AzRoleAdvertizer

last sync: 2025-Oct-31 18:22:44 UTC

Defender for Storage Scanner Operator

Azure BuiltIn RBAC Role definition

Name

Defender for Storage Scanner Operator

0f641de8-0b88-4198-bdef-bd8b45ceba96

Description

Lets you enable and configure Microsoft Defender for Storage's malware scanning and sensitive data discovery features on your storage accounts. Includes an ABAC condition to limit role assignments.

Category

None

CreatedOn

2023-11-10 10:31:03 UTC

UpdatedOn

2025-09-04 13:19:08 UTC

Permissions summary

Effective control plane and data plane operations: 72 (unique operations)
•action: 9
•delete: 4
•read: 50
•write: 9

Actions: 24
Resolved control plane operations from Actions: 72
Effective control plane operations: 72
•action: 9
•delete: 4
•read: 50
•write: 9

NotActions: 0
Resolved control plane operations from NotActions: 0
Effective denied control plane operations: 17361

DataActions: 0
Resolved data plane operations: 0
Effective data plane operations: 0

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 4078

Actions

Operation	Description
Microsoft.Authorization/*/read	wildcarded / no description
Microsoft.Authorization/roleAssignments/delete conditioned	Delete a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/write conditioned	Create a role assignment at the specified scope.
Microsoft.EventGrid/eventSubscriptions/delete	Delete a eventSubscription
Microsoft.EventGrid/eventSubscriptions/read	Read a eventSubscription
Microsoft.EventGrid/eventSubscriptions/write	Create or update a eventSubscription
Microsoft.EventGrid/topics/read	Read a topic
Microsoft.Management/managementGroups/read	List management groups for the authenticated user.
Microsoft.Resources/deployments/*	wildcarded / no description
Microsoft.Resources/deployments/*	wildcarded / no description
Microsoft.Resources/subscriptions/read	Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read	Gets or lists resource groups.
Microsoft.Security/advancedThreatProtectionSettings/read	Gets the Advanced Threat Protection Settings for the resource
Microsoft.Security/advancedThreatProtectionSettings/write	Updates the Advanced Threat Protection Settings for the resource
Microsoft.Security/dataScanners/delete	Deletes the datascanners for the scope
Microsoft.Security/datascanners/read	Gets the datascanners for the scope
Microsoft.Security/datascanners/write	Creates or updates the datascanners for the scope
Microsoft.Security/defenderforstoragesettings/read	Gets the defenderforstoragesettings for the scope
Microsoft.Security/defenderforstoragesettings/write	Creates or updates the defenderforstoragesettings for the scope
Microsoft.Storage/storageAccounts/blobServices/read	Returns blob service properties or statistics
Microsoft.Storage/storageAccounts/blobServices/write	Returns the result of put blob service properties
Microsoft.Storage/storageAccounts/read	Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.Storage/storageAccounts/write	Creates a storage account with the specified parameters or update the properties or tags or adds custom domain for the specified storage account.
Microsoft.Support/*	wildcarded / no description

NotActions

n/a

DataActions

n/a

NotDataActions

n/a

Used in
BuiltIn Policy

none

History

Date/Time (UTC ymd) (i)	Change	Change detail
2025-09-04 17:22:36	change: Actions	Actions: 'add Microsoft.Storage/storageAccounts/blobServices/read; add Microsoft.Storage/storageAccounts/blobServices/write'
2024-07-01 18:19:32	change: Actions	Actions: 'add Microsoft.Security/advancedThreatProtectionSettings/read; add Microsoft.Security/advancedThreatProtectionSettings/write; add Microsoft.Security/datascanners/read; add Microsoft.Security/datascanners/write; add Microsoft.Security/dataScanners/delete'
2024-04-30 17:48:19	add: Role	0f641de8-0b88-4198-bdef-bd8b45ceba96

JSON

api-version=2023-07-01-preview

Condition

    (
        (
            !
            (
                ActionMatches {
                'Microsoft.Authorization/roleAssignments/write'
                }
            )
        )
        OR
        (
            @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
            1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40 (Defender for Storage Data Scanner),
            d5a91429-5739-47e2-a06b-3470a27159e7 (EventGrid Data Sender)
            }
        )
    )
    AND
    (
        (
            !
            (
                ActionMatches {
                'Microsoft.Authorization/roleAssignments/delete'
                }
            )
        )
        OR
        (
            @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
            1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40 (Defender for Storage Data Scanner),
            d5a91429-5739-47e2-a06b-3470a27159e7 (EventGrid Data Sender)
            }
        )
    )