Merge pull request #310041 from rolyon/rolyon-rbac-roles-dec-2025-new

[Azure RBAC] Roles and permissions for Dec 2025

Author: JamesJBarnett

.openpublishing.redirection.json

@@ -5064,6 +5064,16 @@
       "redirect_url": "/azure/role-based-access-control/quickstart-role-assignments-template",
       "redirect_document_id": true
     },
+    {
+      "source_path_from_root": "/articles/role-based-access-control/built-in-roles/mixed-reality.md",
+      "redirect_url": "/azure/role-based-access-control/built-in-roles",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/role-based-access-control/permissions/mixed-reality.md",
+      "redirect_url": "/azure/role-based-access-control/resource-provider-operations",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/scheduler/get-started-portal.md",
       "redirect_url": "/azure/scheduler/migrate-from-scheduler-to-logic-apps",

articles/role-based-access-control/TOC.yml

@@ -201,8 +201,6 @@
       href: built-in-roles/ai-machine-learning.md
     - name: Internet of Things
       href: built-in-roles/internet-of-things.md
-    - name: Mixed reality
-      href: built-in-roles/mixed-reality.md
     - name: Integration
       href: built-in-roles/integration.md
     - name: Identity
@@ -211,6 +209,8 @@
       href: built-in-roles/security.md
     - name: DevOps
       href: built-in-roles/devops.md
+    - name: Migration
+      href: built-in-roles/migration.md
     - name: Monitor
       href: built-in-roles/monitor.md
     - name: Management and governance
@@ -241,8 +241,6 @@
       href: permissions/ai-machine-learning.md
     - name: Internet of Things
       href: permissions/internet-of-things.md
-    - name: Mixed reality
-      href: permissions/mixed-reality.md
     - name: Integration
       href: permissions/integration.md
     - name: Identity

articles/role-based-access-control/built-in-roles.md

@@ -7,7 +7,7 @@ ms.workload: identity
 author: rolyon
 manager: pmwongera
 ms.author: rolyon
-ms.date: 05/25/2025
+ms.date: 12/31/2025
 ms.custom: generated
 ---
 
@@ -641,4 +641,4 @@ Lets you perform query testing without creating a stream analytics job first
 
 ## Next steps
 
-- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal)
+- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal)

articles/role-based-access-control/built-in-roles/ai-machine-learning.md

@@ -7,7 +7,7 @@ ms.workload: identity
 author: rolyon
 manager: pmwongera
 ms.author: rolyon
-ms.date: 09/03/2025
+ms.date: 12/31/2025
 ms.custom: generated
 ---
 
@@ -166,6 +166,7 @@ Arc VMware VM Contributor has permissions to perform all VM actions.
   "type": "Microsoft.Authorization/roleDefinitions"
 }
 ```
+
 ## Azure Batch Account Contributor
 
 Grants full access to manage all Batch resources, including Batch accounts, pools and jobs.
@@ -1709,6 +1710,8 @@ Provides permission to backup vault to perform disk restore.
 > | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
 > | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/write | Creates a new Disk or updates an existing one |
 > | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/read | Get the properties of a Disk |
+> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/beginGetAccess/action | Get the SAS URI of the Disk for blob access |
+> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/endGetAccess/action | Revoke the SAS URI of the Disk |
 > | **NotActions** |  |
 > | *none* |  |
 > | **DataActions** |  |
@@ -1730,7 +1733,9 @@ Provides permission to backup vault to perform disk restore.
         "Microsoft.Authorization/*/read",
         "Microsoft.Resources/subscriptions/resourceGroups/read",
         "Microsoft.Compute/disks/write",
-        "Microsoft.Compute/disks/read"
+        "Microsoft.Compute/disks/read",
+        "Microsoft.Compute/disks/beginGetAccess/action",
+        "Microsoft.Compute/disks/endGetAccess/action"
       ],
       "notActions": [],
       "dataActions": [],

articles/role-based-access-control/built-in-roles/analytics.md

@@ -7,7 +7,7 @@ ms.workload: identity
 author: rolyon
 manager: pmwongera
 ms.author: rolyon
-ms.date: 05/25/2025
+ms.date: 12/31/2025
 ms.custom: generated
 ---
 
@@ -130,6 +130,7 @@ Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents
 > | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket |
 > | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. |
 > | **NotActions** |  |
+> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/copyJobs/* |  |
 > | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/dataTransferJobs/* |  |
 > | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/readonlyKeys/* |  |
 > | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/regenerateKey/* |  |
@@ -169,6 +170,7 @@ Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents
         "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
       ],
       "notActions": [
+        "Microsoft.DocumentDB/databaseAccounts/copyJobs/*",
         "Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/*",
         "Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*",
         "Microsoft.DocumentDB/databaseAccounts/regenerateKey/*",
@@ -202,8 +204,8 @@ Can submit restore request for a Cosmos DB database or a container for an accoun
 > [!div class="mx-tableFixed"]
 > | Actions | Description |
 > | --- | --- |
-> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/backup/action | Submit a request to configure backup |
-> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/restore/action | Submit a restore request |
+> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/backup/action | Submit a request to trigger external backup operation |
+> | [Microsoft.DocumentDB](../permissions/databases.md#microsoftdocumentdb)/databaseAccounts/restore/action | Submit a request to trigger external restore operation |
 > | **NotActions** |  |
 > | *none* |  |
 > | **DataActions** |  |
@@ -661,7 +663,7 @@ Lets you manage the security-related policies of SQL servers and databases, but
 > | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/advancedThreatProtectionSettings/read | Retrieve a list of server Advanced Threat Protection settings configured for a given server |
 > | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/advancedThreatProtectionSettings/write | Change the server Advanced Threat Protection settings for a given server |
 > | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/auditingSettings/* | Create and manage SQL server auditing setting |
-> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/extendedAuditingSettings/read | Retrieve details of the extended server blob auditing policy configured on a given server |
+> | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/extendedAuditingSettings/* |  |
 > | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/advancedThreatProtectionSettings/read | Retrieve a list of database Advanced Threat Protection settings configured for a given database |
 > | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/advancedThreatProtectionSettings/write | Change the database Advanced Threat Protection settings for a given database |
 > | [Microsoft.Sql](../permissions/databases.md#microsoftsql)/servers/databases/advancedThreatProtectionSettings/read | Retrieve a list of database Advanced Threat Protection settings configured for a given database |
@@ -752,7 +754,7 @@ Lets you manage the security-related policies of SQL servers and databases, but
         "Microsoft.Sql/servers/advancedThreatProtectionSettings/read",
         "Microsoft.Sql/servers/advancedThreatProtectionSettings/write",
         "Microsoft.Sql/servers/auditingSettings/*",
-        "Microsoft.Sql/servers/extendedAuditingSettings/read",
+        "Microsoft.Sql/servers/extendedAuditingSettings/*",
         "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read",
         "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write",
         "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read",