Azure permission mapping
Storage Account
Region
Microsoft.Storage/storageAccounts/blobServices/read
Grants read access to blob services within storage accounts.
Yes
Subscription
Private CP DP Public CP DP
Storage Account
Region
Microsoft.Storage/storageAccounts/blobServices/write
Allows updating settings of blob services within storage accounts.
Yes
Subscription
Public CP DP Private CP DP
Storage Account
Region
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*
Grants all permissions on blobs within containers in blob services of storage accounts.
Yes
PITR
Public CP DP Private CP DP
Storage Account
Region
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
Allows adding new blobs to containers.
Yes
PITR
Public CP DP Private CP DP
Storage Account
Region
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Grants permission to delete blobs within containers.
Yes
SLA
Public CP DP Private CP DP
Storage Account
Region
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action
Allows moving blobs between containers or within a container.
Yes
PITR,DAP
Public CP DP Private CP DP
Storage Account
Region
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Grants read access to blobs within containers.
Yes
PITR,Clone
Public CP DP Private CP DP
Storage Account
Region
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Allows writing or updating blobs within containers.
Yes
PITR
Public CP DP Private CP DP
Storage Account
Region
Microsoft.Storage/storageAccounts/listkeys/action
Allows listing the access keys for a storage account.
Yes
PITR
Public CP DP Private CP DP
Storage Account
Region
Microsoft.Storage/checknameavailability/read
Allows checking the availability of a storage account name.
Yes
PITR
Public CP DP Private CP DP
Storage Account
Region
Microsoft.Storage/storageAccounts/read
Grants read access to storage accounts.
Yes
Subscription,PITR
Public CP DP Private CP DP
Storage Account
Region
Microsoft.Storage/storageAccounts/write
Allows creating or updating storage accounts.
No
Subscription,PITR
Public CP DP Private CP DP
Storage Account
Region
Microsoft.Storage/storageAccounts/delete
Grants permission to delete storage accounts.
No
Delete AM
Public CP DP Private CP DP
Storage Account
Region
Microsoft.Storage/locations/checknameavailability/read
Allows checking storage account name availability in specific locations.
Yes
PITR
Public CP DP Private CP DP
Storage Account
Region
Microsoft.Storage/operations/read
Grants read access to storage account operations metadata.
Yes
PITR,Clone
Public CP DP Private CP DP
Storage Account
Region
Microsoft.Storage/storageAccounts/objectReplicationPolicies/write
Allows creating or updating object replication policies for storage accounts.
Yes
DAP
Public CP DP Private CP DP
Storage Account
Region
Microsoft.Storage/storageAccounts/objectReplicationPolicies/read
Grants read access to object replication policies within storage accounts.
Yes
DAP
Public CP DP Private CP DP
Storage Account
Region
Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete
Grants permission to delete object replication policies within storage accounts.
Yes
DAP
Public CP DP Private CP DP
Compute Operations
Microsoft.Compute/locations/operations/read
Grants read access to compute operations in specific locations.
Yes
Provisioning,Add Instance,Clone,Restore,Service Resize
Public CP DP Private CP DP
Data Collection Endpoints
Region
Microsoft.Insights/DataCollectionEndpoints/Write
Allows creating or updating data collection endpoints.
Yes
Subscription, DB Logs
Public CP DP Private CP DP
Data Collection Endpoints
Region
Microsoft.Insights/DataCollectionEndpoints/Read
Grants read access to data collection endpoints.
Yes
Subscription,Provisioning,Add Instance,Clone,Restore, DB Logs
Public CP DP Private CP DP
Data Collection Endpoints
Region
Microsoft.Insights/DataCollectionEndpoints/Delete
Grants permission to delete data collection endpoints.
Yes
Subscription,DB Logs
Public CP DP Private CP DP
Data Collection Rules
Compute Resource
Microsoft.Insights/dataCollectionRuleAssociations/Write
Allows creating or updating data collection rule associations.
Yes
Provisioning,Add Instance,Clone,Restore, DB Logs
Public CP DP Private CP DP
Data Collection Rules
Compute Resource
Microsoft.Insights/dataCollectionRuleAssociations/Read
Grants read access to data collection rule associations.
Yes
Provisioning,Add Instance,Clone,Restore, DB Logs
Public CP DP Private CP DP
Data Collection Rules
Compute Resource
Microsoft.Insights/dataCollectionRuleAssociations/Delete
Grants permission to delete data collection rule associations.
Yes
Delete Service,DB Logs
Public CP DP Private CP DP
Data Collection Rules
Compute Resource
Microsoft.Insights/dataCollectionRules/write
Allows creating or updating data collection rules.
Yes
Provisioning,Add Instance,Clone,Restore,DB Logs
Public CP DP Private CP DP
Data Collection Rules
Compute Resource
Microsoft.Insights/dataCollectionRules/read
Grants read access to data collection rules.
Yes
Provisioning,Add Instance,Clone,Restore, DB Logs
Public CP DP Private CP DP
Data Collection Rules
Compute Resource
Microsoft.Insights/dataCollectionRules/Delete
Grants permission to delete data collection rules.
Yes
Delete Service,DB Logs
Public CP DP Private CP DP
Disk Encryption Sets
Region
Microsoft.Compute/diskEncryptionSets/read
Grants read access to disk encryption sets.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Disk Encryption Sets
Region
Microsoft.Compute/diskEncryptionSets/write
Allows creating or updating disk encryption sets.
No
Provisioning,Add Instance,Clone,Restore-BYOK
Public CP DP Private CP DP
Disk Encryption Sets
Region
Microsoft.Compute/diskEncryptionSets/delete
Grants permission to delete disk encryption sets.
No
Provisioning,Add Instance,Clone,Restore-BYOK
Public CP DP Private CP DP
Disks
DB Service
Microsoft.Compute/disks/read
Grants read access to disks.
Yes
Provisioning,Add Instance,Clone,Restore,Patching,Resize
Public CP DP Private CP DP
Disks
DB Service
Microsoft.Compute/disks/write
Allows creating or updating disks.
Yes
Provisioning,Add Instance,Clone,Restore,Patching,Resize
Public CP DP Private CP DP
Disks
DB Service
Microsoft.Compute/disks/delete
Grants permission to delete disks.
Yes
Delete Service, Delete Instance, Patching
Public CP DP Private CP DP
Disks
DB Service
Microsoft.Compute/disks/beginGetAccess/action
Initiates access to a disk.
Yes
Provisioning,Add Instance,Clone,Restore,Patching,Resize
Public CP DP Private CP DP
Disks
DB Service
Microsoft.Compute/disks/endGetAccess/action
Revokes access to a disk.
Yes
Delete Service, Delete Instance
Public CP DP Private CP DP
Disks
DB Service
Microsoft.Compute/disks/download/action
Allows downloading disks.
Yes
Public CP DP Private CP DP
Disks
DB Service
Microsoft.Compute/disks/upload/action
Allows uploading data to disks.
Yes
Public CP DP Private CP DP
Key Vault
Region
Microsoft.KeyVault/vaults/accessPolicies/write
Allows creating or updating access policies for a Key Vault.
No
Subscription
Public CP DP Private CP DP
Key Vault
Region
Microsoft.KeyVault/vaults/deploy/action
Allows deploying resources into a Key Vault.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Key Vault
Region
Microsoft.KeyVault/vaults/keys/versions/read
Grants read access to all versions of a key in a Key Vault.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Key Vault
Region
Microsoft.KeyVault/vaults/keys/read
Grants read access to keys stored in a Key Vault.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Key Vault
Region
Microsoft.KeyVault/vaults/keys/write
Allows creating or updating keys in a Key Vault.
No
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Key Vault
Region
Microsoft.KeyVault/vaults/keys/encrypt/action
Allows encrypting data using keys stored in the Key Vault.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Key Vault
Region
Microsoft.KeyVault/vaults/keys/decrypt/action
Allows decrypting data using keys stored in the Key Vault.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Key Vault
Region
Microsoft.KeyVault/vaults/keys/create/action
Allows creating new keys in the Key Vault.
No
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Key Vault
Region
Microsoft.KeyVault/vaults/keys/update/action
Allows updating existing keys in the Key Vault.
No
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Key Vault
Region
Microsoft.KeyVault/vaults/keys/delete
Grants permission to delete keys from the Key Vault.
No
Delete Service, Delete Instance
Public CP DP Private CP DP
Key Vault
Region
Microsoft.KeyVault/vaults/keys/purge/action
Allows purging deleted keys from the Key Vault permanently.
No
Delete Service,Delete Instance
Public CP DP Private CP DP
Key Vault
Region
Microsoft.KeyVault/vaults/keys/import/action
Allows importing keys into the Key Vault.
No
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Key Vault
Region
Microsoft.KeyVault/locations/operationResults/read
Grants read access to the results of Key Vault operations in specific locations.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Key Vault
Region
Microsoft.KeyVault/operations/read
Grants read access to Key Vault operations metadata.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Key Vault
Region
Microsoft.KeyVault/vaults/secrets/write
Allows creating or updating secrets in a Key Vault.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Key Vault
Region
Microsoft.KeyVault/vaults/secrets/delete
Grants permission to delete secrets from the Key Vault.
Yes
Delete Service, Delete Instance
Public CP DP Private CP DP
Key Vault
Region
Microsoft.KeyVault/vaults/secrets/getSecret/action
Allows retrieving (reading) secrets from the Key Vault.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Key Vault
Region
Microsoft.KeyVault/vaults/secrets/update/action
Allows updating secrets in the Key Vault.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Key Vault
Region
Microsoft.KeyVault/vaults/secrets/purge/action
Allows purging deleted secrets from the Key Vault permanently.
Yes
Delete Service, Delete Instance
Public CP DP Private CP DP
Key Vault
Region
Microsoft.KeyVault/vaults/secrets/setSecret/action
Allows setting (creating or updating) secrets in the Key Vault.
Yes
Change Password
Public CP DP Private CP DP
Key Vault
Region
Microsoft.KeyVault/vaults/read
Grants read access to Key Vaults.
Yes
Public CP DP Private CP DP
Key Vault
Region
Microsoft.KeyVault/vaults/write
Allows creating or updating Key Vaults.
No
Public CP DP Private CP DP
Key Vault
Region
Microsoft.KeyVault/vaults/delete
Grants permission to delete Key Vaults.
No
Public CP DP Private CP DP
Load Balancer
VPC
Microsoft.Network/loadBalancers/backendAddressPools/write
Allows creating or updating backend address pools of load balancers.
Yes
Public CP DP Private CP DP
Load Balancer
VPC
Microsoft.Network/loadBalancers/backendAddressPools/read
Grants read access to backend address pools of load balancers.
Yes
Public CP DP Private CP DP
Load Balancer
VPC
Microsoft.Network/loadBalancers/backendAddressPools/delete
Grants permission to delete backend address pools of load balancers.
Yes
Public CP DP Private CP DP
Load Balancer
VPC
Microsoft.Network/loadBalancers/backendAddressPools/join/action
Allows backend pools to be associated with other resources.
Yes
Public CP DP Private CP DP
Load Balancer
VPC
Microsoft.Network/loadBalancers/read
Grants read access to load balancers.
Yes
Create Private Link
Public CP DP Private CP DP
Load Balancer
VPC
Microsoft.Network/loadBalancers/write
Allows creating or updating load balancers.
Yes
Create Private Link
Public CP DP Private CP DP
Load Balancer
VPC
Microsoft.Network/loadBalancers/delete
Grants permission to delete load balancers.
Yes
Create Private Link
Public CP DP Private CP DP
Log Analytics Workspace
Resource Group
Microsoft.OperationalInsights/workspaces/datasources/write
Allows creating or updating data sources in a Log Analytics workspace.
Yes
Provisioning,Add Instance,Clone,Restore, DB Logs
Public CP DP Private CP DP
Log Analytics Workspace
Resource Group
Microsoft.OperationalInsights/locations/operationstatuses/read
Grants read access to operation statuses of Log Analytics in specific locations.
Yes
Subscription, Provisioning,Add Instance,Clone,Restore, DB Logs
Public CP DP Private CP DP
Log Analytics Workspace
Resource Group
Microsoft.OperationalInsights/workspaces/tables/query/read
Grants read access to queries on tables in a Log Analytics workspace.
Yes
DB Logs
Public CP DP Private CP DP
Log Analytics Workspace
Resource Group
Microsoft.OperationalInsights/workspaces/tables/write
Allows creating or updating tables in a Log Analytics workspace.
Yes
Subscription,DB Logs
Public CP DP Private CP DP
Log Analytics Workspace
Resource Group
Microsoft.OperationalInsights/workspaces/tables/read
Grants read access to tables in a Log Analytics workspace.
Yes
Subscription,DB Logs
Public CP DP Private CP DP
Log Analytics Workspace
Resource Group
Microsoft.OperationalInsights/workspaces/tables/delete
Grants permission to delete tables in a Log Analytics workspace.
Yes
Subscription,DB Logs
Public CP DP Private CP DP
Log Analytics Workspace
Resource Group
Microsoft.OperationalInsights/workspaces/query/*/read
Grants read access to all queries in a Log Analytics workspace.
Yes
DB Logs
Public CP DP Private CP DP
Log Analytics Workspace
Resource Group
Microsoft.OperationalInsights/workspaces/read
Grants read access to Log Analytics workspaces.
Yes
Subscription, DB Logs
Public CP DP Private CP DP
Log Analytics Workspace
Resource Group
Microsoft.OperationalInsights/workspaces/sharedkeys/action
Allows access to shared keys of a Log Analytics workspace.
Yes
Subscription,DB Logs
Public CP DP Private CP DP
Log Analytics Workspace
Resource Group
Microsoft.OperationalInsights/workspaces/delete
Grants permission to delete Log Analytics workspaces.
No
Subscription,DB Logs
Public CP DP Private CP DP
NAT Gateway
VPC
Microsoft.Network/natGateways/write
Allows creating or updating NAT gateways.
Yes
Update Service access from Public to Private(Non-BYON)
Public CP DP
NAT Gateway
VPC
Microsoft.Network/natGateways/delete
Grants permission to delete NAT gateways.
Yes
Update Service access from Public to Private(Non-BYON)
Public CP DP
NAT Gateway
VPC
Microsoft.Network/natGateways/read
Grants read access to NAT gateways.
Yes
Update Service access from Public to Private(Non-BYON)
Public CP DP
NAT Gateway
VPC
Microsoft.Network/natGateways/join/action
Allows NAT gateways to be associated with other resources.
Yes
Update Service access from Public to Private(Non-BYON)
Public CP DP
Network Interface
Compute Resource
Microsoft.Network/networkinterfaces/read
Grants read access to network interfaces.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Network Interface
Compute Resource
Microsoft.Network/networkInterfaces/write
Allows creating or updating network interfaces.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Network Interface
Compute Resource
Microsoft.Network/networkinterfaces/delete
Grants permission to delete network interfaces.
Yes
Delete Service, Delete Instance
Public CP DP Private CP DP
Network Interface
Compute Resource
Microsoft.Network/networkinterfaces/join/action
Allows network interfaces to be associated with other resources.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Network Security Group
DB Service
Microsoft.Network/networkSecurityGroups/securityRules/read
Grants read access to security rules within network security groups.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Network Security Group
DB Service
Microsoft.Network/networkSecurityGroups/securityRules/write
Allows creating or updating security rules within network security groups.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Network Security Group
DB Service
Microsoft.Network/networkSecurityGroups/securityRules/delete
Grants permission to delete security rules within network security groups.
Yes
Delete Service, Delete Instance
Public CP DP Private CP DP
Network Security Group
DB Service
Microsoft.Network/networkSecurityGroups/read
Grants read access to network security groups (NSGs).
Yes
Provisioning,Add Instance,Clone,Restore,Add IPs
Public CP DP Private CP DP
Network Security Group
DB Service
Microsoft.Network/networkSecurityGroups/write
Allows creating or updating network security groups.
Yes
Provisioning,Add Instance,Clone,Restore,Add IPs
Public CP DP Private CP DP
Network Security Group
DB Service
Microsoft.Network/networkSecurityGroups/delete
Grants permission to delete network security groups.
Yes
Delete Service, Delete Instance
Public CP DP Private CP DP
Network Security Group
DB Service
Microsoft.Network/networkSecurityGroups/join/action
Allows NSGs to be associated with other resources.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Private Endpoint Connection
Resource Group
Microsoft.Network/privateLinkServices/privateEndpointConnections/read
Grants read access to private endpoint connections associated with a private link service.
Yes
Subscription,Service Private Link
Public CP DP Private CP DP
Private Endpoint Connection
Resource Group
Microsoft.Network/privateLinkServices/privateEndpointConnections/write
Allows updating private endpoint connections associated with a private link service.
Yes
Create Service Private Link
Public CP DP Private CP DP
Private Endpoint Connection
Resource Group
Microsoft.Network/privateLinkServices/privateEndpointConnections/delete
Grants permission to delete private endpoint connections associated with a private link service.
Yes
Delete Service Private Link
Public CP DP Private CP DP
Private Endpoint Connection
Resource Group
Microsoft.Network/privateLinkServices/PrivateEndpointConnectionsApproval/action
Allows approving private endpoint connections to a private link service.
Yes
Subscription
Private CP DP
Private Endpoint Connection
Resource Group
Microsoft.Network/privateLinkServices/notifyPrivateEndpointMove/action
Allows notifying about private endpoint moves related to a private link service.
Yes
Subscription
Private CP DP
Private Endpoint Connection
Resource Group
Microsoft.Network/privateEndpoints/read
Grants read access to private endpoints.
Yes
Subscription
Private CP DP
Private Endpoint Connection
Resource Group
Microsoft.Insights/PrivateLinkScopes/ScopedResources/Read
Grants read access to resources scoped within a Private Link Scope.
Yes
Subscription
Private CP DP
Private Endpoint Connection
Resource Group
Microsoft.Insights/PrivateLinkScopes/ScopedResources/Write
Allows adding or updating resources scoped within a Private Link Scope.
Yes
Subscription
Private CP DP
Private Endpoint Connection
Resource Group
Microsoft.Insights/PrivateLinkScopes/ScopedResources/Delete
Grants permission to delete resources scoped within a Private Link Scope.
Yes
Subscription
Private CP DP
Private Endpoint Connection
Resource Group
Microsoft.Insights/privateLinkScopes/read
Grants read access to Azure Monitor Private Link Scopes.
Yes
Subscription
Private CP DP
Private Link Services
VPC
Microsoft.Network/locations/autoApprovedPrivateLinkServices/read
Grants read access to auto-approved private link services in specific locations.
Yes
Create Service Private Link
Private CP DP Public CP DP
Private Link Services
VPC
Microsoft.Network/locations/availablePrivateEndpointTypes/read
Grants read access to available private endpoint types in specific locations.
Yes
Create Service Private Link
Private CP DP Public CP DP
Private Link Services
VPC
Microsoft.Network/privateLinkServices/read
Grants read access to private link services.
Yes
Private Link
Public CP DP Private CP DP
Private Link Services
VPC
Microsoft.Network/privateLinkServices/write
Allows creating or updating private link services.
Yes
Create Service Private Link
Public CP DP Private CP DP
Private Link Services
VPC
Microsoft.Network/privateLinkServices/delete
Grants permission to delete private link services.
Yes
Delete Service Private Link
Public CP DP Private CP DP
Public IP Address
Compute Resource
Microsoft.Network/publicIPAddresses/read
Grants read access to public IP addresses.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Public IP Address
Compute Resource
Microsoft.Network/publicIPAddresses/write
Allows creating or updating public IP addresses.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Public IP Address
Compute Resource
Microsoft.Network/publicIPAddresses/delete
Grants permission to delete public IP addresses.
Yes
Delete Service, Delete Instance
Public CP DP Private CP DP
Public IP Address
Compute Resource
Microsoft.Network/publicIPAddresses/join/action
Allows public IP addresses to be associated with other resources.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Resource Groups
Microsoft.Resources/subscriptions/resourceGroups/read
Grants read access to resource groups within a subscription.
Yes
Subscription
Public CP DP Private CP DP
Resource Locks
Compute Resource
Microsoft.Authorization/locks/read
Grants read access to resource locks.
Yes
Provisioning,Add Instance,Clone,Restore, Start Service, Stop Service, Delete Service
Public CP DP Private CP DP
Resource Locks
Compute Resource
Microsoft.Authorization/locks/write
Allows creating or updating resource locks.
Yes
Provisioning,Add Instance,Clone,Restore, Start Service,Stop Service, Delete Service
Public CP DP Private CP DP
Resource Locks
Compute Resource
Microsoft.Authorization/locks/delete
Grants permission to delete resource locks.
Yes
Stop Service, Delete Service
Public CP DP Private CP DP
Role Assignments
Microsoft.Authorization/roleAssignments/read
Grants read access to role assignments.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Run Commands
Microsoft.Compute/virtualMachines/runCommands/write
Allows creating or updating run commands on virtual machines.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Shared Image Gallery Images
Microsoft.Compute/galleries/images/versions/read
Grants read access to image versions in shared image galleries.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Shared Image Gallery Images
Microsoft.Compute/galleries/images/versions/write
Allows creating or updating image versions in shared image galleries.
Yes
Public CP DP Private CP DP
Shared Image Gallery Images
Microsoft.Compute/galleries/images/versions/delete
Grants permission to delete image versions in shared image galleries.
Yes
Public CP DP Private CP DP
Snapshots
DB Service
Microsoft.Compute/snapshots/write
Allows creating or updating snapshots of disks.
Yes
AM
Public CP DP Private CP DP
Snapshots
DB Service
Microsoft.Compute/snapshots/delete
Grants permission to delete disk snapshots.
Yes
AM
Public CP DP Private CP DP
Snapshots
DB Service
Microsoft.Compute/snapshots/beginGetAccess/action
Initiates access to a snapshot.
Yes
AM
Public CP DP Private CP DP
Snapshots
DB Service
Microsoft.Compute/snapshots/endGetAccess/action
Revokes access to a snapshot.
Yes
AM
Public CP DP Private CP DP
Snapshots
DB Service
Microsoft.Compute/snapshots/read
Grants read access to disk snapshots.
Yes
Clone,Restore
Public CP DP Private CP DP
Snapshots
DB Service
Microsoft.Compute/snapshots/download/action
Allows downloading snapshots.
Yes
Public CP DP Private CP DP
Snapshots
DB Service
Microsoft.Compute/snapshots/upload/action
Allows uploading data to snapshots.
Yes
Public CP DP Private CP DP
Managed Identity
Resource Group
Microsoft.ManagedIdentity/userAssignedIdentities/read
Grants read access to user-assigned managed identities.
Yes
Subscription, Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Managed Identity
Resource Group
Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
Allows assigning a user-assigned managed identity to a resource.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Virtual Machines
Compute Resource
Microsoft.Compute/virtualMachines/read
Grants read access to virtual machines (VMs).
Yes
Provisioning,Add Instance,Clone,Restore,Stop Service,Start Service
Public CP DP Private CP DP
Virtual Machines
Compute Resource
Microsoft.Compute/virtualMachines/write
Allows creating or updating virtual machines.
Yes
Provisioning,Add Instance,Clone,Restore,Stop Service,Start Service
Public CP DP Private CP DP
Virtual Machines
Compute Resource
Microsoft.Compute/virtualMachines/delete
Grants permission to delete virtual machines.
Yes
Delete Service, Delete Instance
Public CP DP Private CP DP
Virtual Machines
Compute Resource
Microsoft.Compute/virtualMachines/start/action
Allows starting a virtual machine.
Yes
Start Service
Public CP DP Private CP DP
Virtual Machines
Compute Resource
Microsoft.Compute/virtualMachines/powerOff/action
Allows powering off a virtual machine.
Yes
Stop Service
Public CP DP Private CP DP
Virtual Machines
Compute Resource
Microsoft.Compute/virtualMachines/restart/action
Allows restarting a virtual machine.
Yes
Public CP DP Private CP DP
Virtual Machines
Compute Resource
Microsoft.Compute/virtualMachines/runCommand/action
Allows running commands on a virtual machine remotely.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Virtual Machines
Compute Resource
Microsoft.Compute/virtualMachines/deallocate/action
Allows deallocating a virtual machine.
Yes
Delete Service, Delete Instance
Public CP DP Private CP DP
Virtual Network Peerings
VPC
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read
Grants read access to virtual network peerings.
No
Add Instance
Public CP DP Private CP DP
Virtual Network Peerings
VPC
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write
Allows creating or updating virtual network peerings.
No
Add Instance
Public CP DP Private CP DP
Virtual Network Peerings
VPC
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete
Grants permission to delete virtual network peerings.
No
Add Instance
Public CP DP Private CP DP
Virtual Networks
VPC
Microsoft.Network/virtualNetworks/read
Grants read access to virtual networks.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Virtual Networks
VPC
Microsoft.Network/virtualNetworks/write
Allows creating or updating virtual networks.
No
Add Network
Public CP DP Private CP DP
Virtual Networks
VPC
Microsoft.Network/virtualNetworks/delete
Grants permission to delete virtual networks.
No
Remove Network
Public CP DP Private CP DP
Virtual Networks
VPC
Microsoft.Network/virtualNetworks/peer/action
Allows peering of virtual networks.
No
Add Instance
Public CP DP Private CP DP
Virtual Networks
VPC
Microsoft.Network/virtualNetworks/subnets/read
Grants read access to subnets within a virtual network.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Virtual Networks
VPC
Microsoft.Network/virtualNetworks/subnets/join/action
Allows subnets to be associated with other resources.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
Virtual Networks
VPC
Microsoft.Network/virtualNetworks/subnets/write
Allows creating or updating subnets within a virtual network.
No
Add Network
Public CP DP Private CP DP
Virtual Networks
VPC
Microsoft.Network/virtualNetworks/subnets/delete
Grants permission to delete subnets within a virtual network.
No
Remove Network
Public CP DP Private CP DP
VM Extensions
Microsoft.Compute/virtualMachines/extensions/write
Allows adding or updating extensions on virtual machines.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP
VM Extensions
Microsoft.Compute/virtualMachines/extensions/read
Grants read access to virtual machine extensions.
Yes
Provisioning,Add Instance,Clone,Restore
Public CP DP Private CP DP