你当前正在访问 Microsoft Azure Global Edition 技术文档网站。如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站，请访问 https://docs.azure.cn。

适用于 Privileged 的 Azure 内置角色

2025-10-10

本文列出了 Privileged 类别中的 Azure 内置角色。

参与者

授予完全访问权限来管理所有资源，但不允许在 Azure RBAC 中分配角色或在 Azure 蓝图中管理分配，也不允许共享映像库。

操作	说明
*	创建和管理所有类型的资源
不操作
Microsoft.Authorization/*/删除	删除角色、策略分配、策略定义和策略集定义
Microsoft.Authorization/*/Write	创建角色、角色分配、策略分配、策略定义和策略集定义
Microsoft.Authorization/elevateAccess/Action	向调用方授予租户范围的“用户访问管理员”访问权限
Microsoft.Blueprint/blueprintAssignments/write	创建或更新任何蓝图分配
Microsoft.Blueprint/blueprintAssignments/delete	删除任何蓝图分配
Microsoft.Compute/galleries/share/action	将库共享到不同的范围
Microsoft.Purview/consents/write	创建或更新同意资源。
Microsoft.Purview/consents/delete	删除同意资源。
Microsoft.Resources/deploymentStacks/manageDenySetting/action	管理部署堆栈的 denySettings 属性。
Microsoft.Subscription/cancel/action	取消订阅
Microsoft.Subscription/enable/action	重新激活订阅
DataActions
无
NotDataActions
无

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
  "name": "b24988ac-6180-42a0-ab88-20f7382dd24c",
  "permissions": [
    {
      "actions": [
        "*"
      ],
      "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action",
        "Microsoft.Purview/consents/write",
        "Microsoft.Purview/consents/delete",
        "Microsoft.Resources/deploymentStacks/manageDenySetting/action",
        "Microsoft.Subscription/cancel/action",
        "Microsoft.Subscription/enable/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

所有者

授予管理所有资源的完全访问权限，包括允许在 Azure RBAC 中分配角色。

了解详细信息

操作	说明
*	创建和管理所有类型的资源
不操作
无
DataActions
无
NotDataActions
无

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
  "name": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
  "permissions": [
    {
      "actions": [
        "*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure 文件同步管理员

此角色提供完全访问权限来管理所有 Azure 文件同步（存储同步服务）资源，包括分配 Azure RBAC 中的角色的功能。

分配 Azure 文件同步管理员角色时，请按照以下步骤确保最低权限。

在“条件”选项卡下，选择“允许用户仅将所选角色分配给所选主体”（权限更少）。
单击 “选择角色和主体 ”，然后选择“条件”#1 下的“ 添加作 ”。
选择“ 创建角色分配”，然后单击“ 选择”。
选择 “添加表达式”，然后选择“ 请求”。
在“属性源”下，选择“属性”下的角色定义 ID，然后选择“运算符”下的 ForAnyOfAnyValues：GuidEquals。
选择 “添加角色”。添加 读取者和数据访问、 存储文件数据特权参与者和 存储帐户参与者 角色，然后选择“ 保存”。

了解详细信息

操作	说明
Microsoft.StorageSync/register/action	将服务器注册到存储同步服务
Microsoft.StorageSync/unregister/action	将服务器注销到存储同步服务
Microsoft.StorageSync/locations/*
Microsoft.StorageSync/deployments/preflight/action
Microsoft.StorageSync/storageSyncServices/*
Microsoft.StorageSync/operations/read	返回存储同步作的状态
Microsoft.Insights/AlertRules/*	创建和管理经典指标警报
Microsoft.Resources/deployments/*	创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read	获取或列出资源组
Microsoft.Support/*	创建和更新支持票证
Microsoft.Authorization/roleAssignments/write	创建和更新角色分配
Microsoft.Authorization/roleAssignments/read	读取角色分配
Microsoft.Storage/storageAccounts/read	返回存储帐户列表或获取指定存储帐户的属性
Microsoft.Storage/storageAccounts/fileServices/read	列出文件服务
Microsoft.Storage/storageAccounts/fileServices/shares/read	获取文件共享
不操作
无
DataActions
无
NotDataActions
无

{
  "assignableScopes": [
    "/"
  ],
  "description": "This role provides full access to manage all Azure File Sync (Storage Sync Service) resources, including the ability to assign roles in Azure RBAC.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/92b92042-07d9-4307-87f7-36a593fc5850",
  "name": "92b92042-07d9-4307-87f7-36a593fc5850",
  "permissions": [
    {
      "actions": [
        "Microsoft.StorageSync/register/action",
        "Microsoft.StorageSync/unregister/action",
        "Microsoft.StorageSync/locations/*",
        "Microsoft.StorageSync/deployments/preflight/action",
        "Microsoft.StorageSync/storageSyncServices/*",
        "Microsoft.StorageSync/operations/read",
        "Microsoft.Insights/AlertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/fileServices/read",
        "Microsoft.Storage/storageAccounts/fileServices/shares/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure File Sync Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

预留管理员

允许用户读取和管理租户中的所有预留

了解详细信息

操作	说明
Microsoft.Capacity/*/read
Microsoft.Capacity/*/action
Microsoft.Capacity/*/write
Microsoft.Authorization/roleAssignments/read	获取有关角色分配的信息。
Microsoft.Authorization/roleDefinitions/read	获取有关角色定义的信息。
Microsoft.Authorization/roleAssignments/write	创建指定范围的角色分配。
Microsoft.Authorization/roleAssignments/delete	删除指定范围的角色分配。
不操作
无
DataActions
无
NotDataActions
无

{
  "assignableScopes": [
    "/providers/Microsoft.Capacity"
  ],
  "description": "Lets one read and manage all the reservations in a tenant",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a8889054-8d42-49c9-bc1c-52486c10e7cd",
  "name": "a8889054-8d42-49c9-bc1c-52486c10e7cd",
  "permissions": [
    {
      "actions": [
        "Microsoft.Capacity/*/read",
        "Microsoft.Capacity/*/action",
        "Microsoft.Capacity/*/write",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Reservations Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

基于角色的访问控制管理员

通过使用 Azure RBAC 分配角色来管理对 Azure 资源的访问。此角色不允许使用其他方式（如 Azure Policy）管理访问权限。

注释

此角色包括控制平面的 */read 操作。分配此角色的用户可以读取所有 Azure 资源的控制平面信息。

操作	说明
Microsoft.Authorization/roleAssignments/write	创建指定范围的角色分配。
Microsoft.Authorization/roleAssignments/delete	删除指定范围的角色分配。
*/read	读取所有 Azure 资源的控制平面信息。
Microsoft.Support/*	创建和更新支持票证
不操作
无
DataActions
无
NotDataActions
无

{
  "assignableScopes": [
    "/"
  ],
  "description": "Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f58310d9-a9f6-439a-9e8d-f62e7b41a168",
  "name": "f58310d9-a9f6-439a-9e8d-f62e7b41a168",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
        "*/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Role Based Access Control Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

用户访问管理员

允许管理用户对 Azure 资源的访问权限。

注释

此角色包括控制平面的 */read 操作。分配此角色的用户可以读取所有 Azure 资源的控制平面信息。

了解详细信息

操作	说明
*/read	读取所有 Azure 资源的控制平面信息。
Microsoft.Authorization/*	管理授权
Microsoft.Support/*	创建和更新支持票证
不操作
无
DataActions
无
NotDataActions
无

{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage user access to Azure resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
  "name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Authorization/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "User Access Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

后续步骤

使用 Azure 门户分配 Azure 角色

反馈

此页面是否有帮助？

通过

适用于 Privileged 的 Azure 内置角色

参与者

所有者

Azure 文件同步管理员

预留管理员

基于角色的访问控制管理员

用户访问管理员

后续步骤

反馈

其他资源