
Microsoft Defender for Cloud administrator (preview)

Azure Built-in Role

Role Information

Details and metadata

Role ID: 87a87389-f3af-4c43-a694-f6e5efec8582
Type: BuiltInRole
Last Updated (Azure): 2024-02-27 16:09:01

Change History

Track all modifications to this role

2024-02-27 16:09:01 Created
+ {
+ "properties": {
+ "roleName": "Microsoft Defender for Cloud administrator (preview)",
+ "type": "BuiltInRole",
+ "description": "Lets you enable and configure Defender for Cloud capabilities on an Azure subscription. Includes an ABAC condition to constrain role assignments.",
+ "assignableScopes": [
+ "/"
+ ],
+ "permissions": [
+ {
+ "actions": [
+ "Microsoft.Security/*",
+ "Microsoft.Authorization/roleAssignments/write",
+ "Microsoft.Authorization/roleAssignments/delete",
+ "Microsoft.Authorization/*/read",
+ "Microsoft.Resources/subscriptions/resourceGroups/read",
+ "Microsoft.Resources/subscriptions/read",
+ "Microsoft.Management/managementGroups/read",
+ "Microsoft.Resources/deployments/*",
+ "Microsoft.Support/*"
+ ],
+ "notActions": [],
+ "dataActions": [],
+ "notDataActions": [],
+ "Condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1e241071085549ea94dc649edcd759de, d24ecba3c1f440faa7bb4588a071e8fd, d5a2ae44610b450093be660a0c5f5ca6, acdd72a7338548efbd42f606fba81ae7, 8480c0f04509422993397c10018cb8c4, 0f641de80b884198bdefbd8b45ceba96})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1e241071085549ea94dc649edcd759de, d24ecba3c1f440faa7bb4588a071e8fd, d5a2ae44610b450093be660a0c5f5ca6, acdd72a7338548efbd42f606fba81ae7, 8480c0f04509422993397c10018cb8c4, 0f641de80b884198bdefbd8b45ceba96}))",
+ "ConditionVersion": "2.0"
+ }
+ ],
+ "createdOn": "2024-02-27T16:09:01.306Z",
+ "updatedOn": "2024-02-27T16:09:01.306Z",
+ "createdBy": null,
+ "updatedBy": null
+ },
+ "id": "/providers/Microsoft.Authorization/roleDefinitions/87a87389-f3af-4c43-a694-f6e5efec8582",
+ "type": "Microsoft.Authorization/roleDefinitions",
+ "name": "87a87389-f3af-4c43-a694-f6e5efec8582"
+ }
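
Review bot: the "Condition" string in the permissions block lists the six role definition IDs it permits as bare, undashed GUIDs with no names, so nobody reading the definition can tell which roles a holder may assign or remove; the description or accompanying documentation should name them. The condition also tests only RoleDefinitionId (on @Request for roleAssignments/write and on @Resource for roleAssignments/delete) and places no limit on which principal receives an assignment. With "assignableScopes" set to "/", it is worth confirming that an unconstrained principal is intended.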

Latest Role JSON

Raw definition from Azure

{
  "properties": {
    "roleName": "Microsoft Defender for Cloud administrator (preview)",
    "type": "BuiltInRole",
    "description": "Lets you enable and configure Defender for Cloud capabilities on an Azure subscription. Includes an ABAC condition to constrain role assignments.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Security/*",
          "Microsoft.Authorization/roleAssignments/write",
          "Microsoft.Authorization/roleAssignments/delete",
          "Microsoft.Authorization/*/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/subscriptions/read",
          "Microsoft.Management/managementGroups/read",
          "Microsoft.Resources/deployments/*",
          "Microsoft.Support/*"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": [],
        "Condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1e241071085549ea94dc649edcd759de, d24ecba3c1f440faa7bb4588a071e8fd, d5a2ae44610b450093be660a0c5f5ca6, acdd72a7338548efbd42f606fba81ae7, 8480c0f04509422993397c10018cb8c4, 0f641de80b884198bdefbd8b45ceba96})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1e241071085549ea94dc649edcd759de, d24ecba3c1f440faa7bb4588a071e8fd, d5a2ae44610b450093be660a0c5f5ca6, acdd72a7338548efbd42f606fba81ae7, 8480c0f04509422993397c10018cb8c4, 0f641de80b884198bdefbd8b45ceba96}))",
        "ConditionVersion": "2.0"
      }
    ],
    "createdOn": "2024-02-27T16:09:01.306Z",
    "updatedOn": "2024-02-27T16:09:01.306Z",
    "createdBy": null,
    "updatedBy": null
  },
  "id": "/providers/Microsoft.Authorization/roleDefinitions/87a87389-f3af-4c43-a694-f6e5efec8582",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "87a87389-f3af-4c43-a694-f6e5efec8582"
}

Effective Permissions

Operations granted by this role (260 total)

Conditional Permissions

This role has conditions that may restrict effective permissions based on context (e.g., resource attributes, request properties).

Permission Patterns (from role definition)

Actions (9 patterns)

Microsoft.Security/*
Microsoft.Authorization/roleAssignments/write
Microsoft.Authorization/roleAssignments/delete
Microsoft.Authorization/*/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/subscriptions/read
Microsoft.Management/managementGroups/read
Microsoft.Resources/deployments/*
Microsoft.Support/*

Control Plane Operations (260)

Data Plane Operations (0)

No data plane operations granted