b46f53661c1", 1580 | "Description": "View GeoCatalogs, but does not allow you to make any changes." 1581 | }, 1582 | { 1583 | "Name": "Grafana Admin", 1584 | "Id": "22926164-76b3-42b3-bc55-97df8dab3e41", 1585 | "Description": "Built-in Grafana admin role" 1586 | }, 1587 | { 1588 | "Name": "Grafana Editor", 1589 | "Id": "a79a5197-3a5c-4973-a920-486035ffd60f", 1590 | "Description": "Built-in Grafana Editor role" 1591 | }, 1592 | { 1593 | "Name": "Grafana Viewer", 1594 | "Id": "60921a7e-fef1-4a43-9b16-a26c52ad4769", 1595 | "Description": "Built-in Grafana Viewer role" 1596 | }, 1597 | { 1598 | "Name": "Graph Owner", 1599 | "Id": "b60367af-1334-4454-b71e-769d9a4f83d9", 1600 | "Description": "Create and manage all aspects of the Enterprise Graph - Ontology, Schema mapping, Conflation and Conversational AI and Ingestions" 1601 | }, 1602 | { 1603 | "Name": "GroupQuota Reader", 1604 | "Id": "d0f495dc-44ef-4140-aeb0-b89110e6a7c1", 1605 | "Description": "Read GroupQuota requests, get GroupQuota request status, and get groupQuotaLimits." 1606 | }, 1607 | { 1608 | "Name": "GroupQuota Request Operator", 1609 | "Id": "e2217c0e-04bb-4724-9580-91cf9871bc01", 1610 | "Description": "Read and create GroupQuota requests, get GroupQuota request status, and get groupQuotaLimits." 
1611 | }, 1612 | { 1613 | "Name": "Guest Configuration Resource Contributor", 1614 | "Id": "088ab73d-1256-47ae-bea9-9de8e7131f31", 1615 | "Description": "Lets you read, write Guest Configuration Resource." 1616 | }, 1617 | { 1618 | "Name": "HDInsight Cluster Operator", 1619 | "Id": "61ed4efc-fab3-44fd-b111-e24485cc132a", 1620 | "Description": "Lets you read and modify HDInsight cluster configurations." 1621 | }, 1622 | { 1623 | "Name": "HDInsight Domain Services Contributor", 1624 | "Id": "8d8d5a11-05d3-4bda-a417-a08778121c7c", 1625 | "Description": "Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package" 1626 | }, 1627 | { 1628 | "Name": "HDInsight on AKS Cluster Admin", 1629 | "Id": "fd036e6b-1266-47a0-b0bb-a05d04831731", 1630 | "Description": "Grants a user/group the ability to create, delete and manage clusters within a given cluster pool. Cluster Admin can also run workloads, monitor, and manage all user activity on these clusters." 1631 | }, 1632 | { 1633 | "Name": "HDInsight on AKS Cluster Pool Admin", 1634 | "Id": "7656b436-37d4-490a-a4ab-d39f838f0042", 1635 | "Description": "Can read, create, modify and delete HDInsight on AKS cluster pools and create clusters" 1636 | }, 1637 | { 1638 | "Name": "Health Bot Admin", 1639 | "Id": "f1082fec-a70f-419f-9230-885d2550fb38", 1640 | "Description": "Users with admin access can sign in, view and edit all of the bot resources, scenarios and configuration setting including the bot instance keys \u0026 secrets." 1641 | }, 1642 | { 1643 | "Name": "Health Bot Editor", 1644 | "Id": "af854a69-80ce-4ff7-8447-f1118a2e0ca8", 1645 | "Description": "Users with editor access can sign in, view and edit all the bot resources, scenarios and configuration setting except for the bot instance keys \u0026 secrets and the end-user inputs (including Feedback, Unrecognized utterances and Conversation logs). A read-only access to the bot skills and channels." 
1646 | }, 1647 | { 1648 | "Name": "Health Bot Reader", 1649 | "Id": "eb5a76d5-50e7-4c33-a449-070e7c9c4cf2", 1650 | "Description": "Users with reader access can sign in, have read-only access to the bot resources, scenarios and configuration setting except for the bot instance keys \u0026 secrets (including Authentication, Data Connection and Channels keys) and the end-user inputs (including Feedback, Unrecognized utterances and Conversation logs)." 1651 | }, 1652 | { 1653 | "Name": "Hierarchy Settings Administrator", 1654 | "Id": "350f8d15-c687-4448-8ae1-157740a3936d", 1655 | "Description": "Allows users to edit and delete Hierarchy Settings" 1656 | }, 1657 | { 1658 | "Name": "Hybrid Server Onboarding", 1659 | "Id": "5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb", 1660 | "Description": "Can onboard new Hybrid servers to the Hybrid Resource Provider." 1661 | }, 1662 | { 1663 | "Name": "Hybrid Server Resource Administrator", 1664 | "Id": "48b40c6e-82e0-4eb3-90d5-19e40f49b624", 1665 | "Description": "Can read, write, delete, and re-onboard Hybrid servers to the Hybrid Resource Provider." 1666 | }, 1667 | { 1668 | "Name": "Impact Reader", 1669 | "Id": "68ff5d27-c7f5-4fa9-a21c-785d0df7bd9e", 1670 | "Description": "Allows read-only access to reported impacts and impact categories" 1671 | }, 1672 | { 1673 | "Name": "Impact Reporter", 1674 | "Id": "36e80216-a7e8-4f42-a7e1-f12c98cbaf8a", 1675 | "Description": "Allows access to create/report, read and delete impacts" 1676 | }, 1677 | { 1678 | "Name": "Integration Service Environment Contributor", 1679 | "Id": "a41e2c5b-bd99-4a07-88f4-9bf657a760b8", 1680 | "Description": "Lets you manage integration service environments, but not access to them." 1681 | }, 1682 | { 1683 | "Name": "Integration Service Environment Developer", 1684 | "Id": "c7aa55d3-1abb-444a-a5ca-5e51e485d6ec", 1685 | "Description": "Allows developers to create and update workflows, integration accounts and API connections in integration service environments." 
1686 | }, 1687 | { 1688 | "Name": "Intelligent Systems Account Contributor", 1689 | "Id": "03a6d094-3444-4b3d-88af-7477090a9e5e", 1690 | "Description": "Lets you manage Intelligent Systems accounts, but not access to them." 1691 | }, 1692 | { 1693 | "Name": "IoT Hub Data Contributor", 1694 | "Id": "4fc6c259-987e-4a07-842e-c321cc9d413f", 1695 | "Description": "Allows for full access to IoT Hub data plane operations." 1696 | }, 1697 | { 1698 | "Name": "IoT Hub Data Reader", 1699 | "Id": "b447c946-2db7-41ec-983d-d8bf3b1c77e3", 1700 | "Description": "Allows for full read access to IoT Hub data-plane properties" 1701 | }, 1702 | { 1703 | "Name": "IoT Hub Registry Contributor", 1704 | "Id": "4ea46cd5-c1b2-4a8e-910b-273211f9ce47", 1705 | "Description": "Allows for full access to IoT Hub device registry." 1706 | }, 1707 | { 1708 | "Name": "IoT Hub Twin Contributor", 1709 | "Id": "494bdba2-168f-4f31-a0a1-191d2f7c028c", 1710 | "Description": "Allows for read and write access to all IoT Hub device and module twins." 1711 | }, 1712 | { 1713 | "Name": "IPAM Pool User", 1714 | "Id": "7b3e853f-ad5d-4fb5-a7b8-56a3581c7037", 1715 | "Description": "Read IPAM Pools and child resources. Create and remove associations. This role is in preview and subject to change." 1716 | }, 1717 | { 1718 | "Name": "Key Vault Administrator", 1719 | "Id": "00482a5a-887f-4fb3-b363-3b7fe8e74483", 1720 | "Description": "Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the \u0027Azure role-based access control\u0027 permission model." 1721 | }, 1722 | { 1723 | "Name": "Key Vault Certificate User", 1724 | "Id": "db79e9a7-68ee-4b58-9aeb-b90e7c24fcba", 1725 | "Description": "Read certificate contents. Only works for key vaults that use the \u0027Azure role-based access control\u0027 permission model." 
1726 | }, 1727 | { 1728 | "Name": "Key Vault Certificates Officer", 1729 | "Id": "a4417e6f-fecd-4de8-b567-7b0420556985", 1730 | "Description": "Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the \u0027Azure role-based access control\u0027 permission model." 1731 | }, 1732 | { 1733 | "Name": "Key Vault Contributor", 1734 | "Id": "f25e0fa2-a7c8-4377-a976-54943a77a395", 1735 | "Description": "Lets you manage key vaults, but not access to them." 1736 | }, 1737 | { 1738 | "Name": "Key Vault Crypto Officer", 1739 | "Id": "14b46e9e-c2b7-41b4-b07b-48a6ebf60603", 1740 | "Description": "Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the \u0027Azure role-based access control\u0027 permission model." 1741 | }, 1742 | { 1743 | "Name": "Key Vault Crypto Service Encryption User", 1744 | "Id": "e147488a-f6f5-4113-8e2d-b22465e65bf6", 1745 | "Description": "Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the \u0027Azure role-based access control\u0027 permission model." 1746 | }, 1747 | { 1748 | "Name": "Key Vault Crypto Service Release User", 1749 | "Id": "08bbd89e-9f13-488c-ac41-acfcb10c90ab", 1750 | "Description": "Release keys. Only works for key vaults that use the \u0027Azure role-based access control\u0027 permission model." 1751 | }, 1752 | { 1753 | "Name": "Key Vault Crypto User", 1754 | "Id": "12338af0-0e69-4776-bea7-57ae8d297424", 1755 | "Description": "Perform cryptographic operations using keys. Only works for key vaults that use the \u0027Azure role-based access control\u0027 permission model." 
1756 | }, 1757 | { 1758 | "Name": "Key Vault Data Access Administrator", 1759 | "Id": "8b54135c-b56d-4d72-a534-26097cfdc8d8", 1760 | "Description": "Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments." 1761 | }, 1762 | { 1763 | "Name": "Key Vault Reader", 1764 | "Id": "21090545-7ca7-4776-b22c-e363652d74d2", 1765 | "Description": "Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the \u0027Azure role-based access control\u0027 permission model." 1766 | }, 1767 | { 1768 | "Name": "Key Vault Secrets Officer", 1769 | "Id": "b86a8fe4-44ce-4948-aee5-eccb2c155cd7", 1770 | "Description": "Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the \u0027Azure role-based access control\u0027 permission model." 1771 | }, 1772 | { 1773 | "Name": "Key Vault Secrets User", 1774 | "Id": "4633458b-17de-408a-b874-0445c86b69e6", 1775 | "Description": "Read secret contents. Only works for key vaults that use the \u0027Azure role-based access control\u0027 permission model." 
1776 | }, 1777 | { 1778 | "Name": "Knowledge Consumer", 1779 | "Id": "ee361c5d-f7b5-4119-b4b6-892157c8f64c", 1780 | "Description": "Knowledge Read permission to consume Enterprise Graph Knowledge using entity search and graph query" 1781 | }, 1782 | { 1783 | "Name": "Kubernetes Agent Operator", 1784 | "Id": "5e93ba01-8f92-4c7a-b12a-801e3df23824", 1785 | "Description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services" 1786 | }, 1787 | { 1788 | "Name": "Kubernetes Agentless Operator", 1789 | "Id": "d5a2ae44-610b-4500-93be-660a0c5f5ca6", 1790 | "Description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services" 1791 | }, 1792 | { 1793 | "Name": "Kubernetes Cluster - Azure Arc Onboarding", 1794 | "Id": "34e09817-6cbe-4d01-b1a2-e0eac5743d41", 1795 | "Description": "Role definition to authorize any user/service to create connectedClusters resource" 1796 | }, 1797 | { 1798 | "Name": "Kubernetes Extension Contributor", 1799 | "Id": "85cb6faf-e071-4c9b-8136-154b5a04f717", 1800 | "Description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations" 1801 | }, 1802 | { 1803 | "Name": "Kubernetes Namespace User", 1804 | "Id": "ba79058c-0414-4a34-9e42-c3399d80cd5a", 1805 | "Description": "Allows a user to read namespace resources and retrieve kubeconfig for the cluster" 1806 | }, 1807 | { 1808 | "Name": "KubernetesRuntime Storage Class Contributor Role", 1809 | "Id": "0cd9749a-3aaf-4ae5-8803-bd217705bf3b", 1810 | "Description": "Read, write, and delete KubernetesRuntime storage classes in an Arc connected Kubernetes cluster" 1811 | }, 1812 | { 1813 | "Name": "Lab Assistant", 1814 | "Id": "ce40b423-cede-4313-a93f-9b28290b72e1", 1815 | "Description": "The lab assistant role" 1816 | }, 1817 | { 1818 | "Name": "Lab Contributor", 1819 | "Id": "5daaa2af-1fe8-407c-9122-bba179798270", 1820 | "Description": "The lab contributor role" 1821 | }, 1822 | { 1823 | "Name": "Lab Creator", 1824 | "Id": 
"b97fb8bc-a8b2-4522-a38b-dd33c7e65ead", 1825 | "Description": "Lets you create new labs under your Azure Lab Accounts." 1826 | }, 1827 | { 1828 | "Name": "Lab Operator", 1829 | "Id": "a36e6959-b6be-4b12-8e9f-ef4b474d304d", 1830 | "Description": "The lab operator role" 1831 | }, 1832 | { 1833 | "Name": "Lab Services Contributor", 1834 | "Id": "f69b8690-cc87-41d6-b77a-a4bc3c0a966f", 1835 | "Description": "The lab services contributor role" 1836 | }, 1837 | { 1838 | "Name": "Lab Services Reader", 1839 | "Id": "2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc", 1840 | "Description": "The lab services reader role" 1841 | }, 1842 | { 1843 | "Name": "Landing Zone Management Owner", 1844 | "Id": "38863829-c2a4-4f8d-b1d2-2e325973ebc7", 1845 | "Description": "Microsoft.Sovereign Landing Zone Management Owner allowing to review and modify Landing Zone Configurations as well as reading and adding Landing Zone Registrations. Also enables read-access to policies and management groups for enabling the full user experience of the Sovereign Services RP in the Azure Portal (as otherwise some elements might not be accessible to end users)." 1846 | }, 1847 | { 1848 | "Name": "Landing Zone Management Reader", 1849 | "Id": "8fe6e843-6d9e-417b-9073-106b048f50bb", 1850 | "Description": "Microsoft.Sovereign Landing Zone Management Reader allowing to review Landing Zone Configurations and corresponding Registrations without the ability to modify. Also enables read-access to policies and management groups for enabling the full user experience of the Sovereign Services RP in the Azure Portal (as otherwise some elements might not be accessible to end users)." 1851 | }, 1852 | { 1853 | "Name": "Load Test Contributor", 1854 | "Id": "749a398d-560b-491b-bb21-08924219302e", 1855 | "Description": "View, create, update, delete and execute load tests. View and list load test resources but can not make any changes." 
1856 | }, 1857 | { 1858 | "Name": "Load Test Owner", 1859 | "Id": "45bb0b16-2f0c-4e78-afaa-a07599b003f6", 1860 | "Description": "Execute all operations on load test resources and load tests" 1861 | }, 1862 | { 1863 | "Name": "Load Test Reader", 1864 | "Id": "3ae3fb29-0000-4ccd-bf80-542e7b26e081", 1865 | "Description": "View and list all load tests and load test resources but can not make any changes" 1866 | }, 1867 | { 1868 | "Name": "LocalNGFirewallAdministrator role", 1869 | "Id": "a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2", 1870 | "Description": "Allows user to create, modify, describe, or delete NGFirewalls." 1871 | }, 1872 | { 1873 | "Name": "LocalRulestacksAdministrator role", 1874 | "Id": "bfc3b73d-c6ff-45eb-9a5f-40298295bf20", 1875 | "Description": "Allows users to create, modify, describe, or delete Rulestacks." 1876 | }, 1877 | { 1878 | "Name": "Log Analytics Contributor", 1879 | "Id": "92aaf0da-9dab-42b6-94a3-d43ce8d16293", 1880 | "Description": "Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources." 1881 | }, 1882 | { 1883 | "Name": "Log Analytics Reader", 1884 | "Id": "73c42c96-874c-492b-b04d-ab87d138a893", 1885 | "Description": "Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources." 1886 | }, 1887 | { 1888 | "Name": "Logic App Contributor", 1889 | "Id": "87a39d53-fc1b-424a-814c-f7e04687dc9e", 1890 | "Description": "Lets you manage logic app, but not access to them." 1891 | }, 1892 | { 1893 | "Name": "Logic App Operator", 1894 | "Id": "515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", 1895 | "Description": "Lets you read, enable and disable logic app." 
1896 | }, 1897 | { 1898 | "Name": "Logic Apps Standard Contributor (Preview)", 1899 | "Id": "ad710c24-b039-4e85-a019-deb4a06e8570", 1900 | "Description": "You can manage all aspects of a Standard logic app and workflows. You can\u0027t change access or ownership." 1901 | }, 1902 | { 1903 | "Name": "Logic Apps Standard Developer (Preview)", 1904 | "Id": "523776ba-4eb2-4600-a3c8-f2dc93da4bdb", 1905 | "Description": "You can create and edit workflows, connections, and settings for a Standard logic app. You can\u0027t make changes outside the workflow scope." 1906 | }, 1907 | { 1908 | "Name": "Logic Apps Standard Operator (Preview)", 1909 | "Id": "b70c96e9-66fe-4c09-b6e7-c98e69c98555", 1910 | "Description": "You can enable and disable the logic app, resubmit workflow runs, as well as create connections. You can\u0027t edit workflows or settings." 1911 | }, 1912 | { 1913 | "Name": "Logic Apps Standard Reader (Preview)", 1914 | "Id": "4accf36b-2c05-432f-91c8-5c532dff4c73", 1915 | "Description": "You have read-only access to all resources in a Standard logic app and workflows, including the workflow runs and their history." 1916 | }, 1917 | { 1918 | "Name": "Managed Application Contributor Role", 1919 | "Id": "641177b8-a67a-45b9-a033-47bc880bb21e", 1920 | "Description": "Allows for creating managed application resources." 1921 | }, 1922 | { 1923 | "Name": "Managed Application Operator Role", 1924 | "Id": "c7393b34-138c-406f-901b-d8cf2b17e6ae", 1925 | "Description": "Lets you read and perform actions on Managed Application resources" 1926 | }, 1927 | { 1928 | "Name": "Managed Applications Reader", 1929 | "Id": "b9331d33-8a36-4f8c-b097-4f54124fdb44", 1930 | "Description": "Lets you read resources in a managed app and request JIT access." 1931 | }, 1932 | { 1933 | "Name": "Managed HSM contributor", 1934 | "Id": "18500a29-7fe2-46b2-a342-b16a415e101d", 1935 | "Description": "Lets you manage managed HSM pools, but not access to them." 
1936 | }, 1937 | { 1938 | "Name": "Managed Identity Contributor", 1939 | "Id": "e40ec5ca-96e0-45a2-b4ff-59039f2c2b59", 1940 | "Description": "Create, Read, Update, and Delete User Assigned Identity" 1941 | }, 1942 | { 1943 | "Name": "Managed Identity Operator", 1944 | "Id": "f1a07417-d97a-45cb-824c-7a7467783830", 1945 | "Description": "Read and Assign User Assigned Identity" 1946 | }, 1947 | { 1948 | "Name": "Managed Services Registration assignment Delete Role", 1949 | "Id": "91c1777a-f3dc-4fae-b103-61d183457e46", 1950 | "Description": "Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant." 1951 | }, 1952 | { 1953 | "Name": "Management Group Contributor", 1954 | "Id": "5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c", 1955 | "Description": "Management Group Contributor Role" 1956 | }, 1957 | { 1958 | "Name": "Management Group Reader", 1959 | "Id": "ac63b705-f282-497d-ac71-919bf39d939d", 1960 | "Description": "Management Group Reader Role" 1961 | }, 1962 | { 1963 | "Name": "Media Services Account Administrator", 1964 | "Id": "054126f8-9a2b-4f1c-a9ad-eca461f08466", 1965 | "Description": "Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources." 1966 | }, 1967 | { 1968 | "Name": "Media Services Live Events Administrator", 1969 | "Id": "532bc159-b25e-42c0-969e-a1d439f60d77", 1970 | "Description": "Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources." 1971 | }, 1972 | { 1973 | "Name": "Media Services Media Operator", 1974 | "Id": "e4395492-1534-4db2-bedf-88c14621589c", 1975 | "Description": "Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources." 
1976 | }, 1977 | { 1978 | "Name": "Media Services Policy Administrator", 1979 | "Id": "c4bba371-dacd-4a26-b320-7250bca963ae", 1980 | "Description": "Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets or Streaming resources." 1981 | }, 1982 | { 1983 | "Name": "Media Services Streaming Endpoints Administrator", 1984 | "Id": "99dba123-b5fe-44d5-874c-ced7199a5804", 1985 | "Description": "Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources." 1986 | }, 1987 | { 1988 | "Name": "Microsoft Sentinel Automation Contributor", 1989 | "Id": "f4c81013-99ee-4d62-a7ee-b3f1f648599a", 1990 | "Description": "Microsoft Sentinel Automation Contributor" 1991 | }, 1992 | { 1993 | "Name": "Microsoft Sentinel Business Applications Agent Operator", 1994 | "Id": "c18f9900-27b8-47c7-a8f0-5b3b3d4c2bc2", 1995 | "Description": "List and update actions on a business applications system. This role is in preview and subject to change." 
1996 | }, 1997 | { 1998 | "Name": "Microsoft Sentinel Contributor", 1999 | "Id": "ab8e14d6-4a74-4a29-9ba8-549422addade", 2000 | "Description": "Microsoft Sentinel Contributor" 2001 | }, 2002 | { 2003 | "Name": "Microsoft Sentinel Playbook Operator", 2004 | "Id": "51d6186e-6489-4900-b93f-92e23144cca5", 2005 | "Description": "Microsoft Sentinel Playbook Operator" 2006 | }, 2007 | { 2008 | "Name": "Microsoft Sentinel Reader", 2009 | "Id": "8d289c81-5878-46d4-8554-54e1e3d8b5cb", 2010 | "Description": "Microsoft Sentinel Reader" 2011 | }, 2012 | { 2013 | "Name": "Microsoft Sentinel Responder", 2014 | "Id": "3e150937-b8fe-4cfb-8069-0eaf05ecd056", 2015 | "Description": "Microsoft Sentinel Responder" 2016 | }, 2017 | { 2018 | "Name": "Microsoft.Kubernetes connected cluster role", 2019 | "Id": "5548b2cf-c94c-4228-90ba-30851930a12f", 2020 | "Description": "Microsoft.Kubernetes connected cluster role." 2021 | }, 2022 | { 2023 | "Name": "Monitoring Contributor", 2024 | "Id": "749f88d5-cbae-40b8-bcfc-e573ddc772fa", 2025 | "Description": "Can read all monitoring data and update monitoring settings." 2026 | }, 2027 | { 2028 | "Name": "Monitoring Data Reader", 2029 | "Id": "b0d8363b-8ddd-447d-831f-62ca05bff136", 2030 | "Description": "Can access the data in an Azure Monitor Workspace." 2031 | }, 2032 | { 2033 | "Name": "Monitoring Metrics Publisher", 2034 | "Id": "3913510d-42f4-4e42-8a64-420c390055eb", 2035 | "Description": "Enables publishing metrics against Azure resources" 2036 | }, 2037 | { 2038 | "Name": "Monitoring Reader", 2039 | "Id": "43d0d8ad-25c7-4714-9337-8ba259a9fe05", 2040 | "Description": "Can read all monitoring data." 
2041 | }, 2042 | { 2043 | "Name": "MySQL Backup And Export Operator", 2044 | "Id": "d18ad5f3-1baf-4119-b49b-d944edb1f9d0", 2045 | "Description": "Grants full access to manage backup and export resources" 2046 | }, 2047 | { 2048 | "Name": "Network Contributor", 2049 | "Id": "4d97b98b-1d4f-4787-a291-c67834d212e7", 2050 | "Description": "Lets you manage networks, but not access to them." 2051 | }, 2052 | { 2053 | "Name": "New Relic APM Account Contributor", 2054 | "Id": "5d28c62d-5b37-4476-8438-e587778df237", 2055 | "Description": "Lets you manage New Relic Application Performance Management accounts and applications, but not access to them." 2056 | }, 2057 | { 2058 | "Name": "Object Anchors Account Owner", 2059 | "Id": "ca0835dd-bacc-42dd-8ed2-ed5e7230d15b", 2060 | "Description": "Provides user with ingestion capabilities for an object anchors account." 2061 | }, 2062 | { 2063 | "Name": "Object Anchors Account Reader", 2064 | "Id": "4a167cdf-cb95-4554-9203-2347fe489bd9", 2065 | "Description": "Lets you read ingestion jobs for an object anchors account." 2066 | }, 2067 | { 2068 | "Name": "Object Understanding Account Owner", 2069 | "Id": "4dd61c23-6743-42fe-a388-d8bdd41cb745", 2070 | "Description": "Provides user with ingestion capabilities for Azure Object Understanding." 2071 | }, 2072 | { 2073 | "Name": "Object Understanding Account Reader", 2074 | "Id": "d18777c0-1514-4662-8490-608db7d334b6", 2075 | "Description": "Lets you read ingestion jobs for an object understanding account." 2076 | }, 2077 | { 2078 | "Name": "Operator Nexus Key Vault Writer Service Role (Preview)", 2079 | "Id": "44f0a1a8-6fea-4b35-980a-8ff50c487c97", 2080 | "Description": "(Preview) Provides Azure Operator Nexus services the ability to write to a Key Vault. This role is in preview and subject to change." 
2081 | }, 2082 | { 2083 | "Name": "Oracle Subscriptions Manager Built-in Role", 2084 | "Id": "4caf51ec-f9f5-413f-8a94-b9f5fddba66b", 2085 | "Description": "Grants full access to manage all Oracle Subscriptions resources" 2086 | }, 2087 | { 2088 | "Name": "Oracle.Database Owner Built-in Role", 2089 | "Id": "4562aac9-b209-4bd7-a144-6d7f3bb516f4", 2090 | "Description": "Grants full access to manage all Oracle.Database resources" 2091 | }, 2092 | { 2093 | "Name": "Oracle.Database VmCluster Administrator Built-in Role", 2094 | "Id": "e9ce8739-6fa2-4123-a0a2-0ef41a67806f", 2095 | "Description": "Grants full access to manage all VmCluster resources" 2096 | }, 2097 | { 2098 | "Name": "Owner", 2099 | "Id": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", 2100 | "Description": "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC." 2101 | }, 2102 | { 2103 | "Name": "PlayFab Contributor", 2104 | "Id": "0c8b84dc-067c-4039-9615-fa1a4b77c726", 2105 | "Description": "Provides contributor access to PlayFab resources" 2106 | }, 2107 | { 2108 | "Name": "PlayFab Reader", 2109 | "Id": "a9a19cc5-31f4-447c-901f-56c0bb18fcaf", 2110 | "Description": "Provides read access to PlayFab resources" 2111 | }, 2112 | { 2113 | "Name": "Policy Insights Data Writer (Preview)", 2114 | "Id": "66bb4e9e-b016-4a94-8249-4c0511c2be84", 2115 | "Description": "Allows read access to resource policies and write access to resource component policy events." 2116 | }, 2117 | { 2118 | "Name": "PostgreSQL Flexible Server Long Term Retention Backup Role", 2119 | "Id": "c088a766-074b-43ba-90d4-1fb21feae531", 2120 | "Description": "Role to allow backup vault to access PostgreSQL Flexible Server Resource APIs for Long Term Retention Backup." 2121 | }, 2122 | { 2123 | "Name": "Private DNS Zone Contributor", 2124 | "Id": "b12aa53e-6015-4669-85d0-8515ebb3ae7f", 2125 | "Description": "Lets you manage private DNS zone resources, but not the virtual networks they are linked to." 
2126 | }, 2127 | { 2128 | "Name": "Procurement Contributor", 2129 | "Id": "be1a1ac2-09d3-4261-9e57-a73a6e227f53", 2130 | "Description": "Lets you manage the procurement of products and services." 2131 | }, 2132 | { 2133 | "Name": "Project Babylon Data Curator", 2134 | "Id": "9ef4ef9c-a049-46b0-82ab-dd8ac094c889", 2135 | "Description": "The Microsoft.ProjectBabylon data curator can create, read, modify and delete catalog data objects and establish relationships between objects. This role is in preview and subject to change." 2136 | }, 2137 | { 2138 | "Name": "Project Babylon Data Reader", 2139 | "Id": "c8d896ba-346d-4f50-bc1d-7d1c84130446", 2140 | "Description": "The Microsoft.ProjectBabylon data reader can read catalog data objects. This role is in preview and subject to change." 2141 | }, 2142 | { 2143 | "Name": "Project Babylon Data Source Administrator", 2144 | "Id": "05b7651b-dc44-475e-b74d-df3db49fae0f", 2145 | "Description": "The Microsoft.ProjectBabylon data source administrator can manage data sources and data scans. This role is in preview and subject to change." 2146 | }, 2147 | { 2148 | "Name": "Purview role 1 (Deprecated)", 2149 | "Id": "8a3c2885-9b38-4fd2-9d99-91af537c1347", 2150 | "Description": "Deprecated role." 2151 | }, 2152 | { 2153 | "Name": "Purview role 2 (Deprecated)", 2154 | "Id": "200bba9e-f0c8-430f-892b-6f0794863803", 2155 | "Description": "Deprecated role." 2156 | }, 2157 | { 2158 | "Name": "Purview role 3 (Deprecated)", 2159 | "Id": "ff100721-1b9d-43d8-af52-42b69c1272db", 2160 | "Description": "Deprecated role." 2161 | }, 2162 | { 2163 | "Name": "Quota Request Operator", 2164 | "Id": "0e5f05e5-9ab9-446b-b98d-1e2157c94125", 2165 | "Description": "Read and create quota requests, get quota request status, and create support tickets." 2166 | }, 2167 | { 2168 | "Name": "Reader", 2169 | "Id": "acdd72a7-3385-48ef-bd42-f606fba81ae7", 2170 | "Description": "View all resources, but does not allow you to make any changes." 
2171 | }, 2172 | { 2173 | "Name": "Reader and Data Access", 2174 | "Id": "c12c1c16-33a1-487b-954d-41c89c60f349", 2175 | "Description": "Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys." 2176 | }, 2177 | { 2178 | "Name": "Redis Cache Contributor", 2179 | "Id": "e0f68234-74aa-48ed-b826-c38b57376e17", 2180 | "Description": "Lets you manage Redis caches, but not access to them." 2181 | }, 2182 | { 2183 | "Name": "Remote Rendering Administrator", 2184 | "Id": "3df8b902-2a6f-47c7-8cc5-360e9b272a7e", 2185 | "Description": "Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering" 2186 | }, 2187 | { 2188 | "Name": "Remote Rendering Client", 2189 | "Id": "d39065c4-c120-43c9-ab0a-63eed9795f0a", 2190 | "Description": "Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering." 2191 | }, 2192 | { 2193 | "Name": "Reservation Purchaser", 2194 | "Id": "f7b75c60-3036-4b75-91c3-6b41c27c1689", 2195 | "Description": "Lets you purchase reservations" 2196 | }, 2197 | { 2198 | "Name": "Resource Policy Contributor", 2199 | "Id": "36243c78-bf99-498c-9df9-86d9f8d28608", 2200 | "Description": "Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy." 2201 | }, 2202 | { 2203 | "Name": "Role Based Access Control Administrator", 2204 | "Id": "f58310d9-a9f6-439a-9e8d-f62e7b41a168", 2205 | "Description": "Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy." 
2206 | }, 2207 | { 2208 | "Name": "SaaS Hub Contributor", 2209 | "Id": "e9b8712a-cbcf-4ea7-b0f7-e71b803401e6", 2210 | "Description": "SaaS Hub contributor can manage SaaS Hub resource" 2211 | }, 2212 | { 2213 | "Name": "Savings plan Administrator", 2214 | "Id": "182a574c-b3c6-4acc-b019-48ae44cd4677", 2215 | "Description": "Lets one read and manage all the savings plans in a tenant" 2216 | }, 2217 | { 2218 | "Name": "Savings plan Purchaser", 2219 | "Id": "3d24a3a0-c154-4f6f-a5ed-adc8e01ddb74", 2220 | "Description": "Lets you purchase savings plans" 2221 | }, 2222 | { 2223 | "Name": "Savings plan Reader", 2224 | "Id": "d534ad90-4ac5-4815-a178-b2e47397baab", 2225 | "Description": "Lets you read all savings plans in a tenant" 2226 | }, 2227 | { 2228 | "Name": "Scheduled Patching Contributor", 2229 | "Id": "cd08ab90-6b14-449c-ad9a-8f8e549482c6", 2230 | "Description": "Provides access to manage maintenance configurations with maintenance scope InGuestPatch and corresponding configuration assignments" 2231 | }, 2232 | { 2233 | "Name": "Scheduler Job Collections Contributor", 2234 | "Id": "188a0f2f-5c9e-469b-ae67-2aa5ce574b94", 2235 | "Description": "Lets you manage Scheduler job collections, but not access to them." 2236 | }, 2237 | { 2238 | "Name": "Schema Registry Contributor (Preview)", 2239 | "Id": "5dffeca3-4936-4216-b2bc-10343a5abb25", 2240 | "Description": "Read, write, and delete Schema Registry groups and schemas." 2241 | }, 2242 | { 2243 | "Name": "Schema Registry Reader (Preview)", 2244 | "Id": "2c56ea50-c6b3-40a6-83c0-9d98858bc7d2", 2245 | "Description": "Read and list Schema Registry groups and schemas." 2246 | }, 2247 | { 2248 | "Name": "Search Index Data Contributor", 2249 | "Id": "8ebe5a00-799e-43f5-93ac-243d3dce84a7", 2250 | "Description": "Grants full access to Azure Cognitive Search index data." 
2251 | }, 2252 | { 2253 | "Name": "Search Index Data Reader", 2254 | "Id": "1407120a-92aa-4202-b7e9-c0e197c71c8f", 2255 | "Description": "Grants read access to Azure Cognitive Search index data." 2256 | }, 2257 | { 2258 | "Name": "Search Parameter Manager", 2259 | "Id": "a02f7c31-354d-4106-865a-deedf37fa038", 2260 | "Description": "Role allows user or principal access to $status and $reindex to update search parameters" 2261 | }, 2262 | { 2263 | "Name": "Search Service Contributor", 2264 | "Id": "7ca78c08-252a-4471-8644-bb5ff32d4ba0", 2265 | "Description": "Lets you manage Search services, but not access to them." 2266 | }, 2267 | { 2268 | "Name": "Security Admin", 2269 | "Id": "fb1c8493-542b-48eb-b624-b4c8fea62acd", 2270 | "Description": "Security Admin Role" 2271 | }, 2272 | { 2273 | "Name": "Security Assessment Contributor", 2274 | "Id": "612c2aa1-cb24-443b-ac28-3ab7272de6f5", 2275 | "Description": "Lets you push assessments to Security Center" 2276 | }, 2277 | { 2278 | "Name": "Security Detonation Chamber Publisher", 2279 | "Id": "352470b3-6a9c-4686-b503-35deb827e500", 2280 | "Description": "Allowed to publish and modify platforms, workflows and toolsets to Security Detonation Chamber" 2281 | }, 2282 | { 2283 | "Name": "Security Detonation Chamber Reader", 2284 | "Id": "28241645-39f8-410b-ad48-87863e2951d5", 2285 | "Description": "Allowed to query submission info and files from Security Detonation Chamber" 2286 | }, 2287 | { 2288 | "Name": "Security Detonation Chamber Submission Manager", 2289 | "Id": "a37b566d-3efa-4beb-a2f2-698963fa42ce", 2290 | "Description": "Allowed to create and manage submissions to Security Detonation Chamber" 2291 | }, 2292 | { 2293 | "Name": "Security Detonation Chamber Submitter", 2294 | "Id": "0b555d9b-b4a7-4f43-b330-627f0e5be8f0", 2295 | "Description": "Allowed to create submissions to Security Detonation Chamber" 2296 | }, 2297 | { 2298 | "Name": "Security Manager (Legacy)", 2299 | "Id": "e3d13bf0-dd5a-482e-ba6b-9b8433878d10", 
2300 | "Description": "This is a legacy role. Please use Security Administrator instead" 2301 | }, 2302 | { 2303 | "Name": "Security Reader", 2304 | "Id": "39bc4728-0917-49c7-9d2c-d95423bc2eb4", 2305 | "Description": "Security Reader Role" 2306 | }, 2307 | { 2308 | "Name": "Services Hub Operator", 2309 | "Id": "82200a5b-e217-47a5-b665-6d8765ee745b", 2310 | "Description": "Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors." 2311 | }, 2312 | { 2313 | "Name": "SignalR AccessKey Reader", 2314 | "Id": "04165923-9d83-45d5-8227-78b77b0a687e", 2315 | "Description": "Read SignalR Service Access Keys" 2316 | }, 2317 | { 2318 | "Name": "SignalR App Server", 2319 | "Id": "420fcaa2-552c-430f-98ca-3264be4806c7", 2320 | "Description": "Lets your app server access SignalR Service with AAD auth options." 2321 | }, 2322 | { 2323 | "Name": "SignalR REST API Owner", 2324 | "Id": "fd53cd77-2268-407a-8f46-7e7863d0f521", 2325 | "Description": "Full access to Azure SignalR Service REST APIs" 2326 | }, 2327 | { 2328 | "Name": "SignalR REST API Reader", 2329 | "Id": "ddde6b66-c0df-4114-a159-3618637b3035", 2330 | "Description": "Read-only access to Azure SignalR Service REST APIs" 2331 | }, 2332 | { 2333 | "Name": "SignalR Service Owner", 2334 | "Id": "7e4f1700-ea5a-4f59-8f37-079cfe29dce3", 2335 | "Description": "Full access to Azure SignalR Service REST APIs" 2336 | }, 2337 | { 2338 | "Name": "SignalR/Web PubSub Contributor", 2339 | "Id": "8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761", 2340 | "Description": "Create, Read, Update, and Delete SignalR service resources" 2341 | }, 2342 | { 2343 | "Name": "Site Recovery Contributor", 2344 | "Id": "6670b86e-a3f7-4917-ac9b-5d6ab1be4567", 2345 | "Description": "Lets you manage Site Recovery service except vault creation and role assignment" 2346 | }, 2347 | { 2348 | "Name": "Site Recovery Operator", 2349 | "Id": "494ae006-db33-4328-bf46-533a6560a3ca", 2350 | "Description": "Lets you 
failover and failback but not perform other Site Recovery management operations" 2351 | }, 2352 | { 2353 | "Name": "Site Recovery Reader", 2354 | "Id": "dbaa88c4-0c30-4179-9fb3-46319faa6149", 2355 | "Description": "Lets you view Site Recovery status but not perform other management operations" 2356 | }, 2357 | { 2358 | "Name": "Spatial Anchors Account Contributor", 2359 | "Id": "8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827", 2360 | "Description": "Lets you manage spatial anchors in your account, but not delete them" 2361 | }, 2362 | { 2363 | "Name": "Spatial Anchors Account Owner", 2364 | "Id": "70bbe301-9835-447d-afdd-19eb3167307c", 2365 | "Description": "Lets you manage spatial anchors in your account, including deleting them" 2366 | }, 2367 | { 2368 | "Name": "Spatial Anchors Account Reader", 2369 | "Id": "5d51204f-eb77-4b1c-b86a-2ec626c49413", 2370 | "Description": "Lets you locate and read properties of spatial anchors in your account" 2371 | }, 2372 | { 2373 | "Name": "SpatialMapsAccounts Account Owner", 2374 | "Id": "e9c9ed2b-2a99-4071-b2ff-5b113ebf73a1", 2375 | "Description": "Lets you manage data in your account, including deleting them" 2376 | }, 2377 | { 2378 | "Name": "SQL DB Contributor", 2379 | "Id": "9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", 2380 | "Description": "Lets you manage SQL databases, but not access to them. Also, you can\u0027t manage their security-related policies or their parent SQL servers." 2381 | }, 2382 | { 2383 | "Name": "SQL Managed Instance Contributor", 2384 | "Id": "4939a1f6-9ae0-4e48-a1e0-f2cbe897382d", 2385 | "Description": "Lets you manage SQL Managed Instances and required network configuration, but can’t give access to others." 2386 | }, 2387 | { 2388 | "Name": "SQL Security Manager", 2389 | "Id": "056cd41c-7e88-42e1-933e-88ba6a50c9c3", 2390 | "Description": "Lets you manage the security-related policies of SQL servers and databases, but not access to them." 
2391 | }, 2392 | { 2393 | "Name": "SQL Server Contributor", 2394 | "Id": "6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437", 2395 | "Description": "Lets you manage SQL servers and databases, but not access to them, and not their security -related policies." 2396 | }, 2397 | { 2398 | "Name": "SqlDb Migration Role", 2399 | "Id": "189207d4-bb67-4208-a635-b06afe8b2c57", 2400 | "Description": "Role for SqlDb migration" 2401 | }, 2402 | { 2403 | "Name": "SqlMI Migration Role", 2404 | "Id": "1d335eef-eee1-47fe-a9e0-53214eba8872", 2405 | "Description": "Role for SqlMI migration" 2406 | }, 2407 | { 2408 | "Name": "SqlVM Migration Role", 2409 | "Id": "ae8036db-e102-405b-a1b9-bae082ea436d", 2410 | "Description": "Role for SqlVM migration" 2411 | }, 2412 | { 2413 | "Name": "Storage Account Backup Contributor", 2414 | "Id": "e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1", 2415 | "Description": "Lets you perform backup and restore operations using Azure Backup on the storage account." 2416 | }, 2417 | { 2418 | "Name": "Storage Account Contributor", 2419 | "Id": "17d1049b-9a84-46fb-8f53-869881c3d3ab", 2420 | "Description": "Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data." 
2421 | }, 2422 | { 2423 | "Name": "Storage Account Encryption Scope Contributor Role", 2424 | "Id": "a316ed6d-1efe-48ac-ac08-f7995a9c26fb", 2425 | "Description": "Allows management of Encryption Scopes on a Storage Account" 2426 | }, 2427 | { 2428 | "Name": "Storage Account Key Operator Service Role", 2429 | "Id": "81a9662b-bebf-436f-a333-f67b29880f12", 2430 | "Description": "Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts" 2431 | }, 2432 | { 2433 | "Name": "Storage Blob Data Contributor", 2434 | "Id": "ba92f5b4-2d11-453d-a403-e96b0029c9fe", 2435 | "Description": "Allows for read, write and delete access to Azure Storage blob containers and data" 2436 | }, 2437 | { 2438 | "Name": "Storage Blob Data Owner", 2439 | "Id": "b7e6dc6d-f1e8-4753-8033-0f276bb0955b", 2440 | "Description": "Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control." 2441 | }, 2442 | { 2443 | "Name": "Storage Blob Data Reader", 2444 | "Id": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", 2445 | "Description": "Allows for read access to Azure Storage blob containers and data" 2446 | }, 2447 | { 2448 | "Name": "Storage Blob Delegator", 2449 | "Id": "db58b8e5-c6ad-4a2a-8342-4190687cbf4a", 2450 | "Description": "Allows for generation of a user delegation key which can be used to sign SAS tokens" 2451 | }, 2452 | { 2453 | "Name": "Storage File Data Privileged Contributor", 2454 | "Id": "69566ab7-960f-475b-8e7c-b3118f30c6bd", 2455 | "Description": "Customer has read, write, delete and modify NTFS permission access on Azure Storage file shares." 2456 | }, 2457 | { 2458 | "Name": "Storage File Data Privileged Reader", 2459 | "Id": "b8eda974-7b85-4f76-af95-65846b26df6d", 2460 | "Description": "Customer has read access on Azure Storage file shares." 
2461 | }, 2462 | { 2463 | "Name": "Storage File Data SMB Share Contributor", 2464 | "Id": "0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", 2465 | "Description": "Allows for read, write, and delete access in Azure Storage file shares over SMB" 2466 | }, 2467 | { 2468 | "Name": "Storage File Data SMB Share Elevated Contributor", 2469 | "Id": "a7264617-510b-434b-a828-9731dc254ea7", 2470 | "Description": "Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB" 2471 | }, 2472 | { 2473 | "Name": "Storage File Data SMB Share Reader", 2474 | "Id": "aba4ae5f-2193-4029-9191-0cb91df5e314", 2475 | "Description": "Allows for read access to Azure File Share over SMB" 2476 | }, 2477 | { 2478 | "Name": "Storage Queue Data Contributor", 2479 | "Id": "974c5e8b-45b9-4653-ba55-5f855dd0fb88", 2480 | "Description": "Allows for read, write, and delete access to Azure Storage queues and queue messages" 2481 | }, 2482 | { 2483 | "Name": "Storage Queue Data Message Processor", 2484 | "Id": "8a0f0c08-91a1-4084-bc3d-661d67233fed", 2485 | "Description": "Allows for peek, receive, and delete access to Azure Storage queue messages" 2486 | }, 2487 | { 2488 | "Name": "Storage Queue Data Message Sender", 2489 | "Id": "c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", 2490 | "Description": "Allows for sending of Azure Storage queue messages" 2491 | }, 2492 | { 2493 | "Name": "Storage Queue Data Reader", 2494 | "Id": "19e7f393-937e-4f77-808e-94535e297925", 2495 | "Description": "Allows for read access to Azure Storage queues and queue messages" 2496 | }, 2497 | { 2498 | "Name": "Storage Table Data Contributor", 2499 | "Id": "0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3", 2500 | "Description": "Allows for read, write and delete access to Azure Storage tables and entities" 2501 | }, 2502 | { 2503 | "Name": "Storage Table Data Reader", 2504 | "Id": "76199698-9eea-4c19-bc75-cec21354c6b6", 2505 | "Description": "Allows for read access to Azure Storage tables and entities" 2506 | }, 
2507 | { 2508 | "Name": "Stream Analytics Query Tester", 2509 | "Id": "1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf", 2510 | "Description": "Lets you perform query testing without creating a stream analytics job first" 2511 | }, 2512 | { 2513 | "Name": "Support Request Contributor", 2514 | "Id": "cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e", 2515 | "Description": "Lets you create and manage Support requests" 2516 | }, 2517 | { 2518 | "Name": "Tag Contributor", 2519 | "Id": "4a9ae827-6dc8-4573-8ac7-8239d42aa03f", 2520 | "Description": "Lets you manage tags on entities, without providing access to the entities themselves." 2521 | }, 2522 | { 2523 | "Name": "Template Spec Contributor", 2524 | "Id": "1c9b6475-caf0-4164-b5a1-2142a7116f4b", 2525 | "Description": "Allows full access to Template Spec operations at the assigned scope." 2526 | }, 2527 | { 2528 | "Name": "Template Spec Reader", 2529 | "Id": "392ae280-861d-42bd-9ea5-08ee6d83b80e", 2530 | "Description": "Allows read access to Template Specs at the assigned scope." 2531 | }, 2532 | { 2533 | "Name": "Test Base Reader", 2534 | "Id": "15e0f5a1-3450-4248-8e25-e2afe88a9e85", 2535 | "Description": "Lets you view and download packages and test results." 2536 | }, 2537 | { 2538 | "Name": "Traffic Manager Contributor", 2539 | "Id": "a4b10055-b0c7-44c2-b00f-c7b5b3550cf7", 2540 | "Description": "Lets you manage Traffic Manager profiles, but does not let you control who has access to them." 2541 | }, 2542 | { 2543 | "Name": "Trusted Signing Certificate Profile Signer", 2544 | "Id": "2837e146-70d7-4cfd-ad55-7efa6464f958", 2545 | "Description": "Sign files with a certificate profile. This role is in preview and subject to change." 2546 | }, 2547 | { 2548 | "Name": "Trusted Signing Identity Verifier", 2549 | "Id": "4339b7cf-9826-4e41-b4ed-c7f4505dac08", 2550 | "Description": "Manage identity or business verification requests. This role is in preview and subject to change." 
2551 | }, 2552 | { 2553 | "Name": "User Access Administrator", 2554 | "Id": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", 2555 | "Description": "Lets you manage user access to Azure resources." 2556 | }, 2557 | { 2558 | "Name": "Web Plan Contributor", 2559 | "Id": "2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b", 2560 | "Description": "Lets you manage the web plans for websites, but not access to them." 2561 | }, 2562 | { 2563 | "Name": "Web PubSub Service Owner", 2564 | "Id": "12cf5a90-567b-43ae-8102-96cf46c7d9b4", 2565 | "Description": "Full access to Azure Web PubSub Service REST APIs" 2566 | }, 2567 | { 2568 | "Name": "Web PubSub Service Reader", 2569 | "Id": "bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf", 2570 | "Description": "Read-only access to Azure Web PubSub Service REST APIs" 2571 | }, 2572 | { 2573 | "Name": "Website Contributor", 2574 | "Id": "de139f84-1756-47ae-9be6-808fbbe84772", 2575 | "Description": "Lets you manage websites (not web plans), but not access to them." 2576 | }, 2577 | { 2578 | "Name": "Video Indexer Restricted Viewer", 2579 | "Id": "a2c4a527-7dc0-4ee3-897b-403ade70fafb", 2580 | "Description": "Has access to view and search through all video\u0027s insights and transcription in the Video Indexer portal. No access to model customization, embedding of widget, downloading videos, or sharing the account." 2581 | }, 2582 | { 2583 | "Name": "Windows 365 Network Interface Contributor", 2584 | "Id": "1f135831-5bbe-4924-9016-264044c00788", 2585 | "Description": "This role is used by Windows 365 to provision required network resources and join Microsoft-hosted VMs to network interfaces." 2586 | }, 2587 | { 2588 | "Name": "Windows 365 Network User", 2589 | "Id": "7eabc9a4-85f7-4f71-b8ab-75daaccc1033", 2590 | "Description": "This role is used by Windows 365 to read virtual networks and join the designated virtual networks." 
2591 | }, 2592 | { 2593 | "Name": "Windows Admin Center Administrator Login", 2594 | "Id": "a6333a3e-0164-44c3-b281-7a577aff287f", 2595 | "Description": "Lets you manage the OS of your resource via Windows Admin Center as an administrator." 2596 | }, 2597 | { 2598 | "Name": "Windows365SubscriptionReader", 2599 | "Id": "3d55a8f6-4133-418d-8051-facdb1735758", 2600 | "Description": "Read subscriptions, images, azure firewalls. This role is used in Windows365 scenarios." 2601 | }, 2602 | { 2603 | "Name": "Virtual Machine Administrator Login", 2604 | "Id": "1c0163c0-47e6-4577-8991-ea5c82e286e4", 2605 | "Description": "View Virtual Machines in the portal and login as administrator" 2606 | }, 2607 | { 2608 | "Name": "Virtual Machine Contributor", 2609 | "Id": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c", 2610 | "Description": "Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they\u0027re connected to." 2611 | }, 2612 | { 2613 | "Name": "Virtual Machine Data Access Administrator (preview)", 2614 | "Id": "66f75aeb-eabe-4b70-9f1e-c350c4c9ad04", 2615 | "Description": "Manage access to Virtual Machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an ABAC condition to constrain role assignments." 2616 | }, 2617 | { 2618 | "Name": "Virtual Machine Local User Login", 2619 | "Id": "602da2ba-a5c2-41da-b01d-5360126ab525", 2620 | "Description": "View Virtual Machines in the portal and login as a local user configured on the arc server" 2621 | }, 2622 | { 2623 | "Name": "Virtual Machine User Login", 2624 | "Id": "fb879df8-f326-4884-b1cf-06f3ad86be52", 2625 | "Description": "View Virtual Machines in the portal and login as a regular user." 2626 | }, 2627 | { 2628 | "Name": "VM Scanner Operator", 2629 | "Id": "d24ecba3-c1f4-40fa-a7bb-4588a071e8fd", 2630 | "Description": "Role that provides access to disk snapshot for security analysis." 
2631 | }, 2632 | { 2633 | "Name": "Workbook Contributor", 2634 | "Id": "e8ddcd69-c73f-4f9f-9844-4100522f16ad", 2635 | "Description": "Can save shared workbooks." 2636 | }, 2637 | { 2638 | "Name": "Workbook Reader", 2639 | "Id": "b279062a-9be3-42a0-92ae-8b3cf002ec4d", 2640 | "Description": "Can read workbooks." 2641 | }, 2642 | { 2643 | "Name": "WorkloadBuilder Migration Agent Role", 2644 | "Id": "d17ce0a2-0697-43bc-aac5-9113337ab61c", 2645 | "Description": "WorkloadBuilder Migration Agent Role." 2646 | } 2647 | ] 2648 | --------------------------------------------------------------------------------