| title | Azure built-in roles for Privileged - Azure RBAC |
|---|---|
| description | This article lists the Azure built-in roles for Azure role-based access control (Azure RBAC) in the Privileged category. It lists Actions, NotActions, DataActions, and NotDataActions. |
| ms.service | role-based-access-control |
| ms.topic | generated-reference |
| ms.workload | identity |
| author | rolyon |
| manager | pmwongera |
| ms.author | rolyon |
| ms.date | 02/23/2026 |
| ms.custom | generated |
This article lists the Azure built-in roles in the Privileged category.
Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
[!div class="mx-tableFixed"]
Actions Description * Create and manage resources of all types NotActions Microsoft.Authorization/*/Delete Delete roles, policy assignments, policy definitions and policy set definitions Microsoft.Authorization/*/Write Create roles, role assignments, policy assignments, policy definitions and policy set definitions Microsoft.Authorization/elevateAccess/Action Grants the caller User Access Administrator access at the tenant scope Microsoft.Blueprint/blueprintAssignments/write Create or update any blueprint assignments Microsoft.Blueprint/blueprintAssignments/delete Delete any blueprint assignments Microsoft.Compute/galleries/share/action Shares a Gallery to different scopes Microsoft.Purview/consents/write Create or Update a Consent Resource. Microsoft.Purview/consents/delete Delete the Consent Resource. Microsoft.Resources/deploymentStacks/manageDenySetting/action Manage the denySettings property of a deployment stack. Microsoft.Subscription/cancel/action Cancels the Subscription Microsoft.Subscription/enable/action Reactivates the Subscription DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"name": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"permissions": [
{
"actions": [
"*"
],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete",
"Microsoft.Compute/galleries/share/action",
"Microsoft.Purview/consents/write",
"Microsoft.Purview/consents/delete",
"Microsoft.Resources/deploymentStacks/manageDenySetting/action",
"Microsoft.Subscription/cancel/action",
"Microsoft.Subscription/enable/action"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
[!div class="mx-tableFixed"]
Actions Description * Create and manage resources of all types NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
"name": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
"permissions": [
{
"actions": [
"*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Lets one read and manage all the reservations in a tenant
[!div class="mx-tableFixed"]
Actions Description Microsoft.Capacity/*/read Microsoft.Capacity/*/action Microsoft.Capacity/*/write Microsoft.Authorization/roleAssignments/read Get information about a role assignment. Microsoft.Authorization/roleDefinitions/read Get information about a role definition. Microsoft.Authorization/roleAssignments/write Create a role assignment at the specified scope. Microsoft.Authorization/roleAssignments/delete Delete a role assignment at the specified scope. NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/providers/Microsoft.Capacity"
],
"description": "Lets one read and manage all the reservations in a tenant",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a8889054-8d42-49c9-bc1c-52486c10e7cd",
"name": "a8889054-8d42-49c9-bc1c-52486c10e7cd",
"permissions": [
{
"actions": [
"Microsoft.Capacity/*/read",
"Microsoft.Capacity/*/action",
"Microsoft.Capacity/*/write",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read",
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Reservations Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy.
[!INCLUDE role-read-permissions.md]
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/roleAssignments/write Create a role assignment at the specified scope. Microsoft.Authorization/roleAssignments/delete Delete a role assignment at the specified scope. */read Read control plane information for all Azure resources. Microsoft.Support/* Create and update a support ticket NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f58310d9-a9f6-439a-9e8d-f62e7b41a168",
"name": "f58310d9-a9f6-439a-9e8d-f62e7b41a168",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete",
"*/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Role Based Access Control Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Lets you manage user access to Azure resources.
[!INCLUDE role-read-permissions.md]
[!div class="mx-tableFixed"]
Actions Description */read Read control plane information for all Azure resources. Microsoft.Authorization/* Manage authorization Microsoft.Support/* Create and update a support ticket NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Lets you manage user access to Azure resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
"name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.Authorization/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "User Access Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}