Επεξεργασία

Κοινή χρήση μέσω


Azure built-in roles

Azure role-based access control (Azure RBAC) has several Azure built-in roles that you can assign to users, groups, service principals, and managed identities. Role assignments are the way you control access to Azure resources. If the built-in roles don't meet the specific needs of your organization, you can create your own Azure custom roles. For information about how to assign roles, see Steps to assign an Azure role.

This article lists the Azure built-in roles. If you are looking for administrator roles for Microsoft Entra ID, see Microsoft Entra built-in roles.

The following table provides a brief description of each built-in role. Click the role name to see the list of Actions, NotActions, DataActions, and NotDataActions for each role. For information about what these actions mean and how they apply to the control and data planes, see Understand Azure role definitions.

Privileged

Built-in role Description ID
Contributor Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. b24988ac-6180-42a0-ab88-20f7382dd24c
Owner Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. 8e3af657-a8ff-443c-a75c-2fe8c4bcb635
Reservations Administrator Lets one read and manage all the reservations in a tenant a8889054-8d42-49c9-bc1c-52486c10e7cd
Role Based Access Control Administrator Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy. f58310d9-a9f6-439a-9e8d-f62e7b41a168
User Access Administrator Lets you manage user access to Azure resources. 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9

General

Built-in role Description ID
Reader View all resources, but does not allow you to make any changes. acdd72a7-3385-48ef-bd42-f606fba81ae7

Compute

Built-in role Description ID
Azure Arc VMware VM Contributor Arc VMware VM Contributor has permissions to perform all VM actions. b748a06d-6150-4f8a-aaa9-ce3940cd96cb
Classic Virtual Machine Contributor Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. d73bb868-a0df-4d4d-bd69-98a00b01fccb
Compute Gallery Artifacts Publisher This is the role for publishing gallery artifacts. 85a2d0d9-2eba-4c9c-b355-11c2cc0788ab
Compute Gallery Image Reader This is the role for reading gallery images. cf7c76d2-98a3-4358-a134-615aa78bf44d
Compute Gallery Sharing Admin This role allows user to share gallery to another subscription/tenant or share it to the public. 1ef6a3be-d0ac-425d-8c01-acb62866290b
Data Operator for Managed Disks Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication. 959f8984-c045-4866-89c7-12bf9737be2e
Desktop Virtualization Application Group Contributor Contributor of the Desktop Virtualization Application Group. 86240b0e-9422-4c43-887b-b61143f32ba8
Desktop Virtualization Application Group Reader Reader of the Desktop Virtualization Application Group. aebf23d0-b568-4e86-b8f9-fe83a2c6ab55
Desktop Virtualization Contributor Contributor of Desktop Virtualization. 082f0a83-3be5-4ba1-904c-961cca79b387
Desktop Virtualization Host Pool Contributor Contributor of the Desktop Virtualization Host Pool. e307426c-f9b6-4e81-87de-d99efb3c32bc
Desktop Virtualization Host Pool Reader Reader of the Desktop Virtualization Host Pool. ceadfde2-b300-400a-ab7b-6143895aa822
Desktop Virtualization Power On Contributor Provide permission to the Azure Virtual Desktop Resource Provider to start virtual machines. 489581de-a3bd-480d-9518-53dea7416b33
Desktop Virtualization Power On Off Contributor Provide permission to the Azure Virtual Desktop Resource Provider to start and stop virtual machines. 40c5ff49-9181-41f8-ae61-143b0e78555e
Desktop Virtualization Reader Reader of Desktop Virtualization. 49a72310-ab8d-41df-bbb0-79b649203868
Desktop Virtualization Session Host Operator Operator of the Desktop Virtualization Session Host. 2ad6aaab-ead9-4eaa-8ac5-da422f562408
Desktop Virtualization User Allows user to use the applications in an application group. 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63
Desktop Virtualization User Session Operator Operator of the Desktop Virtualization User Session. ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6
Desktop Virtualization Virtual Machine Contributor This role is in preview and subject to change. Provide permission to the Azure Virtual Desktop Resource Provider to create, delete, update, start, and stop virtual machines. a959dbd1-f747-45e3-8ba6-dd80f235f97c
Desktop Virtualization Workspace Contributor Contributor of the Desktop Virtualization Workspace. 21efdde3-836f-432b-bf3d-3e8e734d4b2b
Desktop Virtualization Workspace Reader Reader of the Desktop Virtualization Workspace. 0fa44ee9-7a7d-466b-9bb2-2bf446b1204d
Disk Backup Reader Provides permission to backup vault to perform disk backup. 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24
Disk Pool Operator Provide permission to StoragePool Resource Provider to manage disks added to a disk pool. 60fc6e62-5479-42d4-8bf4-67625fcc2840
Disk Restore Operator Provides permission to backup vault to perform disk restore. b50d9833-a0cb-478e-945f-707fcc997c13
Disk Snapshot Contributor Provides permission to backup vault to manage disk snapshots. 7efff54f-a5b4-42b5-a1c5-5411624893ce
Virtual Machine Administrator Login View Virtual Machines in the portal and login as administrator 1c0163c0-47e6-4577-8991-ea5c82e286e4
Virtual Machine Contributor Create and manage virtual machines, manage disks, install and run software, reset password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC. 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
Virtual Machine Data Access Administrator (preview) Manage access to Virtual Machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an ABAC condition to constrain role assignments. 66f75aeb-eabe-4b70-9f1e-c350c4c9ad04
Virtual Machine Local User Login View Virtual Machines in the portal and login as a local user configured on the arc server 602da2ba-a5c2-41da-b01d-5360126ab525
Virtual Machine User Login View Virtual Machines in the portal and login as a regular user. fb879df8-f326-4884-b1cf-06f3ad86be52
Virtual Machine Restore Operator Provides permissions to Recovery Services vault to staging storage account and target resource group for VM restore operations. dfce897125e342e3ba336055438e3080
Windows 365 Network Interface Contributor This role is used by Windows 365 to provision required network resources and join Microsoft-hosted VMs to network interfaces. 1f135831-5bbe-4924-9016-264044c00788
Windows 365 Network User This role is used by Windows 365 to read virtual networks and join the designated virtual networks. 7eabc9a4-85f7-4f71-b8ab-75daaccc1033
Windows Admin Center Administrator Login Let's you manage the OS of your resource via Windows Admin Center as an administrator. a6333a3e-0164-44c3-b281-7a577aff287f

Networking

Built-in role Description ID
Azure Front Door Domain Contributor For internal use within Azure. Can manage Azure Front Door domains, but can't grant access to other users. 0ab34830-df19-4f8c-b84e-aa85b8afa6e8
Azure Front Door Domain Reader For internal use within Azure. Can view Azure Front Door domains, but can't make changes. 0f99d363-226e-4dca-9920-b807cf8e1a5f
Azure Front Door Profile Reader Can view AFD standard and premium profiles and their endpoints, but can't make changes. 662802e2-50f6-46b0-aed2-e834bacc6d12
Azure Front Door Secret Contributor For internal use within Azure. Can manage Azure Front Door secrets, but can't grant access to other users. 3f2eb865-5811-4578-b90a-6fc6fa0df8e5
Azure Front Door Secret Reader For internal use within Azure. Can view Azure Front Door secrets, but can't make changes. 0db238c4-885e-4c4f-a933-aa2cef684fca
CDN Endpoint Contributor Can manage CDN endpoints, but can't grant access to other users. 426e0c7f-0c7e-4658-b36f-ff54d6c29b45
CDN Endpoint Reader Can view CDN endpoints, but can't make changes. 871e35f6-b5c1-49cc-a043-bde969a0f2cd
CDN Profile Contributor Can manage CDN and Azure Front Door standard and premium profiles and their endpoints, but can't grant access to other users. ec156ff8-a8d1-4d15-830c-5b80698ca432
CDN Profile Reader Can view CDN profiles and their endpoints, but can't make changes. 8f96442b-4075-438f-813d-ad51ab4019af
Classic Network Contributor Lets you manage classic networks, but not access to them. b34d265f-36f7-4a0d-a4d4-e158ca92e90f
DNS Zone Contributor Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. befefa01-2a29-4197-83a8-272ff33ce314
Network Contributor Lets you manage networks, but not access to them. This role does not grant you permission to deploy or manage Virtual Machines. 4d97b98b-1d4f-4787-a291-c67834d212e7
Private DNS Zone Contributor Lets you manage private DNS zone resources, but not the virtual networks they are linked to. b12aa53e-6015-4669-85d0-8515ebb3ae7f
Traffic Manager Contributor Lets you manage Traffic Manager profiles, but does not let you control who has access to them. a4b10055-b0c7-44c2-b00f-c7b5b3550cf7

Storage

Built-in role Description ID
Avere Contributor Can create and manage an Avere vFXT cluster. 4f8fab4f-1852-4a58-a46a-8eaf358af14a
Avere Operator Used by the Avere vFXT cluster to manage the cluster c025889f-8102-4ebf-b32c-fc0c6f0c6bd9
Backup Contributor Lets you manage backup service, but can't create vaults and give access to others 5e467623-bb1f-42f4-a55d-6e525e11384b
Backup MUA Admin Backup MultiUser-Authorization. Can create/delete ResourceGuard c2a970b4-16a7-4a51-8c84-8a8ea6ee0bb8
Backup MUA Operator Backup MultiUser-Authorization. Allows user to perform critical operation protected by resourceguard f54b6d04-23c6-443e-b462-9c16ab7b4a52
Backup Operator Lets you manage backup services, except removal of backup, vault creation and giving access to others 00c29273-979b-4161-815c-10b084fb9324
Backup Reader Can view backup services, but can't make changes a795c7a0-d4a2-40c1-ae25-d81f01202912
Classic Storage Account Contributor Lets you manage classic storage accounts, but not access to them. 86e8f5dc-a6e9-4c67-9d15-de283e8eac25
Classic Storage Account Key Operator Service Role Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts 985d6b00-f706-48f5-a6fe-d0ca12fb668d
Data Box Contributor Lets you manage everything under Data Box Service except giving access to others. add466c9-e687-43fc-8d98-dfcf8d720be5
Data Box Reader Lets you manage Data Box Service except creating order or editing order details and giving access to others. 028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027
Data Lake Analytics Developer Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. 47b7735b-770e-4598-a7da-8b91488b4c88
Defender for Storage Data Scanner Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage. 1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40
Elastic SAN Network Admin Allows access to create Private Endpoints on SAN resources, and to read SAN resources fa6cecf6-5db3-4c43-8470-c540bcb4eafa
Elastic SAN Owner Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access 80dcbedb-47ef-405d-95bd-188a1b4ac406
Elastic SAN Reader Allows for control path read access to Azure Elastic SAN af6a70f8-3c9f-4105-acf1-d719e9fca4ca
Elastic SAN Volume Group Owner Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access a8281131-f312-4f34-8d98-ae12be9f0d23
Reader and Data Access Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. c12c1c16-33a1-487b-954d-41c89c60f349
Storage Account Backup Contributor Lets you perform backup and restore operations using Azure Backup on the storage account. e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1
Storage Account Contributor Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization. 17d1049b-9a84-46fb-8f53-869881c3d3ab
Storage Account Key Operator Service Role Permits listing and regenerating storage account access keys. 81a9662b-bebf-436f-a333-f67b29880f12
Storage Blob Data Contributor Read, write, and delete Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling data operations. ba92f5b4-2d11-453d-a403-e96b0029c9fe
Storage Blob Data Owner Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. To learn which actions are required for a given data operation, see Permissions for calling data operations. b7e6dc6d-f1e8-4753-8033-0f276bb0955b
Storage Blob Data Reader Read and list Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling data operations. 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1
Storage Blob Delegator Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Azure AD credentials. For more information, see Create a user delegation SAS. db58b8e5-c6ad-4a2a-8342-4190687cbf4a
Storage File Data Privileged Contributor Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers. 69566ab7-960f-475b-8e7c-b3118f30c6bd
Storage File Data Privileged Reader Allows for read access on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers. b8eda974-7b85-4f76-af95-65846b26df6d
Storage File Data SMB Share Contributor Allows for read, write, and delete access on files/directories in Azure file shares. This role has no built-in equivalent on Windows file servers. 0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb
Storage File Data SMB Share Elevated Contributor Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares. This role is equivalent to a file share ACL of change on Windows file servers. a7264617-510b-434b-a828-9731dc254ea7
Storage File Data SMB Share Reader Allows for read access on files/directories in Azure file shares. This role is equivalent to a file share ACL of read on Windows file servers. aba4ae5f-2193-4029-9191-0cb91df5e314
Storage Queue Data Contributor Read, write, and delete Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling data operations. 974c5e8b-45b9-4653-ba55-5f855dd0fb88
Storage Queue Data Message Processor Peek, retrieve, and delete a message from an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling data operations. 8a0f0c08-91a1-4084-bc3d-661d67233fed
Storage Queue Data Message Sender Add messages to an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling data operations. c6a89b2d-59bc-44d0-9896-0f6e12d7b80a
Storage Queue Data Reader Read and list Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling data operations. 19e7f393-937e-4f77-808e-94535e297925
Storage Table Data Contributor Allows for read, write and delete access to Azure Storage tables and entities 0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3
Storage Table Data Reader Allows for read access to Azure Storage tables and entities 76199698-9eea-4c19-bc75-cec21354c6b6

Web and Mobile

Built-in role Description ID
Azure Maps Data Contributor Grants access to read, write, and delete access to map related data from an Azure maps account. 8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204
Azure Maps Data Reader Grants access to read map related data from an Azure maps account. 423170ca-a8f6-4b0f-8487-9e4eb8f49bfa
Azure Maps Search and Render Data Reader Grants access to very limited set of data APIs for common visual web SDK scenarios. Specifically, render and search data APIs. 6be48352-4f82-47c9-ad5e-0acacefdb005
Azure Spring Apps Application Configuration Service Config File Pattern Reader Role Read content of config file pattern for Application Configuration Service in Azure Spring Apps 25211fc6-dc78-40b6-b205-e4ac934fd9fd
Azure Spring Apps Application Configuration Service Log Reader Role Read real-time logs for Application Configuration Service in Azure Spring Apps 6593e776-2a30-40f9-8a32-4fe28b77655d
Azure Spring Apps Connect Role Azure Spring Apps Connect Role 80558df3-64f9-4c0f-b32d-e5094b036b0b
Azure Spring Apps Job Log Reader Role Read real-time logs for jobs in Azure Spring Apps b459aa1d-e3c8-436f-ae21-c0531140f43e
Azure Spring Apps Remote Debugging Role Azure Spring Apps Remote Debugging Role a99b0159-1064-4c22-a57b-c9b3caa1c054
Azure Spring Apps Spring Cloud Gateway Log Reader Role Read real-time logs for Spring Cloud Gateway in Azure Spring Apps 4301dc2a-25a9-44b0-ae63-3636cf7f2bd2
Azure Spring Cloud Config Server Contributor Allow read, write and delete access to Azure Spring Cloud Config Server a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b
Azure Spring Cloud Config Server Reader Allow read access to Azure Spring Cloud Config Server d04c6db6-4947-4782-9e91-30a88feb7be7
Azure Spring Cloud Data Reader Allow read access to Azure Spring Cloud Data b5537268-8956-4941-a8f0-646150406f0c
Azure Spring Cloud Service Registry Contributor Allow read, write and delete access to Azure Spring Cloud Service Registry f5880b48-c26d-48be-b172-7927bfa1c8f1
Azure Spring Cloud Service Registry Reader Allow read access to Azure Spring Cloud Service Registry cff1b556-2399-4e7e-856d-a8f754be7b65
Media Services Account Administrator Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources. 054126f8-9a2b-4f1c-a9ad-eca461f08466
Media Services Live Events Administrator Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources. 532bc159-b25e-42c0-969e-a1d439f60d77
Media Services Media Operator Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources. e4395492-1534-4db2-bedf-88c14621589c
Media Services Policy Administrator Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets or Streaming resources. c4bba371-dacd-4a26-b320-7250bca963ae
Media Services Streaming Endpoints Administrator Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources. 99dba123-b5fe-44d5-874c-ced7199a5804
SignalR AccessKey Reader Read SignalR Service Access Keys 04165923-9d83-45d5-8227-78b77b0a687e
SignalR App Server Lets your app server access SignalR Service with AAD auth options. 420fcaa2-552c-430f-98ca-3264be4806c7
SignalR REST API Owner Full access to Azure SignalR Service REST APIs fd53cd77-2268-407a-8f46-7e7863d0f521
SignalR REST API Reader Read-only access to Azure SignalR Service REST APIs ddde6b66-c0df-4114-a159-3618637b3035
SignalR Service Owner Full access to Azure SignalR Service REST APIs 7e4f1700-ea5a-4f59-8f37-079cfe29dce3
SignalR/Web PubSub Contributor Create, Read, Update, and Delete SignalR service resources 8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761
Web Plan Contributor Manage the web plans for websites. Does not allow you to assign roles in Azure RBAC. 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b
Web PubSub Service Owner Full access to Azure Web PubSub Service REST APIs 12cf5a90-567b-43ae-8102-96cf46c7d9b4
Web PubSub Service Reader Read-only access to Azure Web PubSub Service REST APIs bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf
Website Contributor Manage websites, but not web plans. Does not allow you to assign roles in Azure RBAC. de139f84-1756-47ae-9be6-808fbbe84772

Containers

Built-in role Description ID
AcrDelete Delete repositories, tags, or manifests from a container registry. c2f4ef07-c644-48eb-af81-4b1b4947fb11
AcrImageSigner Push trusted images to or pull trusted images from a container registry enabled for content trust. 6cef56e8-d556-48e5-a04f-b8e64114680f
AcrPull Pull artifacts from a container registry. 7f951dda-4ed3-4680-a7ca-43fe172d538d
AcrPush Push artifacts to or pull artifacts from a container registry. 8311e382-0749-4cb8-b61a-304f252e45ec
AcrQuarantineReader Pull quarantined images from a container registry. cdda3590-29a3-44f6-95f2-9f980659eb04
AcrQuarantineWriter Push quarantined images to or pull quarantined images from a container registry. c8d4ff99-41c3-41a8-9f60-21dfdad59608
Azure Arc Enabled Kubernetes Cluster User Role List cluster user credentials action. 00493d72-78f6-4148-b6c5-d3ce8e4799dd
Azure Arc Kubernetes Admin Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. dffb1e0c-446f-4dde-a09f-99eb5cc68b96
Azure Arc Kubernetes Cluster Admin Lets you manage all resources in the cluster. 8393591c-06b9-48a2-a542-1bd6b377f6a2
Azure Arc Kubernetes Viewer Lets you view all resources in cluster/namespace, except secrets. 63f0a09d-1495-4db4-a681-037d84835eb4
Azure Arc Kubernetes Writer Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings. 5b999177-9696-4545-85c7-50de3797e5a1
Azure Container Storage Contributor Install Azure Container Storage and manage its storage resources. Includes an ABAC condition to constrain role assignments. 95dd08a6-00bd-4661-84bf-f6726f83a4d0
Azure Container Storage Operator Enable a managed identity to perform Azure Container Storage operations, such as manage virtual machines and manage virtual networks. 08d4c71a-cc63-4ce4-a9c8-5dd251b4d619
Azure Container Storage Owner Install Azure Container Storage, grant access to its storage resources, and configure Azure Elastic storage area network (SAN). Includes an ABAC condition to constrain role assignments. 95de85bd-744d-4664-9dde-11430bc34793
Azure Kubernetes Fleet Manager Contributor Role Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc. 63bb64ad-9799-4770-b5c3-24ed299a07bf
Azure Kubernetes Fleet Manager RBAC Admin Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces. 434fb43a-c01c-447e-9f67-c3ad923cfaba
Azure Kubernetes Fleet Manager RBAC Cluster Admin Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster. 18ab4d3d-a1bf-4477-8ad9-8359bc988f69
Azure Kubernetes Fleet Manager RBAC Reader Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. 30b27cfc-9c84-438e-b0ce-70e35255df80
Azure Kubernetes Fleet Manager RBAC Writer Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace.  Applying this role at cluster scope will give access across all namespaces. 5af6afb3-c06c-4fa4-8848-71a8aee05683
Azure Kubernetes Service Arc Cluster Admin Role List cluster admin credential action. b29efa5f-7782-4dc3-9537-4d5bc70a5e9f
Azure Kubernetes Service Arc Cluster User Role List cluster user credential action. 233ca253-b031-42ff-9fba-87ef12d6b55f
Azure Kubernetes Service Arc Contributor Role Grants access to read and write Azure Kubernetes Services hybrid clusters 5d3f1697-4507-4d08-bb4a-477695db5f82
Azure Kubernetes Service Cluster Admin Role List cluster admin credential action. 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8
Azure Kubernetes Service Cluster Monitoring User List cluster monitoring user credential action. 1afdec4b-e479-420e-99e7-f82237c7c5e6
Azure Kubernetes Service Cluster User Role List cluster user credential action. 4abbcc35-e782-43d8-92c5-2d3f1bd2253f
Azure Kubernetes Service Contributor Role Grants access to read and write Azure Kubernetes Service clusters ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8
Azure Kubernetes Service RBAC Admin Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. 3498e952-d568-435e-9b2c-8d77e338d7f7
Azure Kubernetes Service RBAC Cluster Admin Lets you manage all resources in the cluster. b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b
Azure Kubernetes Service RBAC Reader Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. 7f6c6a51-bcf8-42ba-9220-52d62157d7db
Azure Kubernetes Service RBAC Writer Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb
Connected Cluster Managed Identity CheckAccess Reader Built-in role that allows a Connected Cluster managed identity to call the checkAccess API 65a14201-8f6c-4c28-bec4-12619c5a9aaa
Kubernetes Agentless Operator Grants Microsoft Defender for Cloud access to Azure Kubernetes Services d5a2ae44-610b-4500-93be-660a0c5f5ca6
Kubernetes Cluster - Azure Arc Onboarding Role definition to authorize any user/service to create connectedClusters resource 34e09817-6cbe-4d01-b1a2-e0eac5743d41
Kubernetes Extension Contributor Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations 85cb6faf-e071-4c9b-8136-154b5a04f717
Service Fabric Cluster Contributor Manage your Service Fabric Cluster resources. Includes clusters, application types, application type versions, applications, and services. You will need additional permissions to deploy and manage the cluster's underlying resources such as virtual machine scale sets, storage accounts, networks, etc. b6efc156-f0da-4e90-a50a-8c000140b017
Service Fabric Managed Cluster Contributor Deploy and manage your Service Fabric Managed Cluster resources. Includes managed clusters, node types, application types, application type versions, applications, and services. 83f80186-3729-438c-ad2d-39e94d718838

Databases

Built-in role Description ID
Azure Connected SQL Server Onboarding Allows for read and write access to Azure resources for SQL Server on Arc-enabled servers. e8113dce-c529-4d33-91fa-e9b972617508
Cosmos DB Account Reader Role Can read Azure Cosmos DB account data. See DocumentDB Account Contributor for managing Azure Cosmos DB accounts. fbdf93bf-df7d-467e-a4d2-9458aa1360c8
Cosmos DB Operator Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. 230815da-be43-4aae-9cb4-875f7bd000aa
CosmosBackupOperator Can submit restore request for a Cosmos DB database or a container for an account db7b14f2-5adf-42da-9f96-f2ee17bab5cb
CosmosRestoreOperator Can perform restore action for Cosmos DB database account with continuous backup mode 5432c526-bc82-444a-b7ba-57c5b0b5b34f
DocumentDB Account Contributor Can manage Azure Cosmos DB accounts. Azure Cosmos DB is formerly known as DocumentDB. 5bd9cd88-fe45-4216-938b-f97437e15450
PostgreSQL Flexible Server Long Term Retention Backup Role Role to allow backup vault to access PostgreSQL Flexible Server Resource APIs for Long Term Retention Backup. c088a766-074b-43ba-90d4-1fb21feae531
Redis Cache Contributor Lets you manage Redis caches, but not access to them. e0f68234-74aa-48ed-b826-c38b57376e17
SQL DB Contributor Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec
SQL Managed Instance Contributor Lets you manage SQL Managed Instances and required network configuration, but can't give access to others. 4939a1f6-9ae0-4e48-a1e0-f2cbe897382d
SQL Security Manager Lets you manage the security-related policies of SQL servers and databases, but not access to them. 056cd41c-7e88-42e1-933e-88ba6a50c9c3
SQL Server Contributor Lets you manage SQL servers and databases, but not access to them, and not their security-related policies. 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437

Analytics

Built-in role Description ID
Azure Event Hubs Data Owner Allows for full access to Azure Event Hubs resources. f526a384-b230-433a-b45c-95f59c4a2dec
Azure Event Hubs Data Receiver Allows receive access to Azure Event Hubs resources. a638d3c7-ab3a-418d-83e6-5f17a39d4fde
Azure Event Hubs Data Sender Allows send access to Azure Event Hubs resources. 2b629674-e913-4c01-ae53-ef4638d8f975
Data Factory Contributor Create and manage data factories, as well as child resources within them. 673868aa-7521-48a0-acc6-0f60742d39f5
Data Purger Delete private data from a Log Analytics workspace. 150f5e0c-0603-4f03-8c7f-cf70034c4e90
HDInsight Cluster Operator Lets you read and modify HDInsight cluster configurations. 61ed4efc-fab3-44fd-b111-e24485cc132a
HDInsight Domain Services Contributor Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package 8d8d5a11-05d3-4bda-a417-a08778121c7c
HDInsight on AKS Cluster Admin Grants a user/group the ability to create, delete and manage clusters within a given cluster pool. Cluster Admin can also run workloads, monitor, and manage all user activity on these clusters. fd036e6b-1266-47a0-b0bb-a05d04831731
HDInsight on AKS Cluster Pool Admin Can read, create, modify and delete HDInsight on AKS cluster pools and create clusters 7656b436-37d4-490a-a4ab-d39f838f0042
Log Analytics Contributor Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources. 92aaf0da-9dab-42b6-94a3-d43ce8d16293
Log Analytics Reader Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. 73c42c96-874c-492b-b04d-ab87d138a893
Schema Registry Contributor (Preview) Read, write, and delete Schema Registry groups and schemas. 5dffeca3-4936-4216-b2bc-10343a5abb25
Schema Registry Reader (Preview) Read and list Schema Registry groups and schemas. 2c56ea50-c6b3-40a6-83c0-9d98858bc7d2
Stream Analytics Query Tester Lets you perform query testing without creating a stream analytics job first 1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf

AI + machine learning

Built-in role Description ID
AgFood Platform Sensor Partner Contributor Provides contribute access to manage sensor related entities in AgFood Platform Service 6b77f0a0-0d89-41cc-acd1-579c22c17a67
AgFood Platform Service Admin Provides admin access to AgFood Platform Service f8da80de-1ff9-4747-ad80-a19b7f6079e3
AgFood Platform Service Contributor Provides contribute access to AgFood Platform Service 8508508a-4469-4e45-963b-2518ee0bb728
AgFood Platform Service Reader Provides read access to AgFood Platform Service 7ec7ccdc-f61e-41fe-9aaf-980df0a44eba
Azure AI Developer Can perform all actions within an Azure AI resource besides managing the resource itself. 64702f94-c441-49e6-a78b-ef80e0188fee
Azure AI Enterprise Network Connection Approver Can approve private endpoint connections to Azure AI common dependency resources b556d68e-0be0-4f35-a333-ad7ee1ce17ea
Azure AI Inference Deployment Operator Can perform all actions required to create a resource deployment within a resource group. 3afb7f49-54cb-416e-8c09-6dc049efa503
AzureML Compute Operator Can access and perform CRUD operations on Machine Learning Services managed compute resources (including Notebook VMs). e503ece1-11d0-4e8e-8e2c-7a6c3bf38815
AzureML Data Scientist Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself. f6c7c914-8db3-469d-8ca1-694a8f32e121
AzureML Metrics Writer (preview) Lets you write metrics to AzureML workspace 635dd51f-9968-44d3-b7fb-6d9a6bd613ae
AzureML Registry User Can perform all actions on Machine Learning Services Registry assets as well as get Registry resources. 1823dd4f-9b8c-4ab6-ab4e-7397a3684615
Cognitive Services Contributor Lets you create, read, update, delete and manage keys of Cognitive Services. 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68
Cognitive Services Custom Vision Contributor Full access to the project, including the ability to view, create, edit, or delete projects. c1ff6cc2-c111-46fe-8896-e0ef812ad9f3
Cognitive Services Custom Vision Deployment Publish, unpublish or export models. Deployment can view the project but can't update. 5c4089e1-6d96-4d2f-b296-c1bc7137275f
Cognitive Services Custom Vision Labeler View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags. 88424f51-ebe7-446f-bc41-7fa16989e96c
Cognitive Services Custom Vision Reader Read-only actions in the project. Readers can't create or update the project. 93586559-c37d-4a6b-ba08-b9f0940c2d73
Cognitive Services Custom Vision Trainer View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project. 0a5ae4ab-0d65-4eeb-be61-29fc9b54394b
Cognitive Services Data Reader Lets you read Cognitive Services data. b59867f0-fa02-499b-be73-45a86b5b3e1c
Cognitive Services Face Recognizer Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices. 9894cab4-e18a-44aa-828b-cb588cd6f2d7
Cognitive Services Immersive Reader User Provides access to create Immersive Reader sessions and call APIs b2de6794-95db-4659-8781-7e080d3f2b9d
Cognitive Services Language Owner Has access to all Read, Test, Write, Deploy and Delete functions under Language portal f07febfe-79bc-46b1-8b37-790e26e6e498
Cognitive Services Language Reader Has access to Read and Test functions under Language portal 7628b7b8-a8b2-4cdc-b46f-e9b35248918e
Cognitive Services Language Writer Has access to all Read, Test, and Write functions under Language Portal f2310ca1-dc64-4889-bb49-c8e0fa3d47a8
Cognitive Services LUIS Owner Has access to all Read, Test, Write, Deploy and Delete functions under LUIS f72c8140-2111-481c-87ff-72b910f6e3f8
Cognitive Services LUIS Reader Has access to Read and Test functions under LUIS. 18e81cdc-4e98-4e29-a639-e7d10c5a6226
Cognitive Services LUIS Writer Has access to all Read, Test, and Write functions under LUIS 6322a993-d5c9-4bed-b113-e49bbea25b27
Cognitive Services Metrics Advisor Administrator Full access to the project, including the system level configuration. cb43c632-a144-4ec5-977c-e80c4affc34a
Cognitive Services Metrics Advisor User Access to the project. 3b20f47b-3825-43cb-8114-4bd2201156a8
Cognitive Services OpenAI Contributor Full access including the ability to fine-tune, deploy and generate text a001fd3d-188f-4b5d-821b-7da978bf7442
Cognitive Services OpenAI User Read access to view files, models, deployments. The ability to create completion and embedding calls. 5e0bd9bd-7b93-4f28-af87-19fc36ad61bd
Cognitive Services QnA Maker Editor Let's you create, edit, import and export a KB. You cannot publish or delete a KB. f4cc2bf9-21be-47a1-bdf1-5c5804381025
Cognitive Services QnA Maker Reader Let's you read and test a KB only. 466ccd10-b268-4a11-b098-b4849f024126
Cognitive Services Speech Contributor Full access to Speech projects, including read, write and delete all entities, for real-time speech recognition and batch transcription tasks, real-time speech synthesis and long audio tasks, custom speech and custom voice. 0e75ca1e-0464-4b4d-8b93-68208a576181
Cognitive Services Speech User Access to the real-time speech recognition and batch transcription APIs, real-time speech synthesis and long audio APIs, as well as to read the data/test/model/endpoint for custom models, but can't create, delete or modify the data/test/model/endpoint for custom models. f2dc8367-1007-4938-bd23-fe263f013447
Cognitive Services Usages Reader Minimal permission to view Cognitive Services usages. bba48692-92b0-4667-a9ad-c31c7b334ac2
Cognitive Services User Lets you read and list keys of Cognitive Services. a97b65f3-24c7-4388-baec-2e87135dc908
Health Bot Admin Users with admin access can sign in, view and edit all of the bot resources, scenarios and configuration setting including the bot instance keys & secrets. f1082fec-a70f-419f-9230-885d2550fb38
Health Bot Editor Users with editor access can sign in, view and edit all the bot resources, scenarios and configuration setting except for the bot instance keys & secrets and the end-user inputs (including Feedback, Unrecognized utterances and Conversation logs). A read-only access to the bot skills and channels. af854a69-80ce-4ff7-8447-f1118a2e0ca8
Health Bot Reader Users with reader access can sign in, have read-only access to the bot resources, scenarios and configuration setting except for the bot instance keys & secrets (including Authentication, Data Connection and Channels keys) and the end-user inputs (including Feedback, Unrecognized utterances and Conversation logs). eb5a76d5-50e7-4c33-a449-070e7c9c4cf2
Search Index Data Contributor Grants full access to Azure Cognitive Search index data. 8ebe5a00-799e-43f5-93ac-243d3dce84a7
Search Index Data Reader Grants read access to Azure Cognitive Search index data. 1407120a-92aa-4202-b7e9-c0e197c71c8f
Search Service Contributor Lets you manage Search services, but not access to them. 7ca78c08-252a-4471-8644-bb5ff32d4ba0

Internet of Things

Built-in role Description ID
Azure Digital Twins Data Owner Full access role for Digital Twins data-plane bcd981a7-7f74-457b-83e1-cceb9e632ffe
Azure Digital Twins Data Reader Read-only role for Digital Twins data-plane properties d57506d4-4c8d-48b1-8587-93c323f6a5a3
Device Provisioning Service Data Contributor Allows for full access to Device Provisioning Service data-plane operations. dfce44e4-17b7-4bd1-a6d1-04996ec95633
Device Provisioning Service Data Reader Allows for full read access to Device Provisioning Service data-plane properties. 10745317-c249-44a1-a5ce-3a4353c0bbd8
Device Update Administrator Gives you full access to management and content operations 02ca0879-e8e4-47a5-a61e-5c618b76e64a
Device Update Content Administrator Gives you full access to content operations 0378884a-3af5-44ab-8323-f5b22f9f3c98
Device Update Content Reader Gives you read access to content operations, but does not allow making changes d1ee9a80-8b14-47f0-bdc2-f4a351625a7b
Device Update Deployments Administrator Gives you full access to management operations e4237640-0e3d-4a46-8fda-70bc94856432
Device Update Deployments Reader Gives you read access to management operations, but does not allow making changes 49e2f5d2-7741-4835-8efa-19e1fe35e47f
Device Update Reader Gives you read access to management and content operations, but does not allow making changes e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f
Firmware Analysis Admin Upload and analyze firmware images in Defender for IoT 9c1607d1-791d-4c68-885d-c7b7aaff7c8a
IoT Hub Data Contributor Allows for full access to IoT Hub data plane operations. 4fc6c259-987e-4a07-842e-c321cc9d413f
IoT Hub Data Reader Allows for full read access to IoT Hub data-plane properties b447c946-2db7-41ec-983d-d8bf3b1c77e3
IoT Hub Registry Contributor Allows for full access to IoT Hub device registry. 4ea46cd5-c1b2-4a8e-910b-273211f9ce47
IoT Hub Twin Contributor Allows for read and write access to all IoT Hub device and module twins. 494bdba2-168f-4f31-a0a1-191d2f7c028c

Mixed reality

Built-in role Description ID
Remote Rendering Administrator Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering 3df8b902-2a6f-47c7-8cc5-360e9b272a7e
Remote Rendering Client Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering. d39065c4-c120-43c9-ab0a-63eed9795f0a
Spatial Anchors Account Contributor Lets you manage spatial anchors in your account, but not delete them 8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827
Spatial Anchors Account Owner Lets you manage spatial anchors in your account, including deleting them 70bbe301-9835-447d-afdd-19eb3167307c
Spatial Anchors Account Reader Lets you locate and read properties of spatial anchors in your account 5d51204f-eb77-4b1c-b86a-2ec626c49413

Integration

Built-in role Description ID
API Management Developer Portal Content Editor Can customize the developer portal, edit its content, and publish it. c031e6a8-4391-4de0-8d69-4706a7ed3729
API Management Service Contributor Can manage service and the APIs 312a565d-c81f-4fd8-895a-4e21e48d571c
API Management Service Operator Role Can manage service but not the APIs e022efe7-f5ba-4159-bbe4-b44f577e9b61
API Management Service Reader Role Read-only access to service and APIs 71522526-b88f-4d52-b57f-d31fc3546d0d
API Management Service Workspace API Developer Has read access to tags and products and write access to allow: assigning APIs to products, assigning tags to products and APIs. This role should be assigned on the service scope. 9565a273-41b9-4368-97d2-aeb0c976a9b3
API Management Service Workspace API Product Manager Has the same access as API Management Service Workspace API Developer as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope. d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da
API Management Workspace API Developer Has read access to entities in the workspace and read and write access to entities for editing APIs. This role should be assigned on the workspace scope. 56328988-075d-4c6a-8766-d93edd6725b6
API Management Workspace API Product Manager Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope. 73c2c328-d004-4c5e-938c-35c6f5679a1f
API Management Workspace Contributor Can manage the workspace and view, but not modify its members. This role should be assigned on the workspace scope. 0c34c906-8d99-4cb7-8bb7-33f5b0a1a799
API Management Workspace Reader Has read-only access to entities in the workspace. This role should be assigned on the workspace scope. ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2
App Configuration Contributor Grants permission for all management operations, except purge, for App Configuration resources. fe86443c-f201-4fc4-9d2a-ac61149fbda0
App Configuration Data Owner Allows full access to App Configuration data. 5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b
App Configuration Data Reader Allows read access to App Configuration data. 516239f1-63e1-4d78-a4de-a74fb236a071
App Configuration Reader Grants permission for read operations for App Configuration resources. 175b81b9-6e0d-490a-85e4-0d422273c10c
Azure API Center Compliance Manager Allows managing API compliance in Azure API Center service. ede9aaa3-4627-494e-be13-4aa7c256148d
Azure API Center Data Reader Allows for access to Azure API Center data plane read operations. c7244dfb-f447-457d-b2ba-3999044d1706
Azure API Center Service Contributor Allows managing Azure API Center service. dd24193f-ef65-44e5-8a7e-6fa6e03f7713
Azure API Center Service Reader Allows read-only access to Azure API Center service. 6cba8790-29c5-48e5-bab1-c7541b01cb04
Azure Relay Listener Allows for listen access to Azure Relay resources. 26e0b698-aa6d-4085-9386-aadae190014d
Azure Relay Owner Allows for full access to Azure Relay resources. 2787bf04-f1f5-4bfe-8383-c8a24483ee38
Azure Relay Sender Allows for send access to Azure Relay resources. 26baccc8-eea7-41f1-98f4-1762cc7f685d
Azure Resource Notifications System Topics Subscriber Lets you create system topics and event subscriptions on all system topics exposed currently and in the future by Azure Resource Notifications 0b962ed2-6d56-471c-bd5f-3477d83a7ba4
Azure Service Bus Data Owner Allows for full access to Azure Service Bus resources. 090c5cfd-751d-490a-894a-3ce6f1109419
Azure Service Bus Data Receiver Allows for receive access to Azure Service Bus resources. 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0
Azure Service Bus Data Sender Allows for send access to Azure Service Bus resources. 69a216fc-b8fb-44d8-bc22-1f3c2cd27a39
BizTalk Contributor Lets you manage BizTalk services, but not access to them. 5e3c6656-6cfa-4708-81fe-0de47ac73342
Chamber Admin Lets you manage everything under your Modeling and Simulation Workbench chamber. 4e9b8407-af2e-495b-ae54-bb60a55b1b5a
Chamber User Lets you view everything under your Modeling and Simulation Workbench chamber, but not make any changes. 4447db05-44ed-4da3-ae60-6cbece780e32
DeID Batch Data Owner Create and manage DeID batch jobs. This role is in preview and subject to change. 8a90fa6b-6997-4a07-8a95-30633a7c97b9
DeID Batch Data Reader Read DeID batch jobs. This role is in preview and subject to change. b73a14ee-91f5-41b7-bd81-920e12466be9
DeID Data Owner Full access to DeID data. This role is in preview and subject to change 78e4b983-1a0b-472e-8b7d-8d770f7c5890
DeID Realtime Data User Execute requests against DeID realtime endpoint. This role is in preview and subject to change. bb6577c4-ea0a-40b2-8962-ea18cb8ecd4e
DICOM Data Owner Full access to DICOM data. 58a3b984-7adf-4c20-983a-32417c86fbc8
DICOM Data Reader Read and search DICOM data. e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a
EventGrid Contributor Lets you manage EventGrid operations. 1e241071-0855-49ea-94dc-649edcd759de
EventGrid Data Sender Allows send access to event grid events. d5a91429-5739-47e2-a06b-3470a27159e7
EventGrid EventSubscription Contributor Lets you manage EventGrid event subscription operations. 428e0ff0-5e57-4d9c-a221-2c70d0e0a443
EventGrid EventSubscription Reader Lets you read EventGrid event subscriptions. 2414bbcf-6497-4faf-8c65-045460748405
EventGrid TopicSpaces Publisher Lets you publish messages on topicspaces. a12b0b94-b317-4dcd-84a8-502ce99884c6
EventGrid TopicSpaces Subscriber Lets you subscribe messages on topicspaces. 4b0f2fd7-60b4-4eca-896f-4435034f8bf5
FHIR Data Contributor Role allows user or principal full access to FHIR Data 5a1fc7df-4bf1-4951-a576-89034ee01acd
FHIR Data Converter Role allows user or principal to convert data from legacy format to FHIR a1705bd2-3a8f-45a5-8683-466fcfd5cc24
FHIR Data Exporter Role allows user or principal to read and export FHIR Data 3db33094-8700-4567-8da5-1501d4e7e843
FHIR Data Importer Role allows user or principal to read and import FHIR Data 4465e953-8ced-4406-a58e-0f6e3f3b530b
FHIR Data Reader Role allows user or principal to read FHIR Data 4c8d0bbc-75d3-4935-991f-5f3c56d81508
FHIR Data Writer Role allows user or principal to read and write FHIR Data 3f88fce4-5892-4214-ae73-ba5294559913
FHIR SMART User Role allows user to access FHIR Service according to SMART on FHIR specification 4ba50f17-9666-485c-a643-ff00808643f0
Integration Service Environment Contributor Lets you manage integration service environments, but not access to them. a41e2c5b-bd99-4a07-88f4-9bf657a760b8
Integration Service Environment Developer Allows developers to create and update workflows, integration accounts and API connections in integration service environments. c7aa55d3-1abb-444a-a5ca-5e51e485d6ec
Intelligent Systems Account Contributor Lets you manage Intelligent Systems accounts, but not access to them. 03a6d094-3444-4b3d-88af-7477090a9e5e
Logic App Contributor Lets you manage logic apps, but not change access to them. 87a39d53-fc1b-424a-814c-f7e04687dc9e
Logic App Operator Lets you read, enable, and disable logic apps, but not edit or update them. 515c2055-d9d4-4321-b1b9-bd0c9a0f79fe
Logic Apps Standard Contributor (Preview) You can manage all aspects of a Standard logic app and workflows. You can't change access or ownership. ad710c24-b039-4e85-a019-deb4a06e8570
Logic Apps Standard Developer (Preview) You can create and edit workflows, connections, and settings for a Standard logic app. You can't make changes outside the workflow scope. 523776ba-4eb2-4600-a3c8-f2dc93da4bdb
Logic Apps Standard Operator (Preview) You can enable and disable the logic app, resubmit workflow runs, as well as create connections. You can't edit workflows or settings. b70c96e9-66fe-4c09-b6e7-c98e69c98555
Logic Apps Standard Reader (Preview) You have read-only access to all resources in a Standard logic app and workflows, including the workflow runs and their history. 4accf36b-2c05-432f-91c8-5c532dff4c73
Scheduler Job Collections Contributor Lets you manage Scheduler job collections, but not access to them. 188a0f2f-5c9e-469b-ae67-2aa5ce574b94
Services Hub Operator Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors. 82200a5b-e217-47a5-b665-6d8765ee745b

Identity

Built-in role Description ID
Domain Services Contributor Can manage Azure AD Domain Services and related network configurations eeaeda52-9324-47f6-8069-5d5bade478b2
Domain Services Reader Can view Azure AD Domain Services and related network configurations 361898ef-9ed1-48c2-849c-a832951106bb
Managed Identity Contributor Create, Read, Update, and Delete User Assigned Identity e40ec5ca-96e0-45a2-b4ff-59039f2c2b59
Managed Identity Operator Read and Assign User Assigned Identity f1a07417-d97a-45cb-824c-7a7467783830

Security

Built-in role Description ID
App Compliance Automation Administrator Create, read, download, modify and delete reports objects and related other resource objects. 0f37683f-2463-46b6-9ce7-9b788b988ba2
App Compliance Automation Reader Read, download the reports objects and related other resource objects. ffc6bbe0-e443-4c3b-bf54-26581bb2f78e
Attestation Contributor Can read write or delete the attestation provider instance bbf86eb8-f7b4-4cce-96e4-18cddf81d86e
Attestation Reader Can read the attestation provider properties fd1bd22b-8476-40bc-a0bc-69b95687b9f3
Key Vault Administrator Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. 00482a5a-887f-4fb3-b363-3b7fe8e74483
Key Vault Certificate User Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model. db79e9a7-68ee-4b58-9aeb-b90e7c24fcba
Key Vault Certificates Officer Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. a4417e6f-fecd-4de8-b567-7b0420556985
Key Vault Contributor Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates. f25e0fa2-a7c8-4377-a976-54943a77a395
Key Vault Crypto Officer Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. 14b46e9e-c2b7-41b4-b07b-48a6ebf60603
Key Vault Crypto Service Encryption User Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. e147488a-f6f5-4113-8e2d-b22465e65bf6
Key Vault Crypto Service Release User Release keys. Only works for key vaults that use the 'Azure role-based access control' permission model. 08bbd89e-9f13-488c-ac41-acfcb10c90ab
Key Vault Crypto User Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. 12338af0-0e69-4776-bea7-57ae8d297424
Key Vault Data Access Administrator Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments. 8b54135c-b56d-4d72-a534-26097cfdc8d8
Key Vault Reader Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. 21090545-7ca7-4776-b22c-e363652d74d2
Key Vault Secrets Officer Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. b86a8fe4-44ce-4948-aee5-eccb2c155cd7
Key Vault Secrets User Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. 4633458b-17de-408a-b874-0445c86b69e6
Managed HSM contributor Lets you manage managed HSM pools, but not access to them. 18500a29-7fe2-46b2-a342-b16a415e101d
Microsoft Sentinel Automation Contributor Microsoft Sentinel Automation Contributor f4c81013-99ee-4d62-a7ee-b3f1f648599a
Microsoft Sentinel Contributor Microsoft Sentinel Contributor ab8e14d6-4a74-4a29-9ba8-549422addade
Microsoft Sentinel Playbook Operator Microsoft Sentinel Playbook Operator 51d6186e-6489-4900-b93f-92e23144cca5
Microsoft Sentinel Reader Microsoft Sentinel Reader 8d289c81-5878-46d4-8554-54e1e3d8b5cb
Microsoft Sentinel Responder Microsoft Sentinel Responder 3e150937-b8fe-4cfb-8069-0eaf05ecd056
Security Admin View and update permissions for Microsoft Defender for Cloud. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations.

For Microsoft Defender for IoT, see Azure user roles for OT and Enterprise IoT monitoring.
fb1c8493-542b-48eb-b624-b4c8fea62acd
Security Assessment Contributor Lets you push assessments to Microsoft Defender for Cloud 612c2aa1-cb24-443b-ac28-3ab7272de6f5
Security Manager (Legacy) This is a legacy role. Please use Security Admin instead. e3d13bf0-dd5a-482e-ba6b-9b8433878d10
Security Reader View permissions for Microsoft Defender for Cloud. Can view recommendations, alerts, a security policy, and security states, but cannot make changes.

For Microsoft Defender for IoT, see Azure user roles for OT and Enterprise IoT monitoring.
39bc4728-0917-49c7-9d2c-d95423bc2eb4

DevOps

Built-in role Description ID
Deployment Environments Reader Provides read access to environment resources. eb960402-bf75-4cc3-8d68-35b34f960f72
Deployment Environments User Provides access to manage environment resources. 18e40d4e-8d2e-438d-97e1-9528336e149c
DevCenter Dev Box User Provides access to create and manage dev boxes. 45d50f46-0b78-4001-a660-4198cbe8cd05
DevCenter Project Admin Provides access to manage project resources. 331c37c6-af14-46d9-b9f4-e1909e1b95a0
DevTest Labs User Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. 76283e04-6283-4c54-8f91-bcf1374a3c64
Lab Assistant Enables you to view an existing lab, perform actions on the lab VMs and send invitations to the lab. ce40b423-cede-4313-a93f-9b28290b72e1
Lab Contributor Applied at lab level, enables you to manage the lab. Applied at a resource group, enables you to create and manage labs. 5daaa2af-1fe8-407c-9122-bba179798270
Lab Creator Lets you create new labs under your Azure Lab Accounts. b97fb8bc-a8b2-4522-a38b-dd33c7e65ead
Lab Operator Gives you limited ability to manage existing labs. a36e6959-b6be-4b12-8e9f-ef4b474d304d
Lab Services Contributor Enables you to fully control all Lab Services scenarios in the resource group. f69b8690-cc87-41d6-b77a-a4bc3c0a966f
Lab Services Reader Enables you to view, but not change, all lab plans and lab resources. 2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc
Load Test Contributor View, create, update, delete and execute load tests. View and list load test resources but can not make any changes. 749a398d-560b-491b-bb21-08924219302e
Load Test Owner Execute all operations on load test resources and load tests 45bb0b16-2f0c-4e78-afaa-a07599b003f6
Load Test Reader View and list all load tests and load test resources but can not make any changes 3ae3fb29-0000-4ccd-bf80-542e7b26e081

Monitor

Built-in role Description ID
Application Insights Component Contributor Can manage Application Insights components ae349356-3a1b-4a5e-921d-050484c6347e
Application Insights Snapshot Debugger Gives user permission to view and download debug snapshots collected with the Application Insights Snapshot Debugger. Note that these permissions are not included in the Owner or Contributor roles. When giving users the Application Insights Snapshot Debugger role, you must grant the role directly to the user. The role is not recognized when it is added to a custom role. 08954f03-6346-4c2e-81c0-ec3a5cfae23b
Azure Managed Grafana Workspace Contributor Can manage Azure Managed Grafana resources, without providing access to the workspaces themselves. 5c2d7e57-b7c2-4d8a-be4f-82afa42c6e95
Grafana Admin Manage server-wide settings and manage access to resources such as organizations, users, and licenses. 22926164-76b3-42b3-bc55-97df8dab3e41
Grafana Editor Create, edit, delete, or view dashboards; create, edit, or delete folders; and edit or view playlists. a79a5197-3a5c-4973-a920-486035ffd60f
Grafana Limited Viewer View home page. 41e04612-9dac-4699-a02b-c82ff2cc3fb5
Grafana Viewer View dashboards, playlists, and query data sources. 60921a7e-fef1-4a43-9b16-a26c52ad4769
Monitoring Contributor Can read all monitoring data and edit monitoring settings. See also Get started with roles, permissions, and security with Azure Monitor. 749f88d5-cbae-40b8-bcfc-e573ddc772fa
Monitoring Metrics Publisher Enables publishing metrics against Azure resources 3913510d-42f4-4e42-8a64-420c390055eb
Monitoring Reader Can read all monitoring data (metrics, logs, etc.). See also Get started with roles, permissions, and security with Azure Monitor. 43d0d8ad-25c7-4714-9337-8ba259a9fe05
Workbook Contributor Can save shared workbooks. e8ddcd69-c73f-4f9f-9844-4100522f16ad
Workbook Reader Can read workbooks. b279062a-9be3-42a0-92ae-8b3cf002ec4d

Management and governance

Built-in role Description ID
Advisor Recommendations Contributor (Assessments and Reviews) View assessment recommendations, accepted review recommendations, and manage the recommendations lifecycle (mark recommendations as completed, postponed or dismissed, in progress, or not started). 6b534d80-e337-47c4-864f-140f5c7f593d
Advisor Reviews Contributor View reviews for a workload and triage recommendations linked to them. 8aac15f0-d885-4138-8afa-bfb5872f7d13
Advisor Reviews Reader View reviews for a workload and recommendations linked to them. c64499e0-74c3-47ad-921c-13865957895c
Automation Contributor Manage Azure Automation resources and other resources using Azure Automation. f353d9bd-d4a6-484e-a77a-8050b599b867
Automation Job Operator Create and Manage Jobs using Automation Runbooks. 4fe576fe-1146-4730-92eb-48519fa6bf9f
Automation Operator Automation Operators are able to start, stop, suspend, and resume jobs d3881f73-407a-4167-8283-e981cbba0404
Automation Runbook Operator Read Runbook properties - to be able to create Jobs of the runbook. 5fb5aef8-1081-4b8e-bb16-9d5d0385bab5
Azure Center for SAP solutions administrator This role provides read and write access to all capabilities of Azure Center for SAP solutions. 7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7
Azure Center for SAP solutions reader This role provides read access to all capabilities of Azure Center for SAP solutions. 05352d14-a920-4328-a0de-4cbe7430e26b
Azure Center for SAP solutions service role Azure Center for SAP solutions service role - This role is intended to be used for providing the permissions to user assigned managed identity. Azure Center for SAP solutions will use this identity to deploy and manage SAP systems. aabbc5dd-1af0-458b-a942-81af88f9c138
Azure Connected Machine Onboarding Can onboard Azure Connected Machines. b64e21ea-ac4e-4cdf-9dc9-5b892992bee7
Azure Connected Machine Resource Administrator Can read, write, delete and re-onboard Azure Connected Machines. cd570a14-e51a-42ad-bac8-bafd67325302
Azure Connected Machine Resource Manager Custom Role for AzureStackHCI RP to manage hybrid compute machines and hybrid connectivity endpoints in a resource group f5819b54-e033-4d82-ac66-4fec3cbf3f4c
Azure Customer Lockbox Approver for Subscription Can approve Microsoft support requests to access specific resources contained within a subscription, or the subscription itself, when Customer Lockbox for Microsoft Azure is enabled on the tenant where the subscription resides. 4dae6930-7baf-46f5-909e-0383bc931c46
Billing Reader Allows read access to billing data fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64
Blueprint Contributor Can manage blueprint definitions, but not assign them. 41077137-e803-4205-871c-5a86e6a753b4
Blueprint Operator Can assign existing published blueprints, but cannot create new blueprints. Note that this only works if the assignment is done with a user-assigned managed identity. 437d2ced-4a38-4302-8479-ed2bcb43d090
Carbon Optimization Reader Allow read access to Azure Carbon Optimization data fa0d39e6-28e5-40cf-8521-1eb320653a4c
Cost Management Contributor Can view costs and manage cost configuration (e.g. budgets, exports) 434105ed-43f6-45c7-a02f-909b2ba83430
Cost Management Reader Can view cost data and configuration (e.g. budgets, exports) 72fafb9e-0641-4937-9268-a91bfd8191a3
Hierarchy Settings Administrator Allows users to edit and delete Hierarchy Settings 350f8d15-c687-4448-8ae1-157740a3936d
Managed Application Contributor Role Allows for creating managed application resources. 641177b8-a67a-45b9-a033-47bc880bb21e
Managed Application Operator Role Lets you read and perform actions on Managed Application resources c7393b34-138c-406f-901b-d8cf2b17e6ae
Managed Applications Reader Lets you read resources in a managed app and request JIT access. b9331d33-8a36-4f8c-b097-4f54124fdb44
Managed Services Registration assignment Delete Role Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant. 91c1777a-f3dc-4fae-b103-61d183457e46
Management Group Contributor Management Group Contributor Role 5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c
Management Group Reader Management Group Reader Role ac63b705-f282-497d-ac71-919bf39d939d
New Relic APM Account Contributor Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. 5d28c62d-5b37-4476-8438-e587778df237
Policy Insights Data Writer (Preview) Allows read access to resource policies and write access to resource component policy events. 66bb4e9e-b016-4a94-8249-4c0511c2be84
Quota Request Operator Read and create quota requests, get quota request status, and create support tickets. 0e5f05e5-9ab9-446b-b98d-1e2157c94125
Reservation Purchaser Lets you purchase reservations f7b75c60-3036-4b75-91c3-6b41c27c1689
Reservations Reader Lets one read all the reservations in a tenant 582fc458-8989-419f-a480-75249bc5db7e
Resource Policy Contributor Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy. 36243c78-bf99-498c-9df9-86d9f8d28608
Savings plan Purchaser Lets you purchase savings plans 3d24a3a0-c154-4f6f-a5ed-adc8e01ddb74
Scheduled Patching Contributor Provides access to manage maintenance configurations with maintenance scope InGuestPatch and corresponding configuration assignments cd08ab90-6b14-449c-ad9a-8f8e549482c6
Site Recovery Contributor Lets you manage Site Recovery service except vault creation and role assignment 6670b86e-a3f7-4917-ac9b-5d6ab1be4567
Site Recovery Operator Lets you failover and failback but not perform other Site Recovery management operations 494ae006-db33-4328-bf46-533a6560a3ca
Site Recovery Reader Lets you view Site Recovery status but not perform other management operations dbaa88c4-0c30-4179-9fb3-46319faa6149
Support Request Contributor Lets you create and manage Support requests cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e
Tag Contributor Lets you manage tags on entities, without providing access to the entities themselves. 4a9ae827-6dc8-4573-8ac7-8239d42aa03f
Template Spec Contributor Allows full access to Template Spec operations at the assigned scope. 1c9b6475-caf0-4164-b5a1-2142a7116f4b
Template Spec Reader Allows read access to Template Specs at the assigned scope. 392ae280-861d-42bd-9ea5-08ee6d83b80e

Hybrid + multicloud

Built-in role Description ID
Azure Resource Bridge Deployment Role Azure Resource Bridge Deployment Role 7b1f81f9-4196-4058-8aae-762e593270df
Azure Stack HCI Administrator Grants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader bda0d508-adf1-4af0-9c28-88919fc3ae06
Azure Stack HCI Device Management Role Microsoft.AzureStackHCI Device Management Role 865ae368-6a45-4bd1-8fbf-0d5151f56fc1
Azure Stack HCI VM Contributor Grants permissions to perform all VM actions 874d1c73-6003-4e60-a13a-cb31ea190a85
Azure Stack HCI VM Reader Grants permissions to view VMs 4b3fe76c-f777-4d24-a2d7-b027b0f7b273
Azure Stack Registration Owner Lets you manage Azure Stack registrations. 6f12a6df-dd06-4f3e-bcb1-ce8be600526a
Hybrid Server Resource Administrator Can read, write, delete, and re-onboard Hybrid servers to the Hybrid Resource Provider. 48b40c6e-82e0-4eb3-90d5-19e40f49b624

Next steps