Azure built-in roles for Integration

This article lists the Azure built-in roles in the Integration category.

API Management Developer Portal Content Editor

Can customize the developer portal, edit its content, and publish it.

Learn more

Actions Description
Microsoft.ApiManagement/service/portalRevisions/read Lists a collection of developer portal revision entities. or Gets developer portal revision specified by its identifier.
Microsoft.ApiManagement/service/portalRevisions/write Creates a new developer portal revision. or Updates the description of specified portal revision or makes it current.
Microsoft.ApiManagement/service/contentTypes/read Returns list of content types or Returns content type
Microsoft.ApiManagement/service/contentTypes/delete Removes content type.
Microsoft.ApiManagement/service/contentTypes/write Creates new content type
Microsoft.ApiManagement/service/contentTypes/contentItems/read Returns list of content items or Returns content item details
Microsoft.ApiManagement/service/contentTypes/contentItems/write Creates new content item or Updates specified content item
Microsoft.ApiManagement/service/contentTypes/contentItems/delete Removes specified content item.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can customize the developer portal, edit its content, and publish it.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c031e6a8-4391-4de0-8d69-4706a7ed3729",
  "name": "c031e6a8-4391-4de0-8d69-4706a7ed3729",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/portalRevisions/read",
        "Microsoft.ApiManagement/service/portalRevisions/write",
        "Microsoft.ApiManagement/service/contentTypes/read",
        "Microsoft.ApiManagement/service/contentTypes/delete",
        "Microsoft.ApiManagement/service/contentTypes/write",
        "Microsoft.ApiManagement/service/contentTypes/contentItems/read",
        "Microsoft.ApiManagement/service/contentTypes/contentItems/write",
        "Microsoft.ApiManagement/service/contentTypes/contentItems/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Developer Portal Content Editor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Service Contributor

Can manage service and the APIs

Learn more

Actions Description
Microsoft.ApiManagement/service/* Create and manage API Management service
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage service and the APIs",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c",
  "name": "312a565d-c81f-4fd8-895a-4e21e48d571c",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Service Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Service Operator Role

Can manage service but not the APIs

Learn more

Actions Description
Microsoft.ApiManagement/service/*/read Read API Management Service instances
Microsoft.ApiManagement/service/backup/action Backup API Management Service to the specified container in a user provided storage account
Microsoft.ApiManagement/service/delete Delete API Management Service instance
Microsoft.ApiManagement/service/managedeployments/action Change SKU/units, add/remove regional deployments of API Management Service
Microsoft.ApiManagement/service/read Read metadata for an API Management Service instance
Microsoft.ApiManagement/service/restore/action Restore API Management Service from the specified container in a user provided storage account
Microsoft.ApiManagement/service/updatecertificate/action Upload TLS/SSL certificate for an API Management Service
Microsoft.ApiManagement/service/updatehostname/action Setup, update or remove custom domain names for an API Management Service
Microsoft.ApiManagement/service/write Create or Update API Management Service instance
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
Microsoft.ApiManagement/service/users/keys/read Get keys associated with user
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage service but not the APIs",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61",
  "name": "e022efe7-f5ba-4159-bbe4-b44f577e9b61",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/*/read",
        "Microsoft.ApiManagement/service/backup/action",
        "Microsoft.ApiManagement/service/delete",
        "Microsoft.ApiManagement/service/managedeployments/action",
        "Microsoft.ApiManagement/service/read",
        "Microsoft.ApiManagement/service/restore/action",
        "Microsoft.ApiManagement/service/updatecertificate/action",
        "Microsoft.ApiManagement/service/updatehostname/action",
        "Microsoft.ApiManagement/service/write",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [
        "Microsoft.ApiManagement/service/users/keys/read"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Service Operator Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Service Reader Role

Read-only access to service and APIs

Learn more

Actions Description
Microsoft.ApiManagement/service/*/read Read API Management Service instances
Microsoft.ApiManagement/service/read Read metadata for an API Management Service instance
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
Microsoft.ApiManagement/service/users/keys/read Get keys associated with user
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read-only access to service and APIs",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d",
  "name": "71522526-b88f-4d52-b57f-d31fc3546d0d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/*/read",
        "Microsoft.ApiManagement/service/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [
        "Microsoft.ApiManagement/service/users/keys/read"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Service Reader Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Service Workspace API Developer

Has read access to tags and products and write access to allow: assigning APIs to products, assigning tags to products and APIs. This role should be assigned on the service scope.

Learn more

Actions Description
Microsoft.ApiManagement/service/tags/read Lists a collection of tags defined within a service instance. or Gets the details of the tag specified by its identifier.
Microsoft.ApiManagement/service/tags/apiLinks/*
Microsoft.ApiManagement/service/tags/operationLinks/*
Microsoft.ApiManagement/service/tags/productLinks/*
Microsoft.ApiManagement/service/products/read Lists a collection of products in the specified service instance. or Gets the details of the product specified by its identifier.
Microsoft.ApiManagement/service/products/apiLinks/*
Microsoft.ApiManagement/service/read Read metadata for an API Management Service instance
Microsoft.ApiManagement/service/authorizationServers/read Lists a collection of authorization servers defined within a service instance. or Gets the details of the authorization server without secrets.
Microsoft.Authorization/*/read Read roles and role assignments
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Has read access to tags and products and write access to allow: assigning APIs to products, assigning tags to products and APIs. This role should be assigned on the service scope.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/9565a273-41b9-4368-97d2-aeb0c976a9b3",
  "name": "9565a273-41b9-4368-97d2-aeb0c976a9b3",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/tags/read",
        "Microsoft.ApiManagement/service/tags/apiLinks/*",
        "Microsoft.ApiManagement/service/tags/operationLinks/*",
        "Microsoft.ApiManagement/service/tags/productLinks/*",
        "Microsoft.ApiManagement/service/products/read",
        "Microsoft.ApiManagement/service/products/apiLinks/*",
        "Microsoft.ApiManagement/service/read",
        "Microsoft.ApiManagement/service/authorizationServers/read",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Service Workspace API Developer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Service Workspace API Product Manager

Has the same access as API Management Service Workspace API Developer as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope.

Learn more

Actions Description
Microsoft.ApiManagement/service/users/read Lists a collection of registered users in the specified service instance. or Gets the details of the user specified by its identifier.
Microsoft.ApiManagement/service/tags/read Lists a collection of tags defined within a service instance. or Gets the details of the tag specified by its identifier.
Microsoft.ApiManagement/service/tags/apiLinks/*
Microsoft.ApiManagement/service/tags/operationLinks/*
Microsoft.ApiManagement/service/tags/productLinks/*
Microsoft.ApiManagement/service/products/read Lists a collection of products in the specified service instance. or Gets the details of the product specified by its identifier.
Microsoft.ApiManagement/service/products/apiLinks/*
Microsoft.ApiManagement/service/groups/read Lists a collection of groups defined within a service instance. or Gets the details of the group specified by its identifier.
Microsoft.ApiManagement/service/groups/users/*
Microsoft.ApiManagement/service/read Read metadata for an API Management Service instance
Microsoft.ApiManagement/service/authorizationServers/read Lists a collection of authorization servers defined within a service instance. or Gets the details of the authorization server without secrets.
Microsoft.Authorization/*/read Read roles and role assignments
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Has the same access as API Management Service Workspace API Developer as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da",
  "name": "d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/users/read",
        "Microsoft.ApiManagement/service/tags/read",
        "Microsoft.ApiManagement/service/tags/apiLinks/*",
        "Microsoft.ApiManagement/service/tags/operationLinks/*",
        "Microsoft.ApiManagement/service/tags/productLinks/*",
        "Microsoft.ApiManagement/service/products/read",
        "Microsoft.ApiManagement/service/products/apiLinks/*",
        "Microsoft.ApiManagement/service/groups/read",
        "Microsoft.ApiManagement/service/groups/users/*",
        "Microsoft.ApiManagement/service/read",
        "Microsoft.ApiManagement/service/authorizationServers/read",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Service Workspace API Product Manager",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Workspace API Developer

Has read access to entities in the workspace and read and write access to entities for editing APIs. This role should be assigned on the workspace scope.

Learn more

Actions Description
Microsoft.ApiManagement/service/workspaces/*/read
Microsoft.ApiManagement/service/workspaces/apis/*
Microsoft.ApiManagement/service/workspaces/apiVersionSets/*
Microsoft.ApiManagement/service/workspaces/policies/*
Microsoft.ApiManagement/service/workspaces/schemas/*
Microsoft.ApiManagement/service/workspaces/products/*
Microsoft.ApiManagement/service/workspaces/policyFragments/*
Microsoft.ApiManagement/service/workspaces/namedValues/*
Microsoft.ApiManagement/service/workspaces/tags/*
Microsoft.ApiManagement/service/workspaces/backends/*
Microsoft.ApiManagement/service/workspaces/certificates/*
Microsoft.ApiManagement/service/workspaces/diagnostics/*
Microsoft.ApiManagement/service/workspaces/loggers/*
Microsoft.Authorization/*/read Read roles and role assignments
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Has read access to entities in the workspace and read and write access to entities for editing APIs. This role should be assigned on the workspace scope.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/56328988-075d-4c6a-8766-d93edd6725b6",
  "name": "56328988-075d-4c6a-8766-d93edd6725b6",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/workspaces/*/read",
        "Microsoft.ApiManagement/service/workspaces/apis/*",
        "Microsoft.ApiManagement/service/workspaces/apiVersionSets/*",
        "Microsoft.ApiManagement/service/workspaces/policies/*",
        "Microsoft.ApiManagement/service/workspaces/schemas/*",
        "Microsoft.ApiManagement/service/workspaces/products/*",
        "Microsoft.ApiManagement/service/workspaces/policyFragments/*",
        "Microsoft.ApiManagement/service/workspaces/namedValues/*",
        "Microsoft.ApiManagement/service/workspaces/tags/*",
        "Microsoft.ApiManagement/service/workspaces/backends/*",
        "Microsoft.ApiManagement/service/workspaces/certificates/*",
        "Microsoft.ApiManagement/service/workspaces/diagnostics/*",
        "Microsoft.ApiManagement/service/workspaces/loggers/*",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Workspace API Developer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Workspace API Product Manager

Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope.

Learn more

Actions Description
Microsoft.ApiManagement/service/workspaces/*/read
Microsoft.ApiManagement/service/workspaces/products/*
Microsoft.ApiManagement/service/workspaces/subscriptions/*
Microsoft.ApiManagement/service/workspaces/groups/*
Microsoft.ApiManagement/service/workspaces/tags/*
Microsoft.ApiManagement/service/workspaces/notifications/*
Microsoft.Authorization/*/read Read roles and role assignments
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/73c2c328-d004-4c5e-938c-35c6f5679a1f",
  "name": "73c2c328-d004-4c5e-938c-35c6f5679a1f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/workspaces/*/read",
        "Microsoft.ApiManagement/service/workspaces/products/*",
        "Microsoft.ApiManagement/service/workspaces/subscriptions/*",
        "Microsoft.ApiManagement/service/workspaces/groups/*",
        "Microsoft.ApiManagement/service/workspaces/tags/*",
        "Microsoft.ApiManagement/service/workspaces/notifications/*",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Workspace API Product Manager",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Workspace Contributor

Can manage the workspace and view, but not modify its members. This role should be assigned on the workspace scope.

Learn more

Actions Description
Microsoft.ApiManagement/service/workspaces/*
Microsoft.Authorization/*/read Read roles and role assignments
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage the workspace and view, but not modify its members. This role should be assigned on the workspace scope.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0c34c906-8d99-4cb7-8bb7-33f5b0a1a799",
  "name": "0c34c906-8d99-4cb7-8bb7-33f5b0a1a799",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/workspaces/*",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Workspace Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Workspace Reader

Has read-only access to entities in the workspace. This role should be assigned on the workspace scope.

Learn more

Actions Description
Microsoft.ApiManagement/service/workspaces/*/read
Microsoft.Authorization/*/read Read roles and role assignments
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Has read-only access to entities in the workspace. This role should be assigned on the workspace scope.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2",
  "name": "ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/workspaces/*/read",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Workspace Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

App Configuration Contributor

Grants permission for all management operations, except purge, for App Configuration resources.

Actions Description
Microsoft.AppConfiguration/*
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
Microsoft.AppConfiguration/locations/deletedConfigurationStores/purge/action Purge the specified deleted configuration store.
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants permission for all management operations, except purge, for App Configuration resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/fe86443c-f201-4fc4-9d2a-ac61149fbda0",
  "name": "fe86443c-f201-4fc4-9d2a-ac61149fbda0",
  "permissions": [
    {
      "actions": [
        "Microsoft.AppConfiguration/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [
        "Microsoft.AppConfiguration/locations/deletedConfigurationStores/purge/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "App Configuration Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

App Configuration Data Owner

Allows full access to App Configuration data.

Learn more

Actions Description
none
NotActions
none
DataActions
Microsoft.AppConfiguration/configurationStores/*/read
Microsoft.AppConfiguration/configurationStores/*/write
Microsoft.AppConfiguration/configurationStores/*/delete
Microsoft.AppConfiguration/configurationStores/*/action
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows full access to App Configuration data.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b",
  "name": "5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppConfiguration/configurationStores/*/read",
        "Microsoft.AppConfiguration/configurationStores/*/write",
        "Microsoft.AppConfiguration/configurationStores/*/delete",
        "Microsoft.AppConfiguration/configurationStores/*/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "App Configuration Data Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

App Configuration Data Reader

Allows read access to App Configuration data.

Learn more

Actions Description
none
NotActions
none
DataActions
Microsoft.AppConfiguration/configurationStores/*/read
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read access to App Configuration data.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071",
  "name": "516239f1-63e1-4d78-a4de-a74fb236a071",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppConfiguration/configurationStores/*/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "App Configuration Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

App Configuration Reader

Grants permission for read operations for App Configuration resources.

Actions Description
Microsoft.AppConfiguration/*/read
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/read Read a classic metric alert
Microsoft.Resources/deployments/read Gets or lists deployments.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants permission for read operations for App Configuration resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/175b81b9-6e0d-490a-85e4-0d422273c10c",
  "name": "175b81b9-6e0d-490a-85e4-0d422273c10c",
  "permissions": [
    {
      "actions": [
        "Microsoft.AppConfiguration/*/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "App Configuration Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Relay Listener

Allows for listen access to Azure Relay resources.

Actions Description
Microsoft.Relay/*/wcfRelays/read
Microsoft.Relay/*/hybridConnections/read
NotActions
none
DataActions
Microsoft.Relay/*/listen/action
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for listen access to Azure Relay resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/26e0b698-aa6d-4085-9386-aadae190014d",
  "name": "26e0b698-aa6d-4085-9386-aadae190014d",
  "permissions": [
    {
      "actions": [
        "Microsoft.Relay/*/wcfRelays/read",
        "Microsoft.Relay/*/hybridConnections/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Relay/*/listen/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Relay Listener",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Relay Owner

Allows for full access to Azure Relay resources.

Actions Description
Microsoft.Relay/*
NotActions
none
DataActions
Microsoft.Relay/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to Azure Relay resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/2787bf04-f1f5-4bfe-8383-c8a24483ee38",
  "name": "2787bf04-f1f5-4bfe-8383-c8a24483ee38",
  "permissions": [
    {
      "actions": [
        "Microsoft.Relay/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Relay/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Relay Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Relay Sender

Allows for send access to Azure Relay resources.

Actions Description
Microsoft.Relay/*/wcfRelays/read
Microsoft.Relay/*/hybridConnections/read
NotActions
none
DataActions
Microsoft.Relay/*/send/action
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for send access to Azure Relay resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/26baccc8-eea7-41f1-98f4-1762cc7f685d",
  "name": "26baccc8-eea7-41f1-98f4-1762cc7f685d",
  "permissions": [
    {
      "actions": [
        "Microsoft.Relay/*/wcfRelays/read",
        "Microsoft.Relay/*/hybridConnections/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Relay/*/send/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Relay Sender",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Resource Notifications System Topics Subscriber

Lets you create system topics and event subscriptions on all system topics exposed currently and in the future by Azure Resource Notifications

Learn more

Actions Description
Microsoft.ResourceNotifications/systemTopics/subscribeToResources/action Permission to perform creation and event subscription creation on a Resources system topic
Microsoft.ResourceNotifications/systemTopics/subscribeToHealthResources/action Permission to perform creation and event subscription creation on a HealthResources system topic
Microsoft.ResourceNotifications/systemTopics/subscribeToMaintenanceResources/action Permission to perform creation and event subscription creation on a MaintenanceResources system topic
Microsoft.ResourceNotifications/systemTopics/subscribeToComputeResources/action Permission to perform creation and event subscription creation on a ComputeResources system topic
Microsoft.ResourceNotifications/systemTopics/subscribeToComputeScheduleResources/action Permission to perform creation and event subscription creation on a ComputeScheduleResources system topic
Microsoft.EventGrid/eventSubscriptions/write Create or update an eventSubscription
Microsoft.EventGrid/systemTopics/eventSubscriptions/write Create or update a SystemTopic eventSubscription
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you create system topics and event subscriptions on all system topics exposed currently and in the future by Azure Resource Notifications",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0b962ed2-6d56-471c-bd5f-3477d83a7ba4",
  "name": "0b962ed2-6d56-471c-bd5f-3477d83a7ba4",
  "permissions": [
    {
      "actions": [
        "Microsoft.ResourceNotifications/systemTopics/subscribeToResources/action",
        "Microsoft.ResourceNotifications/systemTopics/subscribeToHealthResources/action",
        "Microsoft.ResourceNotifications/systemTopics/subscribeToMaintenanceResources/action",
        "Microsoft.ResourceNotifications/systemTopics/subscribeToComputeResources/action",
        "Microsoft.ResourceNotifications/systemTopics/subscribeToComputeScheduleResources/action",
        "Microsoft.EventGrid/eventSubscriptions/write",
        "Microsoft.EventGrid/systemTopics/eventSubscriptions/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Resource Notifications System Topics Subscriber",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Service Bus Data Owner

Allows for full access to Azure Service Bus resources.

Learn more

Actions Description
Microsoft.ServiceBus/*
NotActions
none
DataActions
Microsoft.ServiceBus/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to Azure Service Bus resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419",
  "name": "090c5cfd-751d-490a-894a-3ce6f1109419",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceBus/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ServiceBus/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Service Bus Data Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Service Bus Data Receiver

Allows for receive access to Azure Service Bus resources.

Learn more

Actions Description
Microsoft.ServiceBus/*/queues/read
Microsoft.ServiceBus/*/topics/read
Microsoft.ServiceBus/*/topics/subscriptions/read
NotActions
none
DataActions
Microsoft.ServiceBus/*/receive/action
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for receive access to Azure Service Bus resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
  "name": "4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceBus/*/queues/read",
        "Microsoft.ServiceBus/*/topics/read",
        "Microsoft.ServiceBus/*/topics/subscriptions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ServiceBus/*/receive/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Service Bus Data Receiver",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Service Bus Data Sender

Allows for send access to Azure Service Bus resources.

Learn more

Actions Description
Microsoft.ServiceBus/*/queues/read
Microsoft.ServiceBus/*/topics/read
Microsoft.ServiceBus/*/topics/subscriptions/read
NotActions
none
DataActions
Microsoft.ServiceBus/*/send/action
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for send access to Azure Service Bus resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
  "name": "69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceBus/*/queues/read",
        "Microsoft.ServiceBus/*/topics/read",
        "Microsoft.ServiceBus/*/topics/subscriptions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ServiceBus/*/send/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Service Bus Data Sender",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

BizTalk Contributor

Lets you manage BizTalk services, but not access to them.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.BizTalkServices/BizTalk/* Create and manage BizTalk services
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage BizTalk services, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342",
  "name": "5e3c6656-6cfa-4708-81fe-0de47ac73342",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.BizTalkServices/BizTalk/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "BizTalk Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

DeID Batch Data Owner

Create and manage DeID batch jobs. This role is in preview and subject to change.

Actions Description
none
NotActions
none
DataActions
Microsoft.HealthDataAIServices/DeidServices/Batch/write Creates batches
Microsoft.HealthDataAIServices/DeidServices/Batch/delete Deletes a batch
Microsoft.HealthDataAIServices/DeidServices/Batch/read Reads a batch
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create and manage DeID batch jobs. This role is in preview and subject to change.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8a90fa6b-6997-4a07-8a95-30633a7c97b9",
  "name": "8a90fa6b-6997-4a07-8a95-30633a7c97b9",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthDataAIServices/DeidServices/Batch/write",
        "Microsoft.HealthDataAIServices/DeidServices/Batch/delete",
        "Microsoft.HealthDataAIServices/DeidServices/Batch/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "DeID Batch Data Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

DeID Batch Data Reader

Read DeID batch jobs. This role is in preview and subject to change.

Actions Description
none
NotActions
none
DataActions
Microsoft.HealthDataAIServices/DeidServices/Batch/read Reads a batch
NotDataActions
Microsoft.HealthDataAIServices/DeidServices/Batch/write Creates batches
Microsoft.HealthDataAIServices/DeidServices/Batch/delete Deletes a batch
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read DeID batch jobs. This role is in preview and subject to change.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b73a14ee-91f5-41b7-bd81-920e12466be9",
  "name": "b73a14ee-91f5-41b7-bd81-920e12466be9",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthDataAIServices/DeidServices/Batch/read"
      ],
      "notDataActions": [
        "Microsoft.HealthDataAIServices/DeidServices/Batch/write",
        "Microsoft.HealthDataAIServices/DeidServices/Batch/delete"
      ]
    }
  ],
  "roleName": "DeID Batch Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

DeID Data Owner

Full access to DeID data. This role is in preview and subject to change

Actions Description
none
NotActions
none
DataActions
Microsoft.HealthDataAIServices/DeidServices/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Full access to DeID data. This role is in preview and subject to change",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/78e4b983-1a0b-472e-8b7d-8d770f7c5890",
  "name": "78e4b983-1a0b-472e-8b7d-8d770f7c5890",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthDataAIServices/DeidServices/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "DeID Data Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

DeID Realtime Data User

Execute requests against DeID realtime endpoint. This role is in preview and subject to change.

Actions Description
none
NotActions
none
DataActions
Microsoft.HealthDataAIServices/DeidServices/Realtime/action Allows access to the realtime endpoint
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Execute requests against DeID realtime endpoint. This role is in preview and subject to change.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/bb6577c4-ea0a-40b2-8962-ea18cb8ecd4e",
  "name": "bb6577c4-ea0a-40b2-8962-ea18cb8ecd4e",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthDataAIServices/DeidServices/Realtime/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "DeID Realtime Data User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

DICOM Data Owner

Full access to DICOM data.

Actions Description
none
NotActions
none
DataActions
Microsoft.HealthcareApis/workspaces/dicomservices/resources/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Full access to DICOM data.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/58a3b984-7adf-4c20-983a-32417c86fbc8",
  "name": "58a3b984-7adf-4c20-983a-32417c86fbc8",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/workspaces/dicomservices/resources/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "DICOM Data Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

DICOM Data Reader

Read and search DICOM data.

Actions Description
none
NotActions
none
DataActions
Microsoft.HealthcareApis/workspaces/dicomservices/resources/read Read DICOM resources (includes searching and change feed).
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read and search DICOM data.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a",
  "name": "e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/workspaces/dicomservices/resources/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "DICOM Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid Contributor

Lets you manage EventGrid operations.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.EventGrid/* Create and manage Event Grid resources
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage EventGrid operations.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de",
  "name": "1e241071-0855-49ea-94dc-649edcd759de",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "EventGrid Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid Data Sender

Allows send access to event grid events.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.EventGrid/topics/read Read a topic
Microsoft.EventGrid/domains/read Read a domain
Microsoft.EventGrid/partnerNamespaces/read Read a partner namespace
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.EventGrid/namespaces/read Read a namespace
NotActions
none
DataActions
Microsoft.EventGrid/events/send/action Send events to topics
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows send access to event grid events.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/d5a91429-5739-47e2-a06b-3470a27159e7",
  "name": "d5a91429-5739-47e2-a06b-3470a27159e7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/topics/read",
        "Microsoft.EventGrid/domains/read",
        "Microsoft.EventGrid/partnerNamespaces/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.EventGrid/namespaces/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventGrid/events/send/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "EventGrid Data Sender",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid EventSubscription Contributor

Lets you manage EventGrid event subscription operations.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.EventGrid/eventSubscriptions/* Create and manage regional event subscriptions
Microsoft.EventGrid/topicTypes/eventSubscriptions/read List global event subscriptions by topic type
Microsoft.EventGrid/locations/eventSubscriptions/read List regional event subscriptions
Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read List regional event subscriptions by topictype
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage EventGrid event subscription operations.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443",
  "name": "428e0ff0-5e57-4d9c-a221-2c70d0e0a443",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/eventSubscriptions/*",
        "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
        "Microsoft.EventGrid/locations/eventSubscriptions/read",
        "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "EventGrid EventSubscription Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid EventSubscription Reader

Lets you read EventGrid event subscriptions.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.EventGrid/eventSubscriptions/read Read an eventSubscription
Microsoft.EventGrid/topicTypes/eventSubscriptions/read List global event subscriptions by topic type
Microsoft.EventGrid/locations/eventSubscriptions/read List regional event subscriptions
Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read List regional event subscriptions by topictype
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you read EventGrid event subscriptions.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405",
  "name": "2414bbcf-6497-4faf-8c65-045460748405",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/eventSubscriptions/read",
        "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
        "Microsoft.EventGrid/locations/eventSubscriptions/read",
        "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "EventGrid EventSubscription Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid TopicSpaces Publisher

Lets you publish messages on topicspaces.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.EventGrid/*/read
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
none
DataActions
Microsoft.EventGrid/topicSpaces/publish/action Publish to a topic space
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you publish messages on topicspaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a12b0b94-b317-4dcd-84a8-502ce99884c6",
  "name": "a12b0b94-b317-4dcd-84a8-502ce99884c6",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventGrid/topicSpaces/publish/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "EventGrid TopicSpaces Publisher",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid TopicSpaces Subscriber

Lets you subscribe messages on topicspaces.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.EventGrid/*/read
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
none
DataActions
Microsoft.EventGrid/topicSpaces/subscribe/action Subscribe to a topic space
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you subscribe messages on topicspaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4b0f2fd7-60b4-4eca-896f-4435034f8bf5",
  "name": "4b0f2fd7-60b4-4eca-896f-4435034f8bf5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventGrid/topicSpaces/subscribe/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "EventGrid TopicSpaces Subscriber",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

FHIR Data Contributor

Role allows user or principal full access to FHIR Data

Actions Description
none
NotActions
none
DataActions
Microsoft.HealthcareApis/services/fhir/resources/*
Microsoft.HealthcareApis/workspaces/fhirservices/resources/*
NotDataActions
Microsoft.HealthcareApis/services/fhir/resources/smart/action Allows user to access FHIR Service according to SMART on FHIR specification.
Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action Allows user to access FHIR Service according to SMART on FHIR specification.
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role allows user or principal full access to FHIR Data",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd",
  "name": "5a1fc7df-4bf1-4951-a576-89034ee01acd",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/*",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/*"
      ],
      "notDataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/smart/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action"
      ]
    }
  ],
  "roleName": "FHIR Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

FHIR Data Converter

Role allows user or principal to convert data from legacy format to FHIR

Actions Description
none
NotActions
none
DataActions
Microsoft.HealthcareApis/services/fhir/resources/convertData/action Data convert operation ($convert-data)
Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action Data convert operation ($convert-data)
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role allows user or principal to convert data from legacy format to FHIR",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a1705bd2-3a8f-45a5-8683-466fcfd5cc24",
  "name": "a1705bd2-3a8f-45a5-8683-466fcfd5cc24",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/convertData/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "FHIR Data Converter",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

FHIR Data Exporter

Role allows user or principal to read and export FHIR Data

Actions Description
none
NotActions
none
DataActions
Microsoft.HealthcareApis/services/fhir/resources/read Read FHIR resources (includes searching and versioned history).
Microsoft.HealthcareApis/services/fhir/resources/export/action Export operation ($export).
Microsoft.HealthcareApis/workspaces/fhirservices/resources/read Read FHIR resources (includes searching and versioned history).
Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action Export operation ($export).
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role allows user or principal to read and export FHIR Data",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843",
  "name": "3db33094-8700-4567-8da5-1501d4e7e843",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/read",
        "Microsoft.HealthcareApis/services/fhir/resources/export/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "FHIR Data Exporter",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

FHIR Data Importer

Role allows user or principal to read and import FHIR Data

Actions Description
none
NotActions
none
DataActions
Microsoft.HealthcareApis/workspaces/fhirservices/resources/read Read FHIR resources (includes searching and versioned history).
Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action Import FHIR resources in batch.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role allows user or principal to read and import FHIR Data",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4465e953-8ced-4406-a58e-0f6e3f3b530b",
  "name": "4465e953-8ced-4406-a58e-0f6e3f3b530b",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "FHIR Data Importer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

FHIR Data Reader

Role allows user or principal to read FHIR Data

Actions Description
none
NotActions
none
DataActions
Microsoft.HealthcareApis/services/fhir/resources/read Read FHIR resources (includes searching and versioned history).
Microsoft.HealthcareApis/workspaces/fhirservices/resources/read Read FHIR resources (includes searching and versioned history).
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role allows user or principal to read FHIR Data",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508",
  "name": "4c8d0bbc-75d3-4935-991f-5f3c56d81508",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/read",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "FHIR Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

FHIR Data Writer

Role allows user or principal to read and write FHIR Data

Actions Description
none
NotActions
none
DataActions
Microsoft.HealthcareApis/services/fhir/resources/read Read FHIR resources (includes searching and versioned history).
Microsoft.HealthcareApis/services/fhir/resources/write Write FHIR resources (includes create and update).
Microsoft.HealthcareApis/services/fhir/resources/delete Delete FHIR resources (soft delete).
Microsoft.HealthcareApis/services/fhir/resources/export/action Export operation ($export).
Microsoft.HealthcareApis/services/fhir/resources/resourceValidate/action Validate operation ($validate).
Microsoft.HealthcareApis/services/fhir/resources/reindex/action Allows user to run Reindex job to index any search parameters that haven't yet been indexed.
Microsoft.HealthcareApis/services/fhir/resources/convertData/action Data convert operation ($convert-data)
Microsoft.HealthcareApis/services/fhir/resources/editProfileDefinitions/action Allows user to perform Create Update Delete operations on profile resources.
Microsoft.HealthcareApis/services/fhir/resources/import/action Import FHIR resources in batch.
Microsoft.HealthcareApis/workspaces/fhirservices/resources/read Read FHIR resources (includes searching and versioned history).
Microsoft.HealthcareApis/workspaces/fhirservices/resources/write Write FHIR resources (includes create and update).
Microsoft.HealthcareApis/workspaces/fhirservices/resources/delete Delete FHIR resources (soft delete).
Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action Export operation ($export).
Microsoft.HealthcareApis/workspaces/fhirservices/resources/resourceValidate/action Validate operation ($validate).
Microsoft.HealthcareApis/workspaces/fhirservices/resources/reindex/action Allows user to run Reindex job to index any search parameters that haven't yet been indexed.
Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action Data convert operation ($convert-data)
Microsoft.HealthcareApis/workspaces/fhirservices/resources/editProfileDefinitions/action Allows user to perform Create Update Delete operations on profile resources.
Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action Import FHIR resources in batch.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role allows user or principal to read and write FHIR Data",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913",
  "name": "3f88fce4-5892-4214-ae73-ba5294559913",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/read",
        "Microsoft.HealthcareApis/services/fhir/resources/write",
        "Microsoft.HealthcareApis/services/fhir/resources/delete",
        "Microsoft.HealthcareApis/services/fhir/resources/export/action",
        "Microsoft.HealthcareApis/services/fhir/resources/resourceValidate/action",
        "Microsoft.HealthcareApis/services/fhir/resources/reindex/action",
        "Microsoft.HealthcareApis/services/fhir/resources/convertData/action",
        "Microsoft.HealthcareApis/services/fhir/resources/editProfileDefinitions/action",
        "Microsoft.HealthcareApis/services/fhir/resources/import/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/write",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/delete",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/resourceValidate/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/reindex/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/editProfileDefinitions/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "FHIR Data Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

FHIR SMART User

Role allows user to access FHIR Service according to SMART on FHIR specification

Actions Description
none
NotActions
none
DataActions
Microsoft.HealthcareApis/services/fhir/resources/read Read FHIR resources (includes searching and versioned history).
Microsoft.HealthcareApis/workspaces/fhirservices/resources/read Read FHIR resources (includes searching and versioned history).
Microsoft.HealthcareApis/services/fhir/resources/smart/action Allows user to access FHIR Service according to SMART on FHIR specification.
Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action Allows user to access FHIR Service according to SMART on FHIR specification.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role allows user to access FHIR Service according to SMART on FHIR specification",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4ba50f17-9666-485c-a643-ff00808643f0",
  "name": "4ba50f17-9666-485c-a643-ff00808643f0",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/read",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read",
        "Microsoft.HealthcareApis/services/fhir/resources/smart/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "FHIR SMART User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Integration Service Environment Contributor

Lets you manage integration service environments, but not access to them.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Logic/integrationServiceEnvironments/*
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage integration service environments, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8",
  "name": "a41e2c5b-bd99-4a07-88f4-9bf657a760b8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Logic/integrationServiceEnvironments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Integration Service Environment Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Integration Service Environment Developer

Allows developers to create and update workflows, integration accounts and API connections in integration service environments.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Logic/integrationServiceEnvironments/read Reads the integration service environment.
Microsoft.Logic/integrationServiceEnvironments/*/join/action
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows developers to create and update workflows, integration accounts and API connections in integration service environments.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec",
  "name": "c7aa55d3-1abb-444a-a5ca-5e51e485d6ec",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Logic/integrationServiceEnvironments/read",
        "Microsoft.Logic/integrationServiceEnvironments/*/join/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Integration Service Environment Developer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Intelligent Systems Account Contributor

Lets you manage Intelligent Systems accounts, but not access to them.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.IntelligentSystems/accounts/* Create and manage intelligent systems accounts
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Intelligent Systems accounts, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e",
  "name": "03a6d094-3444-4b3d-88af-7477090a9e5e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.IntelligentSystems/accounts/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Intelligent Systems Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Logic App Contributor

Lets you manage logic apps, but not change access to them.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.ClassicStorage/storageAccounts/listKeys/action Lists the access keys for the storage accounts.
Microsoft.ClassicStorage/storageAccounts/read Return the storage account with the given account.
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Insights/metricAlerts/*
Microsoft.Insights/diagnosticSettings/* Creates, updates, or reads the diagnostic setting for Analysis Server
Microsoft.Insights/logdefinitions/* This permission is necessary for users who need access to Activity Logs via the portal. List log categories in Activity Log.
Microsoft.Insights/metricDefinitions/* Read metric definitions (list of available metric types for a resource).
Microsoft.Logic/* Manages Logic Apps resources.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Storage/storageAccounts/listkeys/action Returns the access keys for the specified storage account.
Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.Web/connectionGateways/* Create and manages a Connection Gateway.
Microsoft.Web/connections/* Create and manages a Connection.
Microsoft.Web/customApis/* Creates and manages a Custom API.
Microsoft.Web/serverFarms/join/action Joins an App Service Plan
Microsoft.Web/serverFarms/read Get the properties on an App Service Plan
Microsoft.Web/sites/functions/listSecrets/action List Function secrets.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage logic app, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e",
  "name": "87a39d53-fc1b-424a-814c-f7e04687dc9e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicStorage/storageAccounts/listKeys/action",
        "Microsoft.ClassicStorage/storageAccounts/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metricAlerts/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Insights/logdefinitions/*",
        "Microsoft.Insights/metricDefinitions/*",
        "Microsoft.Logic/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Web/connectionGateways/*",
        "Microsoft.Web/connections/*",
        "Microsoft.Web/customApis/*",
        "Microsoft.Web/serverFarms/join/action",
        "Microsoft.Web/serverFarms/read",
        "Microsoft.Web/sites/functions/listSecrets/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Logic App Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Logic App Operator

Lets you read, enable, and disable logic apps, but not edit or update them.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/*/read Read Insights alert rules
Microsoft.Insights/metricAlerts/*/read
Microsoft.Insights/diagnosticSettings/*/read Gets diagnostic settings for Logic Apps
Microsoft.Insights/metricDefinitions/*/read Gets the available metrics for Logic Apps.
Microsoft.Logic/*/read Reads Logic Apps resources.
Microsoft.Logic/workflows/disable/action Disables the workflow.
Microsoft.Logic/workflows/enable/action Enables the workflow.
Microsoft.Logic/workflows/validate/action Validates the workflow.
Microsoft.Resources/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Web/connectionGateways/*/read Read Connection Gateways.
Microsoft.Web/connections/*/read Read Connections.
Microsoft.Web/customApis/*/read Read Custom API.
Microsoft.Web/serverFarms/read Get the properties on an App Service Plan
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you read, enable and disable logic app.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe",
  "name": "515c2055-d9d4-4321-b1b9-bd0c9a0f79fe",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*/read",
        "Microsoft.Insights/metricAlerts/*/read",
        "Microsoft.Insights/diagnosticSettings/*/read",
        "Microsoft.Insights/metricDefinitions/*/read",
        "Microsoft.Logic/*/read",
        "Microsoft.Logic/workflows/disable/action",
        "Microsoft.Logic/workflows/enable/action",
        "Microsoft.Logic/workflows/validate/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
        "Microsoft.Web/connectionGateways/*/read",
        "Microsoft.Web/connections/*/read",
        "Microsoft.Web/customApis/*/read",
        "Microsoft.Web/serverFarms/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Logic App Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Logic Apps Standard Contributor (Preview)

You can manage all aspects of a Standard logic app and workflows. You can't change access or ownership.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Web/*/read
Microsoft.Web/certificates/* Create and manage a certificate.
Microsoft.Web/connectionGateways/* Create and manages a Connection Gateway.
Microsoft.Web/connections/* Create and manages a Connection.
Microsoft.Web/customApis/* Creates and manages a Custom API.
Microsoft.Web/serverFarms/* Create and manage an App Service Plan.
Microsoft.Web/sites/* Create and manage a web app.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "You can manage all aspects of a Standard logic app and workflows. You can't change access or ownership.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ad710c24-b039-4e85-a019-deb4a06e8570",
  "name": "ad710c24-b039-4e85-a019-deb4a06e8570",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Web/*/read",
        "Microsoft.Web/certificates/*",
        "Microsoft.Web/connectionGateways/*",
        "Microsoft.Web/connections/*",
        "Microsoft.Web/customApis/*",
        "Microsoft.Web/serverFarms/*",
        "Microsoft.Web/sites/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Logic Apps Standard Contributor (Preview)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Logic Apps Standard Developer (Preview)

You can create and edit workflows, connections, and settings for a Standard logic app. You can't make changes outside the workflow scope.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Web/*/read
Microsoft.Web/connections/* Create and manages a Connection.
Microsoft.Web/customApis/* Creates and manages a Custom API.
Microsoft.Web/sites/config/list/Action List Web App's security sensitive settings, such as publishing credentials, app settings and connection strings
microsoft.web/sites/config/Write Update Web App's configuration settings
microsoft.web/sites/config/web/appsettings/delete Delete Web Apps App Setting
microsoft.web/sites/config/web/appsettings/write Create or Update Web App Single App setting
microsoft.web/sites/deployWorkflowArtifacts/action Create the artifacts in a Logic App.
microsoft.web/sites/hostruntime/* Get or list hostruntime artifacts for the web app or function app.
microsoft.web/sites/listworkflowsconnections/action List logic app's connections by its ID in a Logic App.
Microsoft.Web/sites/publish/Action Publish a Web App
microsoft.web/sites/slots/config/appsettings/write Create or Update Web App Slot's Single App setting
Microsoft.Web/sites/slots/config/list/Action List Web App Slot's security sensitive settings, such as publishing credentials, app settings and connection strings
microsoft.web/sites/slots/config/web/appsettings/delete Delete Web App Slot's App Setting
microsoft.web/sites/slots/deployWorkflowArtifacts/action Create the artifacts in a deployment slot in a Logic App.
microsoft.web/sites/slots/listworkflowsconnections/action List logic app's connections by its ID in a deployment slot in a Logic App.
Microsoft.Web/sites/slots/publish/Action Publish a Web App Slot
microsoft.web/sites/workflows/*
microsoft.web/sites/workflowsconfiguration/*
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "You can create and edit workflows, connections, and settings for a Standard logic app. You can't make changes outside the workflow scope.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/523776ba-4eb2-4600-a3c8-f2dc93da4bdb",
  "name": "523776ba-4eb2-4600-a3c8-f2dc93da4bdb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Web/*/read",
        "Microsoft.Web/connections/*",
        "Microsoft.Web/customApis/*",
        "Microsoft.Web/sites/config/list/Action",
        "microsoft.web/sites/config/Write",
        "microsoft.web/sites/config/web/appsettings/delete",
        "microsoft.web/sites/config/web/appsettings/write",
        "microsoft.web/sites/deployWorkflowArtifacts/action",
        "microsoft.web/sites/hostruntime/*",
        "microsoft.web/sites/listworkflowsconnections/action",
        "Microsoft.Web/sites/publish/Action",
        "microsoft.web/sites/slots/config/appsettings/write",
        "Microsoft.Web/sites/slots/config/list/Action",
        "microsoft.web/sites/slots/config/web/appsettings/delete",
        "microsoft.web/sites/slots/deployWorkflowArtifacts/action",
        "microsoft.web/sites/slots/listworkflowsconnections/action",
        "Microsoft.Web/sites/slots/publish/Action",
        "microsoft.web/sites/workflows/*",
        "microsoft.web/sites/workflowsconfiguration/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Logic Apps Standard Developer (Preview)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Logic Apps Standard Operator (Preview)

You can enable and disable the logic app, resubmit workflow runs, as well as create connections. You can't edit workflows or settings.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Web/*/read
Microsoft.Web/sites/applySlotConfig/Action Apply web app slot configuration from target slot to the current web app
microsoft.web/sites/hostruntime/* Get or list hostruntime artifacts for the web app or function app.
Microsoft.Web/sites/restart/Action Restart a Web App
Microsoft.Web/sites/slots/restart/Action Restart a Web App Slot
Microsoft.Web/sites/slots/slotsswap/Action Swap Web App deployment slots
Microsoft.Web/sites/slots/start/Action Start a Web App Slot
Microsoft.Web/sites/slots/stop/Action Stop a Web App Slot
Microsoft.Web/sites/slotsdiffs/Action Get differences in configuration between web app and slots
Microsoft.Web/sites/slotsswap/Action Swap Web App deployment slots
Microsoft.Web/sites/start/Action Start a Web App
Microsoft.Web/sites/stop/Action Stop a Web App
Microsoft.Web/sites/write Create a new Web App or update an existing one
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "You can enable and disable the logic app, resubmit workflow runs, as well as create connections. You can't edit workflows or settings.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b70c96e9-66fe-4c09-b6e7-c98e69c98555",
  "name": "b70c96e9-66fe-4c09-b6e7-c98e69c98555",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Web/*/read",
        "Microsoft.Web/sites/applySlotConfig/Action",
        "microsoft.web/sites/hostruntime/*",
        "Microsoft.Web/sites/restart/Action",
        "Microsoft.Web/sites/slots/restart/Action",
        "Microsoft.Web/sites/slots/slotsswap/Action",
        "Microsoft.Web/sites/slots/start/Action",
        "Microsoft.Web/sites/slots/stop/Action",
        "Microsoft.Web/sites/slotsdiffs/Action",
        "Microsoft.Web/sites/slotsswap/Action",
        "Microsoft.Web/sites/start/Action",
        "Microsoft.Web/sites/stop/Action",
        "Microsoft.Web/sites/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Logic Apps Standard Operator (Preview)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Logic Apps Standard Reader (Preview)

You have read-only access to all resources in a Standard logic app and workflows, including the workflow runs and their history.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Web/*/read
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "You have read-only access to all resources in a Standard logic app and workflows, including the workflow runs and their history.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4accf36b-2c05-432f-91c8-5c532dff4c73",
  "name": "4accf36b-2c05-432f-91c8-5c532dff4c73",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Web/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Logic Apps Standard Reader (Preview)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Scheduler Job Collections Contributor

Lets you manage Scheduler job collections, but not access to them.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Scheduler/jobcollections/* Create and manage job collections
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Scheduler job collections, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94",
  "name": "188a0f2f-5c9e-469b-ae67-2aa5ce574b94",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Scheduler/jobcollections/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Scheduler Job Collections Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Services Hub Operator

Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.ServicesHub/connectors/write Create or update a Services Hub Connector
Microsoft.ServicesHub/connectors/read View or List Services Hub Connectors
Microsoft.ServicesHub/connectors/delete Delete Services Hub Connectors
Microsoft.ServicesHub/connectors/checkAssessmentEntitlement/action Lists the Assessment Entitlements for a given Services Hub Workspace
Microsoft.ServicesHub/supportOfferingEntitlement/read View the Support Offering Entitlements for a given Services Hub Workspace
Microsoft.ServicesHub/workspaces/read List the Services Hub Workspaces for a given User
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/82200a5b-e217-47a5-b665-6d8765ee745b",
  "name": "82200a5b-e217-47a5-b665-6d8765ee745b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.ServicesHub/connectors/write",
        "Microsoft.ServicesHub/connectors/read",
        "Microsoft.ServicesHub/connectors/delete",
        "Microsoft.ServicesHub/connectors/checkAssessmentEntitlement/action",
        "Microsoft.ServicesHub/supportOfferingEntitlement/read",
        "Microsoft.ServicesHub/workspaces/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Services Hub Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Next steps