Onboarding Permissions for Azure - Assessment + Governance

Introduction

As part of the Azure account preparation required before onboarding cloud accounts into CoreStack, you will need to grant least-privilege permissions to the identity that CoreStack authenticates with in your tenant. These permissions are Azure role assignments that allow CoreStack to read the Azure data it needs in order to build its reports (Azure does not use cross-account roles; access is granted by assigning roles to a principal at a scope such as a subscription).

Each set of permissions enables a core function in the CoreStack application. They are listed below, organized by product bundle. In each table, the "Least Privilege Permissions" column lists the resource provider namespaces CoreStack calls, and the "Subscription Level Access" and "Reservations" columns list the built-in Azure roles that must be assigned. Note that Contributor is a broad built-in role: it can create and manage all resource types (it cannot assign Azure RBAC roles), so the provider lists are the record of what CoreStack actually touches, and the assignments should be made at the subscription scope the tables call for and nowhere wider.

FinOps

| Capability | Description | Least Privilege Permissions (resource providers) | Subscription Level Access | Reservations |
|---|---|---|---|---|
| Cost Visibility and Usage | Enabling these permissions allows CoreStack to fetch cost data from Azure and display it in Cost Posture, which provides visibility into cloud costs across all your cloud accounts. | Microsoft.Authorization, Microsoft.Billing, Microsoft.Commerce, Microsoft.Consumption, Microsoft.CostManagement, Microsoft.Support, Microsoft.Insights, Microsoft.Management | Contributor and Resource Policy Contributor | Reservation Reader |
| Cost Optimization Dashboard | These permissions allow CoreStack to monitor resource utilization data and retrieve Azure's native recommendations, which lets CoreStack help users achieve potential cost savings through FinOps policies. | Microsoft.Authorization, Microsoft.Billing, Microsoft.Commerce, Microsoft.Consumption, Microsoft.CostManagement, Microsoft.Support, Microsoft.Insights, Microsoft.Management | Contributor and Resource Policy Contributor | Reservation Reader |
| Resource Inventory | Enabling these permissions allows CoreStack to pull resources from Azure in order to provide cost recommendations through FinOps policies. | Microsoft.Authorization, Microsoft.Automation, Microsoft.Compute, Microsoft.Devices, Microsoft.Insights, Microsoft.Network, Microsoft.Resources, Microsoft.HybridCompute, Microsoft.Sql, Microsoft.SqlVirtualMachine, Microsoft.Storage, Microsoft.Web, Microsoft.RecoveryServices, Microsoft.CognitiveServices, Microsoft.ContainerRegistry, Microsoft.ContainerInstance, Microsoft.ContainerService, Microsoft.Databricks, Microsoft.DataFactory, Microsoft.DBforPostgreSQL, Microsoft.DBforMySQL, Microsoft.DBforMariaDB, Microsoft.KeyVault, Microsoft.Kubernetes, Microsoft.ServiceBus, Microsoft.Synapse | Contributor and Resource Policy Contributor | Reservation Reader |
| Cost Budget | These permissions allow CoreStack to display cloud-native budgets in the CoreStack portal. | Microsoft.Authorization, Microsoft.Billing, Microsoft.Commerce, Microsoft.Consumption, Microsoft.CostManagement, Microsoft.Support, Microsoft.Insights, Microsoft.Management | Contributor and Resource Policy Contributor | Reservation Reader |

SecOps

| Capability | Description | Least Privilege Permissions (resource providers) | Subscription Level Access | Reservations |
|---|---|---|---|---|
| Security and Compliance > Threat Management | Enabling these permissions is required for CoreStack to fetch threat management information. | Microsoft.Authorization, Microsoft.Billing, Microsoft.Commerce, Microsoft.Compute, Microsoft.Insights, Microsoft.Network, Microsoft.PolicyInsights, Microsoft.Security | Contributor and Resource Policy Contributor | Reservation Reader |
| Vulnerability Assessments | Enabling these permissions is required for CoreStack to fetch Vulnerability Assessment information. | Microsoft.Security | Contributor and Resource Policy Contributor | Reservation Reader |

CloudOps

| Capability | Description | Least Privilege Permissions (resource providers) | Subscription Level Access | Reservations |
|---|---|---|---|---|
| Activity and Alerts: Governance Configuration > Operations | Configuring activity logs and alerts requires write permission on these providers, not just read. | Microsoft.Authorization, Microsoft.Insights | Contributor and Resource Policy Contributor | Reservation Reader |
| Resource Inventory | Enabling these permissions allows CoreStack to retrieve the resource inventory details needed for its read and write activities. | Microsoft.Authorization, Microsoft.Automation, Microsoft.Compute, Microsoft.Devices, Microsoft.Insights, Microsoft.Network, Microsoft.Resources, Microsoft.HybridCompute, Microsoft.Sql, Microsoft.SqlVirtualMachine, Microsoft.Storage, Microsoft.Web, Microsoft.RecoveryServices, Microsoft.CognitiveServices, Microsoft.ContainerRegistry, Microsoft.ContainerInstance, Microsoft.ContainerService, Microsoft.Databricks, Microsoft.DataFactory, Microsoft.DBforPostgreSQL, Microsoft.DBforMySQL, Microsoft.DBforMariaDB, Microsoft.KeyVault, Microsoft.Kubernetes, Microsoft.ServiceBus, Microsoft.Synapse | Contributor and Resource Policy Contributor | Reservation Reader |
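Before onboarding, it is worth verifying that every resource provider in the tables above is registered in the subscription and that the principal CoreStack uses actually holds the listed built-in roles at the right scope; a Contributor assignment on a single resource group, for example, does not satisfy a subscription-level requirement. The script below is an added example written for this page, not CoreStack's own tooling. It consumes the JSON produced by `az provider list --output json` and `az role assignment list --assignee <objectId> --scope /subscriptions/<id> --include-inherited --output json`, and prints the `az` commands that would close any gap. The subscription ID, object ID and provider/assignment JSON it ships with are constructed sample data; the `/providers/Microsoft.Capacity` scope used for the reservation role is an assumption, since the tables list that role under Reservations rather than under subscription-level access.

```python
"""Pre-onboarding check for the Azure permissions listed in the tables above.

Added example (not CoreStack tooling). Input is the JSON emitted by:
    az provider list --output json
    az role assignment list --assignee <objectId> \
        --scope /subscriptions/<id> --include-inherited --output json
Output: required providers that are not Registered, required built-in roles
the principal lacks, and the az commands that would fix both.
"""
import json
import sys

# Provider namespaces per bundle, copied from the tables above.
COST_PROVIDERS = [
    "Microsoft.Authorization", "Microsoft.Billing", "Microsoft.Commerce", "Microsoft.Consumption",
    "Microsoft.CostManagement", "Microsoft.Support", "Microsoft.Insights", "Microsoft.Management"]
INVENTORY_PROVIDERS = [
    "Microsoft.Authorization", "Microsoft.Automation", "Microsoft.Compute", "Microsoft.Devices",
    "Microsoft.Insights", "Microsoft.Network", "Microsoft.Resources", "Microsoft.HybridCompute",
    "Microsoft.Sql", "Microsoft.SqlVirtualMachine", "Microsoft.Storage", "Microsoft.Web",
    "Microsoft.RecoveryServices", "Microsoft.CognitiveServices", "Microsoft.ContainerRegistry",
    "Microsoft.ContainerInstance", "Microsoft.ContainerService", "Microsoft.Databricks",
    "Microsoft.DataFactory", "Microsoft.DBforPostgreSQL", "Microsoft.DBforMySQL",
    "Microsoft.DBforMariaDB", "Microsoft.KeyVault", "Microsoft.Kubernetes",
    "Microsoft.ServiceBus", "Microsoft.Synapse"]
BUNDLES = {
    "FinOps": COST_PROVIDERS + INVENTORY_PROVIDERS,
    "SecOps": ["Microsoft.Authorization", "Microsoft.Billing", "Microsoft.Commerce", "Microsoft.Compute",
               "Microsoft.Insights", "Microsoft.Network", "Microsoft.PolicyInsights", "Microsoft.Security"],
    "CloudOps": ["Microsoft.Authorization", "Microsoft.Insights"] + INVENTORY_PROVIDERS,
}
SUBSCRIPTION_ROLES = ["Contributor", "Resource Policy Contributor"]   # "Subscription Level Access" column
RESERVATION_ROLES = ["Reservation Reader"]                           # "Reservations" column
RESERVATION_SCOPE = "/providers/Microsoft.Capacity"                  # assumption: tenant-wide reservation scope


def required_providers(bundles):
    """Deduplicated provider namespaces for the selected bundles (case-insensitive dedupe)."""
    seen = {}
    for bundle in bundles:
        for ns in BUNDLES[bundle]:
            seen.setdefault(ns.lower(), ns)
    return sorted(seen.values())


def unregistered_providers(provider_list, bundles):
    """Required namespaces whose registrationState is anything other than Registered."""
    state = {p["namespace"].lower(): p.get("registrationState", "") for p in provider_list}
    return [ns for ns in required_providers(bundles) if state.get(ns.lower()) != "Registered"]


def _scope_covers(scope, subscription_id):
    """True if an assignment at `scope` applies to the subscription: the subscription itself,
    the tenant root '/', or a management group (inherited; --include-inherited lists only
    ancestors of the queried scope, which this check relies on)."""
    s = scope.lower()
    return (s == "/" or s == f"/subscriptions/{subscription_id}".lower()
            or s.startswith("/providers/microsoft.management/managementgroups/"))


def missing_roles(assignments, subscription_id):
    """Required roles the principal does not hold. Subscription roles must cover the
    subscription; the reservation role only has to be present at some scope."""
    at_sub = {a["roleDefinitionName"] for a in assignments if _scope_covers(a["scope"], subscription_id)}
    anywhere = {a["roleDefinitionName"] for a in assignments}
    return ([r for r in SUBSCRIPTION_ROLES if r not in at_sub]
            + [r for r in RESERVATION_ROLES if r not in anywhere])


def remediation_commands(unregistered, missing, subscription_id, object_id):
    """az commands an operator would run to close the reported gaps (nothing is executed here)."""
    cmds = [f"az provider register --namespace {ns}" for ns in unregistered]
    for role in missing:
        scope = f"/subscriptions/{subscription_id}" if role in SUBSCRIPTION_ROLES else RESERVATION_SCOPE
        cmds.append(f"az role assignment create --assignee-object-id {object_id} "
                    f'--assignee-principal-type ServicePrincipal --role "{role}" --scope {scope}')
    return cmds


def report(provider_list, assignments, bundles, subscription_id, object_id):
    """Return (unregistered_providers, missing_roles, remediation_commands)."""
    unreg = unregistered_providers(provider_list, bundles)
    miss = missing_roles(assignments, subscription_id)
    return unreg, miss, remediation_commands(unreg, miss, subscription_id, object_id)


# Constructed sample data, not real tenant output: Microsoft.PolicyInsights is NotRegistered,
# Microsoft.Security is absent, and the principal lacks Resource Policy Contributor.
SAMPLE_SUB = "00000000-0000-0000-0000-000000000000"
SAMPLE_OBJECT_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_PROVIDERS = [{"namespace": ns, "registrationState": "Registered"} for ns in (
    "Microsoft.Authorization", "Microsoft.Billing", "Microsoft.Commerce",
    "Microsoft.Compute", "Microsoft.Insights", "Microsoft.Network")]
SAMPLE_PROVIDERS.append({"namespace": "Microsoft.PolicyInsights", "registrationState": "NotRegistered"})
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SAMPLE_SUB}", "principalId": SAMPLE_OBJECT_ID},
    {"roleDefinitionName": "Reservation Reader", "scope": RESERVATION_SCOPE, "principalId": SAMPLE_OBJECT_ID},
]

if __name__ == "__main__":
    # Usage: python check.py providers.json assignments.json <subscriptionId> <objectId> SecOps [FinOps ...]
    if len(sys.argv) >= 6:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            provs, asg = json.load(f), json.load(g)
        sub, oid, bundles = sys.argv[3], sys.argv[4], sys.argv[5:]
    else:
        provs, asg, sub, oid, bundles = SAMPLE_PROVIDERS, SAMPLE_ASSIGNMENTS, SAMPLE_SUB, SAMPLE_OBJECT_ID, ["SecOps"]
    unreg, miss, cmds = report(provs, asg, bundles, sub, oid)
    print("Unregistered providers:", unreg)
    print("Missing roles:", miss)
    print("\n".join(cmds))
```

Run without arguments to see the sample report; with the four arguments plus bundle names it checks captured output from your own tenant. Role names are compared exactly as they appear in the tables and in `az role assignment list` output, so adjust the constants if your tenant reports a differently spelled built-in role.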

Resource Provider Glossary

The following table is provided for reference. It lists the resource providers featured in the sections above, what CoreStack uses each one for, and representative operations exposed under that provider namespace.

| Resource Provider Name | CS Action | Description |
|---|---|---|
| Microsoft.Authorization | Fetch details for Azure Policy, Azure RBAC, and Azure Resource Manager. | Reads the administrators for the subscription. Has no effect if used as a NotAction in a custom role, etc. |
| Microsoft.Billing | Fetch the cost details and Cost Management + Billing. | Lists the tenants that can collaborate with the billing account on commerce activities such as viewing and downloading invoices, managing payments, making purchases, and managing licenses. |
| Microsoft.Commerce | Fetch the consumption and core details. | Retrieves Microsoft Azure consumption for a subscription. The result contains aggregated usage data and subscription- and resource-related information for a given time range. |
| Microsoft.Consumption | Fetch the usage details and Cost Management. | Lists the utilization summary for a billing period for a management group, and lists all operations supported by the Microsoft.Consumption resource provider. |
| Microsoft.CostManagement | Fetch the Cost Management information. | Register actions for the Microsoft.CostManagement scope of a subscription, etc. |
| Microsoft.Management | Fetch Management Groups in the tenant. | Checks whether the specified management group name is valid and unique, and lists all entities (management groups, subscriptions, etc.) visible to the authenticated user. |
| Microsoft.Support | Fetch core details and list all available operations. | Lists all operations available on the Microsoft.Support resource provider. Checks that a name is valid and not in use for a resource type, etc. |
| Microsoft.Automation | For all Azure Automation services. | Registers the subscription with Azure Automation, etc. |
| Microsoft.Compute | For Virtual Machines and Virtual Machine Scale Sets. | Registers the subscription with the Microsoft.Compute resource provider and lists the sizes available for creating or updating a virtual machine in an availability set. |
| Microsoft.Insights | Fetch Azure Monitor data and alerts. | Metric actions, registering the Microsoft.Insights provider, reading an activity log alert, etc. |
| Microsoft.Network | For Application Gateway, Azure Bastion, Azure DDoS Protection, Azure DNS, Azure ExpressRoute, Azure Firewall, Azure Front Door Service, Azure Private Link, Load Balancer, Network Watcher, Traffic Manager, Virtual Network, Virtual WAN, and VPN Gateway. | Registers the subscription. Checks the availability of a Traffic Manager relative DNS name, etc. |
| Microsoft.Devices | For IoT Hub and the IoT Hub Device Provisioning Service. | Registers the subscription for the IotHub resource provider and enables the creation of IotHub resources, etc. |
| Microsoft.Resources | For Azure Resource Manager; fetch all Azure Resource Manager resources. | Checks a resource name for validity and calculates the hash of a provided template. |
| Microsoft.HybridCompute | Fetch all Azure Arc related resources. | Registers the subscription for the Microsoft.HybridCompute resource provider, etc. |
| Microsoft.PolicyInsights | For Azure Policy and enabling actions. | Registers the Microsoft.PolicyInsights resource provider and enables actions on it, etc. |
| Microsoft.Security | For Security Center and threats. | Registers the subscription for Azure Security Center and gets Adaptive Network Hardening recommendations for a protected Azure resource. |
| Microsoft.Sql | For Azure SQL Database, SQL Managed Instance, and Synapse Analytics. | Verifies whether a given server name is available for provisioning worldwide for a given subscription, registers the subscription for the Microsoft SQL Database resource provider, and enables the creation of Microsoft SQL databases. |
| Microsoft.SqlVirtualMachine | Fetch SQL Server on Azure Virtual Machine resources. | Registers the subscription with the Microsoft.SqlVirtualMachine resource provider and registers the SQL VM candidate. |
| Microsoft.Storage | Fetch Azure Storage accounts, blob containers, etc. | Registers the subscription for the storage resource provider and enables the creation of storage accounts. Checks that an account name is valid and not in use. |
| Microsoft.Web | Fetch Azure App Service, Functions, and web apps. | Registers or unregisters the Microsoft.Web resource provider for the subscription and runs validation actions. |
| Microsoft.RecoveryServices | Fetch Azure Site Recovery. | Registers and unregisters the subscription for a given resource provider. |
| Microsoft.CognitiveServices | Fetch Azure Cognitive Services. | Subscription registration action; registers the subscription for Cognitive Services. |
| Microsoft.ContainerRegistry | Fetch Azure Container Registry. | Registers the subscription for the container registry resource provider and enables the creation of container registries. |
| Microsoft.ContainerInstance | Fetch Azure Container Instances. | Registers the subscription for the container instance resource provider and enables the creation of container groups. |
| Microsoft.ContainerService | Fetch Azure Kubernetes Service (AKS). | Registers the subscription with the Microsoft.ContainerService resource provider. |
| Microsoft.Databricks | Fetch Azure Databricks. | Registers for Databricks and retrieves a list of Azure Databricks access connectors. |
| Microsoft.DataFactory | Fetch Azure Data Factory. | Registers the subscription for the Data Factory resource provider and checks whether a Data Factory name is available. |
| Microsoft.DBforPostgreSQL | Fetch Azure Database for PostgreSQL. | Performs a migration assessment with the specified parameters and determines whether the user is allowed to approve a private endpoint connection. |
| Microsoft.DBforMySQL | Fetch Azure Database for MySQL. | Determines whether the user is allowed to approve a private endpoint connection and verifies whether a given server name is available for provisioning worldwide for a given subscription. |
| Microsoft.DBforMariaDB | Fetch Azure Database for MariaDB. | Registers the MariaDB resource provider and determines whether the user is allowed to approve a private endpoint connection. |
| Microsoft.KeyVault | Fetch Azure Key Vault. | Registers the subscription and checks that a key vault name is valid and not in use. |
| Microsoft.Kubernetes | Fetch Azure Arc-enabled Kubernetes. | Registers and unregisters the subscription with the Microsoft.Kubernetes resource provider. |
| Microsoft.ServiceBus | Fetch Azure Service Bus. | Registers the subscription for the ServiceBus resource provider and enables the creation of ServiceBus resources. Checks namespace availability under a given subscription. |
| Microsoft.Synapse | Fetch Azure Synapse Analytics. | Registers the Azure Synapse Analytics (workspaces) resource provider and enables the creation of workspaces. Checks resource name availability. |