| Name | Description |
| AcrDelete | acr delete |
| AcrImageSigner | acr image signer |
| AcrPull | acr pull |
| AcrPush | acr push |
| AcrQuarantineReader | acr quarantine data reader |
| AcrQuarantineWriter | acr quarantine data writer |
| AgFood Platform Service Admin | Provides admin access to AgFood Platform Service |
| AgFood Platform Service Contributor | Provides contribute access to AgFood Platform Service |
| AgFood Platform Service Reader | Provides read access to AgFood Platform Service |
| API Management Service Contributor | Can manage service and the APIs |
| API Management Service Operator Role | Can manage service but not the APIs |
| API Management Service Reader Role | Read-only access to service and APIs |
| App Configuration Data Owner | Allows full access to App Configuration data. |
| App Configuration Data Reader | Allows read access to App Configuration data. |
| Application Insights Component Contributor | Can manage Application Insights components |
| Application Insights Snapshot Debugger | Gives user permission to use Application Insights Snapshot Debugger features |
| Attestation Contributor | Can read write or delete the attestation provider instance |
| Attestation Reader | Can read the attestation provider properties |
| Automation Job Operator | Create and Manage Jobs using Automation Runbooks. |
| Automation Operator | Automation Operators are able to start, stop, suspend, and resume jobs |
| Automation Runbook Operator | Read Runbook properties - to be able to create Jobs of the runbook. |
| Avere Contributor | Can create and manage an Avere vFXT cluster. |
| Avere Operator | Used by the Avere vFXT cluster to manage the cluster |
| Azure Arc Enabled Kubernetes Cluster User Role | List cluster user credentials action. |
| Azure Arc Kubernetes Admin | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. |
| Azure Arc Kubernetes Cluster Admin | Lets you manage all resources in the cluster. |
| Azure Arc Kubernetes Viewer | Lets you view all resources in cluster/namespace, except secrets. |
| Azure Arc Kubernetes Writer | Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings. |
| Azure Connected Machine Onboarding | Can onboard Azure Connected Machines. |
| Azure Connected Machine Resource Administrator | Can read, write, delete and re-onboard Azure Connected Machines. |
| Azure Digital Twins Data Owner | Full access role for Digital Twins data-plane |
| Azure Digital Twins Data Reader | Read-only role for Digital Twins data-plane properties |
| Azure Event Hubs Data Owner | Allows for full access to Azure Event Hubs resources. |
| Azure Event Hubs Data Receiver | Allows receive access to Azure Event Hubs resources. |
| Azure Event Hubs Data Sender | Allows send access to Azure Event Hubs resources. |
| Azure Kubernetes Service Cluster Admin Role | List cluster admin credential action. |
| Azure Kubernetes Service Cluster User Role | List cluster user credential action. |
| Azure Kubernetes Service Contributor Role | Grants access to read and write Azure Kubernetes Service clusters |
| Azure Kubernetes Service RBAC Admin | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. |
| Azure Kubernetes Service RBAC Cluster Admin | Lets you manage all resources in the cluster. |
| Azure Kubernetes Service RBAC Reader | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API a… |
| Azure Kubernetes Service RBAC Writer | Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels o… |
| Azure Maps Data Contributor | Grants access to read, write, and delete access to map related data from an Azure maps account. |
| Azure Maps Data Reader | Grants access to read map related data from an Azure maps account. |
| Azure Sentinel Contributor | Azure Sentinel Contributor |
| Azure Sentinel Reader | Azure Sentinel Reader |
| Azure Sentinel Responder | Azure Sentinel Responder |
| Azure Service Bus Data Owner | Allows for full access to Azure Service Bus resources. |
| Azure Service Bus Data Receiver | Allows for receive access to Azure Service Bus resources. |
| Azure Service Bus Data Sender | Allows for send access to Azure Service Bus resources. |
| Azure Stack Registration Owner | Lets you manage Azure Stack registrations. |
| AzureML Metrics Writer (preview) | Lets you write metrics to AzureML workspace |
| Backup Contributor | Lets you manage backup service,but can't create vaults and give access to others |
| Backup Operator | Lets you manage backup services, except removal of backup, vault creation and giving access to others |
| Backup Reader | Can view backup services, but can't make changes |
| Billing Reader | Allows read access to billing data |
| BizTalk Contributor | Lets you manage BizTalk services, but not access to them. |
| Blockchain Member Node Access (Preview) | Allows for access to Blockchain Member nodes |
| Blueprint Contributor | Can manage blueprint definitions, but not assign them. |
| Blueprint Operator | Can assign existing published blueprints, but cannot create new blueprints. NOTE: this only works if the assignment is done with a user-assigned managed identity. |
| CDN Endpoint Contributor | Can manage CDN endpoints, but can’t grant access to other users. |
| CDN Endpoint Reader | Can view CDN endpoints, but can’t make changes. |
| CDN Profile Contributor | Can manage CDN profiles and their endpoints, but can’t grant access to other users. |
| CDN Profile Reader | Can view CDN profiles and their endpoints, but can’t make changes. |
| Classic Network Contributor | Lets you manage classic networks, but not access to them. |
| Classic Storage Account Contributor | Lets you manage classic storage accounts, but not access to them. |
| Classic Storage Account Key Operator Service Role | Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts |
| Classic Virtual Machine Contributor | Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they’re connected to. |
| ClearDB MySQL DB Contributor | Lets you manage ClearDB MySQL databases, but not access to them. |
| Cognitive Services Contributor | Lets you create, read, update, delete and manage keys of Cognitive Services. |
| Cognitive Services Custom Vision Contributor | Full access to the project, including the ability to view, create, edit, or delete projects. |
| Cognitive Services Custom Vision Deployment | Publish, unpublish or export models. Deployment can view the project but can’t update. |
| Cognitive Services Custom Vision Labeler | View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can’t update anything other than training images and tags. |
| Cognitive Services Custom Vision Reader | Read-only actions in the project. Readers can’t create or update the project. |
| Cognitive Services Custom Vision Trainer | View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can’t create or delete the project. |
| Cognitive Services Data Reader (Preview) | Lets you read Cognitive Services data. |
| Cognitive Services Metrics Advisor Administrator | Full access to the project, including the system level configuration. |
| Cognitive Services Metrics Advisor User | Access to the project. |
| Cognitive Services QnA Maker Editor | Let’s you create, edit, import and export a KB. You cannot publish or delete a KB. |
| Cognitive Services QnA Maker Reader | Let’s you read and test a KB only. |
| Cognitive Services User | Lets you read and list keys of Cognitive Services. |
| Collaborative Data Contributor | Can manage data packages of a collaborative. |
| Contributor | Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC. |
| Cosmos DB Account Reader Role | Can read Azure Cosmos DB Accounts data |
| Cosmos DB Operator | Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. |
| CosmosBackupOperator | Can submit restore request for a Cosmos DB database or a container for an account |
| Cost Management Contributor | Can view costs and manage cost configuration (e.g. budgets, exports) |
| Cost Management Reader | Can view cost data and configuration (e.g. budgets, exports) |
| Data Box Contributor | Lets you manage everything under Data Box Service except giving access to others. |
| Data Box Reader | Lets you manage Data Box Service except creating order or editing order details and giving access to others. |
| Data Factory Contributor | Create and manage data factories, as well as child resources within them. |
| Data Lake Analytics Developer | Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. |
| Data Purger | Can purge analytics data |
| Desktop Virtualization User | Allows user to use the applications in an application group. |
| Device Update Administrator | Gives you full access to management and content operations |
| Device Update Content Administrator | Gives you full access to content operations |
| Device Update Content Reader | Gives you read access to content operations, but does not allow making changes |
| Device Update Deployments Administrator | Gives you full access to management operations |
| Device Update Deployments Reader | Gives you read access to management operations, but does not allow making changes |
| Device Update Reader | Gives you read access to management and content operations, but does not allow making changes |
| DevTest Labs User | Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. |
| DNS Zone Contributor | Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. |
| DocumentDB Account Contributor | Lets you manage DocumentDB accounts, but not access to them. |
| EventGrid EventSubscription Contributor | Lets you manage EventGrid event subscription operations. |
| EventGrid EventSubscription Reader | Lets you read EventGrid event subscriptions. |
| Experimentation Administrator | Experimentation Administrator |
| Experimentation Contributor | Experimentation Contributor |
| Experimentation Reader | Experimentation Reader |
| FHIR Data Contributor | Role allows user or principal full access to FHIR Data |
| FHIR Data Exporter | Role allows user or principal to read and export FHIR Data |
| FHIR Data Reader | Role allows user or principal to read FHIR Data |
| FHIR Data Writer | Role allows user or principal to read and write FHIR Data |
| Graph Owner | Create and manage all aspects of the Enterprise Graph - Ontology, Schema mapping, Conflation and Conversational AI and Ingestions |
| HDInsight Cluster Operator | Lets you read and modify HDInsight cluster configurations. |
| HDInsight Domain Services Contributor | Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package |
| Hierarchy Settings Administrator | Allows users to edit and delete Hierarchy Settings |
| Hybrid Server Onboarding | Can onboard new Hybrid servers to the Hybrid Resource Provider. |
| Hybrid Server Resource Administrator | Can read, write, delete, and re-onboard Hybrid servers to the Hybrid Resource Provider. |
| Integration Service Environment Contributor | Lets you manage integration service environments, but not access to them. |
| Integration Service Environment Developer | Allows developers to create and update workflows, integration accounts and API connections in integration service environments. |
| Intelligent Systems Account Contributor | Lets you manage Intelligent Systems accounts, but not access to them. |
| Key Vault Administrator (preview) | Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. |
| Key Vault Certificates Officer (preview) | Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. |
| Key Vault Contributor | Lets you manage key vaults, but not access to them. |
| Key Vault Crypto Officer (preview) | Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. |
| Key Vault Crypto Service Encryption (preview) | Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. |
| Key Vault Crypto User (preview) | Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. |
| Key Vault Reader (preview) | Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. |
| Key Vault Secrets Officer (preview) | Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. |
| Key Vault Secrets User (preview) | Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. |
| Knowledge Consumer | Knowledge Read permission to consume Enterprise Graph Knowledge using entity search and graph query |
| Kubernetes Cluster - Azure Arc Onboarding | Role definition to authorize any user/service to create connectedClusters resource |
| Lab Creator | Lets you create new labs under your Azure Lab Accounts. |
| Log Analytics Contributor | Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; creating and configuring Autom… |
| Log Analytics Reader | Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. |
| Logic App Contributor | Lets you manage logic app, but not access to them. |
| Logic App Operator | Lets you read, enable and disable logic app. |
| Managed Application Contributor Role | Allows for creating managed application resources. |
| Managed Application Operator Role | Lets you read and perform actions on Managed Application resources |
| Managed Applications Reader | Lets you read resources in a managed app and request JIT access. |
| Managed HSM contributor | Lets you manage managed HSM pools, but not access to them. |
| Managed Identity Contributor | Create, Read, Update, and Delete User Assigned Identity |
| Managed Identity Operator | Read and Assign User Assigned Identity |
| Managed Services Registration assignment Delete Role | Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant. |
| Management Group Contributor | Management Group Contributor Role |
| Management Group Reader | Management Group Reader Role |
| Marketplace Admin | Administrator of marketplace resource provider |
| Metric Contributor | Allows for creation, writes and reads to the metric set via the metrics service APIs. |
| Monitoring Contributor | Can read all monitoring data and update monitoring settings. |
| Monitoring Metrics Publisher | Enables publishing metrics against Azure resources |
| Monitoring Reader | Can read all monitoring data. |
| Network Contributor | Lets you manage networks, but not access to them. |
| New Relic APM Account Contributor | Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. |
| Object Understanding Account Owner | Provides user with ingestion capabilities for Azure Object Understanding. |
| Object Understanding Account Reader | Lets you read ingestion jobs for an object understanding account. |
| Owner | Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. |
| Policy Insights Data Writer (Preview) | Allows read access to resource policies and write access to resource component policy events. |
| Private DNS Zone Contributor | Lets you manage private DNS zone resources, but not the virtual networks they are linked to. |
| Project Babylon Data Curator | The Microsoft.ProjectBabylon data curator can create, read, modify and delete catalog data objects and establish relationships between objects. This role is in preview and subject to change. |
| Project Babylon Data Reader | The Microsoft.ProjectBabylon data reader can read catalog data objects. This role is in preview and subject to change. |
| Project Babylon Data Source Administrator | The Microsoft.ProjectBabylon data source administrator can manage data sources and data scans. This role is in preview and subject to change. |
| Purview Data Curator | The Microsoft.Purview data curator can create, read, modify and delete catalog data objects and establish relationships between objects. This role is in preview and subject to change. |
| Purview Data Reader | The Microsoft.Purview data reader can read catalog data objects. This role is in preview and subject to change. |
| Purview Data Source Administrator | The Microsoft.Purview data source administrator can manage data sources and data scans. This role is in preview and subject to change. |
| Reader | View all resources, but does not allow you to make any changes. |
| Reader and Data Access | Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. |
| Redis Cache Contributor | Lets you manage Redis caches, but not access to them. |
| Remote Rendering Administrator | Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering |
| Remote Rendering Client | Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering. |
| Reservation Purchaser | Lets you purchase reservations |
| Resource Policy Contributor | Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy. |
| Scheduler Job Collections Contributor | Lets you manage Scheduler job collections, but not access to them. |
| Schema Registry Contributor (Preview) | Read, write, and delete Schema Registry groups and schemas. |
| Schema Registry Reader (Preview) | Read and list Schema Registry groups and schemas. |
| Search Service Contributor | Lets you manage Search services, but not access to them. |
| Security Admin | Security Admin Role |
| Security Assessment Contributor | Lets you push assessments to Security Center |
| Security Detonation Chamber Submitter | Allowed to create submissions to Security Detonation Chamber |
| Security Manager (Legacy) | This is a legacy role. Please use Security Administrator instead |
| Security Reader | Security Reader Role |
| Services Hub Operator | Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors. |
| SignalR AccessKey Reader | Read SignalR Service Access Keys |
| SignalR App Server (Preview) | Lets your app server access SignalR Service with AAD auth options. |
| SignalR Contributor | Create, Read, Update, and Delete SignalR service resources |
| SignalR Serverless Contributor (Preview) | Lets your app access service in serverless mode with AAD auth options. |
| SignalR Service Owner (Preview) | Full access to Azure SignalR Service REST APIs |
| SignalR Service Reader (Preview) | Read-only access to Azure SignalR Service REST APIs |
| Site Recovery Contributor | Lets you manage Site Recovery service except vault creation and role assignment |
| Site Recovery Operator | Lets you failover and failback but not perform other Site Recovery management operations |
| Site Recovery Reader | Lets you view Site Recovery status but not perform other management operations |
| Spatial Anchors Account Contributor | Lets you manage spatial anchors in your account, but not delete them |
| Spatial Anchors Account Owner | Lets you manage spatial anchors in your account, including deleting them |
| Spatial Anchors Account Reader | Lets you locate and read properties of spatial anchors in your account |
| SQL DB Contributor | Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. |
| SQL Managed Instance Contributor | Lets you manage SQL Managed Instances and required network configuration, but can’t give access to others. |
| SQL Security Manager | Lets you manage the security-related policies of SQL servers and databases, but not access to them. |
| SQL Server Contributor | Lets you manage SQL servers and databases, but not access to them, and not their security -related policies. |
| Storage Account Backup Contributor Role | Storage Account Backup Contributors are allowed to perform backup and restore of Storage Account. |
| Storage Account Contributor | Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data. |
| Storage Account Key Operator Service Role | Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts |
| Storage Blob Data Contributor | Allows for read, write and delete access to Azure Storage blob containers and data |
| Storage Blob Data Owner | Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control. |
| Storage Blob Data Reader | Allows for read access to Azure Storage blob containers and data |
| Storage Blob Delegator | Allows for generation of a user delegation key which can be used to sign SAS tokens |
| Storage File Data SMB Share Contributor | Allows for read, write, and delete access in Azure Storage file shares over SMB |
| Storage File Data SMB Share Elevated Contributor | Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB |
| Storage File Data SMB Share Reader | Allows for read access to Azure File Share over SMB |
| Storage Queue Data Contributor | Allows for read, write, and delete access to Azure Storage queues and queue messages |
| Storage Queue Data Message Processor | Allows for peek, receive, and delete access to Azure Storage queue messages |
| Storage Queue Data Message Sender | Allows for sending of Azure Storage queue messages |
| Storage Queue Data Reader | Allows for read access to Azure Storage queues and queue messages |
| Support Request Contributor | Lets you create and manage Support requests |
| Tag Contributor | Lets you manage tags on entities, without providing access to the entities themselves. |
| Traffic Manager Contributor | Lets you manage Traffic Manager profiles, but does not let you control who has access to them. |
| User Access Administrator | Lets you manage user access to Azure resources. |
| Virtual Machine Administrator Login | View Virtual Machines in the portal and login as administrator |
| Virtual Machine Contributor | Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to. |
| Virtual Machine User Login | View Virtual Machines in the portal and login as a regular user. |
| Web Plan Contributor | Lets you manage the web plans for websites, but not access to them. |
| Website Contributor | Lets you manage websites (not web plans), but not access to them. |
| Workbook Contributor | Can save shared workbooks. |
| Workbook Reader | Can read workbooks. |