Azure built-in roles for Storage
This article lists the Azure built-in roles in the Storage category.
Backup Contributor
Lets you manage backup service, but can't create vaults and give access to others
Actions | Description |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
Microsoft.RecoveryServices/locations/* | |
Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/* | Manage results of operation on backup management |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/* | Create and manage backup containers inside backup fabrics of Recovery Services vault |
Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action | Refreshes the container list |
Microsoft.RecoveryServices/Vaults/backupJobs/* | Create and manage backup jobs |
Microsoft.RecoveryServices/Vaults/backupJobsExport/action | Export Jobs |
Microsoft.RecoveryServices/Vaults/backupOperationResults/* | Create and manage Results of backup management operations |
Microsoft.RecoveryServices/Vaults/backupPolicies/* | Create and manage backup policies |
Microsoft.RecoveryServices/Vaults/backupProtectableItems/* | Create and manage items which can be backed up |
Microsoft.RecoveryServices/Vaults/backupProtectedItems/* | Create and manage backed up items |
Microsoft.RecoveryServices/Vaults/backupProtectionContainers/* | Create and manage containers holding backup items |
Microsoft.RecoveryServices/Vaults/backupSecurityPIN/* | |
Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services . |
Microsoft.RecoveryServices/Vaults/certificates/* | Create and manage certificates related to backup in Recovery Services vault |
Microsoft.RecoveryServices/Vaults/extendedInformation/* | Create and manage extended info related to vault |
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery services vault. |
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* | |
Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' |
Microsoft.RecoveryServices/Vaults/registeredIdentities/* | Create and manage registered identities |
Microsoft.RecoveryServices/Vaults/usages/* | Create and manage usage of Recovery Services vault |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
Microsoft.RecoveryServices/Vaults/backupstorageconfig/* | |
Microsoft.RecoveryServices/Vaults/backupconfig/* | |
Microsoft.RecoveryServices/Vaults/backupValidateOperation/action | Validate Operation on Protected Item |
Microsoft.RecoveryServices/Vaults/write | Create Vault operation creates an Azure resource of type 'vault' |
Microsoft.RecoveryServices/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. |
Microsoft.RecoveryServices/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. |
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/* | |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read | Get all protectable containers |
Microsoft.RecoveryServices/vaults/operationStatus/read | Gets Operation Status for a given Operation |
Microsoft.RecoveryServices/vaults/operationResults/read | The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation |
Microsoft.RecoveryServices/locations/backupStatus/action | Check Backup Status for Recovery Services Vaults |
Microsoft.RecoveryServices/locations/backupPreValidateProtection/action | |
Microsoft.RecoveryServices/locations/backupValidateFeatures/action | Validate Features |
Microsoft.RecoveryServices/Vaults/monitoringAlerts/write | Resolves the alert. |
Microsoft.RecoveryServices/operations/read | Operation returns the list of Operations for a Resource Provider |
Microsoft.RecoveryServices/locations/operationStatus/read | Gets Operation Status for a given Operation |
Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read | List all backup Protection Intents |
Microsoft.DataProtection/locations/getBackupStatus/action | Check Backup Status for Recovery Services Vaults |
Microsoft.DataProtection/backupVaults/backupInstances/write | Creates a Backup Instance |
Microsoft.DataProtection/backupVaults/backupInstances/delete | Deletes the Backup Instance |
Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all Backup Instances |
Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all Backup Instances |
Microsoft.DataProtection/backupVaults/deletedBackupInstances/read | List soft-deleted Backup Instances in a Backup Vault. |
Microsoft.DataProtection/backupVaults/deletedBackupInstances/undelete/action | Perform undelete of soft-deleted Backup Instance. Backup Instance moves from SoftDeleted to ProtectionStopped state. |
Microsoft.DataProtection/backupVaults/backupInstances/backup/action | Performs Backup on the Backup Instance |
Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action | Validates for Restore of the Backup Instance |
Microsoft.DataProtection/backupVaults/backupInstances/restore/action | Triggers restore on the Backup Instance |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action | Triggers cross region restore operation on given backup instance. |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action | Performs validations for cross region restore operation. |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action | List cross region restore jobs of backup instance from secondary region. |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action | Get cross region restore job details from secondary region. |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action | Returns recovery points from secondary region for cross region restore enabled Backup Vaults. |
Microsoft.DataProtection/backupVaults/backupPolicies/write | Creates Backup Policy |
Microsoft.DataProtection/backupVaults/backupPolicies/delete | Deletes the Backup Policy |
Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies |
Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies |
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds Restorable Time Ranges |
Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read | Returns Backup Operation Result for Backup Vault. |
Microsoft.DataProtection/backupVaults/write | Update BackupVault operation updates an Azure resource of type 'Backup Vault' |
Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
Microsoft.DataProtection/backupVaults/operationResults/read | Gets Operation Result of a Patch Operation for a Backup Vault |
Microsoft.DataProtection/backupVaults/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
Microsoft.DataProtection/locations/checkNameAvailability/action | Checks if the requested BackupVault Name is Available |
Microsoft.DataProtection/locations/checkFeatureSupport/action | Validates if a feature is supported |
Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
Microsoft.DataProtection/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
Microsoft.DataProtection/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. |
Microsoft.DataProtection/backupVaults/validateForBackup/action | Validates for backup of Backup Instance |
Microsoft.DataProtection/operations/read | Operation returns the list of Operations for a Resource Provider |
Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/delete | The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy' |
Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read | Get the list of ResourceGuard proxies for a resource |
Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/unlockDelete/action | Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation |
Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/write | Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy' |
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read | Get ResourceGuard proxy operation gets an object representing the Azure resource of type 'ResourceGuard proxy' |
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write | Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy' |
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete | The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy' |
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action | Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
"assignableScopes": [
"description": "Lets you manage backups, but can't delete vaults and give access to others",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b",
"name": "5e467623-bb1f-42f4-a55d-6e525e11384b",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [],
"notDataActions": []
"roleName": "Backup Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Backup MUA Admin
Backup MultiUser-Authorization. Can create/delete ResourceGuard
Actions | Description |
Microsoft.DataProtection/*/read | |
Microsoft.DataProtection/*/resourceGuards/write | |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/write | Update ResourceGuard operation updates an Azure resource of type 'ResourceGuard' |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/delete | The Delete ResourceGuard operation deletes the specified Azure resource of type 'ResourceGuard' |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/read | Gets list of ResourceGuards in a Resource Group |
Microsoft.DataProtection/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. |
Microsoft.DataProtection/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
Microsoft.DataProtection/locations/getBackupStatus/action | Check Backup Status for Recovery Services Vaults |
Microsoft.DataProtection/locations/checkFeatureSupport/action | Validates if a feature is supported |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Features/features/read | Gets the features of a subscription. |
Microsoft.Features/providers/features/read | Gets the feature of a subscription in a given resource provider. |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourcegroups/deployments/* | |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read | Get ResourceGuard proxy operation gets an object representing the Azure resource of type 'ResourceGuard proxy' |
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write | Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy' |
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete | The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy' |
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action | Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation |
Microsoft.DataProtection/subscriptions/providers/resourceGuards/read | Gets list of ResourceGuards in a Subscription |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/{operationName}/read | Gets ResourceGuard default operation request info |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
"assignableScopes": [
"description": "Backup MultiUser-Authorization. Can create/delete ResourceGuard ",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c2a970b4-16a7-4a51-8c84-8a8ea6ee0bb8",
"name": "c2a970b4-16a7-4a51-8c84-8a8ea6ee0bb8",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [],
"notDataActions": []
"roleName": "Backup MUA Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Backup MUA Operator
Backup MultiUser-Authorization. Allows user to perform critical operation protected by resourceguard
Actions | Description |
Microsoft.DataProtection/*/action | |
Microsoft.DataProtection/*/read | |
Microsoft.Authorization/*/read | Read roles and role assignments |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
"assignableScopes": [
"description": "Backup MultiUser-Authorization. Allows user to perform critical operation protected by resourceguard",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f54b6d04-23c6-443e-b462-9c16ab7b4a52",
"name": "f54b6d04-23c6-443e-b462-9c16ab7b4a52",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [],
"notDataActions": []
"roleName": "Backup MUA Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Backup Operator
Lets you manage backup services, except removal of backup, vault creation and giving access to others
Actions | Description |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read | Returns status of the operation |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read | Gets result of Operation performed on Protection Container. |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action | Performs Backup for Protected Item. |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read | Gets Result of Operation Performed on Protected Items. |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read | Returns the status of Operation performed on Protected Items. |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the Protected Item |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action | Provision Instant Item Recovery for Protected Item |
Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action | Get AccessToken for Cross Region Restore. |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read | Get Recovery Points for Protected Items. |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action | Restore Recovery Points for Protected Items. |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action | Revoke Instant Item Recovery for Protected Item |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write | Create a backup Protected Item |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read | Returns all registered containers |
Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action | Refreshes the container list |
Microsoft.RecoveryServices/Vaults/backupJobs/* | Create and manage backup jobs |
Microsoft.RecoveryServices/Vaults/backupJobsExport/action | Export Jobs |
Microsoft.RecoveryServices/Vaults/backupOperationResults/* | Create and manage Results of backup management operations |
Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read | Get Results of Policy Operation. |
Microsoft.RecoveryServices/Vaults/backupPolicies/read | Returns all Protection Policies |
Microsoft.RecoveryServices/Vaults/backupProtectableItems/* | Create and manage items which can be backed up |
Microsoft.RecoveryServices/Vaults/backupProtectedItems/read | Returns the list of all Protected Items. |
Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read | Returns all containers belonging to the subscription |
Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services . |
Microsoft.RecoveryServices/Vaults/certificates/write | The Update Resource Certificate operation updates the resource/vault credential certificate. |
Microsoft.RecoveryServices/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? |
Microsoft.RecoveryServices/Vaults/extendedInformation/write | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? |
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery services vault. |
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* | |
Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' |
Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read | The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation |
Microsoft.RecoveryServices/Vaults/registeredIdentities/read | The Get Containers operation can be used get the containers registered for a resource. |
Microsoft.RecoveryServices/Vaults/registeredIdentities/write | The Register Service Container operation can be used to register a container with Recovery Service. |
Microsoft.RecoveryServices/Vaults/usages/read | Returns usage details for a Recovery Services Vault. |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
Microsoft.RecoveryServices/Vaults/backupstorageconfig/* | |
Microsoft.RecoveryServices/Vaults/backupValidateOperation/action | Validate Operation on Protected Item |
Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action | Validate Operation on Protected Item |
Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read | Validate Operation on Protected Item |
Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read | Validate Operation on Protected Item |
Microsoft.RecoveryServices/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. |
Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read | Get Status of Policy Operation. |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write | Creates a registered container |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action | Do inquiry for workloads within a container |
Microsoft.RecoveryServices/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. |
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write | Create a backup Protection Intent |
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read | Get a backup Protection Intent |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read | Get all protectable containers |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read | Get all items in a container |
Microsoft.RecoveryServices/locations/backupStatus/action | Check Backup Status for Recovery Services Vaults |
Microsoft.RecoveryServices/locations/backupPreValidateProtection/action | |
Microsoft.RecoveryServices/locations/backupValidateFeatures/action | Validate Features |
Microsoft.RecoveryServices/locations/backupAadProperties/read | Get AAD Properties for authentication in the third region for Cross Region Restore. |
Microsoft.RecoveryServices/locations/backupCrrJobs/action | List Cross Region Restore Jobs in the secondary region for Recovery Services Vault. |
Microsoft.RecoveryServices/locations/backupCrrJob/action | Get Cross Region Restore Job Details in the secondary region for Recovery Services Vault. |
Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action | Trigger Cross region restore. |
Microsoft.RecoveryServices/locations/backupCrrOperationResults/read | Returns CRR Operation Result for Recovery Services Vault. |
Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read | Returns CRR Operation Status for Recovery Services Vault. |
Microsoft.RecoveryServices/Vaults/monitoringAlerts/write | Resolves the alert. |
Microsoft.RecoveryServices/operations/read | Operation returns the list of Operations for a Resource Provider |
Microsoft.RecoveryServices/locations/operationStatus/read | Gets Operation Status for a given Operation |
Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read | List all backup Protection Intents |
Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all Backup Instances |
Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all Backup Instances |
Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read | Returns Backup Operation Result for Backup Vault. |
Microsoft.DataProtection/backupVaults/backupInstances/write | Creates a Backup Instance |
Microsoft.DataProtection/backupVaults/deletedBackupInstances/read | List soft-deleted Backup Instances in a Backup Vault. |
Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies |
Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies |
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds Restorable Time Ranges |
Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
Microsoft.DataProtection/backupVaults/operationResults/read | Gets Operation Result of a Patch Operation for a Backup Vault |
Microsoft.DataProtection/backupVaults/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
Microsoft.DataProtection/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
Microsoft.DataProtection/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. |
Microsoft.DataProtection/operations/read | Operation returns the list of Operations for a Resource Provider |
Microsoft.DataProtection/backupVaults/validateForBackup/action | Validates for backup of Backup Instance |
Microsoft.DataProtection/backupVaults/backupInstances/backup/action | Performs Backup on the Backup Instance |
Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action | Validates for Restore of the Backup Instance |
Microsoft.DataProtection/backupVaults/backupInstances/restore/action | Triggers restore on the Backup Instance |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action | Triggers cross region restore operation on given backup instance. |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action | Performs validations for cross region restore operation. |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action | List cross region restore jobs of backup instance from secondary region. |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action | Get cross region restore job details from secondary region. |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action | Returns recovery points from secondary region for cross region restore enabled Backup Vaults. |
Microsoft.DataProtection/locations/checkFeatureSupport/action | Validates if a feature is supported |
Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/delete | The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy' |
Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read | Get the list of ResourceGuard proxies for a resource |
Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/unlockDelete/action | Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation |
Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/write | Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy' |
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read | Get ResourceGuard proxy operation gets an object representing the Azure resource of type 'ResourceGuard proxy' |
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write | Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy' |
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete | The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy' |
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action | Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
"assignableScopes": [
"description": "Lets you manage backup services, except removal of backup, vault creation and giving access to others",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324",
"name": "00c29273-979b-4161-815c-10b084fb9324",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [],
"notDataActions": []
"roleName": "Backup Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Backup Reader
Can view backup services, but can't make changes
Actions | Description |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.RecoveryServices/locations/allocatedStamp/read | GetAllocatedStamp is internal operation used by service |
Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read | Returns status of the operation |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read | Gets result of Operation performed on Protection Container. |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read | Gets Result of Operation Performed on Protected Items. |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read | Returns the status of Operation performed on Protected Items. |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the Protected Item |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read | Get Recovery Points for Protected Items. |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read | Returns all registered containers |
Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read | Returns the Result of Job Operation. |
Microsoft.RecoveryServices/Vaults/backupJobs/read | Returns all Job Objects |
Microsoft.RecoveryServices/Vaults/backupJobsExport/action | Export Jobs |
Microsoft.RecoveryServices/Vaults/backupOperationResults/read | Returns Backup Operation Result for Recovery Services Vault. |
Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read | Get Results of Policy Operation. |
Microsoft.RecoveryServices/Vaults/backupPolicies/read | Returns all Protection Policies |
Microsoft.RecoveryServices/Vaults/backupProtectedItems/read | Returns the list of all Protected Items. |
Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read | Returns all containers belonging to the subscription |
Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services . |
Microsoft.RecoveryServices/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? |
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery services vault. |
Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' |
Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read | The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation |
Microsoft.RecoveryServices/Vaults/registeredIdentities/read | The Get Containers operation can be used get the containers registered for a resource. |
Microsoft.RecoveryServices/Vaults/backupstorageconfig/read | Returns Storage Configuration for Recovery Services Vault. |
Microsoft.RecoveryServices/Vaults/backupconfig/read | Returns Configuration for Recovery Services Vault. |
Microsoft.RecoveryServices/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. |
Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read | Get Status of Policy Operation. |
Microsoft.RecoveryServices/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. |
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read | Get a backup Protection Intent |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read | Get all items in a container |
Microsoft.RecoveryServices/locations/backupStatus/action | Check Backup Status for Recovery Services Vaults |
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* | |
Microsoft.RecoveryServices/Vaults/monitoringAlerts/write | Resolves the alert. |
Microsoft.RecoveryServices/operations/read | Operation returns the list of Operations for a Resource Provider |
Microsoft.RecoveryServices/locations/operationStatus/read | Gets Operation Status for a given Operation |
Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read | List all backup Protection Intents |
Microsoft.RecoveryServices/Vaults/usages/read | Returns usage details for a Recovery Services Vault. |
Microsoft.RecoveryServices/locations/backupValidateFeatures/action | Validate Features |
Microsoft.RecoveryServices/locations/backupCrrJobs/action | List Cross Region Restore Jobs in the secondary region for Recovery Services Vault. |
Microsoft.RecoveryServices/locations/backupCrrJob/action | Get Cross Region Restore Job Details in the secondary region for Recovery Services Vault. |
Microsoft.RecoveryServices/locations/backupCrrOperationResults/read | Returns CRR Operation Result for Recovery Services Vault. |
Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read | Returns CRR Operation Status for Recovery Services Vault. |
Microsoft.DataProtection/locations/getBackupStatus/action | Check Backup Status for Recovery Services Vaults |
Microsoft.DataProtection/backupVaults/backupInstances/write | Creates a Backup Instance |
Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all Backup Instances |
Microsoft.DataProtection/backupVaults/deletedBackupInstances/read | List soft-deleted Backup Instances in a Backup Vault. |
Microsoft.DataProtection/backupVaults/backupInstances/backup/action | Performs Backup on the Backup Instance |
Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action | Validates for Restore of the Backup Instance |
Microsoft.DataProtection/backupVaults/backupInstances/restore/action | Triggers restore on the Backup Instance |
Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies |
Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies |
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read | Returns Backup Operation Result for Backup Vault. |
Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds Restorable Time Ranges |
Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
Microsoft.DataProtection/backupVaults/operationResults/read | Gets Operation Result of a Patch Operation for a Backup Vault |
Microsoft.DataProtection/backupVaults/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
Microsoft.DataProtection/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
Microsoft.DataProtection/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. |
Microsoft.DataProtection/backupVaults/validateForBackup/action | Validates for backup of Backup Instance |
Microsoft.DataProtection/operations/read | Operation returns the list of Operations for a Resource Provider |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action | List cross region restore jobs of backup instance from secondary region. |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action | Get cross region restore job details from secondary region. |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action | Returns recovery points from secondary region for cross region restore enabled Backup Vaults. |
Microsoft.DataProtection/locations/checkFeatureSupport/action | Validates if a feature is supported |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
"assignableScopes": [
"description": "Can view backup services, but can't make changes",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912",
"name": "a795c7a0-d4a2-40c1-ae25-d81f01202912",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [],
"notDataActions": []
"roleName": "Backup Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Classic Storage Account Contributor
Lets you manage classic storage accounts, but not access to them.
Actions | Description |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.ClassicStorage/storageAccounts/* | Create and manage storage accounts |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
"assignableScopes": [
"description": "Lets you manage classic storage accounts, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
"name": "86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [],
"notDataActions": []
"roleName": "Classic Storage Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Classic Storage Account Key Operator Service Role
Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts
Actions | Description |
Microsoft.ClassicStorage/storageAccounts/listkeys/action | Lists the access keys for the storage accounts. |
Microsoft.ClassicStorage/storageAccounts/regeneratekey/action | Regenerates the existing access keys for the storage account. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
"assignableScopes": [
"description": "Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts",
"id": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d",
"name": "985d6b00-f706-48f5-a6fe-d0ca12fb668d",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [],
"notDataActions": []
"roleName": "Classic Storage Account Key Operator Service Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Data Box Contributor
Lets you manage everything under Data Box Service except giving access to others.
Actions | Description |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Databox/* | |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
"assignableScopes": [
"description": "Lets you manage everything under Data Box Service except giving access to others.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5",
"name": "add466c9-e687-43fc-8d98-dfcf8d720be5",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [],
"notDataActions": []
"roleName": "Data Box Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Data Box Reader
Lets you manage Data Box Service except creating order or editing order details and giving access to others.
Actions | Description |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Databox/*/read | |
Microsoft.Databox/jobs/listsecrets/action | |
Microsoft.Databox/jobs/listcredentials/action | Lists the unencrypted credentials related to the order. |
Microsoft.Databox/locations/availableSkus/action | This method returns the list of available skus. |
Microsoft.Databox/locations/validateInputs/action | This method does all type of validations. |
Microsoft.Databox/locations/regionConfiguration/action | This method returns the configurations for the region. |
Microsoft.Databox/locations/validateAddress/action | Validates the shipping address and provides alternate addresses if any. |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
"assignableScopes": [
"description": "Lets you manage Data Box Service except creating order or editing order details and giving access to others.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
"name": "028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [],
"notDataActions": []
"roleName": "Data Box Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Data Lake Analytics Developer
Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts.
Actions | Description |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.BigAnalytics/accounts/* | |
Microsoft.DataLakeAnalytics/accounts/* | |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
Microsoft.BigAnalytics/accounts/Delete | |
Microsoft.BigAnalytics/accounts/TakeOwnership/action | |
Microsoft.BigAnalytics/accounts/Write | |
Microsoft.DataLakeAnalytics/accounts/Delete | Delete a DataLakeAnalytics account. |
Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action | Grant permissions to cancel jobs submitted by other users. |
Microsoft.DataLakeAnalytics/accounts/Write | Create or update a DataLakeAnalytics account. |
Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write | Create or update a linked DataLakeStore account of a DataLakeAnalytics account. |
Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete | Unlink a DataLakeStore account from a DataLakeAnalytics account. |
Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write | Create or update a linked Storage account of a DataLakeAnalytics account. |
Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete | Unlink a Storage account from a DataLakeAnalytics account. |
Microsoft.DataLakeAnalytics/accounts/firewallRules/Write | Create or update a firewall rule. |
Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete | Delete a firewall rule. |
Microsoft.DataLakeAnalytics/accounts/computePolicies/Write | Create or update a compute policy. |
Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete | Delete a compute policy. |
DataActions | |
none | |
NotDataActions | |
none |
"assignableScopes": [
"description": "Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88",
"name": "47b7735b-770e-4598-a7da-8b91488b4c88",
"permissions": [
"actions": [
"notActions": [
"dataActions": [],
"notDataActions": []
"roleName": "Data Lake Analytics Developer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Defender for Storage Data Scanner
Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage.
Actions | Description |
Microsoft.Storage/storageAccounts/blobServices/containers/read | Returns list of containers |
NotActions | |
none | |
DataActions | |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write | Returns the result of writing blob tags |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read | Returns the result of reading blob tags |
NotDataActions | |
none |
"assignableScopes": [
"description": "Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40",
"name": "1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [
"notDataActions": []
"roleName": "Defender for Storage Data Scanner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Elastic SAN Network Admin
Allows access to create Private Endpoints on SAN resources, and to read SAN resources
Actions | Description |
Microsoft.ElasticSan/elasticSans/*/read | |
Microsoft.ElasticSan/elasticSans/PrivateEndpointConnectionsApproval/action | |
Microsoft.ElasticSan/elasticSans/privateEndpointConnections/write | |
Microsoft.ElasticSan/elasticSans/privateEndpointConnections/delete | |
Microsoft.ElasticSan/locations/asyncoperations/read | Polls the status of an asynchronous operation. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
"assignableScopes": [
"description": "Allows access to create Private Endpoints on SAN resources, and to read SAN resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fa6cecf6-5db3-4c43-8470-c540bcb4eafa",
"name": "fa6cecf6-5db3-4c43-8470-c540bcb4eafa",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [],
"notDataActions": []
"roleName": "Elastic SAN Network Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Elastic SAN Owner
Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access
Actions | Description |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ElasticSan/elasticSans/* | |
Microsoft.ElasticSan/locations/* | |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
"assignableScopes": [
"description": "Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access",
"id": "/providers/Microsoft.Authorization/roleDefinitions/80dcbedb-47ef-405d-95bd-188a1b4ac406",
"name": "80dcbedb-47ef-405d-95bd-188a1b4ac406",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [],
"notDataActions": []
"roleName": "Elastic SAN Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Elastic SAN Reader
Allows for control path read access to Azure Elastic SAN
Actions | Description |
Microsoft.Authorization/roleAssignments/read | Get information about a role assignment. |
Microsoft.Authorization/roleDefinitions/read | Get information about a role definition. |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ElasticSan/elasticSans/*/read | |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
"assignableScopes": [
"description": "Allows for control path read access to Azure Elastic SAN",
"id": "/providers/Microsoft.Authorization/roleDefinitions/af6a70f8-3c9f-4105-acf1-d719e9fca4ca",
"name": "af6a70f8-3c9f-4105-acf1-d719e9fca4ca",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [],
"notDataActions": []
"roleName": "Elastic SAN Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Elastic SAN Volume Group Owner
Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access
Actions | Description |
Microsoft.Authorization/roleAssignments/read | Get information about a role assignment. |
Microsoft.Authorization/roleDefinitions/read | Get information about a role definition. |
Microsoft.ElasticSan/elasticSans/volumeGroups/* | |
Microsoft.ElasticSan/locations/asyncoperations/read | Polls the status of an asynchronous operation. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
"assignableScopes": [
"description": "Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a8281131-f312-4f34-8d98-ae12be9f0d23",
"name": "a8281131-f312-4f34-8d98-ae12be9f0d23",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [],
"notDataActions": []
"roleName": "Elastic SAN Volume Group Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Reader and Data Access
Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.
Actions | Description |
Microsoft.Storage/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. |
Microsoft.Storage/storageAccounts/ListAccountSas/action | Returns the Account SAS token for the specified storage account. |
Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
"assignableScopes": [
"description": "Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349",
"name": "c12c1c16-33a1-487b-954d-41c89c60f349",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [],
"notDataActions": []
"roleName": "Reader and Data Access",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Storage Account Backup Contributor
Lets you perform backup and restore operations using Azure Backup on the storage account.
Actions | Description |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Authorization/locks/read | Gets locks at the specified scope. |
Microsoft.Authorization/locks/write | Add locks at the specified scope. |
Microsoft.Authorization/locks/delete | Delete locks at the specified scope. |
Microsoft.Features/features/read | Gets the features of a subscription. |
Microsoft.Features/providers/features/read | Gets the feature of a subscription in a given resource provider. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Storage/operations/read | Polls the status of an asynchronous operation. |
Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete | Delete object replication policy |
Microsoft.Storage/storageAccounts/objectReplicationPolicies/read | List object replication policies |
Microsoft.Storage/storageAccounts/objectReplicationPolicies/write | Create or update object replication policy |
Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write | Create object replication restore point marker |
Microsoft.Storage/storageAccounts/blobServices/containers/read | Returns list of containers |
Microsoft.Storage/storageAccounts/blobServices/containers/write | Returns the result of put blob container |
Microsoft.Storage/storageAccounts/blobServices/read | Returns blob service properties or statistics |
Microsoft.Storage/storageAccounts/blobServices/write | Returns the result of put blob service properties |
Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
Microsoft.Storage/storageAccounts/restoreBlobRanges/action | Restore blob ranges to the state of the specified time |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
"assignableScopes": [
"description": "Lets you perform backup and restore operations using Azure Backup on the storage account.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1",
"name": "e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [],
"notDataActions": []
"roleName": "Storage Account Backup Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Storage Account Contributor
Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization.
Actions | Description |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Insights/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server |
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Storage/storageAccounts/* | Create and manage storage accounts |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
"assignableScopes": [
"description": "Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab",
"name": "17d1049b-9a84-46fb-8f53-869881c3d3ab",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [],
"notDataActions": []
"roleName": "Storage Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Storage Account Key Operator Service Role
Permits listing and regenerating storage account access keys.
Actions | Description |
Microsoft.Storage/storageAccounts/listkeys/action | Returns the access keys for the specified storage account. |
Microsoft.Storage/storageAccounts/regeneratekey/action | Regenerates the access keys for the specified storage account. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
"assignableScopes": [
"description": "Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts",
"id": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12",
"name": "81a9662b-bebf-436f-a333-f67b29880f12",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [],
"notDataActions": []
"roleName": "Storage Account Key Operator Service Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Storage Blob Data Contributor
Read, write, and delete Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling data operations.
Actions | Description |
Microsoft.Storage/storageAccounts/blobServices/containers/delete | Delete a container. |
Microsoft.Storage/storageAccounts/blobServices/containers/read | Return a container or a list of containers. |
Microsoft.Storage/storageAccounts/blobServices/containers/write | Modify a container's metadata or properties. |
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. |
NotActions | |
none | |
DataActions | |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | Delete a blob. |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Return a blob or a list of blobs. |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | Write to a blob. |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action | Moves the blob from one path to another |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action | Returns the result of adding blob content |
NotDataActions | |
none |
"assignableScopes": [
"description": "Allows for read, write and delete access to Azure Storage blob containers and data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe",
"name": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [
"notDataActions": []
"roleName": "Storage Blob Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Storage Blob Data Owner
Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. To learn which actions are required for a given data operation, see Permissions for calling data operations.
Actions | Description |
Microsoft.Storage/storageAccounts/blobServices/containers/* | Full permissions on containers. |
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. |
NotActions | |
none | |
DataActions | |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/* | Full permissions on blobs. |
NotDataActions | |
none |
"assignableScopes": [
"description": "Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
"name": "b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [
"notDataActions": []
"roleName": "Storage Blob Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Storage Blob Data Reader
Read and list Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling data operations.
Actions | Description |
Microsoft.Storage/storageAccounts/blobServices/containers/read | Return a container or a list of containers. |
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. |
NotActions | |
none | |
DataActions | |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Return a blob or a list of blobs. |
NotDataActions | |
none |
"assignableScopes": [
"description": "Allows for read access to Azure Storage blob containers and data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"name": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [
"notDataActions": []
"roleName": "Storage Blob Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Storage Blob Delegator
Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Azure AD credentials. For more information, see Create a user delegation SAS.
Actions | Description |
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
"assignableScopes": [
"description": "Allows for generation of a user delegation key which can be used to sign SAS tokens",
"id": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
"name": "db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [],
"notDataActions": []
"roleName": "Storage Blob Delegator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Storage File Data Privileged Contributor
Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers.
Actions | Description |
none | |
NotActions | |
none | |
DataActions | |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write | Returns the result of writing a file or creating a folder |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete | Returns the result of deleting a file/folder |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action | Returns the result of modifying permission on a file/folder |
Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action | Read File Backup Semantics Privilege |
Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action | Write File Backup Semantics Privilege |
NotDataActions | |
none |
"assignableScopes": [
"description": "Customer has read, write, delete and modify NTFS permission access on Azure Storage file shares.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/69566ab7-960f-475b-8e7c-b3118f30c6bd",
"name": "69566ab7-960f-475b-8e7c-b3118f30c6bd",
"permissions": [
"actions": [],
"notActions": [],
"dataActions": [
"notDataActions": []
"roleName": "Storage File Data Privileged Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Storage File Data Privileged Reader
Allows for read access on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers.
Actions | Description |
none | |
NotActions | |
none | |
DataActions | |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders |
Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action | Read File Backup Semantics Privilege |
NotDataActions | |
none |
"assignableScopes": [
"description": "Customer has read access on Azure Storage file shares.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b8eda974-7b85-4f76-af95-65846b26df6d",
"name": "b8eda974-7b85-4f76-af95-65846b26df6d",
"permissions": [
"actions": [],
"notActions": [],
"dataActions": [
"notDataActions": []
"roleName": "Storage File Data Privileged Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Storage File Data SMB Share Contributor
Allows for read, write, and delete access on files/directories in Azure file shares. This role has no built-in equivalent on Windows file servers.
Actions | Description |
none | |
NotActions | |
none | |
DataActions | |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders. |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write | Returns the result of writing a file or creating a folder. |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete | Returns the result of deleting a file/folder. |
NotDataActions | |
none |
"assignableScopes": [
"description": "Allows for read, write, and delete access in Azure Storage file shares over SMB",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
"name": "0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
"permissions": [
"actions": [],
"notActions": [],
"dataActions": [
"notDataActions": []
"roleName": "Storage File Data SMB Share Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Storage File Data SMB Share Elevated Contributor
Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares. This role is equivalent to a file share ACL of change on Windows file servers.
Actions | Description |
none | |
NotActions | |
none | |
DataActions | |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders. |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write | Returns the result of writing a file or creating a folder. |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete | Returns the result of deleting a file/folder. |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action | Returns the result of modifying permission on a file/folder. |
NotDataActions | |
none |
"assignableScopes": [
"description": "Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7",
"name": "a7264617-510b-434b-a828-9731dc254ea7",
"permissions": [
"actions": [],
"notActions": [],
"dataActions": [
"notDataActions": []
"roleName": "Storage File Data SMB Share Elevated Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Storage File Data SMB Share Reader
Allows for read access on files/directories in Azure file shares. This role is equivalent to a file share ACL of read on Windows file servers.
Actions | Description |
none | |
NotActions | |
none | |
DataActions | |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders. |
NotDataActions | |
none |
"assignableScopes": [
"description": "Allows for read access to Azure File Share over SMB",
"id": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314",
"name": "aba4ae5f-2193-4029-9191-0cb91df5e314",
"permissions": [
"actions": [],
"notActions": [],
"dataActions": [
"notDataActions": []
"roleName": "Storage File Data SMB Share Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Storage Queue Data Contributor
Read, write, and delete Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling data operations.
Actions | Description |
Microsoft.Storage/storageAccounts/queueServices/queues/delete | Delete a queue. |
Microsoft.Storage/storageAccounts/queueServices/queues/read | Return a queue or a list of queues. |
Microsoft.Storage/storageAccounts/queueServices/queues/write | Modify queue metadata or properties. |
NotActions | |
none | |
DataActions | |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete | Delete one or more messages from a queue. |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/read | Peek or retrieve one or more messages from a queue. |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/write | Add a message to a queue. |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action | Returns the result of processing a message |
NotDataActions | |
none |
"assignableScopes": [
"description": "Allows for read, write, and delete access to Azure Storage queues and queue messages",
"id": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88",
"name": "974c5e8b-45b9-4653-ba55-5f855dd0fb88",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [
"notDataActions": []
"roleName": "Storage Queue Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Storage Queue Data Message Processor
Peek, retrieve, and delete a message from an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling data operations.
Actions | Description |
none | |
NotActions | |
none | |
DataActions | |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/read | Peek a message. |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action | Retrieve and delete a message. |
NotDataActions | |
none |
"assignableScopes": [
"description": "Allows for peek, receive, and delete access to Azure Storage queue messages",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed",
"name": "8a0f0c08-91a1-4084-bc3d-661d67233fed",
"permissions": [
"actions": [],
"notActions": [],
"dataActions": [
"notDataActions": []
"roleName": "Storage Queue Data Message Processor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Storage Queue Data Message Sender
Add messages to an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling data operations.
Actions | Description |
none | |
NotActions | |
none | |
DataActions | |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action | Add a message to a queue. |
NotDataActions | |
none |
"assignableScopes": [
"description": "Allows for sending of Azure Storage queue messages",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
"name": "c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
"permissions": [
"actions": [],
"notActions": [],
"dataActions": [
"notDataActions": []
"roleName": "Storage Queue Data Message Sender",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Storage Queue Data Reader
Read and list Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling data operations.
Actions | Description |
Microsoft.Storage/storageAccounts/queueServices/queues/read | Returns a queue or a list of queues. |
NotActions | |
none | |
DataActions | |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/read | Peek or retrieve one or more messages from a queue. |
NotDataActions | |
none |
"assignableScopes": [
"description": "Allows for read access to Azure Storage queues and queue messages",
"id": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925",
"name": "19e7f393-937e-4f77-808e-94535e297925",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [
"notDataActions": []
"roleName": "Storage Queue Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Storage Table Data Contributor
Allows for read, write and delete access to Azure Storage tables and entities
Actions | Description |
Microsoft.Storage/storageAccounts/tableServices/tables/read | Query tables |
Microsoft.Storage/storageAccounts/tableServices/tables/write | Create tables |
Microsoft.Storage/storageAccounts/tableServices/tables/delete | Delete tables |
NotActions | |
none | |
DataActions | |
Microsoft.Storage/storageAccounts/tableServices/tables/entities/read | Query table entities |
Microsoft.Storage/storageAccounts/tableServices/tables/entities/write | Insert, merge, or replace table entities |
Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete | Delete table entities |
Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action | Insert table entities |
Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action | Merge or update table entities |
NotDataActions | |
none |
"assignableScopes": [
"description": "Allows for read, write and delete access to Azure Storage tables and entities",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3",
"name": "0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [
"notDataActions": []
"roleName": "Storage Table Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
Storage Table Data Reader
Allows for read access to Azure Storage tables and entities
Actions | Description |
Microsoft.Storage/storageAccounts/tableServices/tables/read | Query tables |
NotActions | |
none | |
DataActions | |
Microsoft.Storage/storageAccounts/tableServices/tables/entities/read | Query table entities |
NotDataActions | |
none |
"assignableScopes": [
"description": "Allows for read access to Azure Storage tables and entities",
"id": "/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6",
"name": "76199698-9eea-4c19-bc75-cec21354c6b6",
"permissions": [
"actions": [
"notActions": [],
"dataActions": [
"notDataActions": []
"roleName": "Storage Table Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"