用于标识的 Azure 内置角色
本文列出了标识类别的 Azure 内置角色。
域服务参与者
可以管理 Azure AD 域服务和相关网络配置
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Resources/deployments/read | 获取或列出部署。 |
| Microsoft.Resources/deployments/write | 创建或更新部署。 |
| Microsoft.Resources/deployments/delete | 删除部署。 |
| Microsoft.Resources/deployments/cancel/action | 取消部署。 |
| Microsoft.Resources/deployments/validate/action | 验证部署。 |
| Microsoft.Resources/deployments/whatIf/action | 预测模板部署更改。 |
| Microsoft.Resources/deployments/exportTemplate/action | 导出部署的模板 |
| Microsoft.Resources/deployments/operations/read | 获取或列出部署操作。 |
| Microsoft.Resources/deployments/operationstatuses/read | 获取或列出部署操作状态。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Insights/AlertRules/Write | 创建或更新经典指标警报 |
| Microsoft.Insights/AlertRules/Delete | 删除经典指标警报 |
| Microsoft.Insights/AlertRules/Read | 读取经典指标警报 |
| Microsoft.Insights/AlertRules/Activated/Action | 经典指标警报已激活 |
| Microsoft.Insights/AlertRules/Resolved/Action | 经典指标警报已解决 |
| Microsoft.Insights/AlertRules/Throttled/Action | 经典指标预警规则已中止 |
| Microsoft.Insights/AlertRules/Incidents/Read | 读取经典指标警报事件 |
| Microsoft.Insights/Logs/Read | 从所有日志中读取数据 |
| Microsoft.Insights/Metrics/Read | 添加指标 |
| Microsoft.Insights/DiagnosticSettings/* | 创建、更新或读取 Analysis Server 的诊断设置 |
| Microsoft.Insights/DiagnosticSettingsCategories/Read | 读取诊断设置类别 |
| Microsoft.AAD/register/action | 注册域服务 |
| Microsoft.AAD/unregister/action | 取消注册域服务 |
| Microsoft.AAD/domainServices/* | |
| Microsoft.Network/register/action | 注册订阅 |
| Microsoft.Network/unregister/action | 取消注册订阅 |
| Microsoft.Network/virtualNetworks/read | 获取虚拟网络定义 |
| Microsoft.Network/virtualNetworks/write | 创建虚拟网络,或更新现有的虚拟网络 |
| Microsoft.Network/virtualNetworks/delete | 删除虚拟网络 |
| Microsoft.Network/virtualNetworks/peer/action | 在两个不同的虚拟网络之间建立对等互连 |
| Microsoft.Network/virtualNetworks/join/action | 加入虚拟网络。 不可发出警报。 |
| Microsoft.Network/virtualNetworks/subnets/read | 获取虚拟网络子网定义 |
| Microsoft.Network/virtualNetworks/subnets/write | 创建虚拟网络子网,或更新现有的虚拟网络子网 |
| Microsoft.Network/virtualNetworks/subnets/delete | 删除虚拟网络子网 |
| Microsoft.Network/virtualNetworks/subnets/join/action | 加入虚拟网络。 不可发出警报。 |
| Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | 获取虚拟网络对等互连定义 |
| Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write | 创建虚拟网络对等互连,或更新现有的虚拟网络对等互连 |
| Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete | 删除虚拟网络对等互连 |
| Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read | 获取虚拟网络的诊断设置 |
| Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read | 获取 PingMesh 的可用指标 |
| Microsoft.Network/azureFirewalls/read | 获取 Azure 防火墙 |
| Microsoft.Network/ddosProtectionPlans/read | 获取 DDoS 保护计划 |
| Microsoft.Network/ddosProtectionPlans/join/action | 加入 DDoS 保护计划。 不可发出警报。 |
| Microsoft.Network/loadBalancers/read | 获取负载均衡器定义 |
| Microsoft.Network/loadBalancers/delete | 删除负载均衡器 |
| Microsoft.Network/loadBalancers/*/read | |
| Microsoft.Network/loadBalancers/backendAddressPools/join/action | 加入负载均衡器后端地址池。 不可发出警报。 |
| Microsoft.Network/loadBalancers/inboundNatRules/join/action | 加入负载均衡器入站 NAT 规则。 不可发出警报。 |
| Microsoft.Network/natGateways/join/action | 加入 NAT 网关 |
| Microsoft.Network/networkInterfaces/read | 获取网络接口定义。 |
| Microsoft.Network/networkInterfaces/write | 创建网络接口,或更新现有的网络接口。 |
| Microsoft.Network/networkInterfaces/delete | 删除网络接口 |
| Microsoft.Network/networkInterfaces/join/action | 将虚拟机加入到网络接口。 不可发出警报。 |
| Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read | 获取默认的安全规则定义 |
| Microsoft.Network/networkSecurityGroups/read | 获取网络安全组定义 |
| Microsoft.Network/networkSecurityGroups/write | 创建网络安全组,或更新现有的网络安全组 |
| Microsoft.Network/networkSecurityGroups/delete | 删除网络安全组 |
| Microsoft.Network/networkSecurityGroups/join/action | 加入网络安全组。 不可发出警报。 |
| Microsoft.Network/networkSecurityGroups/securityRules/read | 获取安全规则定义 |
| Microsoft.Network/networkSecurityGroups/securityRules/write | 创建安全规则,或更新现有的安全规则 |
| Microsoft.Network/networkSecurityGroups/securityRules/delete | 删除安全规则 |
| Microsoft.Network/routeTables/read | 获取路由表定义 |
| Microsoft.Network/routeTables/write | 创建路由表,或更新现有的路由表 |
| Microsoft.Network/routeTables/delete | 删除路由表定义 |
| Microsoft.Network/routeTables/join/action | 加入路由表。 不可发出警报。 |
| Microsoft.Network/routeTables/routes/read | 获取路由定义 |
| Microsoft.Network/routeTables/routes/write | 创建路由,或更新现有的路由 |
| Microsoft.Network/routeTables/routes/delete | 删除路由定义 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Can manage Azure AD Domain Services and related network configurations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/eeaeda52-9324-47f6-8069-5d5bade478b2",
"name": "eeaeda52-9324-47f6-8069-5d5bade478b2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/deployments/delete",
"Microsoft.Resources/deployments/cancel/action",
"Microsoft.Resources/deployments/validate/action",
"Microsoft.Resources/deployments/whatIf/action",
"Microsoft.Resources/deployments/exportTemplate/action",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/operationstatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.Insights/Logs/Read",
"Microsoft.Insights/Metrics/Read",
"Microsoft.Insights/DiagnosticSettings/*",
"Microsoft.Insights/DiagnosticSettingsCategories/Read",
"Microsoft.AAD/register/action",
"Microsoft.AAD/unregister/action",
"Microsoft.AAD/domainServices/*",
"Microsoft.Network/register/action",
"Microsoft.Network/unregister/action",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/delete",
"Microsoft.Network/virtualNetworks/peer/action",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/subnets/delete",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
"Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read",
"Microsoft.Network/azureFirewalls/read",
"Microsoft.Network/ddosProtectionPlans/read",
"Microsoft.Network/ddosProtectionPlans/join/action",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/loadBalancers/delete",
"Microsoft.Network/loadBalancers/*/read",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatRules/join/action",
"Microsoft.Network/natGateways/join/action",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/write",
"Microsoft.Network/networkSecurityGroups/delete",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/networkSecurityGroups/securityRules/write",
"Microsoft.Network/networkSecurityGroups/securityRules/delete",
"Microsoft.Network/routeTables/read",
"Microsoft.Network/routeTables/write",
"Microsoft.Network/routeTables/delete",
"Microsoft.Network/routeTables/join/action",
"Microsoft.Network/routeTables/routes/read",
"Microsoft.Network/routeTables/routes/write",
"Microsoft.Network/routeTables/routes/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Domain Services Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
域服务读取者
可以查看 Azure AD 域服务和相关网络配置
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Resources/deployments/read | 获取或列出部署。 |
| Microsoft.Resources/deployments/operations/read | 获取或列出部署操作。 |
| Microsoft.Resources/deployments/operationstatuses/read | 获取或列出部署操作状态。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Insights/AlertRules/Read | 读取经典指标警报 |
| Microsoft.Insights/AlertRules/Incidents/Read | 读取经典指标警报事件 |
| Microsoft.Insights/Logs/Read | 从所有日志中读取数据 |
| Microsoft.Insights/Metrics/read | 添加指标 |
| Microsoft.Insights/DiagnosticSettings/read | 读取资源诊断设置 |
| Microsoft.Insights/DiagnosticSettingsCategories/Read | 读取诊断设置类别 |
| Microsoft.AAD/domainServices/*/read | |
| Microsoft.Network/virtualNetworks/read | 获取虚拟网络定义 |
| Microsoft.Network/virtualNetworks/subnets/read | 获取虚拟网络子网定义 |
| Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | 获取虚拟网络对等互连定义 |
| Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read | 获取虚拟网络的诊断设置 |
| Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read | 获取 PingMesh 的可用指标 |
| Microsoft.Network/azureFirewalls/read | 获取 Azure 防火墙 |
| Microsoft.Network/ddosProtectionPlans/read | 获取 DDoS 保护计划 |
| Microsoft.Network/loadBalancers/read | 获取负载均衡器定义 |
| Microsoft.Network/loadBalancers/*/read | |
| Microsoft.Network/natGateways/read | 获取 NAT 网关定义 |
| Microsoft.Network/networkInterfaces/read | 获取网络接口定义。 |
| Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read | 获取默认的安全规则定义 |
| Microsoft.Network/networkSecurityGroups/read | 获取网络安全组定义 |
| Microsoft.Network/networkSecurityGroups/securityRules/read | 获取安全规则定义 |
| Microsoft.Network/routeTables/read | 获取路由表定义 |
| Microsoft.Network/routeTables/routes/read | 获取路由定义 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Can view Azure AD Domain Services and related network configurations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/361898ef-9ed1-48c2-849c-a832951106bb",
"name": "361898ef-9ed1-48c2-849c-a832951106bb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/operationstatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.Insights/Logs/Read",
"Microsoft.Insights/Metrics/read",
"Microsoft.Insights/DiagnosticSettings/read",
"Microsoft.Insights/DiagnosticSettingsCategories/Read",
"Microsoft.AAD/domainServices/*/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
"Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read",
"Microsoft.Network/azureFirewalls/read",
"Microsoft.Network/ddosProtectionPlans/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/loadBalancers/*/read",
"Microsoft.Network/natGateways/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/routeTables/read",
"Microsoft.Network/routeTables/routes/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Domain Services Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
托管的标识参与者
创建、读取、更新和删除用户分配的标识
| 操作 | 描述 |
|---|---|
| Microsoft.ManagedIdentity/userAssignedIdentities/read | 获取现有用户分配标识 |
| Microsoft.ManagedIdentity/userAssignedIdentities/write | 创建新的用户分配标识或更新与现有用户分配标识关联的标记 |
| Microsoft.ManagedIdentity/userAssignedIdentities/delete | 删除现有用户分配标识 |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Create, Read, Update, and Delete User Assigned Identity",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
"name": "e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
"permissions": [
{
"actions": [
"Microsoft.ManagedIdentity/userAssignedIdentities/read",
"Microsoft.ManagedIdentity/userAssignedIdentities/write",
"Microsoft.ManagedIdentity/userAssignedIdentities/delete",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Managed Identity Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
托管的标识操作员
读取和分配用户分配的标识
| 操作 | 描述 |
|---|---|
| Microsoft.ManagedIdentity/userAssignedIdentities/*/read | |
| Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action | |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Read and Assign User Assigned Identity",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830",
"name": "f1a07417-d97a-45cb-824c-7a7467783830",
"permissions": [
{
"actions": [
"Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
"Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Managed Identity Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}