Role Information
Details and metadata
625a1cea-653b-4a19-bd3a-df1d66ab6637
Change History
Track all modifications to this role since 2025-12-15 01:08:16+00:00
Updated On
Event Type
Summary & Details
2025-09-22 15:13:20
Initial Scan
{
  "properties": {
    "roleName": "Defender Unified RBAC Contributor and Responder",
    "type": "BuiltInRole",
    "description": "Defender Unified RBAC Contributor and Responder. This role is managed and assigned automatically by the Defender Unified RBAC system. Manual assignment of this role is not recommended, as the Defender Unified RBAC system may modify or remove it at any time based on system requirements.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.OperationalInsights/querypacks/*/read",
          "Microsoft.OperationalInsights/workspaces/*/read",
          "Microsoft.OperationalInsights/workspaces/analytics/query/action",
          "Microsoft.OperationalInsights/workspaces/dataSources/read",
          "Microsoft.OperationalInsights/workspaces/query/*/read",
          "Microsoft.OperationalInsights/workspaces/query/read",
          "Microsoft.OperationalInsights/workspaces/savedSearches/*",
          "Microsoft.OperationalInsights/workspaces/savedSearches/read",
          "Microsoft.OperationsManagement/solutions/read",
          "Microsoft.Resources/deployments/*",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.SecurityInsights/*",
          "Microsoft.SecurityInsights/*/read",
          "Microsoft.SecurityInsights/automationRules/*",
          "Microsoft.SecurityInsights/businessApplicationAgents/systems/undoAction/action",
          "Microsoft.SecurityInsights/cases/*",
          "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
          "Microsoft.SecurityInsights/entities/runPlaybook/action",
          "Microsoft.SecurityInsights/incidents/*",
          "Microsoft.SecurityInsights/threatIntelligence/bulkTag/action",
          "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
          "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
          "Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action",
          "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
          "Microsoft.Insights/workbooks/*",
          "Microsoft.Authorization/*/read"
        ],
        "notActions": [
          "Microsoft.SecurityInsights/cases/*/Delete",
          "Microsoft.SecurityInsights/incidents/*/Delete",
          "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
          "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ],
    "createdOn": "2025-09-02T15:09:18.274Z",
    "updatedOn": "2025-09-22T15:13:20.212Z",
    "createdBy": null,
    "updatedBy": null
  },
  "id": "/providers/Microsoft.Authorization/roleDefinitions/625a1cea-653b-4a19-bd3a-df1d66ab6637",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "625a1cea-653b-4a19-bd3a-df1d66ab6637"
}
Effective Permissions
Operations granted by this role (1100 total)
Permission Patterns (from role definition)
Actions
26 patterns
Microsoft.OperationalInsights/querypacks/*/read
Microsoft.OperationalInsights/workspaces/*/read
Microsoft.OperationalInsights/workspaces/analytics/query/action
Microsoft.OperationalInsights/workspaces/dataSources/read
Microsoft.OperationalInsights/workspaces/query/*/read
Microsoft.OperationalInsights/workspaces/query/read
Microsoft.OperationalInsights/workspaces/savedSearches/*
Microsoft.OperationalInsights/workspaces/savedSearches/read
Microsoft.OperationsManagement/solutions/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.SecurityInsights/*
Microsoft.SecurityInsights/*/read
Microsoft.SecurityInsights/automationRules/*
Microsoft.SecurityInsights/businessApplicationAgents/systems/undoAction/action
Microsoft.SecurityInsights/cases/*
Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action
Microsoft.SecurityInsights/entities/runPlaybook/action
Microsoft.SecurityInsights/incidents/*
Microsoft.SecurityInsights/threatIntelligence/bulkTag/action
Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action
Microsoft.SecurityInsights/threatIntelligence/indicators/query/action
Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action
Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action
Microsoft.Insights/workbooks/*
Microsoft.Authorization/*/read
NotActions (excluded)
Microsoft.SecurityInsights/cases/*/Delete
Microsoft.SecurityInsights/incidents/*/Delete
Microsoft.SecurityInsights/ConfidentialWatchlists/*
Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*
Control Plane Operations (1100)
Data Plane Operations (0)
No data plane operations granted