Azure built-in roles for Identity

This article lists the Azure built-in roles in the Identity category.

Domain Services Contributor

Can manage Azure AD Domain Services and related network configurations

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/deployments/read Gets or lists deployments.
Microsoft.Resources/deployments/write Creates or updates an deployment.
Microsoft.Resources/deployments/delete Deletes a deployment.
Microsoft.Resources/deployments/cancel/action Cancels a deployment.
Microsoft.Resources/deployments/validate/action Validates an deployment.
Microsoft.Resources/deployments/whatIf/action Predicts template deployment changes.
Microsoft.Resources/deployments/exportTemplate/action Export template for a deployment
Microsoft.Resources/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/deployments/operationstatuses/read Gets or lists deployment operation statuses.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Insights/AlertRules/Write Create or update a classic metric alert
Microsoft.Insights/AlertRules/Delete Delete a classic metric alert
Microsoft.Insights/AlertRules/Read Read a classic metric alert
Microsoft.Insights/AlertRules/Activated/Action Classic metric alert activated
Microsoft.Insights/AlertRules/Resolved/Action Classic metric alert resolved
Microsoft.Insights/AlertRules/Throttled/Action Classic metric alert rule throttled
Microsoft.Insights/AlertRules/Incidents/Read Read a classic metric alert incident
Microsoft.Insights/Logs/Read Reading data from all your logs
Microsoft.Insights/Metrics/Read Read metrics
Microsoft.Insights/DiagnosticSettings/* Creates, updates, or reads the diagnostic setting for Analysis Server
Microsoft.Insights/DiagnosticSettingsCategories/Read Read diagnostic settings categories
Microsoft.AAD/register/action Register Domain Service
Microsoft.AAD/unregister/action Unregister Domain Service
Microsoft.AAD/domainServices/*
Microsoft.Network/register/action Registers the subscription
Microsoft.Network/unregister/action Unregisters the subscription
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.Network/virtualNetworks/write Creates a virtual network or updates an existing virtual network
Microsoft.Network/virtualNetworks/delete Deletes a virtual network
Microsoft.Network/virtualNetworks/peer/action Peers a virtual network with another virtual network
Microsoft.Network/virtualNetworks/join/action Joins a virtual network. Not Alertable.
Microsoft.Network/virtualNetworks/subnets/read Gets a virtual network subnet definition
Microsoft.Network/virtualNetworks/subnets/write Creates a virtual network subnet or updates an existing virtual network subnet
Microsoft.Network/virtualNetworks/subnets/delete Deletes a virtual network subnet
Microsoft.Network/virtualNetworks/subnets/join/action Joins a virtual network. Not Alertable.
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read Gets a virtual network peering definition
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write Creates a virtual network peering or updates an existing virtual network peering
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete Deletes a virtual network peering
Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read Get the diagnostic settings of Virtual Network
Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read Gets available metrics for the PingMesh
Microsoft.Network/azureFirewalls/read Get Azure Firewall
Microsoft.Network/ddosProtectionPlans/read Gets a DDoS Protection Plan
Microsoft.Network/ddosProtectionPlans/join/action Joins a DDoS Protection Plan. Not alertable.
Microsoft.Network/loadBalancers/read Gets a load balancer definition
Microsoft.Network/loadBalancers/delete Deletes a load balancer
Microsoft.Network/loadBalancers/*/read
Microsoft.Network/loadBalancers/backendAddressPools/join/action Joins a load balancer backend address pool. Not Alertable.
Microsoft.Network/loadBalancers/inboundNatRules/join/action Joins a load balancer inbound nat rule. Not Alertable.
Microsoft.Network/natGateways/join/action Joins a NAT Gateway
Microsoft.Network/networkInterfaces/read Gets a network interface definition.
Microsoft.Network/networkInterfaces/write Creates a network interface or updates an existing network interface.
Microsoft.Network/networkInterfaces/delete Deletes a network interface
Microsoft.Network/networkInterfaces/join/action Joins a Virtual Machine to a network interface. Not Alertable.
Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read Gets a default security rule definition
Microsoft.Network/networkSecurityGroups/read Gets a network security group definition
Microsoft.Network/networkSecurityGroups/write Creates a network security group or updates an existing network security group
Microsoft.Network/networkSecurityGroups/delete Deletes a network security group
Microsoft.Network/networkSecurityGroups/join/action Joins a network security group. Not Alertable.
Microsoft.Network/networkSecurityGroups/securityRules/read Gets a security rule definition
Microsoft.Network/networkSecurityGroups/securityRules/write Creates a security rule or updates an existing security rule
Microsoft.Network/networkSecurityGroups/securityRules/delete Deletes a security rule
Microsoft.Network/routeTables/read Gets a route table definition
Microsoft.Network/routeTables/write Creates a route table or Updates an existing route table
Microsoft.Network/routeTables/delete Deletes a route table definition
Microsoft.Network/routeTables/join/action Joins a route table. Not Alertable.
Microsoft.Network/routeTables/routes/read Gets a route definition
Microsoft.Network/routeTables/routes/write Creates a route or Updates an existing route
Microsoft.Network/routeTables/routes/delete Deletes a route definition
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage Azure AD Domain Services and related network configurations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/eeaeda52-9324-47f6-8069-5d5bade478b2",
  "name": "eeaeda52-9324-47f6-8069-5d5bade478b2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/deployments/delete",
        "Microsoft.Resources/deployments/cancel/action",
        "Microsoft.Resources/deployments/validate/action",
        "Microsoft.Resources/deployments/whatIf/action",
        "Microsoft.Resources/deployments/exportTemplate/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/operationstatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Insights/Logs/Read",
        "Microsoft.Insights/Metrics/Read",
        "Microsoft.Insights/DiagnosticSettings/*",
        "Microsoft.Insights/DiagnosticSettingsCategories/Read",
        "Microsoft.AAD/register/action",
        "Microsoft.AAD/unregister/action",
        "Microsoft.AAD/domainServices/*",
        "Microsoft.Network/register/action",
        "Microsoft.Network/unregister/action",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Network/virtualNetworks/delete",
        "Microsoft.Network/virtualNetworks/peer/action",
        "Microsoft.Network/virtualNetworks/join/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Network/virtualNetworks/subnets/delete",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Network/azureFirewalls/read",
        "Microsoft.Network/ddosProtectionPlans/read",
        "Microsoft.Network/ddosProtectionPlans/join/action",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/loadBalancers/delete",
        "Microsoft.Network/loadBalancers/*/read",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
        "Microsoft.Network/natGateways/join/action",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/networkInterfaces/delete",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/networkSecurityGroups/delete",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/networkSecurityGroups/securityRules/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "Microsoft.Network/networkSecurityGroups/securityRules/delete",
        "Microsoft.Network/routeTables/read",
        "Microsoft.Network/routeTables/write",
        "Microsoft.Network/routeTables/delete",
        "Microsoft.Network/routeTables/join/action",
        "Microsoft.Network/routeTables/routes/read",
        "Microsoft.Network/routeTables/routes/write",
        "Microsoft.Network/routeTables/routes/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Domain Services Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Domain Services Reader

Can view Azure AD Domain Services and related network configurations

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/deployments/read Gets or lists deployments.
Microsoft.Resources/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/deployments/operationstatuses/read Gets or lists deployment operation statuses.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Insights/AlertRules/Read Read a classic metric alert
Microsoft.Insights/AlertRules/Incidents/Read Read a classic metric alert incident
Microsoft.Insights/Logs/Read Reading data from all your logs
Microsoft.Insights/Metrics/read Read metrics
Microsoft.Insights/DiagnosticSettings/read Read a resource diagnostic setting
Microsoft.Insights/DiagnosticSettingsCategories/Read Read diagnostic settings categories
Microsoft.AAD/domainServices/*/read
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.Network/virtualNetworks/subnets/read Gets a virtual network subnet definition
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read Gets a virtual network peering definition
Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read Get the diagnostic settings of Virtual Network
Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read Gets available metrics for the PingMesh
Microsoft.Network/azureFirewalls/read Get Azure Firewall
Microsoft.Network/ddosProtectionPlans/read Gets a DDoS Protection Plan
Microsoft.Network/loadBalancers/read Gets a load balancer definition
Microsoft.Network/loadBalancers/*/read
Microsoft.Network/natGateways/read Gets a Nat Gateway Definition
Microsoft.Network/networkInterfaces/read Gets a network interface definition.
Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read Gets a default security rule definition
Microsoft.Network/networkSecurityGroups/read Gets a network security group definition
Microsoft.Network/networkSecurityGroups/securityRules/read Gets a security rule definition
Microsoft.Network/routeTables/read Gets a route table definition
Microsoft.Network/routeTables/routes/read Gets a route definition
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can view Azure AD Domain Services and related network configurations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/361898ef-9ed1-48c2-849c-a832951106bb",
  "name": "361898ef-9ed1-48c2-849c-a832951106bb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/operationstatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Insights/Logs/Read",
        "Microsoft.Insights/Metrics/read",
        "Microsoft.Insights/DiagnosticSettings/read",
        "Microsoft.Insights/DiagnosticSettingsCategories/Read",
        "Microsoft.AAD/domainServices/*/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Network/azureFirewalls/read",
        "Microsoft.Network/ddosProtectionPlans/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/loadBalancers/*/read",
        "Microsoft.Network/natGateways/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/read",
        "Microsoft.Network/routeTables/read",
        "Microsoft.Network/routeTables/routes/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Domain Services Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Managed Identity Contributor

Create, Read, Update, and Delete User Assigned Identity

Learn more

Actions Description
Microsoft.ManagedIdentity/userAssignedIdentities/read Gets an existing user assigned identity
Microsoft.ManagedIdentity/userAssignedIdentities/write Creates a new user assigned identity or updates the tags associated with an existing user assigned identity
Microsoft.ManagedIdentity/userAssignedIdentities/delete Deletes an existing user assigned identity
Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read Get or list Federated Identity Credentials
Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write Add or update a Federated Identity Credential
Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete Delete a Federated Identity Credential
Microsoft.ManagedIdentity/userAssignedIdentities/revokeTokens/action Revoked all the existing tokens on a user assigned identity
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/deployments/* Create and manage a deployment
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, Read, Update, and Delete User Assigned Identity",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
  "name": "e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
  "permissions": [
    {
      "actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/write",
        "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete",
        "Microsoft.ManagedIdentity/userAssignedIdentities/revokeTokens/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Identity Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Managed Identity Operator

Read and Assign User Assigned Identity

Learn more

Actions Description
Microsoft.ManagedIdentity/userAssignedIdentities/*/read
Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/deployments/* Create and manage a deployment
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read and Assign User Assigned Identity",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830",
  "name": "f1a07417-d97a-45cb-824c-7a7467783830",
  "permissions": [
    {
      "actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Identity Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Next steps