MicrosoftDocs
diff --git a/‎articles/role-based-access-control/built-in-roles.md
Lines changed: 107 additions & 1 deletion b/‎articles/role-based-access-control/built-in-roles.md
Lines changed: 107 additions & 1 deletion
diff --git a/‎articles/role-based-access-control/includes/resource-provider-operations/integration.md
Lines changed: 79 additions & 0 deletions b/‎articles/role-based-access-control/includes/resource-provider-operations/integration.md
Lines changed: 79 additions & 0 deletions
@@ -8,7 +8,7 @@ ms.workload: identity
 author: rolyon
 manager: amycolannino
 ms.author: rolyon
-ms.date: 01/30/2024
+ms.date: 02/07/2024
 ms.custom: generated
 ---
 
@@ -248,6 +248,7 @@ The following table provides a brief description of each built-in role. Click th
 > | [Attestation Contributor](#attestation-contributor) | Can read write or delete the attestation provider instance | bbf86eb8-f7b4-4cce-96e4-18cddf81d86e |
 > | [Attestation Reader](#attestation-reader) | Can read the attestation provider properties | fd1bd22b-8476-40bc-a0bc-69b95687b9f3 |
 > | [Key Vault Administrator](#key-vault-administrator) | Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. | 00482a5a-887f-4fb3-b363-3b7fe8e74483 |
+> | [Key Vault Certificate User](#key-vault-certificate-user) | Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | db79e9a7-68ee-4b58-9aeb-b90e7c24fcba |
 > | [Key Vault Certificates Officer](#key-vault-certificates-officer) | Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | a4417e6f-fecd-4de8-b567-7b0420556985 |
 > | [Key Vault Contributor](#key-vault-contributor) | Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates. | f25e0fa2-a7c8-4377-a976-54943a77a395 |
 > | [Key Vault Crypto Officer](#key-vault-crypto-officer) | Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | 14b46e9e-c2b7-41b4-b07b-48a6ebf60603 |
@@ -304,6 +305,7 @@ The following table provides a brief description of each built-in role. Click th
 > | [Cost Management Contributor](#cost-management-contributor) | Can view costs and manage cost configuration (e.g. budgets, exports) | 434105ed-43f6-45c7-a02f-909b2ba83430 |
 > | [Cost Management Reader](#cost-management-reader) | Can view cost data and configuration (e.g. budgets, exports) | 72fafb9e-0641-4937-9268-a91bfd8191a3 |
 > | [Hierarchy Settings Administrator](#hierarchy-settings-administrator) | Allows users to edit and delete Hierarchy Settings | 350f8d15-c687-4448-8ae1-157740a3936d |
+> | [Kubernetes Agentless Operator](#kubernetes-agentless-operator) | Grants Microsoft Defender for Cloud access to Azure Kubernetes Services | d5a2ae44-610b-4500-93be-660a0c5f5ca6 |
 > | [Kubernetes Cluster - Azure Arc Onboarding](#kubernetes-cluster---azure-arc-onboarding) | Role definition to authorize any user/service to create connectedClusters resource | 34e09817-6cbe-4d01-b1a2-e0eac5743d41 |
 > | [Kubernetes Extension Contributor](#kubernetes-extension-contributor) | Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations | 85cb6faf-e071-4c9b-8136-154b5a04f717 |
 > | [Managed Application Contributor Role](#managed-application-contributor-role) | Allows for creating managed application resources. | 641177b8-a67a-45b9-a033-47bc880bb21e |
@@ -12955,6 +12957,53 @@ Perform all data plane operations on a key vault and all objects in it, includin
 }
 ```
 
+### Key Vault Certificate User
+
+Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model.
+
+[Learn more](/azure/key-vault/general/rbac-guide)
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | --- | --- |
+> | *none* |  |
+> | **NotActions** |  |
+> | *none* |  |
+> | **DataActions** |  |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/certificates/read | List certificates in a specified key vault, or get information about a certificate. |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/secrets/getSecret/action | Gets the value of a secret. |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/secrets/readMetadata/action | List or view the properties of a secret, but not its value. |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/read | List keys in the specified vault, or read properties and public material of a key. For asymmetric keys, this operation exposes public key and includes ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed. |
+> | **NotDataActions** |  |
+> | *none* |  |
+
+```json
+{
+  "assignableScopes": [
+    "/"
+  ],
+  "description": "Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model.",
+  "id": "/providers/Microsoft.Authorization/roleDefinitions/db79e9a7-68ee-4b58-9aeb-b90e7c24fcba",
+  "name": "db79e9a7-68ee-4b58-9aeb-b90e7c24fcba",
+  "permissions": [
+    {
+      "actions": [],
+      "notActions": [],
+      "dataActions": [
+        "Microsoft.KeyVault/vaults/certificates/read",
+        "Microsoft.KeyVault/vaults/secrets/getSecret/action",
+        "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
+        "Microsoft.KeyVault/vaults/keys/read"
+      ],
+      "notDataActions": []
+    }
+  ],
+  "roleName": "Key Vault Certificate User",
+  "roleType": "BuiltInRole",
+  "type": "Microsoft.Authorization/roleDefinitions"
+}
+```
+
 ### Key Vault Certificates Officer
 
 Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.
@@ -13840,6 +13889,7 @@ Microsoft Sentinel Responder
 > | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/automationRules/* |  |
 > | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/cases/* |  |
 > | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/incidents/* |  |
+> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/entities/runPlaybook/action | Run playbook on entity |
 > | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/indicators/appendTags/action | Append tags to Threat Intelligence Indicator |
 > | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/indicators/query/action | Query Threat Intelligence Indicators |
 > | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/bulkTag/action | Bulk Tags Threat Intelligence |
@@ -13888,6 +13938,7 @@ Microsoft Sentinel Responder
         "Microsoft.SecurityInsights/automationRules/*",
         "Microsoft.SecurityInsights/cases/*",
         "Microsoft.SecurityInsights/incidents/*",
+        "Microsoft.SecurityInsights/entities/runPlaybook/action",
         "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
         "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
         "Microsoft.SecurityInsights/threatIntelligence/bulkTag/action",
@@ -16435,6 +16486,61 @@ Allows users to edit and delete Hierarchy Settings
 }
 ```
 
+### Kubernetes Agentless Operator
+
+Grants Microsoft Defender for Cloud access to Azure Kubernetes Services
+
+[Learn more](/azure/defender-for-cloud/defender-for-containers-architecture)
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | --- | --- |
+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/trustedAccessRoleBindings/write | Create or update trusted access role bindings for managed cluster |
+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/trustedAccessRoleBindings/read | Get trusted access role bindings for managed cluster |
+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/trustedAccessRoleBindings/delete | Delete trusted access role bindings for managed cluster |
+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/read | Get a managed cluster |
+> | [Microsoft.Features](resource-provider-operations.md#microsoftfeatures)/features/read | Gets the features of a subscription. |
+> | [Microsoft.Features](resource-provider-operations.md#microsoftfeatures)/providers/features/read | Gets the feature of a subscription in a given resource provider. |
+> | [Microsoft.Features](resource-provider-operations.md#microsoftfeatures)/providers/features/register/action | Registers the feature for a subscription in a given resource provider. |
+> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/pricings/securityoperators/read | Gets the security operators for the scope |
+> | **NotActions** |  |
+> | *none* |  |
+> | **DataActions** |  |
+> | *none* |  |
+> | **NotDataActions** |  |
+> | *none* |  |
+
+```json
+{
+  "assignableScopes": [
+    "/"
+  ],
+  "description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
+  "id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
+  "name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
+  "permissions": [
+    {
+      "actions": [
+        "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
+        "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
+        "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
+        "Microsoft.ContainerService/managedClusters/read",
+        "Microsoft.Features/features/read",
+        "Microsoft.Features/providers/features/read",
+        "Microsoft.Features/providers/features/register/action",
+        "Microsoft.Security/pricings/securityoperators/read"
+      ],
+      "notActions": [],
+      "dataActions": [],
+      "notDataActions": []
+    }
+  ],
+  "roleName": "Kubernetes Agentless Operator",
+  "roleType": "BuiltInRole",
+  "type": "Microsoft.Authorization/roleDefinitions"
+}
+```
+
 ### Kubernetes Cluster - Azure Arc Onboarding
 
 Role definition to authorize any user/service to create connectedClusters resource
 
@@ -541,6 +541,85 @@ Azure service: core
 > | Microsoft.AppConfiguration/configurationStores/snapshots/write | Creates or updates a snapshot in the configuration store. |
 > | Microsoft.AppConfiguration/configurationStores/snapshots/archive/action | Modifies archival state for an existing snapshot in the configuration store. |
 
+### Microsoft.AVS
+
+Azure service: [Azure VMware Solution](/azure/azure-vmware/introduction)
+
+> [!div class="mx-tableFixed"]
+> | Action | Description |
+> | --- | --- |
+> | Microsoft.AVS/register/action | Register Subscription for Microsoft.AVS resource provider. |
+> | Microsoft.AVS/unregister/action | Unregister Subscription for Microsoft.AVS resource provider. |
+> | Microsoft.AVS/checkNameAvailability/read | Checks if the privateCloud Name is available |
+> | Microsoft.AVS/locations/checkNameAvailability/read | Checks if the privateCloud Name is available |
+> | Microsoft.AVS/locations/checkQuotaAvailability/read | Checks if quota is available for the subscription |
+> | Microsoft.AVS/locations/checkTrialAvailability/read | Checks if trial is available for the subscription |
+> | Microsoft.AVS/operations/read | Lists operations available on Microsoft.AVS resource provider. |
+> | Microsoft.AVS/privateClouds/register/action | Registers the Microsoft Microsoft.AVS resource provider and enables creation of Private Clouds. |
+> | Microsoft.AVS/privateClouds/write | Creates or updates a PrivateCloud resource. |
+> | Microsoft.AVS/privateClouds/read | Gets the settings for the specified PrivateCloud. |
+> | Microsoft.AVS/privateClouds/delete | Delete a specific PrivateCloud. |
+> | Microsoft.AVS/privateClouds/addOns/read | Read addOns. |
+> | Microsoft.AVS/privateClouds/addOns/write | Write addOns. |
+> | Microsoft.AVS/privateClouds/addOns/delete | Delete addOns. |
+> | Microsoft.AVS/privateClouds/addOns/operationStatuses/read | Read addOns operationStatuses. |
+> | Microsoft.AVS/privateClouds/authorizations/read | Gets the authorization settings for a PrivateCloud cluster. |
+> | Microsoft.AVS/privateClouds/authorizations/write | Create or update a PrivateCloud authorization resource. |
+> | Microsoft.AVS/privateClouds/authorizations/delete | Delete a specific PrivateCloud authorization. |
+> | Microsoft.AVS/privateClouds/clusters/read | Gets the cluster settings for a PrivateCloud cluster. |
+> | Microsoft.AVS/privateClouds/clusters/write | Create or update a PrivateCloud cluster resource. |
+> | Microsoft.AVS/privateClouds/clusters/delete | Delete a specific PrivateCloud cluster. |
+> | Microsoft.AVS/privateClouds/clusters/datastores/read | Get the datastore properties in a private cloud cluster. |
+> | Microsoft.AVS/privateClouds/clusters/datastores/write | Create or update datastore in private cloud cluster. |
+> | Microsoft.AVS/privateClouds/clusters/datastores/delete | Delete datastore in private cloud cluster. |
+> | Microsoft.AVS/privateclouds/clusters/datastores/operationresults/read | Read privateClouds/clusters/datastores operationresults. |
+> | Microsoft.AVS/privateClouds/clusters/datastores/operationstatuses/read | Read privateClouds/clusters/datastores operationstatuses. |
+> | Microsoft.AVS/privateclouds/clusters/operationresults/read | Reads privateClouds/clusters operationresults. |
+> | Microsoft.AVS/privateClouds/clusters/operationstatuses/read | Reads privateClouds/clusters operationstatuses. |
+> | Microsoft.AVS/privateClouds/globalReachConnections/delete | Delete globalReachConnections. |
+> | Microsoft.AVS/privateClouds/globalReachConnections/write | Write globalReachConnections. |
+> | Microsoft.AVS/privateClouds/globalReachConnections/read | Read globalReachConnections. |
+> | Microsoft.AVS/privateClouds/globalReachConnections/operationStatuses/read | Read globalReachConnections operationStatuses. |
+> | Microsoft.AVS/privateClouds/hcxEnterpriseSites/read | Gets the hcxEnterpriseSites for a PrivateCloud. |
+> | Microsoft.AVS/privateClouds/hcxEnterpriseSites/write | Create or update a hcxEnterpriseSites. |
+> | Microsoft.AVS/privateClouds/hcxEnterpriseSites/delete | Delete a specific hcxEnterpriseSites. |
+> | Microsoft.AVS/privateClouds/hostInstances/read | Gets the hostInstances for a PrivateCloud. |
+> | Microsoft.AVS/privateClouds/hostInstances/write | Create or update a hostInstances. |
+> | Microsoft.AVS/privateClouds/hostInstances/delete | Delete a specific hostInstances. |
+> | Microsoft.AVS/privateClouds/operationresults/read | Reads privateClouds operationresults. |
+> | Microsoft.AVS/privateClouds/operationstatuses/read | Reads privateClouds operationstatuses. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/dhcpConfigurations/delete | Delete dhcpConfigurations. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/dhcpConfigurations/write | Write dhcpConfigurations. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/dhcpConfigurations/read | Read dhcpConfigurations. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/dhcpConfigurations/operationStatuses/read | Read dhcpConfigurations operationStatuses. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/dnsServices/delete | Delete dnsServices. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/dnsServices/write | Write dnsServices. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/dnsServices/read | Read dnsServices. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/dnsServices/operationStatuses/read | Read dnsServices operationStatuses. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/dnsZones/delete | Delete dnsZones. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/dnsZones/write | Write dnsZones. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/dnsZones/read | Read dnsZones. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/dnsZones/operationStatuses/read | Read dnsZones operationStatuses. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/gateways/read | Read gateways. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/portMirroringProfiles/delete | Delete portMirroringProfiles. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/portMirroringProfiles/write | Write portMirroringProfiles. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/portMirroringProfiles/read | Read portMirroringProfiles. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/portMirroringProfiles/operationStatuses/read | Read portMirroringProfiles operationStatuses. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/segments/delete | Delete segments. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/segments/write | Write segments. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/segments/read | Read segments. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/segments/operationStatuses/read | Read segments operationStatuses. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/virtualMachines/read | Read virtualMachines. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/vmGroups/delete | Delete vmGroups. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/vmGroups/write | Write vmGroups. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/vmGroups/read | Read vmGroups. |
+> | Microsoft.AVS/privateClouds/workloadNetworks/vmGroups/operationStatuses/read | Read vmGroups operationStatuses. |
+> | **DataAction** | **Description** |
+> | Microsoft.AVS/privateClouds/listAdminCredentials/action | Lists the AdminCredentials for privateClouds. |
+> | Microsoft.AVS/privateClouds/rotateVcenterPassword/action | Rotate Vcenter password for the PrivateCloud. |
+> | Microsoft.AVS/privateClouds/rotateNsxtPassword/action | Rotate Nsxt CloudAdmin password for the PrivateCloud. |
+> | Microsoft.AVS/privateClouds/rotateNsxtCloudAdminPassword/action | Rotate Nsxt CloudAdmin password for the PrivateCloud. |
+
 ### Microsoft.AzureStack
 
 Azure service: [Azure Stack](/azure-stack/)