# Azure permission mapping
| Category | Entity create level | Tessell Permission | Cloud Description | Applicable for Register Use Case(Not completely managed Tessell Sub) | Feature Mapping | Private CP DP Use Case |
| ------------------------------------- | -------------------------- | ------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | ------------------------------------ |
| Storage Account | Region | Microsoft.Storage/storageAccounts/blobServices/read | Grants read access to blob services within storage accounts. | Yes | Subscription | Private CP DP
Public CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/blobServices/write | Allows updating settings of blob services within storage
accounts.
| Yes | Subscription | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/\* | Grants all permissions on blobs within containers in blob
services of storage accounts.
| Yes | PITR | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action | Allows adding new blobs to containers. | Yes | PITR | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | Grants permission to delete blobs within containers. | Yes | SLA | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action | Allows moving blobs between containers or within a container. | Yes | PITR,DAP | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Grants read access to blobs within containers. | Yes
| PITR,Clone | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | Allows writing or updating blobs within containers. | Yes
| PITR | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/listkeys/action | Allows listing the access keys for a storage account. | Yes
| PITR | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/checknameavailability/read | Allows checking the availability of a storage account name. | Yes | PITR | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/read | Grants read access to storage accounts | Yes
| Subscription,PITR | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/write | Allows creating or updating storage accounts. | No
| Subscription,PITR | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/delete | Grants permission to delete storage accounts. | No
| Delete AM | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/locations/checknameavailability/read | Allows checking storage account name availability in specific
locations.
| Yes
| PITR | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/operations/read | Grants read access to storage account operations metadata. | Yes
| PITR,Clone | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/objectReplicationPolicies/write | Allows creating or updating object replication policies for storage accounts. | Yes | DAP | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/objectReplicationPolicies/read | Grants read access to object replication policies within storage accounts. | Yes | DAP | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete | Grants permission to delete object replication policies within
storage accounts.
| Yes | DAP | Public CP DP
Private CP DP
|
| Compute Operations | | Microsoft.Compute/locations/operations/read | Grants read access to compute operations in specific locations. | Yes | Provisioning,Add Instance,Clone,Restore,Service
Resize
| Public CP DP
Private CP DP
|
| Data Collection Endpoints | Region | Microsoft.Insights/DataCollectionEndpoints/Write | Allows creating or updating data collection endpoints. | Yes | Subscription, DB Logs | Public CP DP
Private CP DP
|
| Data Collection Endpoints | Region | Microsoft.Insights/DataCollectionEndpoints/Read | Grants read access to data collection endpoints. | Yes | Subscription,Provisioning,Add
Instance,Clone,Restore, DB Logs
| Public CP DP
Private CP DP
|
| Data Collection Endpoints | Region | Microsoft.Insights/DataCollectionEndpoints/Delete | Grants permission to delete data collection endpoints. | Yes
| Subscription,DB Logs | Public CP DP
Private CP DP
|
| Data Collection Rules | Compute
Resource
| Microsoft.Insights/dataCollectionRuleAssociations/Write | Allows creating or updating data collection rule associations. | Yes
| Provisioning,Add Instance,Clone,Restore, DB Logs | Public CP DP
Private CP DP
|
| Data Collection Rules | Compute
Resource
| Microsoft.Insights/dataCollectionRuleAssociations/Read | Grants read access to data collection rule associations. | Yes
| Provisioning,Add Instance,Clone,Restore, DB Logs | Public CP DP
Private CP DP
|
| Data Collection Rules | Compute
Resource
| Microsoft.Insights/dataCollectionRuleAssociations/Delete | Grants permission to delete data collection rule associations. | Yes
| Delete Service,DB Logs | Public CP DP
Private CP DP
|
| Data Collection Rules | Compute
Resource
| Microsoft.Insights/dataCollectionRules/write | Allows creating or updating data collection rules. | Yes
| Provisioning,Add Instance,Clone,Restore,DB Logs | Public CP DP
Private CP DP
|
| Data Collection Rules | Compute
Resource
| Microsoft.Insights/dataCollectionRules/read | Grants read access to data collection rules. | Yes
| Provisioning,Add Instance,Clone,Restore, DB Logs | Public CP DP
Private CP DP
|
| Data Collection Rules | Compute
Resource
| Microsoft.Insights/dataCollectionRules/Delete | Grants permission to delete data collection rules. | Yes
| Delete Service,DB Logs | Public CP DP
Private CP DP
|
| Disk Encryption Sets | Region | Microsoft.Compute/diskEncryptionSets/read | Grants read access to disk encryption sets. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Disk Encryption Sets | Region | Microsoft.Compute/diskEncryptionSets/write | Allows creating or updating disk encryption sets. | No
| Provisioning,Add Instance,Clone,Restore-BYOK | Public CP DP
Private CP DP
|
| Disk Encryption Sets | Region | Microsoft.Compute/diskEncryptionSets/delete | Grants permission to delete disk encryption sets. | No
| Provisioning,Add Instance,Clone,Restore-BYOK | Public CP DP
Private CP DP
|
| Disks | DB Service | Microsoft.Compute/disks/read | Grants read access to disks. | Yes
| Provisioning,Add
Instance,Clone,Restore,Patching,Resize
| Public CP DP
Private CP DP
|
| Disks | DB Service | Microsoft.Compute/disks/write | Allows creating or updating disks. | Yes
| Provisioning,Add
Instance,Clone,Restore,Patching,Resize
| Public CP DP
Private CP DP
|
| Disks | DB Service | Microsoft.Compute/disks/delete | Grants permission to delete disks. | Yes | Delete Service, Delete Instance, Patching | Public CP DP
Private CP DP
|
| Disks | DB Service | Microsoft.Compute/disks/beginGetAccess/action | Initiates access to a disk. | Yes | Provisioning,Add
Instance,Clone,Restore,Patching,Resize
| Public CP DP
Private CP DP
|
| Disks | DB Service | Microsoft.Compute/disks/endGetAccess/action | Revokes access toa disk. | Yes | Delete Service, Delete Instance | Public CP DP
Private CP DP
|
| Disks | DB Service | Microsoft.Compute/disks/download/action | Allows downloading disks. | Yes | | Public CP DP
Private CP DP
|
| Disks | DB Service | Microsoft.Compute/disks/upload/action | Allows uploading data to disks. | Yes | | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/accessPolicies/write | Allows creating or updating access policies for a Key Vault. | No | Subscription | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/deploy/action | Allows deploying resources into a Key Vault. | Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/keys/versions/read | Grants read access to all versions of a key in a Key Vault. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/keys/read | Grants read access to keys stored in a Key Vault. | Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/keys/write | Allows creating or updating keys in a Key Vault. | No
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/keys/encrypt/action | Allows encrypting data using keys stored in the Key Vault. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/keys/decrypt/action | Allows decrypting data using keys stored in the Key Vault. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/keys/create/action | Allows creating new keys in the Key Vault. | No
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/keys/update/action | Allows updating existing keys in the Key Vault. | No
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/keys/delete | Grants permmission to delete keys from the Key Vault. | No
| Delete Service, Delete Instance | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/keys/purge/action | Allows purging deleted keys from the Key Vault permanently. | No | Delete Service,Delete Instance | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/keys/import/action | Allows importing keys into the Key Vault. | No
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/ocations/operationResults/read | Grants read access to the results of Key Vault operations in
specific locations.
| Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/operations/read | Grants read access to Key Vault operations metadata. | Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/secrets/write | Allows creating or updating secrets in a Key Vault. | Yes | Provisioning,Add Instance,Clone,Restore | Public CPDP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/secrets/delete | Grants permission to delete secrets from the Key Vault. | Yes | Delete Service, Delete Instance | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/secrets/getSecret/action | Allows retrieving (reading) secrets from the Key Vault. | Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/secrets/update/action | Allows updating secrets in the Key Vault. | Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/secrets/purge/action | Allows purging deleted secrets from the Key Vault permanently. | Yes | Delete Service, Delete Instance | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/secrets/setSecret/action | Allows setting (creating or updating) secrets in the Key Vault. | Yes | Change Password | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/read | Grants read access to Key Vaults. | Yes | | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/write | Allows creating or updating Key Vaults. | No | | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/delete | Grants permission to delete Key Vaults. | No
| | Public CP DP
Private CP DP
|
| Load Balancer | VPC | Microsoft.Network/loadBalancers/backendAddressPools/write | Allows creating or updating backend address pools of load
balancers.
| Yes | | Public CP DP
Private CP DP
|
| Load Balancer | VPC | Microsoft.Network/loadBalancers/backendAddressPools/read | Grants read access to backend address pools of load balanoers. | Yes | | Public CP DP
Private CP DP
|
| Load Balancer | VPC | Microsoft.Network/loadBalancers/backendAddressPools/delete | Grants permission to delete backend address pools of load
balancers.
| Yes | | Public CP DP
Private CP DP
|
| Load Balancer | VPC | Microsoft.Network/loadBalancers/backendAddressPools/join/action | Allows backend pools to be associated with other resources. | Yes | | Public CP DP
Private CP DP
|
| Load Balancer | VPC | Microsoft.Network/loadBalancers/read | Grants read access to load balancers. | Yes | Create Private Link | Public CP DP
Private CP DP
|
| Load Balancer | VPC | Microsoft.Network/loadBalancers/write | Allows creating or updating load balancers. | Yes | Create Private Link | Public CP DP
Private CP DP
|
| Load Balancer | VPC | Microsoft.Network/loadBalancers/delete | Grants permission to delete load balancers. | Yes | Create Private Link | Public CP DP
Private CP DP
|
| Log Analytics Workspace | Resource
Group
| Microsoft.Operationallnsights/workspaces/datasources/write | Allows creating or updating data sources in a Log Analytics
workspace.
| Yes | Provisioning,Add Instance,Clone,Restore, DB Logs | Public CP DP
Private CP DP
|
| Log Analytics Workspace | Resource
Group
| Microsoft.Operationallnsights/locations/operationstatuses/read | Grants read access to operation statuses of Log Analytics in
specific locations.
| Yes | Subscription, Provisioning,Add
Instance,Clone,Restore, DB Logs
| Public CP DP
Private CP DP
|
| Log Analytics Workspace | Resource
Group
| Microsoft.OperationalInsights/workspaces/tables/query/read | Grants read access to queries on tables in a Log Analytics
workspace.
| Yes | DB Logs | Public CP DP
Private CP DP
|
| Log Analytics Workspace | Resource
Group
| Microsoft.Operationallnsights/workspaces/tables/write | Allows creating or updating tables in a Log Analytics workspace. | Yes | Subscription,DB Logs | Public CP DP
Private CP DP
|
| Log Analytics Workspace | Resource
Group
| Microsoft.Operationallnsights/workspaces/tables/read | Grants read access to tables in a Log Analytics workspace. | Yes | Subscription,DB Logs | Public CP DP
Private CP DP
|
| Log Analytics Workspace | Resource
Group
| Microsoft.Operationallnsights/workspaces/tables/delete | Grants permission to delete tables in a Log Analytics workspace. | Yes | Subscription,DB Logs | Public CP DP
Private CP DP
|
| Log Analytics Workspace | Resource
Group
| Microsoft.Operationallnsights/workspaces/query/"/read | Grants read access to all queries in a Log Analytics workspace. | Yes | DB Logs | Public CP DP
Private CP DP
|
| Log Analytics Workspace | Resource
Group
| Microsoft.Operationallnsights/workspaces/read | Grants read access to Log Analytics workspaces. | Yes | Subscription, DB Logs | Public CP DP
Private CP DP
|
| Log Analytics Workspace | Resource
Group
| Microsoft.Operationallnsights/workspaces/sharedkeys/action | Allows access to shared keys of a Log Analytics workspace. | Yes | Subscription,DB Logs | Public CP DP
Private CP DP
|
| Log Analytics Workspace | Resource
Group
| Microsoft.Operationallnsights/workspaces/delete | Grants permission to delete Log Analytics workspaces. | No | Subscription,DB Logs | Public CP DP
Private CP DP
|
| NAT Gateway | VPC | Microsoft.Network/natGateways/write | Allows creating or updating NAT gateways. | Yes | Update Service access from Public to
Private(Non-BYON)
| Public CP DP |
| NAT Gateway | VPC | Microsoft.Network/natGateways/delete | Grants permission to delete NAT gateways. | Yes | Update Service access from Public to
Private(Non-BYON)
| Public CP DP |
| NAT Gateway | VPC | Microsoft.Network/natGateways/read | Grants read access to NAT gateways. | Yes
| Update Service access from Public to
Private(Non-BYON)
| Public CP DP |
| NAT Gateway | VPC | Microsoft.Network/natGateways/join/action | Allows NAT gateways to be associated with other resources. | Yes
| Update Service access from Public to
Private(Non-BYON)
| Public CP DP |
| Network Interface | Compute
Resource
| Microsoft.Network/networkinterfaces/read | Grants read access to network interfaces. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Network Interface | Compute
Resource
| Microsoft.Network/networkInterfaces/write | Allows creating or updating network interfaces. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Network Interface | Compute
Resource
| Microsoft.Network/networkinterfaces/delete | Grants permission to delete network interfaces. | Yes
| Delete Service, Delete Instance | Public CP DP
Private CP DP
|
| Network Interface | Compute
Resource
| Microsoft.Network/networkinterfaces/join/action | Allows network interfaces to be associated with other resources. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Network Security Group | DB Service | Microsoft.Network/networkSecurityGroups/securityRules/read | Grants read access to security rules within network security
groups.
| Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Network Security Group | DB Service | Microsoft.Network/networkSecurityGroups/securityRules/write | Allows creating or updating security rules within network security groups. | Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Network Security Group | DB Service | Microsoft.Network/networkSecurityGroups/securityRules/delete | Grants permission to delete security rules within network
security groups.
| Yes | Delete Service, Delete Instance | Public CP DP
Private CP DP
|
| Network Security Group | DB Service | Microsoft.Network/networkSecurityGroups/read | Grants read access to network security groups (NSGs). | Yes | Provisioning.Add Instance,Clone,Restore,Add IPs | Public CP DP
Private CP DP
|
| Network Security Group | DB Service | Microsoft.Network/networkSecurityGroups/write | Allows creating or updating network security groups. | Yes | Provisioning,Add Instance,Clone,Restore,Add IPs | Public CP DP
Private CP DP
|
| Network Security Group | DB Service | Microsoft.Network/networkSecurityGroups/delete | Grants permission to delete network security groups. | Yes | Delete Service, Delete Instance | Public CP DP
Private CP DP
|
| Network Security Group | DB Service | Microsoft.Network/networkSecurityGroups/join/action | Allows NSGs to be associated with other resources. | Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Private Endpoint
Connection
| Resource
Group
| Microsoft.Network/privateLinkServices/privateEndpointConnections/read | Grants read access to private endpoint connections associated with a private link service. | Yes | Subscription,Service Private Link | Public CP DP
Private CP DP
|
| Private Endpoint
Connection
| Resource
Group
| Microsoft.Network/privateLinkServices/privateEndpointConnections/write | Allows updating private endpoint connections associated with a private link service. | Yes | Create Service Private Link | Public CP DP
Private CP DP
|
| Private Endpoint
Connection
| Resource
Group
| Microsoft.Network/privateLinkServices/privateEndpointConnections/delete | Grants permission to delete private endpoint connections
associated with a private link service.
| Yes | Delete Service Private Link | Public CP DP
Private CP DP
|
| Private Endpoint
Connection
| Resource
Group
| Microsoft.Network/privateLinkServices/PrivateEndpointConnectionsApproval/action | Allows approving private endpoint connections to a private link service. | Yes | Subscription | Private CP DP |
| Private Endpoint
Connection
| Resource
Group
| Microsoft.Network/privateLinkServices/notifyPrivateEndpointMove/action | Allows notifying about private endpoint moves related to a
private link service.
| Yes | Subscription | Private CP DP |
| Private Endpoint
Connection
| Resource
Group
| Microsoft.Network/privateEndpoints/read | Grants read access to private endpoints. | Yes | Subscription | Private CP DP |
| Private Endpoint
Connection
| Resource
Group
| Microsoft.Insights/PrivateLinkScopes/ScopedResources/Read | Grants read access to resources scoped within a Private Link Scope. | Yes | Subscription | Private CP DP |
| Private Endpoint
Connection
| Resource
Group
| Microsoft.Insights/PrivateLinkScopes/ScopedResources/Write | Allows adding or updating resources scoped within a Private
Link Scope.
| Yes | Subscription | Private CP DP |
| Private Endpoint
Connection
| Resource
Group
| Microsoft.Insights/PrivateLinkScopes/ScopedResources/Delete | Grants permission to delete resources scoped within a Private Link Scope. | Yes | Subscription | Private CP DP |
| Private Endpoint
Connection
| Resource
Group
| Microsoft.Insights/privateLinkScopes/read | Grants read access to Azure Monitor Private Link Scopes. | Yes | Subscription | Private CP DP |
| Private Link Services | VPC | Microsoft.Network/locations/autoApprovedPrivateLinkServices/read | Grants read access to auto-approved private link services in
specific locations.
| Yes | Create Service Private Link | Private CP DP
Public CP DP
|
| Private Link Services | VPC | Microsoft.Network/locations/availablePrivateEndpointTypes/read | Grants read access to available private endpoint types in
specific locations.
| Yes | Create Service Private Link | Private CP DP
Public CP DP
|
| Private Link Services | VPC | Microsoft.Network/privateLinkServices/read | Grants read access to private link services. | Yes | Private Link | Public CP DP
Private CP DP
|
| Private Link Services | VPC | Microsoft.Network/privateLinkServices/write | Allows creating or updating private link services. | Yes | Create Service Private Link | Public CP DP
Private CP DP
|
| Private Link Services | VPC | Microsoft.Network/privateLinkServices/delete | Grants permission to delete private link services. | Yes
| Delete Service Private Link | Public CP DP
Private CP DP
|
| Public IP Address | Compute
Resource
| Microsoft.Network/publiclPAddresses/read | Grants read access to public IP addresses. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Public IP Address | Compute
Resource
| Microsoft.Network/publiclPAddresses/write | Allows creating or updating public IP addresses. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Public IP Address | Compute
Resource
| Microsoft.Network/publiclPAddresses/delete | Grants permission to delete public IP addresses. | Yes | Delete Service, Delete Instance | Public CP DP
Private CP DP
|
| Public IP Address | Compute
Resource
| Microsoft.Network/publiclPAddresses/join/action | Allows public IP addresses to be associated with other
resources.
| Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Resource Groups | | Microsoft.Resources/subscriptions/resourceGroups/read | Grants read access to resource groups within a subscription. | Yes | Subscription | Public CP DP
Private CPDP
|
| Resource Locks | Compute
Resource
| Microsoft.Authorization/locks/read | Grants read access to resource locks. | Yes | Provisioning,Add Instance,Clone,Restore, Start
Service, Stop Service, Delete Service
| Public CP DP
Private CP DP
|
| Resource Locks | Compute
Resource
| Microsoft.Authorization/locks/write | Allows creating or updating resource locks. | Yes | Provisioning,Add Instance,Clone,Restore, Start
Service,Stop Service, Delete Service
| Public CP DP
Private CP DP
|
| Resource Locks | Compute
Resource
| Microsoft.Authorization/locks/delete | Grants permission to delete resource locks. | Yes | Stop Service, Delete Service | Public CP DP
Private CP DP
|
| Role Assignments | | Microsoft.Authorization/roleAssignments/read | Grants read access to role assignments. | Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Run Commands | | Microsoft.Compute/virtualMachines/runCommands/write | Allows creating or updating run commands on virtual machines. | Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CPDP
|
| Shared Image Gallery
Images
| | Microsoft.Compute/galleries/images/versions/read | Grants read access to image versions in shared image galleries. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Shared Image Gallery
Images
| | Microsoft.Compute/galleries/images/versions/write | Allows creating or updating image versions in shared image
galleries.
| Yes
| | Public CP DP
Private CP DP
|
| Shared Image Gallery
Images
| | Microsoft.Compute/galleries/images/versions/delete | Grants permission to delete image versions in shared image
galleries.
| Yes
| | Public CP DP
Private CP DP
|
| Snapshots | DB Service | Microsoft.Compute/snapshots/write | Allows creating or updating snapshots of disks. | Yes | AM | Public CP DP
Private CP DP
|
| Snapshots | DB Service | Microsoft.Compute/snapshots/delete | Grants permission to delete disk snapshots. | Yes
| AM | Public CP DP
Private CP DP
|
| Snapshots | DB Service | Microsoft.Compute/snapshots/beginGetAccess/action | Initiates access to a snapshot. | Yes
| AM | Public CP DP
Private CP DP
|
| Snapshots | DB Service | Microsoft.Compute/snapshots/endGetAccess/action | Revokes access to a snapshot. | Yes | AM | Public CP DP
Private CP DP
|
| Snapshots | DB Service | Microsoft.Compute/snapshots/read | Grants read access to disk snapshots. | Yes | Clone,Restore | Public CP DP
Private CP DP
|
| Snapshots | DB Service | Microsoft.Compute/snapshots/download/action | Allows downloading snapshots. | Yes | | Public CP DP
Private CP DP
|
| Snapshots | DB Service | Microsoft.Compute/snapshots/upload/action | Allows uploading data to snapshots. | Yes | | Public CP DP
Private CP DP
|
| Managed Identity | Resource
Group
| Microsoft.Managedldentity/userAssignedldentities/read | Grants read access to user-assigned managed identities. | Yes | Subscription, Provisioning.Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Managed Identity | Resource
Group
| Microsoft.Managedldentity/userAssignedldentities/assign/action | Allows assigning a user-assigned managed identity to a
resource.
| Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Virtual Machines | Compute
Resource
| Microsoft.Compute/virtualMachines/read | Grants read access to virtual machines (VMs). | Yes
| Provisioning,Add Instance,Clone,Restore,Stop
Service,Start Service
| Public CP DP
Private CP DP
|
| Virtual Machines | Compute
Resource
| Microsoft.Compute/virtualMachines/write | Allows creating or updating virtual machines. | Yes
| Provisioning,Add Instance,Clone,Restore,Stop
Service,Start Service
| Public CP DP
Private CP DP
|
| Virtual Machines | Compute
Resource
| Microsoft.Compute/virtualMachines/delete | Grants permission to delete virtual machines. | Yes
| Delete Service, Delete Instance | Public CP DP
Private CP DP
|
| Virtual Machines | Compute
Resource
| Microsoft.Compute/virtualMachines/start/action | Allows starting a virtual machine. | Yes
| Start Service | Public CP DP
Private CP DP
|
| Virtual Machines | Compute
Resource
| Microsoft.Compute/virtualMachines/powerOff/action | Allows powering off a virtual machine. | Yes
| Stop Service | Public CP DP
Private CP DP
|
| Virtual Machines | Compute
Resource
| Microsoft.Compute/virtualMachines/restart/action | Allows restarting a virtual machine. | Yes
| | Public CP DP
Private CP DP
|
| Virtual Machines | Compute
Resource
| Microsoft.Compute/virtualMachines/runCommand/action | Allows running commands on a virtual machine remotely. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Virtual Machines | Compute
Resource
| Microsoft.Compute/virtualMachines/deallocate/action | Allows deallocating a virtual machine. | Yes
| Delete Service, Delete Instance | Public CP DP
Private CP DP
|
| Virtual Network Peerings | VPC | Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | Grants read access to virtual network peerings. | No
| Add Instance | Public CPDP
Private CP DP
|
| Virtual Network Peerings | VPC | Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write | Allows creating or updating virtual network peerings. | No
| Add Instance | Public CP DP
Private CP DP
|
| Virtual Network Peerings | VPC | Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete | Grants permission to delete virtual network peerings. | No
| Add Instance | Public CP DP
Private CP DP
|
| Virtual Networks | VPC | Microsoft.Network/virtualNetworks/read | Grants read access to virtual networks. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Virtual Networks | VPC | Microsoft.Network/virtualNetworks/write | Allows creating or updating virtual networks. | No | Add Network | Public CP DP
Private CP DP
|
| Virtual Networks | VPC | Microsoft.Network/virtualNetworks/delete | Grants permission to delete virtual networks. | No
| Remove Network | Public CP DP
Private CP DP
|
| Virtual Networks | VPC | Microsoft.Network/virtualNetworks/peer/action | Allows peering of virtual networks. | No
| Add Instance | Public CP DP
Private CP DP
|
| Virtual Networks | VPC | Microsoft.Network/virtualNetworks/subnets/read | Grants read access to subnets within a virtual network. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Virtual Networks | VPC | Microsoft.Network/virtualNetworks/subnets/join/action | Allows subnets to be associated with other resources. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Virtual Networks | VPC | Microsoft.Network/virtualNetworks/subnets/write | Allows creating or updating subnets within a virtual network. | No
| Add Network | Public CP DP
Private CP DP
|
| Virtual Networks | VPC | Microsoft.Network/virtualNetworks/subnets/delete | Grants permission to delete subnets within a virtual network. | No | Remove Network | Public CP DP
Private CP DP
|
| VM Evtensi | | Microsoft.Compute/virtualMachines/extensions/write | Allows adding or updating extensions on virtual machines. | Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| VM Extensions | | Microsoft.Compute/virtualMachines/extensions/read | Grants read access to virtual machine extensions. | Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|