Back to Operation

Defender Unified RBAC Scoped Reader

Azure Built-in Role

Role Information

Details and metadata

Role ID
d56b031f-8d90-4376-9231-b5c94fce88ef
Type
BuiltInRole
Last Updated (Azure)
2025-11-25 16:15:47

Change History

Track all modifications to this role

2025-11-25 16:15:47 Created
View details
+ {
+ "properties": {
+ "roleName": "Defender Unified RBAC Scoped Reader",
+ "type": "BuiltInRole",
+ "description": "Defender Unified RBAC Scoped Reader. This role is managed and assigned automatically by the Defender Unified RBAC system. Manual assignment of this role is not recommended, as the Defender Unified RBAC system may modify or remove it at any time based on system requirements.",
+ "assignableScopes": [
+ "/"
+ ],
+ "permissions": [
+ {
+ "actions": [
+ "Microsoft.SecurityInsights/*/read",
+ "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
+ "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
+ "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
+ "Microsoft.OperationalInsights/workspaces/analytics/query/action",
+ "Microsoft.OperationalInsights/workspaces/*/read",
+ "Microsoft.OperationalInsights/workspaces/LinkedServices/read",
+ "Microsoft.OperationalInsights/workspaces/savedSearches/read",
+ "Microsoft.OperationsManagement/solutions/read",
+ "Microsoft.OperationalInsights/workspaces/query/read",
+ "Microsoft.OperationalInsights/workspaces/query/*/read",
+ "Microsoft.OperationalInsights/querypacks/*/read",
+ "Microsoft.OperationalInsights/workspaces/dataSources/read",
+ "Microsoft.OperationalInsights/workspaces/read"
+ ],
+ "notActions": [
+ "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
+ "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*",
+ "Microsoft.SecurityInsights/alertRules/read"
+ ],
+ "dataActions": [
+ "Microsoft.OperationalInsights/workspaces/tables/data/read"
+ ],
+ "notDataActions": []
+ }
+ ],
+ "createdOn": "2025-11-25T16:15:47.963Z",
+ "updatedOn": "2025-11-25T16:15:47.963Z",
+ "createdBy": null,
+ "updatedBy": null
+ },
+ "id": "/providers/Microsoft.Authorization/roleDefinitions/d56b031f-8d90-4376-9231-b5c94fce88ef",
+ "type": "Microsoft.Authorization/roleDefinitions",
+ "name": "d56b031f-8d90-4376-9231-b5c94fce88ef"
+ }

Latest Role JSON

Raw definition from Azure

{
  "properties": {
    "roleName": "Defender Unified RBAC Scoped Reader",
    "type": "BuiltInRole",
    "description": "Defender Unified RBAC Scoped Reader. This role is managed and assigned automatically by the Defender Unified RBAC system. Manual assignment of this role is not recommended, as the Defender Unified RBAC system may modify or remove it at any time based on system requirements.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.SecurityInsights/*/read",
          "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
          "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
          "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
          "Microsoft.OperationalInsights/workspaces/analytics/query/action",
          "Microsoft.OperationalInsights/workspaces/*/read",
          "Microsoft.OperationalInsights/workspaces/LinkedServices/read",
          "Microsoft.OperationalInsights/workspaces/savedSearches/read",
          "Microsoft.OperationsManagement/solutions/read",
          "Microsoft.OperationalInsights/workspaces/query/read",
          "Microsoft.OperationalInsights/workspaces/query/*/read",
          "Microsoft.OperationalInsights/querypacks/*/read",
          "Microsoft.OperationalInsights/workspaces/dataSources/read",
          "Microsoft.OperationalInsights/workspaces/read"
        ],
        "notActions": [
          "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
          "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*",
          "Microsoft.SecurityInsights/alertRules/read"
        ],
        "dataActions": [
          "Microsoft.OperationalInsights/workspaces/tables/data/read"
        ],
        "notDataActions": []
      }
    ],
    "createdOn": "2025-11-25T16:15:47.963Z",
    "updatedOn": "2025-11-25T16:15:47.963Z",
    "createdBy": null,
    "updatedBy": null
  },
  "id": "/providers/Microsoft.Authorization/roleDefinitions/d56b031f-8d90-4376-9231-b5c94fce88ef",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "d56b031f-8d90-4376-9231-b5c94fce88ef"
}

Effective Permissions

Operations granted by this role (948 total)

Permission Patterns (from role definition)

Actions 14 patterns
Microsoft.SecurityInsights/*/read Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action Microsoft.SecurityInsights/threatIntelligence/indicators/query/action Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action Microsoft.OperationalInsights/workspaces/analytics/query/action Microsoft.OperationalInsights/workspaces/*/read Microsoft.OperationalInsights/workspaces/LinkedServices/read Microsoft.OperationalInsights/workspaces/savedSearches/read Microsoft.OperationsManagement/solutions/read Microsoft.OperationalInsights/workspaces/query/read Microsoft.OperationalInsights/workspaces/query/*/read Microsoft.OperationalInsights/querypacks/*/read Microsoft.OperationalInsights/workspaces/dataSources/read Microsoft.OperationalInsights/workspaces/read
NotActions (excluded)
Microsoft.SecurityInsights/ConfidentialWatchlists/* Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/* Microsoft.SecurityInsights/alertRules/read
Data Actions 1 pattern
Microsoft.OperationalInsights/workspaces/tables/data/read

Control Plane Operations (947)

Data Plane Operations (1)