Azure Required Permissions

Table of Contents

Onboard Azure Cloud Account in Strata Cloud Manager

Azure Required Permissions

Review what Azure permissions are required when onboarding your account to Prisma AIRS.

Where Can I Use This?	What Do I Need?
Prisma AIRS Network Intercept Azure

Prisma AIRS requires the permissions listed below to ensure that you can use the following functions in your onboarded cloud account

Discovery—this option is pre-selected and cannot be disabled. This allows Prisma AIRS to identify and monitor assets in your AWS environment.
Fully orchestrated security VPC—provides the necessary permissions for Prisma AIRS to read and write in your security VPC account.
Fully automated traffic redirection application VPCs—provides the necessary permissions for Prisma AIRS to read and write in your application VPC account.
IP-Tag Harvesting—grants the necessary permissions to collect IP address to tag information to enforce tag-based security policy that adapts to IP address changes in your Azure environment.

Discovery

Discovery on Azure uses three predefined roles and one additional permission.

Roles: "Azure Kubernetes Service Cluster User Role", "Storage Blob Data Reader", "Reader"

Permissions:

"Microsoft.Network/networkInterfaces/effectiveRouteTable/action"

Security VNet Deployment

"Microsoft.AlertsManagement/smartDetectorAlertRules/read",
  "Microsoft.Authorization/roleAssignments/read",
  "Microsoft.Authorization/roleDefinitions/read",
  "Microsoft.Compute/disks/delete",
  "Microsoft.Compute/disks/read",
  "Microsoft.Compute/virtualMachineScaleSets/delete",
  "Microsoft.Compute/virtualMachineScaleSets/read",
  "Microsoft.Compute/virtualMachineScaleSets/rollingUpgrades/read",
  "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read",
  "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
  "Microsoft.Compute/virtualMachineScaleSets/write",
  "Microsoft.Compute/virtualMachines/delete",
  "Microsoft.Compute/virtualMachines/read",
  "Microsoft.Compute/virtualMachines/write",
  "Microsoft.Insights/autoScaleSettings/delete",
  "Microsoft.Insights/autoScaleSettings/read",
  "Microsoft.Insights/autoScaleSettings/write",
  "Microsoft.Insights/components/currentbillingfeatures/read",
  "Microsoft.Insights/components/delete",
  "Microsoft.Insights/components/read",
  "Microsoft.Network/loadBalancers/backendAddressPools/delete",
  "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
  "Microsoft.Network/loadBalancers/backendAddressPools/read",
  "Microsoft.Network/loadBalancers/delete",
  "Microsoft.Network/loadBalancers/read",
  "Microsoft.Network/loadBalancers/write",
  "Microsoft.Network/networkInterfaces/delete",
  "Microsoft.Network/networkInterfaces/join/action",
  "Microsoft.Network/networkInterfaces/read",
  "Microsoft.Network/networkSecurityGroups/delete",
  "Microsoft.Network/networkSecurityGroups/join/action",
  "Microsoft.Network/networkSecurityGroups/read",
  "Microsoft.Network/networkSecurityGroups/securityRules/delete",
  "Microsoft.Network/networkSecurityGroups/securityRules/read",
  "Microsoft.Network/publicIPAddresses/delete",
  "Microsoft.Network/publicIPAddresses/join/action",
  "Microsoft.Network/publicIPAddresses/read",
  "Microsoft.Network/routeTables/delete",
  "Microsoft.Network/routeTables/join/action",
  "Microsoft.Network/routeTables/read",
  "Microsoft.Network/routeTables/routes/delete",
  "Microsoft.Network/routeTables/routes/read",
  "Microsoft.Network/routeTables/routes/write",
  "Microsoft.Network/routeTables/write",
  "Microsoft.Network/virtualNetworks/delete",
  "Microsoft.Network/virtualNetworks/peer/action",
  "Microsoft.Network/virtualNetworks/read",
  "Microsoft.Network/virtualNetworks/subnets/delete",
  "Microsoft.Network/virtualNetworks/subnets/join/action",
  "Microsoft.Network/virtualNetworks/subnets/read",
  "Microsoft.Network/virtualNetworks/subnets/write",
  "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
  "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
  "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
  "Microsoft.Network/virtualNetworks/write",
  "Microsoft.OperationalInsights/workspaces/delete",
  "Microsoft.OperationalInsights/workspaces/read",
  "Microsoft.Resources/deployments/read",
  "Microsoft.Resources/deployments/write",
  "Microsoft.Resources/subscriptions/resourcegroups/delete",
  "Microsoft.Resources/subscriptions/resourcegroups/read"

Traffic Redirection

 "Microsoft.Authorization/roleAssignments/read",
  "Microsoft.Authorization/roleDefinitions/read",
  "Microsoft.Network/networkSecurityGroups/read",
  "Microsoft.Network/publicIPAddresses/read",
  "Microsoft.Network/routeTables/delete",
  "Microsoft.Network/routeTables/join/action",
  "Microsoft.Network/routeTables/routes/read",
  "Microsoft.Network/routeTables/routes/write",
  "Microsoft.Network/routeTables/write",
  "Microsoft.Network/virtualNetworks/read",
  "Microsoft.Network/virtualNetworks/subnets/join/action",
  "Microsoft.Resources/subscriptions/resourceGroups/read"

Onboard Azure Cloud Account in Strata Cloud Manager

Onboard Cloud Account in AWS

Prisma AIRS

Azure Required Permissions

Prisma AIRS

Azure Required Permissions

Discovery

Security VNet Deployment

Traffic Redirection

Activation & Onboarding

Next-Generation Firewalls

Network Security