Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article lists the Azure built-in roles in the Migration category.
Azure Migrate Decide and Plan Expert
Grants restricted access on Azure Migrate project to only perform planning operations including appliance-based discovery, managing inventory, identifying server dependencies, creation of business case & assessment reports.
| Actions | Description |
|---|---|
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/locations/read | Gets the list of locations supported. |
| Microsoft.Resources/checkResourceName/action | Check the resource name for validity. |
| Microsoft.Resources/deploymentScripts/write | Creates or updates a deployment script |
| Microsoft.Resources/deploymentScripts/read | Gets or lists deployment scripts |
| Microsoft.Resources/links/write | Creates or updates a resource link. |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Authorization/locks/write | Add locks at the specified scope. |
| Microsoft.Authorization/locks/delete | Delete locks at the specified scope. |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Migrate/* | |
| Microsoft.ApplicationMigration/* | |
| Microsoft.OffAzure/* | |
| Microsoft.MySQLDiscovery/* | |
| Microsoft.DependencyMap/* | |
| Microsoft.KeyVault/vaults/* | |
| Microsoft.KeyVault/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
| Microsoft.HybridCompute/machines/read | Read any Azure Arc machines |
| Microsoft.HybridCompute/machines/write | Writes an Azure Arc machines |
| Microsoft.HybridCompute/machines/delete | Deletes an Azure Arc machines |
| Microsoft.HybridCompute/register/action | Registers the subscription for the Microsoft.HybridCompute Resource Provider |
| Microsoft.Network/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet |
| Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. |
| Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. |
| Microsoft.Network/virtualNetworks/join/action | Joins a virtual network. Not Alertable. |
| Microsoft.Network/privateEndpoints/read | Gets an private endpoint resource. |
| Microsoft.Network/privateEndpoints/write | Creates a new private endpoint, or updates an existing private endpoint. |
| Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write | Puts a Private DNS Zone Group |
| Microsoft.Network/privateDnsZones/write | Create or update a Private DNS zone within a resource group. Note that this command cannot be used to create or update virtual network links or record sets within the zone. |
| Microsoft.Network/privateDnsZones/virtualNetworkLinks/write | Create or update a Private DNS zone link to virtual network. |
| Microsoft.Network/privateDnsZones/join/action | Joins a Private DNS Zone |
| Microsoft.Network/privateDnsZones/A/write | Create or update a record set of type 'A' within a Private DNS zone. The records specified will replace the current records in the record set. |
| Microsoft.Network/register/action | Registers the subscription |
| Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
| Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read | Gets a Private DNS Zone Group |
| Microsoft.Storage/storageAccounts/*/read | |
| Microsoft.Storage/storageAccounts/*/write | |
| Microsoft.Storage/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. |
| Microsoft.GuestConfiguration/register/action | Registers the subscription for the Microsoft.GuestConfiguration resource provider. |
| Microsoft.HybridConnectivity/register/action | Register the subscription for Microsoft.HybridConnectivity |
| Microsoft.DataReplication/*/read | |
| Microsoft.DataReplication/register/action | Registers the subscription for the Microsoft.DataReplication resource provider |
| Microsoft.DataReplication/replicationVaults/write | Updates any vault |
| Microsoft.RecoveryServices/vaults/* | |
| Microsoft.RecoveryServices/register/action | Registers subscription for given Resource Provider |
| Microsoft.KeyVault/register/action | Registers a subscription |
| Microsoft.AzureArcData/register/action | Register the subscription for Microsoft.AzureArcData |
| Microsoft.Resources/links/read | Gets or lists resource links. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Grants restricted access on Azure Migrate project to only perform planning operations including appliance-based discovery, managing inventory, identifying server dependencies, creation of business case & assessment reports.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7859c0b0-0bb9-4994-bd12-cd529af7d646",
"name": "7859c0b0-0bb9-4994-bd12-cd529af7d646",
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/locations/read",
"Microsoft.Resources/checkResourceName/action",
"Microsoft.Resources/deploymentScripts/write",
"Microsoft.Resources/deploymentScripts/read",
"Microsoft.Resources/links/write",
"Microsoft.Authorization/*/read",
"Microsoft.Authorization/locks/write",
"Microsoft.Authorization/locks/delete",
"Microsoft.Insights/alertRules/*",
"Microsoft.Migrate/*",
"Microsoft.ApplicationMigration/*",
"Microsoft.OffAzure/*",
"Microsoft.MySQLDiscovery/*",
"Microsoft.DependencyMap/*",
"Microsoft.KeyVault/vaults/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.HybridCompute/machines/read",
"Microsoft.HybridCompute/machines/write",
"Microsoft.HybridCompute/machines/delete",
"Microsoft.HybridCompute/register/action",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Network/privateEndpoints/read",
"Microsoft.Network/privateEndpoints/write",
"Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write",
"Microsoft.Network/privateDnsZones/write",
"Microsoft.Network/privateDnsZones/virtualNetworkLinks/write",
"Microsoft.Network/privateDnsZones/join/action",
"Microsoft.Network/privateDnsZones/A/write",
"Microsoft.Network/register/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read",
"Microsoft.Storage/storageAccounts/*/read",
"Microsoft.Storage/storageAccounts/*/write",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.GuestConfiguration/register/action",
"Microsoft.HybridConnectivity/register/action",
"Microsoft.DataReplication/*/read",
"Microsoft.DataReplication/register/action",
"Microsoft.DataReplication/replicationVaults/write",
"Microsoft.RecoveryServices/vaults/*",
"Microsoft.RecoveryServices/register/action",
"Microsoft.KeyVault/register/action",
"Microsoft.AzureArcData/register/action",
"Microsoft.Resources/links/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Migrate Decide and Plan Expert",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Migrate Execute Expert
Grants restricted access on an Azure Migrate project to only perform migration related operations, including replication, execution of test migrations, tracking and monitoring of migration progress, and initiation of agentless and agent-based migrations.
Includes an ABAC condition to constrain role assignments.
| Actions | Description |
|---|---|
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/write | Creates or updates a resource group. |
| Microsoft.Resources/subscriptions/locations/read | Gets the list of locations supported. |
| Microsoft.Resources/checkResourceName/action | Check the resource name for validity. |
| Microsoft.Resources/deploymentScripts/write | Creates or updates a deployment script |
| Microsoft.Resources/deploymentScripts/read | Gets or lists deployment scripts |
| Microsoft.Resources/links/write | Creates or updates a resource link. |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Authorization/locks/write | Add locks at the specified scope. |
| Microsoft.Authorization/locks/delete | Delete locks at the specified scope. |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Migrate/*/read | |
| Microsoft.ApplicationMigration/*/read | |
| Microsoft.OffAzure/*/read | |
| Microsoft.MySQLDiscovery/*/read | |
| Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
| Microsoft.Network/networkInterfaces/write | Creates a network interface or updates an existing network interface. |
| Microsoft.Network/networkInterfaces/delete | Deletes a network interface |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
| Microsoft.Storage/storageAccounts/*/read | |
| Microsoft.Storage/storageAccounts/*/write | |
| Microsoft.Storage/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. |
| Microsoft.Compute/register/action | Registers Subscription with Microsoft.Compute resource provider |
| Microsoft.Compute/availabilitySets/read | Get the properties of an availability set |
| Microsoft.Compute/availabilitySets/vmSizes/read | List available sizes for creating or updating a virtual machine in the availability set |
| Microsoft.Compute/diskEncryptionSets/read | Get the properties of a disk encryption set |
| Microsoft.Compute/skus/read | Gets the list of Microsoft.Compute SKUs available for your Subscription |
| Microsoft.Compute/disks/read | Get the properties of a Disk |
| Microsoft.Compute/disks/write | Creates a new Disk or updates an existing one |
| Microsoft.Compute/disks/delete | Deletes the Disk |
| Microsoft.Compute/virtualMachines/read | Get the properties of a virtual machine |
| Microsoft.Compute/virtualMachines/write | Creates a new virtual machine or updates an existing virtual machine |
| Microsoft.Compute/virtualMachines/delete | Deletes the virtual machine |
| Microsoft.RecoveryServices/vaults/* | |
| Microsoft.RecoveryServices/register/action | Registers subscription for given Resource Provider |
| Microsoft.RecoveryServices/operations/read | Operation returns the list of Operations for a Resource Provider |
| Microsoft.Resources/links/read | Gets or lists resource links. |
| Microsoft.DependencyMap/*/read | |
| Microsoft.DependencyMap/maps/*/action | |
| NotActions | |
| Microsoft.OffAzure/hypervSites/machines/inventoryinsights/pendingupdates/* | |
| Microsoft.OffAzure/hypervSites/machines/inventoryinsights/vulnerabilities/* | |
| Microsoft.OffAzure/serverSites/machines/inventoryinsights/pendingupdates/* | |
| Microsoft.OffAzure/serverSites/machines/inventoryinsights/vulnerabilities/* | |
| Microsoft.OffAzure/vmwareSites/machines/inventoryinsights/vulnerabilities/* | |
| Microsoft.OffAzure/vmwareSites/machines/inventoryinsights/pendingupdates/* | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |
| Actions | |
| Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope. |
| Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |
| Condition | |
| ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{17d1049b-9a84-46fb-8f53-869881c3d3ab, ba92f5b4-2d11-453d-a403-e96b0029c9fe})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{17d1049b-9a84-46fb-8f53-869881c3d3ab, ba92f5b4-2d11-453d-a403-e96b0029c9fe})) | Add or remove role assignments for the following roles: Storage Account Contributor Storage Blob Data Contributor |
{
"assignableScopes": [
"/"
],
"description": "Grants restricted access on an Azure Migrate project to only perform migration related operations, including replication, execution of test migrations, tracking and monitoring of migration progress, and initiation of agentless and agent-based migrations.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1cfa4eac-9a23-481c-a793-bfb6958e836b",
"name": "1cfa4eac-9a23-481c-a793-bfb6958e836b",
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/write",
"Microsoft.Resources/subscriptions/locations/read",
"Microsoft.Resources/checkResourceName/action",
"Microsoft.Resources/deploymentScripts/write",
"Microsoft.Resources/deploymentScripts/read",
"Microsoft.Resources/links/write",
"Microsoft.Authorization/*/read",
"Microsoft.Authorization/locks/write",
"Microsoft.Authorization/locks/delete",
"Microsoft.Insights/alertRules/*",
"Microsoft.Migrate/*/read",
"Microsoft.ApplicationMigration/*/read",
"Microsoft.OffAzure/*/read",
"Microsoft.MySQLDiscovery/*/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Storage/storageAccounts/*/read",
"Microsoft.Storage/storageAccounts/*/write",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Compute/register/action",
"Microsoft.Compute/availabilitySets/read",
"Microsoft.Compute/availabilitySets/vmSizes/read",
"Microsoft.Compute/diskEncryptionSets/read",
"Microsoft.Compute/skus/read",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/delete",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachines/delete",
"Microsoft.RecoveryServices/vaults/*",
"Microsoft.RecoveryServices/register/action",
"Microsoft.RecoveryServices/operations/read",
"Microsoft.Resources/links/read",
"Microsoft.DependencyMap/*/read",
"Microsoft.DependencyMap/maps/*/action"
],
"notActions": [
"Microsoft.OffAzure/hypervSites/machines/inventoryinsights/pendingupdates/*",
"Microsoft.OffAzure/hypervSites/machines/inventoryinsights/vulnerabilities/*",
"Microsoft.OffAzure/serverSites/machines/inventoryinsights/pendingupdates/*",
"Microsoft.OffAzure/serverSites/machines/inventoryinsights/vulnerabilities/*",
"Microsoft.OffAzure/vmwareSites/machines/inventoryinsights/vulnerabilities/*",
"Microsoft.OffAzure/vmwareSites/machines/inventoryinsights/pendingupdates/*"
],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{17d1049b-9a84-46fb-8f53-869881c3d3ab, ba92f5b4-2d11-453d-a403-e96b0029c9fe})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{17d1049b-9a84-46fb-8f53-869881c3d3ab, ba92f5b4-2d11-453d-a403-e96b0029c9fe}))"
}
],
"roleName": "Azure Migrate Execute Expert",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Migrate Owner
Grants full access to create and manage Azure Migrate projects including appliance-based discovery, creation of business case & assessment report and execution of migrations; Also grants ability to assign Azure Migrate specific roles in Azure RBAC.
Includes an ABAC condition to constrain role assignments.
| Actions | Description |
|---|---|
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/write | Creates or updates a resource group. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/locations/read | Gets the list of locations supported. |
| Microsoft.Resources/checkResourceName/action | Check the resource name for validity. |
| Microsoft.Resources/deploymentScripts/write | Creates or updates a deployment script |
| Microsoft.Resources/deploymentScripts/read | Gets or lists deployment scripts |
| Microsoft.Resources/links/write | Creates or updates a resource link. |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Authorization/locks/write | Add locks at the specified scope. |
| Microsoft.Authorization/locks/delete | Delete locks at the specified scope. |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Migrate/* | |
| Microsoft.ApplicationMigration/* | |
| Microsoft.OffAzure/* | |
| Microsoft.MySQLDiscovery/* | |
| Microsoft.DependencyMap/* | |
| Microsoft.KeyVault/vaults/* | |
| Microsoft.KeyVault/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
| Microsoft.HybridCompute/machines/read | Read any Azure Arc machines |
| Microsoft.HybridCompute/machines/write | Writes an Azure Arc machines |
| Microsoft.HybridCompute/machines/delete | Deletes an Azure Arc machines |
| Microsoft.HybridCompute/register/action | Registers the subscription for the Microsoft.HybridCompute Resource Provider |
| Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
| Microsoft.Network/networkInterfaces/write | Creates a network interface or updates an existing network interface. |
| Microsoft.Network/networkInterfaces/delete | Deletes a network interface |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| Microsoft.Network/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet |
| Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. |
| Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. |
| Microsoft.Network/virtualNetworks/join/action | Joins a virtual network. Not Alertable. |
| Microsoft.Network/privateEndpoints/read | Gets an private endpoint resource. |
| Microsoft.Network/privateEndpoints/write | Creates a new private endpoint, or updates an existing private endpoint. |
| Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write | Puts a Private DNS Zone Group |
| Microsoft.Network/privateDnsZones/write | Create or update a Private DNS zone within a resource group. Note that this command cannot be used to create or update virtual network links or record sets within the zone. |
| Microsoft.Network/privateDnsZones/virtualNetworkLinks/write | Create or update a Private DNS zone link to virtual network. |
| Microsoft.Network/privateDnsZones/join/action | Joins a Private DNS Zone |
| Microsoft.Network/privateDnsZones/A/write | Create or update a record set of type 'A' within a Private DNS zone. The records specified will replace the current records in the record set. |
| Microsoft.Network/register/action | Registers the subscription |
| Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
| Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read | Gets a Private DNS Zone Group |
| Microsoft.Storage/storageAccounts/* | Create and manage storage accounts |
| Microsoft.GuestConfiguration/register/action | Registers the subscription for the Microsoft.GuestConfiguration resource provider. |
| Microsoft.Compute/register/action | Registers Subscription with Microsoft.Compute resource provider |
| Microsoft.Compute/availabilitySets/read | Get the properties of an availability set |
| Microsoft.Compute/availabilitySets/vmSizes/read | List available sizes for creating or updating a virtual machine in the availability set |
| Microsoft.Compute/diskEncryptionSets/read | Get the properties of a disk encryption set |
| Microsoft.Compute/skus/read | Gets the list of Microsoft.Compute SKUs available for your Subscription |
| Microsoft.Compute/disks/read | Get the properties of a Disk |
| Microsoft.Compute/disks/write | Creates a new Disk or updates an existing one |
| Microsoft.Compute/disks/delete | Deletes the Disk |
| Microsoft.Compute/virtualMachines/read | Get the properties of a virtual machine |
| Microsoft.Compute/virtualMachines/write | Creates a new virtual machine or updates an existing virtual machine |
| Microsoft.Compute/virtualMachines/delete | Deletes the virtual machine |
| Microsoft.HybridConnectivity/register/action | Register the subscription for Microsoft.HybridConnectivity |
| Microsoft.RecoveryServices/vaults/* | |
| Microsoft.RecoveryServices/register/action | Registers subscription for given Resource Provider |
| Microsoft.RecoveryServices/operations/read | Operation returns the list of Operations for a Resource Provider |
| Microsoft.DataReplication/*/read | |
| Microsoft.DataReplication/register/action | Registers the subscription for the Microsoft.DataReplication resource provider |
| Microsoft.DataReplication/replicationVaults/write | Updates any vault |
| Microsoft.KeyVault/register/action | Registers a subscription |
| Microsoft.AzureArcData/register/action | Register the subscription for Microsoft.AzureArcData |
| Microsoft.Resources/links/read | Gets or lists resource links. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |
| Actions | |
| Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope. |
| Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |
| Condition | |
| ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{7859c0b0-0bb9-4994-bd12-cd529af7d646, 1cfa4eac-9a23-481c-a793-bfb6958e836b, 17d1049b-9a84-46fb-8f53-869881c3d3ab, ba92f5b4-2d11-453d-a403-e96b0029c9fe, ba480ccd-6499-4709-b581-8f38bb215c63})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{7859c0b0-0bb9-4994-bd12-cd529af7d646, 1cfa4eac-9a23-481c-a793-bfb6958e836b, 17d1049b-9a84-46fb-8f53-869881c3d3ab, ba92f5b4-2d11-453d-a403-e96b0029c9fe, ba480ccd-6499-4709-b581-8f38bb215c63})) | Add or remove role assignments for the following roles: Azure Migrate Decide and Plan Expert Azure Migrate Execute Expert Storage Account Contributor Storage Blob Data Contributor Azure Migrate Service Reader |
{
"assignableScopes": [
"/"
],
"description": "Grants full access to create and manage Azure Migrate projects including appliance-based discovery, creation of business case & assessment report and execution of migrations; Also grants ability to assign Azure Migrate specific roles in Azure RBAC.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fd8ea4d5-6509-4db0-bada-356ab233b4fa",
"name": "fd8ea4d5-6509-4db0-bada-356ab233b4fa",
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/write",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/locations/read",
"Microsoft.Resources/checkResourceName/action",
"Microsoft.Resources/deploymentScripts/write",
"Microsoft.Resources/deploymentScripts/read",
"Microsoft.Resources/links/write",
"Microsoft.Authorization/*/read",
"Microsoft.Authorization/locks/write",
"Microsoft.Authorization/locks/delete",
"Microsoft.Insights/alertRules/*",
"Microsoft.Migrate/*",
"Microsoft.ApplicationMigration/*",
"Microsoft.OffAzure/*",
"Microsoft.MySQLDiscovery/*",
"Microsoft.DependencyMap/*",
"Microsoft.KeyVault/vaults/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.HybridCompute/machines/read",
"Microsoft.HybridCompute/machines/write",
"Microsoft.HybridCompute/machines/delete",
"Microsoft.HybridCompute/register/action",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Network/privateEndpoints/read",
"Microsoft.Network/privateEndpoints/write",
"Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write",
"Microsoft.Network/privateDnsZones/write",
"Microsoft.Network/privateDnsZones/virtualNetworkLinks/write",
"Microsoft.Network/privateDnsZones/join/action",
"Microsoft.Network/privateDnsZones/A/write",
"Microsoft.Network/register/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read",
"Microsoft.Storage/storageAccounts/*",
"Microsoft.GuestConfiguration/register/action",
"Microsoft.Compute/register/action",
"Microsoft.Compute/availabilitySets/read",
"Microsoft.Compute/availabilitySets/vmSizes/read",
"Microsoft.Compute/diskEncryptionSets/read",
"Microsoft.Compute/skus/read",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/delete",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachines/delete",
"Microsoft.HybridConnectivity/register/action",
"Microsoft.RecoveryServices/vaults/*",
"Microsoft.RecoveryServices/register/action",
"Microsoft.RecoveryServices/operations/read",
"Microsoft.DataReplication/*/read",
"Microsoft.DataReplication/register/action",
"Microsoft.DataReplication/replicationVaults/write",
"Microsoft.KeyVault/register/action",
"Microsoft.AzureArcData/register/action",
"Microsoft.Resources/links/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{7859c0b0-0bb9-4994-bd12-cd529af7d646, 1cfa4eac-9a23-481c-a793-bfb6958e836b, 17d1049b-9a84-46fb-8f53-869881c3d3ab, ba92f5b4-2d11-453d-a403-e96b0029c9fe, ba480ccd-6499-4709-b581-8f38bb215c63})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{7859c0b0-0bb9-4994-bd12-cd529af7d646, 1cfa4eac-9a23-481c-a793-bfb6958e836b, 17d1049b-9a84-46fb-8f53-869881c3d3ab, ba92f5b4-2d11-453d-a403-e96b0029c9fe, ba480ccd-6499-4709-b581-8f38bb215c63}))"
}
],
"roleName": "Azure Migrate Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Migrate Service Reader
Grants required access to the system assigned managed identity of Azure Migrate project resource.
| Actions | Description |
|---|---|
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.ApplicationMigration/*/read | |
| Microsoft.Migrate/*/read | |
| Microsoft.OffAzure/*/read | |
| Microsoft.MySQLDiscovery/*/read | |
| Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read | Read any Protectable Items |
| Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read | Read any Protected Items |
| Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/read | Read any Migration Items |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Grants required access to the system assigned managed identity of Azure Migrate project resource.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ba480ccd-6499-4709-b581-8f38bb215c63",
"name": "ba480ccd-6499-4709-b581-8f38bb215c63",
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.ApplicationMigration/*/read",
"Microsoft.Migrate/*/read",
"Microsoft.OffAzure/*/read",
"Microsoft.MySQLDiscovery/*/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Migrate Service Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Migrate Arc Discovery Reader - Preview
Read metadata of Azure Arc enabled server resources and metadata, performance and migration suitability of Arc enabled SQL server resources. Users creating Azure Migrate project that uses Arc resource discovery require this role on Arc scope of the project. To enable periodic sync, Azure Migrate project managed identity must be assigned this role. This role is in preview and subject to change.
| Actions | Description |
|---|---|
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.AzureArcData/sqlServerInstances/read | Retrieves a SQL Server Instance resource |
| Microsoft.AzureArcData/sqlServerInstances/databases/read | read databases |
| Microsoft.AzureArcData/sqlServerInstances/availabilityGroups/read | read availabilityGroups |
| Microsoft.AzureArcData/sqlServerInstances/getTelemetry/action | Retrieves SQL Server instance telemetry |
| Microsoft.AzureArcData/sqlServerInstances/availabilityGroups/getDetailView/action | Retrieves detailed properties of the Availability Group. |
| Microsoft.HybridCompute/machines/read | Read any Azure Arc machines |
| Microsoft.HybridCompute/machines/extensions/read | Reads any Azure Arc extensions |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Read metadata of Azure Arc enabled server resources and metadata, performance and migration suitability of Arc enabled SQL server resources. Users creating Azure Migrate project that uses Arc resource discovery require this role on Arc scope of the project. To enable periodic sync, Azure Migrate project managed identity must be assigned this role. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5d5dddae-e124-4753-972d-aae60b37deb4",
"name": "5d5dddae-e124-4753-972d-aae60b37deb4",
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.AzureArcData/sqlServerInstances/read",
"Microsoft.AzureArcData/sqlServerInstances/databases/read",
"Microsoft.AzureArcData/sqlServerInstances/availabilityGroups/read",
"Microsoft.AzureArcData/sqlServerInstances/getTelemetry/action",
"Microsoft.AzureArcData/sqlServerInstances/availabilityGroups/getDetailView/action",
"Microsoft.HybridCompute/machines/read",
"Microsoft.HybridCompute/machines/extensions/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Migrate Arc Discovery Reader - Preview",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}