Azure built-in roles for Identity

This article lists the Azure built-in roles in the Identity category.

Domain Services Contributor

Can manage Azure AD Domain Services and related network configurations

Learn more

| Actions | Description |
| --- | --- |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/deployments/read | Gets or lists deployments. |
| Microsoft.Resources/deployments/write | Creates or updates a deployment. |
| Microsoft.Resources/deployments/delete | Deletes a deployment. |
| Microsoft.Resources/deployments/cancel/action | Cancels a deployment. |
| Microsoft.Resources/deployments/validate/action | Validates a deployment. |
| Microsoft.Resources/deployments/whatIf/action | Predicts template deployment changes. |
| Microsoft.Resources/deployments/exportTemplate/action | Export template for a deployment |
| Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
| Microsoft.Resources/deployments/operationstatuses/read | Gets or lists deployment operation statuses. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Insights/AlertRules/Write | Create or update a classic metric alert |
| Microsoft.Insights/AlertRules/Delete | Delete a classic metric alert |
| Microsoft.Insights/AlertRules/Read | Read a classic metric alert |
| Microsoft.Insights/AlertRules/Activated/Action | Classic metric alert activated |
| Microsoft.Insights/AlertRules/Resolved/Action | Classic metric alert resolved |
| Microsoft.Insights/AlertRules/Throttled/Action | Classic metric alert rule throttled |
| Microsoft.Insights/AlertRules/Incidents/Read | Read a classic metric alert incident |
| Microsoft.Insights/Logs/Read | Read data from all your logs |
| Microsoft.Insights/Metrics/Read | Read metrics |
| Microsoft.Insights/DiagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server |
| Microsoft.Insights/DiagnosticSettingsCategories/Read | Read diagnostic settings categories |
| Microsoft.AAD/register/action | Register Domain Service |
| Microsoft.AAD/unregister/action | Unregister Domain Service |
| Microsoft.AAD/domainServices/* | |
| Microsoft.Network/register/action | Registers the subscription |
| Microsoft.Network/unregister/action | Unregisters the subscription |
| Microsoft.Network/virtualNetworks/read | Gets the virtual network definition |
| Microsoft.Network/virtualNetworks/write | Creates a virtual network or updates an existing virtual network |
| Microsoft.Network/virtualNetworks/delete | Deletes a virtual network |
| Microsoft.Network/virtualNetworks/peer/action | Peers a virtual network with another virtual network |
| Microsoft.Network/virtualNetworks/join/action | Joins a virtual network. Not alertable. |
| Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
| Microsoft.Network/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet |
| Microsoft.Network/virtualNetworks/subnets/delete | Deletes a virtual network subnet |
| Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not alertable. |
| Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | Gets a virtual network peering definition |
| Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write | Creates a virtual network peering or updates an existing virtual network peering |
| Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete | Deletes a virtual network peering |
| Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic settings of a virtual network |
| Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for PingMesh |
| Microsoft.Network/azureFirewalls/read | Gets an Azure Firewall |
| Microsoft.Network/ddosProtectionPlans/read | Gets a DDoS Protection Plan |
| Microsoft.Network/ddosProtectionPlans/join/action | Joins a DDoS Protection Plan. Not alertable. |
| Microsoft.Network/loadBalancers/read | Gets a load balancer definition |
| Microsoft.Network/loadBalancers/delete | Deletes a load balancer |
| Microsoft.Network/loadBalancers/*/read | |
| Microsoft.Network/loadBalancers/backendAddressPools/join/action | Joins a load balancer backend address pool. Not alertable. |
| Microsoft.Network/loadBalancers/inboundNatRules/join/action | Joins a load balancer inbound NAT rule. Not alertable. |
| Microsoft.Network/natGateways/join/action | Joins a NAT gateway |
| Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
| Microsoft.Network/networkInterfaces/write | Creates a network interface or updates an existing network interface. |
| Microsoft.Network/networkInterfaces/delete | Deletes a network interface |
| Microsoft.Network/networkInterfaces/join/action | Joins a virtual machine to a network interface. Not alertable. |
| Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read | Gets a default security rule definition |
| Microsoft.Network/networkSecurityGroups/read | Gets a network security group definition |
| Microsoft.Network/networkSecurityGroups/write | Creates a network security group or updates an existing network security group |
| Microsoft.Network/networkSecurityGroups/delete | Deletes a network security group |
| Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not alertable. |
| Microsoft.Network/networkSecurityGroups/securityRules/read | Gets a security rule definition |
| Microsoft.Network/networkSecurityGroups/securityRules/write | Creates a security rule or updates an existing security rule |
| Microsoft.Network/networkSecurityGroups/securityRules/delete | Deletes a security rule |
| Microsoft.Network/routeTables/read | Gets a route table definition |
| Microsoft.Network/routeTables/write | Creates a route table or updates an existing route table |
| Microsoft.Network/routeTables/delete | Deletes a route table definition |
| Microsoft.Network/routeTables/join/action | Joins a route table. Not alertable. |
| Microsoft.Network/routeTables/routes/read | Gets a route definition |
| Microsoft.Network/routeTables/routes/write | Creates a route or updates an existing route |
| Microsoft.Network/routeTables/routes/delete | Deletes a route definition |
| NotActions | none |
| DataActions | none |
| NotDataActions | none |
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage Azure AD Domain Services and related network configurations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/eeaeda52-9324-47f6-8069-5d5bade478b2",
  "name": "eeaeda52-9324-47f6-8069-5d5bade478b2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/deployments/delete",
        "Microsoft.Resources/deployments/cancel/action",
        "Microsoft.Resources/deployments/validate/action",
        "Microsoft.Resources/deployments/whatIf/action",
        "Microsoft.Resources/deployments/exportTemplate/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/operationstatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Insights/Logs/Read",
        "Microsoft.Insights/Metrics/Read",
        "Microsoft.Insights/DiagnosticSettings/*",
        "Microsoft.Insights/DiagnosticSettingsCategories/Read",
        "Microsoft.AAD/register/action",
        "Microsoft.AAD/unregister/action",
        "Microsoft.AAD/domainServices/*",
        "Microsoft.Network/register/action",
        "Microsoft.Network/unregister/action",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Network/virtualNetworks/delete",
        "Microsoft.Network/virtualNetworks/peer/action",
        "Microsoft.Network/virtualNetworks/join/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Network/virtualNetworks/subnets/delete",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Network/azureFirewalls/read",
        "Microsoft.Network/ddosProtectionPlans/read",
        "Microsoft.Network/ddosProtectionPlans/join/action",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/loadBalancers/delete",
        "Microsoft.Network/loadBalancers/*/read",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
        "Microsoft.Network/natGateways/join/action",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/networkInterfaces/delete",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/networkSecurityGroups/delete",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/networkSecurityGroups/securityRules/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "Microsoft.Network/networkSecurityGroups/securityRules/delete",
        "Microsoft.Network/routeTables/read",
        "Microsoft.Network/routeTables/write",
        "Microsoft.Network/routeTables/delete",
        "Microsoft.Network/routeTables/join/action",
        "Microsoft.Network/routeTables/routes/read",
        "Microsoft.Network/routeTables/routes/write",
        "Microsoft.Network/routeTables/routes/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Domain Services Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Domain Services Reader

Can view Azure AD Domain Services and related network configurations

| Actions | Description |
| --- | --- |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/deployments/read | Gets or lists deployments. |
| Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
| Microsoft.Resources/deployments/operationstatuses/read | Gets or lists deployment operation statuses. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Insights/AlertRules/Read | Read a classic metric alert |
| Microsoft.Insights/AlertRules/Incidents/Read | Read a classic metric alert incident |
| Microsoft.Insights/Logs/Read | Read data from all your logs |
| Microsoft.Insights/Metrics/read | Read metrics |
| Microsoft.Insights/DiagnosticSettings/read | Read a resource diagnostic setting |
| Microsoft.Insights/DiagnosticSettingsCategories/Read | Read diagnostic settings categories |
| Microsoft.AAD/domainServices/*/read | |
| Microsoft.Network/virtualNetworks/read | Gets the virtual network definition |
| Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
| Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | Gets a virtual network peering definition |
| Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic settings of a virtual network |
| Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for PingMesh |
| Microsoft.Network/azureFirewalls/read | Gets an Azure Firewall |
| Microsoft.Network/ddosProtectionPlans/read | Gets a DDoS Protection Plan |
| Microsoft.Network/loadBalancers/read | Gets a load balancer definition |
| Microsoft.Network/loadBalancers/*/read | |
| Microsoft.Network/natGateways/read | Gets a NAT gateway definition |
| Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
| Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read | Gets a default security rule definition |
| Microsoft.Network/networkSecurityGroups/read | Gets a network security group definition |
| Microsoft.Network/networkSecurityGroups/securityRules/read | Gets a security rule definition |
| Microsoft.Network/routeTables/read | Gets a route table definition |
| Microsoft.Network/routeTables/routes/read | Gets a route definition |
| NotActions | none |
| DataActions | none |
| NotDataActions | none |
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can view Azure AD Domain Services and related network configurations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/361898ef-9ed1-48c2-849c-a832951106bb",
  "name": "361898ef-9ed1-48c2-849c-a832951106bb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/operationstatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Insights/Logs/Read",
        "Microsoft.Insights/Metrics/read",
        "Microsoft.Insights/DiagnosticSettings/read",
        "Microsoft.Insights/DiagnosticSettingsCategories/Read",
        "Microsoft.AAD/domainServices/*/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Network/azureFirewalls/read",
        "Microsoft.Network/ddosProtectionPlans/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/loadBalancers/*/read",
        "Microsoft.Network/natGateways/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/read",
        "Microsoft.Network/routeTables/read",
        "Microsoft.Network/routeTables/routes/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Domain Services Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Managed Identity Contributor

Create, read, update, and delete user-assigned identities

Learn more

| Actions | Description |
| --- | --- |
| Microsoft.ManagedIdentity/userAssignedIdentities/read | Gets an existing user-assigned identity |
| Microsoft.ManagedIdentity/userAssignedIdentities/write | Creates a new user-assigned identity or updates the tags associated with an existing user-assigned identity |
| Microsoft.ManagedIdentity/userAssignedIdentities/delete | Deletes an existing user-assigned identity |
| Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read | Gets or lists federated identity credentials |
| Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write | Adds or updates a federated identity credential |
| Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete | Deletes a federated identity credential |
| Microsoft.ManagedIdentity/userAssignedIdentities/revokeTokens/action | Revokes all existing tokens on a user-assigned identity |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage classic metric alerts |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/deployments/* | Create and manage deployments |
| NotActions | none |
| DataActions | none |
| NotDataActions | none |
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, Read, Update, and Delete User Assigned Identity",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
  "name": "e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
  "permissions": [
    {
      "actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/write",
        "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete",
        "Microsoft.ManagedIdentity/userAssignedIdentities/revokeTokens/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Identity Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Managed Identity Operator

Read and assign user-assigned identities

Learn more

| Actions | Description |
| --- | --- |
| Microsoft.ManagedIdentity/userAssignedIdentities/*/read | |
| Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action | |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage classic metric alerts |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/deployments/* | Create and manage deployments |
| NotActions | none |
| DataActions | none |
| NotDataActions | none |
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read and Assign User Assigned Identity",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830",
  "name": "f1a07417-d97a-45cb-824c-7a7467783830",
  "permissions": [
    {
      "actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Identity Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
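As an added example (not from this page or from Microsoft), the following Python evaluates whether a role definition permits a given operation under the wildcard rules that the action strings above rely on, using the two managed-identity role definitions transcribed from this page; the wildcard semantics (a bare `*` segment covering zero or more path segments) and case-insensitive matching are assumptions stated in the comments. It makes the split of duty between the two roles explicit: the Contributor can create, delete and revoke identities but cannot assign them to a resource, while the Operator can assign identities but cannot create or delete them.

```python
import re
# Role definitions transcribed from this page (ids and assignable scopes omitted).
MANAGED_IDENTITY_CONTRIBUTOR = {
    "roleName": "Managed Identity Contributor",
    "actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/write",
        "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete",
        "Microsoft.ManagedIdentity/userAssignedIdentities/revokeTokens/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
    ],
    "notActions": [],
}
MANAGED_IDENTITY_OPERATOR = {
    "roleName": "Managed Identity Operator",
    "actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
    ],
    "notActions": [],
}

def _path_matches(pattern, operation):
    # Assumed wildcard semantics: a bare '*' segment stands for zero or more whole path
    # segments (so 'userAssignedIdentities/*/read' also covers 'userAssignedIdentities/read'),
    # '*' inside a segment matches any run of characters, and comparison is case-insensitive.
    if not pattern:
        return not operation
    if pattern[0] == "*":
        return any(_path_matches(pattern[1:], operation[i:]) for i in range(len(operation) + 1))
    regex = ".*".join(re.escape(p) for p in pattern[0].split("*"))
    return bool(operation) and re.fullmatch(regex, operation[0], re.IGNORECASE) is not None \
        and _path_matches(pattern[1:], operation[1:])

def allows(role, operation):
    # Permitted when some action pattern covers the operation and no notAction pattern does.
    op = operation.split("/")
    def covered(patterns):
        return any(_path_matches(p.split("/"), op) for p in patterns)
    return covered(role["actions"]) and not covered(role["notActions"])
```

Pair the two roles as this page's descriptions intend: a pipeline that assigns an identity to a resource needs only Operator, and a separate principal that manages identity lifecycle needs only Contributor.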

Next steps