Defender CSPM Storage Scanner Operator

Azure Built-in Role

Role Information

Details and metadata

Role ID
8480c0f0-4509-4229-9339-7c10018cb8c4
Type
BuiltInRole
Last Updated (Azure)
2025-09-26 15:39:17

Change History

Track all modifications to this role since 2025-12-15 01:08:16+00:00

2025-09-26 15:39:17 Initial Scan
{
  "properties": {
    "roleName": "Defender CSPM Storage Scanner Operator",
    "type": "BuiltInRole",
    "description": "Lets you enable and configure Microsoft Defender CSPM's sensitive data discovery feature on your storage accounts. Includes an ABAC condition to limit role assignments.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Storage/storageAccounts/write",
          "Microsoft.Storage/storageAccounts/read",
          "Microsoft.Authorization/*/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/subscriptions/read",
          "Microsoft.Management/managementGroups/read",
          "Microsoft.Resources/deployments/*",
          "Microsoft.Support/*",
          "Microsoft.Security/datascanners/read",
          "Microsoft.Security/datascanners/write",
          "Microsoft.Security/dataScanners/delete"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      },
      {
        "actions": [
          "Microsoft.Authorization/roleAssignments/write"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": [],
        "Condition": "@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{2a2b9908-6ea1-4ae2-8e65-a410df84e7d1, b8eda974-7b85-4f76-af95-65846b26df6d, 0b6ca2e8-2cdc-4bd6-b896-aa3d8c21fc35}",
        "ConditionVersion": "2.0"
      },
      {
        "actions": [
          "Microsoft.Authorization/roleAssignments/delete"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": [],
        "Condition": "@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{2a2b9908-6ea1-4ae2-8e65-a410df84e7d1, b8eda974-7b85-4f76-af95-65846b26df6d, 0b6ca2e8-2cdc-4bd6-b896-aa3d8c21fc35}",
        "ConditionVersion": "2.0"
      }
    ],
    "createdOn": "2024-02-27T16:09:01.291Z",
    "updatedOn": "2025-09-26T15:39:17.583Z",
    "createdBy": null,
    "updatedBy": null
  },
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8480c0f0-4509-4229-9339-7c10018cb8c4",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "8480c0f0-4509-4229-9339-7c10018cb8c4"
}

Effective Permissions

Operations granted by this role (61 total)

Conditional Permissions

This role carries ABAC conditions that restrict its effective permissions based on request or resource attributes. Here, the Microsoft.Authorization/roleAssignments/write and roleAssignments/delete actions apply only to role assignments whose RoleDefinitionId is one of the three GUIDs listed in the condition (2a2b9908-6ea1-4ae2-8e65-a410df84e7d1, b8eda974-7b85-4f76-af95-65846b26df6d, 0b6ca2e8-2cdc-4bd6-b896-aa3d8c21fc35); assignments of any other role definition are not granted by this role.

Permission Patterns (from role definition)

Actions (13 patterns)

Microsoft.Storage/storageAccounts/write
Microsoft.Storage/storageAccounts/read
Microsoft.Authorization/*/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/subscriptions/read
Microsoft.Management/managementGroups/read
Microsoft.Resources/deployments/*
Microsoft.Support/*
Microsoft.Security/datascanners/read
Microsoft.Security/datascanners/write
Microsoft.Security/dataScanners/delete
Microsoft.Authorization/roleAssignments/write (conditional)
Microsoft.Authorization/roleAssignments/delete (conditional)

Control Plane Operations (61)

Data Plane Operations (0)

No data plane operations granted