Role Information
Details and metadata
d715fb95-a0f0-4f1c-8be6-5ad2d2767f67
Change History
Track all modifications to this role
Updated On
Event Type
Summary & Details
2025-02-17 16:06:34
Initial Scan
{
"properties": {
"roleName": "AVS Orchestrator Role",
"type": "BuiltInRole",
"description": "Do not remove this role from your resource group because it is critical to enable your AVS private cloud to operate. If the role is removed, it will cause your AVS private cloud control plane to no longer operate correctly. The role is used to enable the AVS private cloud control plane to create the supporting resources in the resource group of the private clouds attached virtual network and bind them to the attached virtual network. This role is not intended for use cases outside of assignment to the associated AVS identity in your entra-id tenant.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Resources/subscriptions/resourcegroups/read",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/deployments/operationStatuses/read",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/delete",
"Microsoft.Resources/deployments/read",
"Microsoft.Network/virtualHubs/delete",
"Microsoft.Network/publicIPAddresses/delete",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/delete",
"Microsoft.Network/virtualNetworks/subnets/delete",
"Microsoft.Network/networkIntentPolicies/read",
"Microsoft.Network/networkIntentPolicies/delete",
"Microsoft.Network/networkIntentPolicies/write",
"Microsoft.Network/networkSecurityGroups/delete",
"Microsoft.Network/networkSecurityGroups/write",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/networkSecurityGroups/securityRules/write",
"Microsoft.Network/networkSecurityGroups/securityRules/delete",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/write",
"Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/read",
"Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/delete",
"Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",
"Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action",
"Microsoft.Network/virtualHubs/write",
"Microsoft.Network/publicIPAddresses/write",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualHubs/ipConfigurations/write",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/virtualHubs/ipConfigurations/read",
"Microsoft.Network/virtualHubs/bgpConnections/write",
"Microsoft.Network/virtualHubs/bgpConnections/read",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
"Microsoft.Network/virtualNetworks/peer/action",
"Microsoft.Network/locations/operations/read",
"Microsoft.Network/locations/operationResults/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/routeTables/read",
"Microsoft.Network/routeTables/write",
"Microsoft.Network/routeTables/delete",
"Microsoft.Network/routeTables/join/action",
"Microsoft.Network/routeTables/routes/read",
"Microsoft.Network/routeTables/routes/write",
"Microsoft.Network/routeTables/routes/delete",
"Microsoft.Network/virtualNetworks/join/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"Condition": "(!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{d715fb95a0f04f1c8be65ad2d2767f67, 4d97b98b1d4f4787a291c67834d212e7, 49fc33c1886f4b21a00e1d9993234734}",
"ConditionVersion": "2.0"
}
],
"createdOn": "2024-08-29T15:27:16.58Z",
"updatedOn": "2025-02-17T16:06:34.702Z",
"createdBy": null,
"updatedBy": null
},
"id": "/providers/Microsoft.Authorization/roleDefinitions/d715fb95-a0f0-4f1c-8be6-5ad2d2767f67",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "d715fb95-a0f0-4f1c-8be6-5ad2d2767f67"
}
2025-02-17 16:06:34
Initial Scan
{
"properties": {
"roleName": "AVS Orchestrator Role",
"type": "BuiltInRole",
"description": "Do not remove this role from your resource group because it is critical to enable your AVS private cloud to operate. If the role is removed, it will cause your AVS private cloud control plane to no longer operate correctly. The role is used to enable the AVS private cloud control plane to create the supporting resources in the resource group of the private clouds attached virtual network and bind them to the attached virtual network. This role is not intended for use cases outside of assignment to the associated AVS identity in your entra-id tenant.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Resources/subscriptions/resourcegroups/read",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/deployments/operationStatuses/read",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/delete",
"Microsoft.Resources/deployments/read",
"Microsoft.Network/virtualHubs/delete",
"Microsoft.Network/publicIPAddresses/delete",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/delete",
"Microsoft.Network/virtualNetworks/subnets/delete",
"Microsoft.Network/networkIntentPolicies/read",
"Microsoft.Network/networkIntentPolicies/delete",
"Microsoft.Network/networkIntentPolicies/write",
"Microsoft.Network/networkSecurityGroups/delete",
"Microsoft.Network/networkSecurityGroups/write",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/networkSecurityGroups/securityRules/write",
"Microsoft.Network/networkSecurityGroups/securityRules/delete",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/write",
"Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/read",
"Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/delete",
"Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",
"Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action",
"Microsoft.Network/virtualHubs/write",
"Microsoft.Network/publicIPAddresses/write",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualHubs/ipConfigurations/write",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/virtualHubs/ipConfigurations/read",
"Microsoft.Network/virtualHubs/bgpConnections/write",
"Microsoft.Network/virtualHubs/bgpConnections/read",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
"Microsoft.Network/virtualNetworks/peer/action",
"Microsoft.Network/locations/operations/read",
"Microsoft.Network/locations/operationResults/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/routeTables/read",
"Microsoft.Network/routeTables/write",
"Microsoft.Network/routeTables/delete",
"Microsoft.Network/routeTables/join/action",
"Microsoft.Network/routeTables/routes/read",
"Microsoft.Network/routeTables/routes/write",
"Microsoft.Network/routeTables/routes/delete",
"Microsoft.Network/virtualNetworks/join/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"Condition": "(!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{d715fb95a0f04f1c8be65ad2d2767f67, 4d97b98b1d4f4787a291c67834d212e7, 49fc33c1886f4b21a00e1d9993234734}",
"ConditionVersion": "2.0"
}
],
"createdOn": "2024-08-29T15:27:16.58Z",
"updatedOn": "2025-02-17T16:06:34.702Z",
"createdBy": null,
"updatedBy": null
},
"id": "/providers/Microsoft.Authorization/roleDefinitions/d715fb95-a0f0-4f1c-8be6-5ad2d2767f67",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "d715fb95-a0f0-4f1c-8be6-5ad2d2767f67"
}
Latest Role JSON
Raw definition from Azure
{
"properties": {
"roleName": "AVS Orchestrator Role",
"type": "BuiltInRole",
"description": "Do not remove this role from your resource group because it is critical to enable your AVS private cloud to operate. If the role is removed, it will cause your AVS private cloud control plane to no longer operate correctly. The role is used to enable the AVS private cloud control plane to create the supporting resources in the resource group of the private clouds attached virtual network and bind them to the attached virtual network. This role is not intended for use cases outside of assignment to the associated AVS identity in your entra-id tenant.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Resources/subscriptions/resourcegroups/read",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/deployments/operationStatuses/read",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/delete",
"Microsoft.Resources/deployments/read",
"Microsoft.Network/virtualHubs/delete",
"Microsoft.Network/publicIPAddresses/delete",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/delete",
"Microsoft.Network/virtualNetworks/subnets/delete",
"Microsoft.Network/networkIntentPolicies/read",
"Microsoft.Network/networkIntentPolicies/delete",
"Microsoft.Network/networkIntentPolicies/write",
"Microsoft.Network/networkSecurityGroups/delete",
"Microsoft.Network/networkSecurityGroups/write",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/networkSecurityGroups/securityRules/write",
"Microsoft.Network/networkSecurityGroups/securityRules/delete",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/write",
"Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/read",
"Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/delete",
"Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",
"Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action",
"Microsoft.Network/virtualHubs/write",
"Microsoft.Network/publicIPAddresses/write",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualHubs/ipConfigurations/write",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/virtualHubs/ipConfigurations/read",
"Microsoft.Network/virtualHubs/bgpConnections/write",
"Microsoft.Network/virtualHubs/bgpConnections/read",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
"Microsoft.Network/virtualNetworks/peer/action",
"Microsoft.Network/locations/operations/read",
"Microsoft.Network/locations/operationResults/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/routeTables/read",
"Microsoft.Network/routeTables/write",
"Microsoft.Network/routeTables/delete",
"Microsoft.Network/routeTables/join/action",
"Microsoft.Network/routeTables/routes/read",
"Microsoft.Network/routeTables/routes/write",
"Microsoft.Network/routeTables/routes/delete",
"Microsoft.Network/virtualNetworks/join/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"Condition": "(!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{d715fb95a0f04f1c8be65ad2d2767f67, 4d97b98b1d4f4787a291c67834d212e7, 49fc33c1886f4b21a00e1d9993234734}",
"ConditionVersion": "2.0"
}
],
"createdOn": "2024-08-29T15:27:16.58Z",
"updatedOn": "2025-02-17T16:06:34.702Z",
"createdBy": null,
"updatedBy": null
},
"id": "/providers/Microsoft.Authorization/roleDefinitions/d715fb95-a0f0-4f1c-8be6-5ad2d2767f67",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "d715fb95-a0f0-4f1c-8be6-5ad2d2767f67"
}
Effective Permissions
Operations granted by this role (54 total)
Conditional Permissions
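This role has conditions that may restrict effective permissions based on context (e.g., resource attributes, request properties). In this definition the condition is attached to the permission block granting Microsoft.Authorization/roleAssignments/delete: a role assignment may be deleted only when its RoleDefinitionId matches one of the three GUIDs listed in the condition, the first of which is this role's own ID (d715fb95-a0f0-4f1c-8be6-5ad2d2767f67). The actions in the first permission block carry no condition.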