Onboarding Permissions for Azure - Read-Write
Introduction
As part of the Azure account preparation required before onboarding cloud accounts into the platform, you will need to create least privilege policies— individual policies that must be attached to your cross-account role that allow the platform to access the Azure data it needs in order to create its reports.
Least Privilege Polices by Product (Read-Write)
Each least privilege policy provides the necessary permissions to enable core functions in the platform. The policies for enabling Read-Write access to the platform are listed below organized by product and platform capability:
FinOps
Capability | Description | Least Privilege Permissions | Subscription Level Access | Reservations |
---|---|---|---|---|
Cost Visibility and Usage | Enabling these permissions allows the platform to fetch cost data from Azure and display it for Cost Posture, which provides visibility into cloud costs across all your cloud accounts. | Microsoft.Authorization Microsoft.Billing Microsoft.Commerce Microsoft.Consumption Microsoft.CostManagement Microsoft.Support Microsoft.Insights Microsoft.Management | Contributor and Resource Policy Contributor | Reservation Reader |
Cost Optimization Dashboard | These permissions allow the monitoring of utilization data resources and the reclaiming of native recommendations from Azure, which enables the platform to help users achieve potential cost savings through FinOps policies. | Microsoft.Authorization Microsoft.Billing Microsoft.Commerce Microsoft.Consumption Microsoft.CostManagement Microsoft.Support Microsoft.Insights Microsoft.Management | Contributor and Resource Policy Contributor | Reservation Reader |
Resource Inventory | Enabling these permissions allows the platform to pull resources from Azure in order to provide cost recommendations through FinOps policies. | Microsoft.Authorization Microsoft.Automation Microsoft.Compute Microsoft.Devices Microsoft.Insights Microsoft.Network Microsoft.Resources Microsoft.HybridCompute Microsoft.Sql Microsoft.SqlVirtualMachine Microsoft.Storage Microsoft.Web Microsoft.RecoveryServices Microsoft.CognitiveServices Microsoft.ContainerRegistry Microsoft.ContainerInstance Microsoft.ContainerService Microsoft.Databricks Microsoft.DataFactory Microsoft.DBforPostgreSQL Microsoft.DBforMySQL Microsoft.DBforMariaDB Microsoft.KeyVault Microsoft.Kubernetes Microsoft.ServiceBus Microsoft.Synapse | Contributor and Resource Policy Contributor | Reservation Reader |
Cost Budget | These permissions help to display cloud-native budgets in the CoreStack portal. | Microsoft.Authorization Microsoft.Billing Microsoft.Commerce Microsoft.Consumption Microsoft.CostManagement Microsoft.Support Microsoft.Insights Microsoft.Management | Contributor and Resource Policy Contributor | Reservation Reader |
SecOps
Capability | Description | Least Privilege Permissions | Subscription Level Access | Reservations |
---|---|---|---|---|
Security and Compliance > Threat Management | Enabling these permissions is required for the platform to be able to fetch threat management information. | Microsoft.Authorization Microsoft.Billing Microsoft.Commerce Microsoft.Compute Microsoft.Insights Microsoft.Network Microsoft.PolicyInsights Microsoft.Security | Contributor and Resource Policy Contributor | Reservation Reader |
Vulnerability Assessments | Enabling these permissions is required for the platform to be able to fetch Vulnerability Assessment information. | Microsoft.security | Contributor and Resource Policy Contributor | Reservation Reader |
CloudOps
Capability | Description | Least Privilege Permissions | Subscription Level Access | Reservations |
---|---|---|---|---|
Activity and Alerts: Governance Configuration > Operations | For configuring activity logs and alerts, write permission is required. | Microsoft.Authorization Microsoft.Insights | Contributor and Resource Policy Contributor | Reservation Reader |
Resource Inventory | Enabling these permissions allows the platform to retrieve resource inventory details needed for read and write activities. | Microsoft.Authorization Microsoft.Automation Microsoft.Compute Microsoft.Devices Microsoft.Insights Microsoft.Network Microsoft.Resources Microsoft.HybridCompute Microsoft.Sql Microsoft.SqlVirtualMachine Microsoft.Storage Microsoft.Web Microsoft.RecoveryServices Microsoft.CognitiveServices Microsoft.ContainerRegistry Microsoft.ContainerInstance Microsoft.ContainerService Microsoft.Databricks Microsoft.DataFactory Microsoft.DBforPostgreSQL Microsoft.DBforMySQL Microsoft.DBforMariaDB Microsoft.KeyVault Microsoft.Kubernetes Microsoft.ServiceBus Microsoft.Synapse | Contributor and Resource Policy Contributor | Reservation Reader |
Resource Provider Glossary
The following table is available for your reference, and lists the resource providers featured in the above sections, along with descriptions of why their permissions need to be enabled.
Resource Provider Name | CS Action | Description |
---|---|---|
Microsoft.Authorization | Fetch details for Azure Policy, Azure RBAC, and Azure Resource Manager. | Reads the administrators for the subscription. Does not have an effect if used as a NotAction in a custom role, etc. |
Microsoft.Billing | Fetch the cost details and Cost Management + Billing. | Lists the tenants that can collaborate with the billing account on commerce activities like viewing and downloading invoices, managing payments, making purchases, and managing licenses. |
Microsoft.Commerce | Fetch the consumption and core details. | Retrieves Microsoft Azure's consumption by a subscription. The result contains aggregates usage data, subscription and resource related information, on a particular time range. |
Microsoft.Consumption | Fetch the usage details and Cost Management. | Lists the utilization summary for a billing period for a management group and lists all supported operations by the Microsoft.Consumption resource provider. |
Microsoft.CostManagement | Fetch the Cost Management information. | Register actions for the scope of Microsoft.CostManagement by a subscription, etc. |
Microsoft.Management | Fetch Management Groups in the tenant. | Checks if the specified management group name is valid and unique and lists all entities (Management Groups, Subscriptions, etc.) for the authenticated user etc. |
Microsoft.Support | Fetch core and list all operations that are available. | Lists all operations available on the Microsoft.Support resource provider. Checks that the name is valid and not in use for resource type, etc. |
Microsoft.Automation | For all Azure Automation services. | Registers the subscription to Azure Automation, etc. |
Microsoft.Compute | For Virtual Machines and Virtual Machine Scale Sets. | Registers Subscription with the Microsoft.Compute resource provider and lists available sizes for creating or updating a virtual machine in the availability set. |
Microsoft.Insights | Fetch Azure Monitor and alerts. | Metric Action, register the Microsoft Insights provider and read an activity log alert, etc. |
Microsoft.Network | For Application Gateway, Azure Bastion, Azure DDoS Protection, Azure DNS, Azure ExpressRoute, Azure Firewall, Azure Front Door Service, Azure Private Link, Load Balancer, Network Watcher, Traffic Manager, Virtual Network, Virtual WAN, and VPN Gateway. | Registers the subscription. Checks the availability of a Traffic Manager Relative DNS name, etc. |
Microsoft.Devices | For IoT Hub and the IoT Hub Device Provisioning Service. | Register the subscription for the IotHub resource provider and enables the creation of IotHub resources, etc. |
Microsoft.Resources | For Azure Resource Manager. | Check the resource name for validity and calculate the hash of the provided template. |
Microsoft.HybridCompute | Fetch all Azure Arc related resources. | Registers the subscription for the Microsoft.HybridCompute Resource Provider, etc. |
Microsoft.PolicyInsights | For Azure Policy and enabling actions. | Registers the Microsoft Policy Insights resource provider and enables actions on it, etc. |
Microsoft.Security | For Security Center, Threats. | Registers the subscription for Azure Security Center and gets Adaptive Network Hardening recommendations for an Azure protected resource. |
Microsoft.Resources | Fetch all Azure Resource Manager resources. | Check the resource name for validity and calculate the hash of the provided template. |
Microsoft.Sql | For Azure SQL Database, SQL Managed Instance, and Synapse Analytics. | Verify whether a given server name is available for provisioning worldwide for a given subscription, registers the subscription for the Microsoft SQL Database resource provider, and enables the creation of Microsoft SQL Databases. |
Microsoft.SqlVirtualMachine | Fetch SQL Server on Azure Virtual Machine resources. | Register subscription with the Microsoft.SqlVirtualMachine resource provider and register the SQL VM Candidate. |
Microsoft.Storage | Fetch Azure Storage accounts, blob containers, etc. | Registers the subscription for the storage resource provider and enables the creation of storage accounts. Checks that the account name is valid and is not in use. |
Microsoft.Web | Fetch Azure App Service, Functions, and web apps. | Unregisters the Microsoft.Web resource provider for the subscription and validates. |
Microsoft.RecoveryServices | Fetch Azure Site Recovery. | Registers subscription for a given Resource Provider and unregisters the subscription for a given Resource Provider. |
Microsoft.CognitiveServices | Fetch Azure Cognitive Services. | Subscription Registration Action and registers the subscription for Cognitive Services. |
Microsoft.ContainerRegistry | Fetch Azure Container Registry. | Registers the subscription for the container registry resource provider and enables the creation of container registries. |
Microsoft.ContainerInstance | Fetch Azure Container Instances. | Registers the subscription for the container instance resource provider and enables the creation of container groups. |
Microsoft.ContainerService | Fetch Azure Kubernetes Service (AKS). | Registers the subscription with the Microsoft.ContainerService resource provider. |
Microsoft.Databricks | Fetch Azure Databricks. | Registers to Databricks and retrieves a list of Azure Databricks Access Connectors. |
Microsoft.DataFactory | Fetch Azure Data Factory. | Registers the subscription for the Data Factory Resource Provider and checks if the Data Factory Name is available to use. |
Microsoft.DBforPostgreSQL | Fetch Azure Database for PostgreSQL. | Performs a migration assessment with the specified parameters and determines if the user is allowed to approve a private endpoint connection. |
Microsoft.DBforMySQL | Fetch Azure Database for MySQL. | Determines if the user is allowed to approve a private endpoint connection and verifies whether a given server name is available for provisioning worldwide for a given subscription. |
Microsoft.DBforMariaDB | Fetch Azure Database for MariaDB. | Registers the MariaDB Resource Provider and determines if the user is allowed to approve a private endpoint connection. |
Microsoft.KeyVault | Fetch Azure Key Vault. | Registers a subscription and checks that a key vault name is valid and not in use. |
Microsoft.Kubernetes | Fetch Azure Arc-enabled Kubernetes. | Registers a subscription with the Microsoft.Kubernetes resource provider and unregisters the subscription with the Microsoft.Kubernetes resource provider. |
Microsoft.ServiceBus | Fetch Azure Service Bus | Registers the subscription for the ServiceBus resource provider and enables the creation of ServiceBus resources. Checks availability of namespace under a given subscription. |
Microsoft.Synapse | Fetch Azure Synapse Analytics. | Registers the Azure Synapse Analytics (workspaces) Resource Provider and enables the creation of Workspaces. Checks resource name availability. |
Updated 4 months ago