Azure AD and Azure RBAC Roles
Azure Event Hubs Data Owner
Allows for full access to Azure Event Hubs resources.
Azure Kubernetes Service RBAC Reader
Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.
Azure Kubernetes Service RBAC Writer
Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.
Azure Event Hubs Data Receiver
Allows receive access to Azure Event Hubs resources.
Azure Event Hubs Data Sender
Allows send access to Azure Event Hubs resources.
Managed Identity Contributor
Create, Read, Update, and Delete User Assigned Identity
Global Administrator
Can manage all aspects of Azure AD and the Microsoft services that use Azure AD identities, including full access to Identity Protection.
Azure Kubernetes Service Contributor Role
Grants access to read and write Azure Kubernetes Service clusters
Contributor
Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
Owner
Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. With regard to ACR: access Resource Manager, create/delete a registry, push images, pull images, delete image data, and change policies.
Authentication Administrator
Can view, set, and reset authentication method information for any non-admin user.
SQL Managed Instance Contributor
Lets you manage SQL Managed Instances and required network configuration, but can't give access to others.
SQL DB Contributor
Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers.
SQL Server Contributor
Lets you manage SQL servers and databases, but not access to them, and not their security-related policies.
Azure Kubernetes Service RBAC Cluster Admin
Lets you manage all resources in the cluster.
Azure Kubernetes Service RBAC Admin
Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.
Classic Virtual Machine Contributor
Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to.
SQL Security Manager
Lets you manage the security-related policies of SQL servers and databases, but not access to them.
User Access Administrator
Lets you manage user access to Azure resources.
Virtual Machine Contributor
Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.
Security Assessment Contributor
Lets you push assessments to Security Center
Azure Kubernetes Service Cluster Admin Role
List cluster admin credential action: can retrieve the cluster-admin kubeconfig (Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action), which gives full Kubernetes cluster-admin access independent of Kubernetes RBAC unless local accounts are disabled on the cluster.
Azure Kubernetes Service Cluster User Role
List cluster user credential action: can retrieve the cluster user kubeconfig (Microsoft.ContainerService/managedClusters/listClusterUserCredential/action); on an Azure AD integrated cluster the caller's Kubernetes permissions are then decided by Azure RBAC for Kubernetes or Kubernetes RBAC.
Key Vault Contributor
Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates. Caveat: on a vault that still uses the access policy permission model, managing the vault includes writing its access policies, so a holder of this role can grant themselves data-plane access; use the 'Azure role-based access control' permission model to keep the control plane and data plane separate.
Key Vault Administrator
Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.
Key Vault Certificates Officer
Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.
Key Vault Secrets Officer
Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.
AcrQuarantineReader
Quarantine reader
AcrQuarantineWriter
Quarantine writer
Managed Identity Operator
Read and Assign User Assigned Identity
Key Vault Reader
Read metadata of key vaults and their certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model.
Key Vault Secrets User
Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model.
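The Key Vault entries above separate control-plane roles (Key Vault Contributor, Contributor, Owner) from data-plane roles (Key Vault Administrator, Secrets Officer, Secrets User), and the Owner and User Access Administrator entries note who can create role assignments. The script below is an added example, not code from this page or from Microsoft: it takes constructed role assignments and vault properties (field names follow the shape of `az role assignment list` and `az keyvault show` output, which is an assumption) and works out which principals can reach secret contents and by what path, including the access-policy-model escalation that the Key Vault Contributor entry warns about.

```python
"""Added example: map Azure RBAC assignments to secret-read paths per key vault.
Inputs are constructed inline so the script runs offline."""

# Data-plane roles whose permissions include reading secret values.
# They only take effect on vaults using the Azure RBAC permission model.
SECRET_READ_ROLES = {
    "Key Vault Administrator",
    "Key Vault Secrets Officer",
    "Key Vault Secrets User",
}
# Control-plane roles that can create role assignments, so they can grant
# themselves any data-plane role within their scope.
ROLE_ASSIGNERS = {"Owner", "User Access Administrator"}
# Control-plane roles that can write the vault resource; on an access-policy
# vault that includes writing access policies, i.e. granting themselves
# data-plane access. Key Vault Contributor reads no secrets on its own.
VAULT_MANAGERS = {"Owner", "Contributor", "Key Vault Contributor"}


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """Azure RBAC inherits downward: an assignment at a management group,
    subscription or resource group applies to every resource beneath it."""
    parent = assignment_scope.rstrip("/").lower()
    child = resource_id.lower()
    return child == parent or child.startswith(parent + "/")


def secret_access_paths(assignments, vaults):
    """Return sorted (principal, vault, path, role) tuples. `path` says how the
    principal reaches secret contents; a 'none (...)' path records a role that
    looks privileged but grants nothing on that vault."""
    findings = []
    for vault in vaults:
        for asg in assignments:
            if not scope_covers(asg["scope"], vault["id"]):
                continue
            role, who = asg["roleDefinitionName"], asg["principalName"]
            if vault["enableRbacAuthorization"]:
                if role in SECRET_READ_ROLES:
                    path = "direct data-plane read"
                elif role in ROLE_ASSIGNERS:
                    path = "assign self Key Vault Secrets User"
                else:
                    continue  # Contributor / Key Vault Contributor / Key Vault Reader: no secret access
            else:
                if role in VAULT_MANAGERS:
                    path = "write an access policy for self"
                elif role in ROLE_ASSIGNERS:
                    path = "assign self Contributor, then write an access policy"
                elif role in SECRET_READ_ROLES:
                    path = "none (data-plane role ignored under access-policy model)"
                else:
                    continue
            findings.append((who, vault["name"], path, role))
    return sorted(findings)


def sample_inventory():
    """Constructed sample data (hypothetical subscription, names and scopes)."""
    sub = "/subscriptions/00000000-0000-0000-0000-000000000000"
    rg = sub + "/resourceGroups/rg-app"
    kv_rbac = rg + "/providers/Microsoft.KeyVault/vaults/kv-rbac"
    kv_legacy = rg + "/providers/Microsoft.KeyVault/vaults/kv-legacy"
    vaults = [
        {"name": "kv-rbac", "id": kv_rbac, "enableRbacAuthorization": True},
        {"name": "kv-legacy", "id": kv_legacy, "enableRbacAuthorization": False},
    ]
    assignments = [
        {"principalName": "alice", "roleDefinitionName": "Key Vault Secrets User", "scope": kv_rbac},
        {"principalName": "bob", "roleDefinitionName": "Key Vault Contributor", "scope": rg},
        {"principalName": "carol", "roleDefinitionName": "Contributor", "scope": sub},
        {"principalName": "dave", "roleDefinitionName": "User Access Administrator", "scope": sub},
        {"principalName": "erin", "roleDefinitionName": "Key Vault Secrets User", "scope": kv_legacy},
        {"principalName": "frank", "roleDefinitionName": "Key Vault Reader", "scope": kv_rbac},
    ]
    return assignments, vaults


if __name__ == "__main__":
    for who, vault, path, role in secret_access_paths(*sample_inventory()):
        print(f"{who:6} {vault:10} {role:28} -> {path}")
```

Note that bob's Key Vault Contributor assignment at resource-group scope is harmless on kv-rbac but is a full secret-read path on kv-legacy, while erin's Key Vault Secrets User assignment on kv-legacy grants nothing; both outcomes follow directly from the permission model of the vault, not from the role name.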
Virtual Machine User Login
View Virtual Machines in the portal and login as a regular user.
Virtual Machine Administrator Login
View Virtual Machines in the portal and login as administrator
Reader
View all resources, but does not allow you to make any changes. With regard to ACR: access Resource Manager and pull images.
Security Admin
View and update permissions for Security Center. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations. Full access to Identity Protection. Cannot reset a password for a user.
Security Reader
View permissions for Security Center. Can view recommendations, alerts, a security policy, and security states, but cannot make changes. Can view all Identity Protection reports and the Overview blade, and give feedback on detections. Cannot configure or change policies, reset a password for a user, or configure alerts.
Application Administrator
Can create and manage all aspects of app registrations and enterprise apps. Users in this role can create application registrations when the "Users can register applications" setting is set to No. This role also grants permission to consent on one's own behalf when the "Users can consent to apps accessing company data on their behalf" setting is set to No. Users assigned to this role are added as owners when creating new application registrations or enterprise applications.
Application Developer
Can create application registrations independent of the "Users can register applications" setting.
Azure Sentinel Contributor
Create and edit workbooks, analytic rules, and other Azure Sentinel resources. Manage incidents; view data, incidents, workbooks, and other Azure Sentinel resources.
Azure Sentinel Contributor + Logic App Contributor
Create and run playbooks, plus create and edit workbooks, analytic rules, and other Azure Sentinel resources. Manage incidents; view data, incidents, workbooks, and other Azure Sentinel resources.
AcrDelete
Delete image data.
Azure Sentinel Responder
Manage incidents; view data, incidents, workbooks, and other Azure Sentinel resources.
AcrPull
Pull images.
AcrPush
Push and pull images (for example with docker push and docker pull).
AcrImageSigner
Sign images. Typically combined with AcrPush to allow pushing a signed (trusted) image to a registry.
Security Operator
View all Identity Protection reports and the Overview blade. Dismiss user risk, confirm safe sign-in, confirm compromise. Cannot configure or change policies, reset a password for a user, or configure alerts.
Azure Sentinel Reader
View data, incidents, workbooks, and other Azure Sentinel resources.