Defender for Storage Scanner Operator

Azure Built-in Role

Role Information

Details and metadata

Role ID
0f641de8-0b88-4198-bdef-bd8b45ceba96
Type
BuiltInRole
Last Updated (Azure)
2025-09-08 15:10:30

Change History

Track all modifications to this role

2025-09-08 15:10:30 Initial Scan
{
  "properties": {
    "roleName": "Defender for Storage Scanner Operator",
    "type": "BuiltInRole",
    "description": "Lets you enable and configure Microsoft Defender for Storage's malware scanning and sensitive data discovery features on your storage accounts. Includes an ABAC condition to limit role assignments.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Authorization/roleAssignments/write",
          "Microsoft.Authorization/roleAssignments/delete",
          "Microsoft.Authorization/*/read",
          "Microsoft.Resources/deployments/*",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/subscriptions/read",
          "Microsoft.Management/managementGroups/read",
          "Microsoft.Resources/deployments/*",
          "Microsoft.Support/*",
          "Microsoft.Security/defenderforstoragesettings/read",
          "Microsoft.Security/defenderforstoragesettings/write",
          "Microsoft.Security/advancedThreatProtectionSettings/read",
          "Microsoft.Security/advancedThreatProtectionSettings/write",
          "Microsoft.Security/datascanners/read",
          "Microsoft.Security/datascanners/write",
          "Microsoft.Security/dataScanners/delete",
          "Microsoft.Storage/storageAccounts/write",
          "Microsoft.Storage/storageAccounts/read",
          "Microsoft.EventGrid/topics/read",
          "Microsoft.EventGrid/eventSubscriptions/read",
          "Microsoft.EventGrid/eventSubscriptions/write",
          "Microsoft.EventGrid/eventSubscriptions/delete",
          "Microsoft.Storage/storageAccounts/blobServices/read",
          "Microsoft.Storage/storageAccounts/blobServices/write"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": [],
        "Condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40, d5a91429-5739-47e2-a06b-3470a27159e7})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40, d5a91429-5739-47e2-a06b-3470a27159e7}))",
        "ConditionVersion": "2.0"
      }
    ],
    "createdOn": "2023-11-14T16:24:26.427Z",
    "updatedOn": "2025-09-08T15:10:30.704Z",
    "createdBy": null,
    "updatedBy": null
  },
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0f641de8-0b88-4198-bdef-bd8b45ceba96",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "0f641de8-0b88-4198-bdef-bd8b45ceba96"
}

Effective Permissions

Operations granted by this role (71 total)

Conditional Permissions

This role has conditions that may restrict effective permissions based on context (e.g., resource attributes, request properties).

Permission Patterns (from role definition)

Actions (24 patterns)

- Microsoft.Authorization/roleAssignments/write
- Microsoft.Authorization/roleAssignments/delete
- Microsoft.Authorization/*/read
- Microsoft.Resources/deployments/*
- Microsoft.Resources/subscriptions/resourceGroups/read
- Microsoft.Resources/subscriptions/read
- Microsoft.Management/managementGroups/read
- Microsoft.Resources/deployments/*
- Microsoft.Support/*
- Microsoft.Security/defenderforstoragesettings/read
- Microsoft.Security/defenderforstoragesettings/write
- Microsoft.Security/advancedThreatProtectionSettings/read
- Microsoft.Security/advancedThreatProtectionSettings/write
- Microsoft.Security/datascanners/read
- Microsoft.Security/datascanners/write
- Microsoft.Security/dataScanners/delete
- Microsoft.Storage/storageAccounts/write
- Microsoft.Storage/storageAccounts/read
- Microsoft.EventGrid/topics/read
- Microsoft.EventGrid/eventSubscriptions/read
- Microsoft.EventGrid/eventSubscriptions/write
- Microsoft.EventGrid/eventSubscriptions/delete
- Microsoft.Storage/storageAccounts/blobServices/read
- Microsoft.Storage/storageAccounts/blobServices/write

Control Plane Operations (71)

Data Plane Operations (0)

No data plane operations granted