Merge pull request #301103 from codefinite-vri/main

Update Azure File Sync Administrator and Azure File Sync Reader Built-in roles.

Author: prmerger-automator[bot]

articles/role-based-access-control/built-in-roles.md

@@ -106,6 +106,8 @@ The following table provides a brief description of each built-in role. Click th
 > | --- | --- | --- |
 > | <a name='avere-contributor'></a>[Avere Contributor](./built-in-roles/storage.md#avere-contributor) | Can create and manage an Avere vFXT cluster. | 4f8fab4f-1852-4a58-a46a-8eaf358af14a |
 > | <a name='avere-operator'></a>[Avere Operator](./built-in-roles/storage.md#avere-operator) | Used by the Avere vFXT cluster to manage the cluster | c025889f-8102-4ebf-b32c-fc0c6f0c6bd9 |
+> | <a name='azure-file-sync-administrator'></a>[Azure File Sync Administrator](./built-in-roles/storage.md#azure-file-sync-administrator) | Provides full access to manage all Azure File Sync (Storage Sync Service) resources, including the ability to assign roles in Azure RBAC. | 92b92042-07d9-4307-87f7-36a593fc5850 |
+> | <a name='azure-file-sync-reader'></a>[Azure File Sync Reader](./built-in-roles/storage.md#azure-file-sync-reader) | Provides read access to Azure File Sync service (Storage Sync Service). | 754c1a27-40dc-4708-8ad4-2bffdeee09e8 |
 > | <a name='backup-contributor'></a>[Backup Contributor](./built-in-roles/storage.md#backup-contributor) | Lets you manage backup service, but can't create vaults and give access to others | 5e467623-bb1f-42f4-a55d-6e525e11384b |
 > | <a name='backup-mua-admin'></a>[Backup MUA Admin](./built-in-roles/storage.md#backup-mua-admin) | Backup MultiUser-Authorization. Can create/delete ResourceGuard  | c2a970b4-16a7-4a51-8c84-8a8ea6ee0bb8 |
 > | <a name='backup-mua-operator'></a>[Backup MUA Operator](./built-in-roles/storage.md#backup-mua-operator) | Backup MultiUser-Authorization. Allows user to perform critical operation protected by resourceguard | f54b6d04-23c6-443e-b462-9c16ab7b4a52 |

articles/role-based-access-control/built-in-roles/storage.md

@@ -167,7 +167,112 @@ Used by the Avere vFXT cluster to manage the cluster
   "type": "Microsoft.Authorization/roleDefinitions"
 }
 ```
+## Azure File Sync Administrator
 
+This role provides full access to manage all Azure File Sync (Storage Sync Service) resources, including the ability to assign roles in Azure RBAC.
+
+[Learn more](/azure/storage/file-sync/file-sync-deployment-guide)
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | --- | --- |
+> | [Microsoft.StorageSync](../permissions/storage.md#microsoftstoragesync)/register/action | Registers the server to Storage Sync Service |
+> | [Microsoft.StorageSync](../permissions/storage.md#microsoftstoragesync)/unregister/action | Unregisters the server to Storage Sync Service  |
+> | [Microsoft.StorageSync](../permissions/storage.md#microsoftstoragesync)/locations/* |  |
+> | [Microsoft.StorageSync](../permissions/storage.md#microsoftstoragesync)/deployments/preflight/action |  |
+> | [Microsoft.StorageSync](../permissions/storage.md#microsoftstoragesync)/storageSyncServices/* |  |
+> | [Microsoft.StorageSync](../permissions/storage.md#microsoftstoragesync)/operations/read | Returns the status of Storage Sync operations |
+> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/AlertRules/* | Create and manage a classic metric alert |
+> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment |
+> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups |
+> | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket |
+> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/write | Create and update role assignments |
+> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/read | Read role assignments |
+> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account |
+> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/read | List file services |
+> | [Microsoft.Storage](../permissions/storage.md#microsoftstorage)/storageAccounts/fileServices/shares/read | Get file share |
+> | **NotActions** |  |
+> | *none* |  |
+> | **DataActions** |  |
+> | *none* |  |
+> | **NotDataActions** |  |
+> | *none* |  |
+```json
+{
+  "assignableScopes": [
+    "/"
+  ],
+  "description": "This role provides full access to manage all Azure File Sync (Storage Sync Service) resources, including the ability to assign roles in Azure RBAC.",
+  "id": "/providers/Microsoft.Authorization/roleDefinitions/92b92042-07d9-4307-87f7-36a593fc5850",
+  "name": "92b92042-07d9-4307-87f7-36a593fc5850",
+  "permissions": [
+    {
+      "actions": [
+        "Microsoft.StorageSync/register/action",
+        "Microsoft.StorageSync/unregister/action",
+        "Microsoft.StorageSync/locations/*",
+        "Microsoft.StorageSync/deployments/preflight/action",
+        "Microsoft.StorageSync/storageSyncServices/*",
+        "Microsoft.StorageSync/operations/read",
+        "Microsoft.Insights/AlertRules/*",
+        "Microsoft.Resources/deployments/*",
+        "Microsoft.Resources/subscriptions/resourceGroups/read",
+        "Microsoft.Support/*",
+        "Microsoft.Authorization/roleAssignments/write",
+        "Microsoft.Authorization/roleAssignments/read",
+        "Microsoft.Storage/storageAccounts/read",
+        "Microsoft.Storage/storageAccounts/fileServices/read",
+        "Microsoft.Storage/storageAccounts/fileServices/shares/read"
+      ],
+      "notActions": [],
+      "dataActions": [],
+      "notDataActions": []
+    }
+  ],
+  "roleName": "Azure File Sync Administrator",
+  "roleType": "BuiltInRole",
+  "type": "Microsoft.Authorization/roleDefinitions"
+}
+```
+## Azure File Sync Reader
+
+This role provides read access to Azure File Sync service (Storage Sync Service).
+
+[Learn more](/azure/storage/file-sync/file-sync-deployment-guide)
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | --- | --- |
+> | [Microsoft.StorageSync](../permissions/storage.md#microsoftstoragesync)/*/read |  |
+> | **NotActions** |  |
+> | *none* |  |
+> | **DataActions** |  |
+> | *none* |  |
+> | **NotDataActions** |  |
+> | *none* |  |
+```json
+{
+  "assignableScopes": [
+    "/"
+  ],
+  "description": "This role provides full access to manage all Azure File Sync (Storage Sync Service) resources, including the ability to assign roles in Azure RBAC.",
+  "id": "/providers/Microsoft.Authorization/roleDefinitions/754c1a27-40dc-4708-8ad4-2bffdeee09e8",
+  "name": "754c1a27-40dc-4708-8ad4-2bffdeee09e8",
+  "permissions": [
+    {
+      "actions": [
+        "Microsoft.StorageSync/*/read"
+      ],
+      "notActions": [],
+      "dataActions": [],
+      "notDataActions": []
+    }
+  ],
+  "roleName": "Azure File Sync Reader",
+  "roleType": "BuiltInRole",
+  "type": "Microsoft.Authorization/roleDefinitions"
+}
+```
 ## Backup Contributor
 
 Lets you manage backup service, but can't create vaults and give access to others
@@ -2366,4 +2471,4 @@ Allows for read access to Azure Storage tables and entities
 
 ## Next steps
 
-- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal)
+- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal)

articles/storage/file-sync/file-sync-deployment-guide.md

@@ -356,7 +356,7 @@ Registering your Windows Server with a Storage Sync Service establishes a trust
 > [!NOTE]
 > Server registration uses your Azure credentials to create a trust relationship between the Storage Sync Service and your Windows Server. Subsequently, the server creates and uses its own identity that is valid as long as the server stays registered and the current Shared Access Signature (SAS) token is valid. A new SAS token can't be issued to the server once the server is unregistered, thus removing the server's ability to access your Azure file shares, stopping any sync.
 
-The administrator registering the server must be a member of the management roles **Owner** or **Contributor** for the given Storage Sync Service. This can be configured under **Access Control (IAM)** in the Azure portal for the Storage Sync Service.
+The administrator registering the server must be a member of the management roles **Azure File Sync Administrator**, **Owner** or **Contributor** for the given Storage Sync Service. This can be configured under **Access Control (IAM)** in the Azure portal for the Storage Sync Service.
 
 It's also possible to differentiate administrators able to register servers from those allowed to also configure sync in a Storage Sync Service. To do this, you must create a custom role where you list the administrators that are only allowed to register servers and give your custom role the following permissions:
 
@@ -408,7 +408,7 @@ A cloud endpoint is a pointer to an Azure file share. All server endpoints will
 > [!IMPORTANT]
 > You can make changes to any cloud endpoint or server endpoint in the sync group and have your files synced to the other endpoints in the sync group. If you make a change to the cloud endpoint (Azure file share) directly, changes first need to be discovered by an Azure File Sync change detection job. A change detection job is initiated for a cloud endpoint only once every 24 hours. For more information, see [Azure Files frequently asked questions](../files/storage-files-faq.md?toc=/azure/storage/filesync/toc.json#afs-change-detection).
 
-The administrator creating the cloud endpoint must be a member of the management role **Owner** for the storage account that contains the Azure file share the cloud endpoint is pointing to. Configure this under **Access Control (IAM)** in the Azure portal for the storage account.
+The administrator creating the cloud endpoint must be a member of the management role **Azure File Sync Administrator** or **Owner** for the storage account that contains the Azure file share the cloud endpoint is pointing to. Configure this under **Access Control (IAM)** in the Azure portal for the storage account.
 
 # [Portal](#tab/azure-portal)
 

articles/storage/file-sync/file-sync-managed-identities.md

@@ -25,12 +25,12 @@ To configure your Azure File Sync deployment to utilize system-assigned managed
 # [Portal](#tab/azure-portal) 
 - **Azure File Sync agent version 20.0.0.0 or later** must be installed on the registered server. 
 
-- On your **storage accounts** used by Azure File Sync, you must be a **member of the Owner management role** or have `Microsoft.Authorization/roleassignments/write` permissions. 
+- On your **storage accounts** used by Azure File Sync, you must be a **member of the Azure File Sync Administrator or Owner management role** or have “Microsoft.Authorization/roleassignments/write” permissions. 
 
 # [PowerShell](#tab/azure-powershell) 
 - **Azure File Sync agent version 20.0.0.0 or later** must be installed on the registered server. 
 
-- On your **storage accounts** used by Azure File Sync, you must be a **member of the Owner management role** or have `Microsoft.Authorization/roleassignments/write` permissions. 
+- On your **storage accounts** used by Azure File Sync, you must be a **member of the Azure File Sync Administrator or Owner management role** or have “Microsoft.Authorization/roleassignments/write” permissions.