Prisma AIRS
Azure Required Permissions
Review what Azure permissions are required when onboarding your account to Prisma AIRS.
Prisma AIRS requires the permissions listed below so that you can use the following functions in your onboarded cloud account:
- Discovery—this option is pre-selected and cannot be disabled. It allows Prisma AIRS to identify and monitor assets in your Azure environment.
- Fully orchestrated security VNet—grants Prisma AIRS read and write access in the account that hosts your security VNet.
- Fully automated traffic redirection for application VNets—grants Prisma AIRS read and write access in the accounts that host your application VNets.
- IP-Tag Harvesting—grants the permissions needed to collect IP address-to-tag mappings, so that tag-based security policy keeps enforcing correctly as IP addresses change in your Azure environment.
Discovery
Discovery on Azure uses three predefined roles and one additional permission.
Roles:
- Azure Kubernetes Service Cluster User Role
- Storage Blob Data Reader
- Reader
Permissions:
- Microsoft.Network/networkInterfaces/effectiveRouteTable/action
Security VNet Deployment
- Microsoft.AlertsManagement/smartDetectorAlertRules/read
- Microsoft.Authorization/roleAssignments/read
- Microsoft.Authorization/roleDefinitions/read
- Microsoft.Compute/disks/delete
- Microsoft.Compute/disks/read
- Microsoft.Compute/virtualMachineScaleSets/delete
- Microsoft.Compute/virtualMachineScaleSets/read
- Microsoft.Compute/virtualMachineScaleSets/rollingUpgrades/read
- Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read
- Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
- Microsoft.Compute/virtualMachineScaleSets/write
- Microsoft.Compute/virtualMachines/delete
- Microsoft.Compute/virtualMachines/read
- Microsoft.Compute/virtualMachines/write
- Microsoft.Insights/autoScaleSettings/delete
- Microsoft.Insights/autoScaleSettings/read
- Microsoft.Insights/autoScaleSettings/write
- Microsoft.Insights/components/currentbillingfeatures/read
- Microsoft.Insights/components/delete
- Microsoft.Insights/components/read
- Microsoft.Network/loadBalancers/backendAddressPools/delete
- Microsoft.Network/loadBalancers/backendAddressPools/join/action
- Microsoft.Network/loadBalancers/backendAddressPools/read
- Microsoft.Network/loadBalancers/delete
- Microsoft.Network/loadBalancers/read
- Microsoft.Network/loadBalancers/write
- Microsoft.Network/networkInterfaces/delete
- Microsoft.Network/networkInterfaces/join/action
- Microsoft.Network/networkInterfaces/read
- Microsoft.Network/networkSecurityGroups/delete
- Microsoft.Network/networkSecurityGroups/join/action
- Microsoft.Network/networkSecurityGroups/read
- Microsoft.Network/networkSecurityGroups/securityRules/delete
- Microsoft.Network/networkSecurityGroups/securityRules/read
- Microsoft.Network/publicIPAddresses/delete
- Microsoft.Network/publicIPAddresses/join/action
- Microsoft.Network/publicIPAddresses/read
- Microsoft.Network/routeTables/delete
- Microsoft.Network/routeTables/join/action
- Microsoft.Network/routeTables/read
- Microsoft.Network/routeTables/routes/delete
- Microsoft.Network/routeTables/routes/read
- Microsoft.Network/routeTables/routes/write
- Microsoft.Network/routeTables/write
- Microsoft.Network/virtualNetworks/delete
- Microsoft.Network/virtualNetworks/peer/action
- Microsoft.Network/virtualNetworks/read
- Microsoft.Network/virtualNetworks/subnets/delete
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/read
- Microsoft.Network/virtualNetworks/subnets/write
- Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete
- Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read
- Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write
- Microsoft.Network/virtualNetworks/write
- Microsoft.OperationalInsights/workspaces/delete
- Microsoft.OperationalInsights/workspaces/read
- Microsoft.Resources/deployments/read
- Microsoft.Resources/deployments/write
- Microsoft.Resources/subscriptions/resourcegroups/delete
- Microsoft.Resources/subscriptions/resourcegroups/read
Traffic Redirection
- Microsoft.Authorization/roleAssignments/read
- Microsoft.Authorization/roleDefinitions/read
- Microsoft.Network/networkSecurityGroups/read
- Microsoft.Network/publicIPAddresses/read
- Microsoft.Network/routeTables/delete
- Microsoft.Network/routeTables/join/action
- Microsoft.Network/routeTables/routes/read
- Microsoft.Network/routeTables/routes/write
- Microsoft.Network/routeTables/write
- Microsoft.Network/virtualNetworks/read
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Resources/subscriptions/resourceGroups/read
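The action lists on this page are meant to end up in a custom role assigned to the identity Prisma AIRS uses in your subscription. The script below is an added example, not part of the Prisma AIRS documentation or product: it checks a candidate custom role definition against a required-action list using Azure RBAC's matching rules (comparison is case-insensitive, `*` in an entry spans `/` separators, and `NotActions` subtracts from `Actions`), reports which required actions are missing and what the role grants beyond the list, and emits a least-privilege role document in the shape that `az role definition create --role-definition @file.json` accepts. It uses the Traffic Redirection list to stay short; the same functions apply unchanged to the Security VNet Deployment list and the Discovery permission. The two role definitions and the subscription ID are constructed for illustration.

```python
"""Least-privilege check for an Azure custom role against a required-action list.

Added example; it is not part of the Prisma AIRS documentation or product.
The role definitions and the subscription ID below are constructed.
"""
import fnmatch
import json

# The Traffic Redirection actions listed on this page.
TRAFFIC_REDIRECTION_ACTIONS = [
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleDefinitions/read",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/publicIPAddresses/read",
    "Microsoft.Network/routeTables/delete",
    "Microsoft.Network/routeTables/join/action",
    "Microsoft.Network/routeTables/routes/read",
    "Microsoft.Network/routeTables/routes/write",
    "Microsoft.Network/routeTables/write",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
]


def action_matches(pattern, action):
    """Azure RBAC action matching: case-insensitive, and '*' matches any run of
    characters including '/' (so 'Microsoft.Network/*' covers
    'Microsoft.Network/routeTables/routes/write')."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_granted(role, action):
    """An action is effective when an Actions entry covers it and no NotActions
    entry excludes it. DataActions are not involved for these control-plane
    actions and are ignored here."""
    allowed = any(action_matches(p, action) for p in role.get("Actions", []))
    denied = any(action_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied


def check_role(role, required):
    """Compare a role definition with a required-action list.

    'missing' are required actions the role does not grant; 'wildcards' are
    entries that grant more than the list asks for; 'excess' are literal
    entries that are not required at all. The last two are the
    least-privilege findings."""
    required_lc = {a.lower() for a in required}
    actions = role.get("Actions", [])
    return {
        "missing": sorted(a for a in required if not is_granted(role, a)),
        "wildcards": sorted(p for p in actions if "*" in p),
        "excess": sorted(p for p in actions
                         if "*" not in p and p.lower() not in required_lc),
    }


def build_role_definition(name, actions, assignable_scope):
    """Emit a custom role document in the shape accepted by
    'az role definition create --role-definition @file.json'. The caller
    supplies the scope (a subscription or resource group resource ID)."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": f"Least-privilege role for {name}",
        "Actions": sorted(set(actions)),
        "NotActions": [],
        "AssignableScopes": [assignable_scope],
    }


# Constructed: exactly the required actions, one spelled with different casing.
TIGHT_ROLE = {
    "Actions": TRAFFIC_REDIRECTION_ACTIONS[:-1]
    + ["Microsoft.Resources/subscriptions/resourcegroups/read"],
    "NotActions": [],
}

# Constructed: a broad wildcard, an unrelated write, and a NotActions entry
# that silently removes a required action.
LOOSE_ROLE = {
    "Actions": [
        "Microsoft.Network/*",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "NotActions": ["Microsoft.Network/routeTables/delete"],
}

if __name__ == "__main__":
    for label, role in (("tight", TIGHT_ROLE), ("loose", LOOSE_ROLE)):
        print(label, json.dumps(check_role(role, TRAFFIC_REDIRECTION_ACTIONS), indent=2))
    # Hypothetical subscription ID, used only to show the scope format.
    scope = "/subscriptions/00000000-0000-0000-0000-000000000000"
    print(json.dumps(build_role_definition(
        "Prisma AIRS Traffic Redirection", TRAFFIC_REDIRECTION_ACTIONS, scope), indent=2))
```

Run the script directly to print the findings for both constructed roles and the generated role document. Because Azure compares action strings case-insensitively, the mixed spelling of `resourcegroups` and `resourceGroups` on this page is not a mismatch. A `Microsoft.Network/*` grant satisfies every Microsoft.Network entry in the list but is reported as a wildcard, since it also covers actions the page never asks for; a `NotActions` entry can remove a required action without any error at assignment time, which is why the check evaluates the effective grant rather than just the `Actions` array.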
