Azure Required Permissions

Review what Azure permissions are required when onboarding your account to Prisma AIRS.
Where Can I Use This?
  • Prisma AIRS Network Intercept
What Do I Need?
  • Azure
Prisma AIRS requires the permissions listed below to ensure that you can use the following functions in your onboarded cloud account:
  • Discovery—this option is pre-selected and cannot be disabled. This allows Prisma AIRS to identify and monitor assets in your AWS environment.
  • Fully orchestrated security VPC—provides the necessary permissions for Prisma AIRS to read and write in your security VPC account.
  • Fully automated traffic redirection application VPCs—provides the necessary permissions for Prisma AIRS to read and write in your application VPC account.
  • IP-Tag Harvesting—grants the necessary permissions to collect IP-address-to-tag mappings, which are used to enforce tag-based security policy that adapts to IP address changes in your Azure environment.

Discovery

Discovery on Azure uses three predefined roles and one additional permission.
Roles:
  • Azure Kubernetes Service Cluster User Role
  • Storage Blob Data Reader
  • Reader
Permissions:
  • Microsoft.Network/networkInterfaces/effectiveRouteTable/action

Security VNet Deployment

  • Microsoft.AlertsManagement/smartDetectorAlertRules/read
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleDefinitions/read
  • Microsoft.Compute/disks/delete
  • Microsoft.Compute/disks/read
  • Microsoft.Compute/virtualMachineScaleSets/delete
  • Microsoft.Compute/virtualMachineScaleSets/read
  • Microsoft.Compute/virtualMachineScaleSets/rollingUpgrades/read
  • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read
  • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
  • Microsoft.Compute/virtualMachineScaleSets/write
  • Microsoft.Compute/virtualMachines/delete
  • Microsoft.Compute/virtualMachines/read
  • Microsoft.Compute/virtualMachines/write
  • Microsoft.Insights/autoScaleSettings/delete
  • Microsoft.Insights/autoScaleSettings/read
  • Microsoft.Insights/autoScaleSettings/write
  • Microsoft.Insights/components/currentbillingfeatures/read
  • Microsoft.Insights/components/delete
  • Microsoft.Insights/components/read
  • Microsoft.Network/loadBalancers/backendAddressPools/delete
  • Microsoft.Network/loadBalancers/backendAddressPools/join/action
  • Microsoft.Network/loadBalancers/backendAddressPools/read
  • Microsoft.Network/loadBalancers/delete
  • Microsoft.Network/loadBalancers/read
  • Microsoft.Network/loadBalancers/write
  • Microsoft.Network/networkInterfaces/delete
  • Microsoft.Network/networkInterfaces/join/action
  • Microsoft.Network/networkInterfaces/read
  • Microsoft.Network/networkSecurityGroups/delete
  • Microsoft.Network/networkSecurityGroups/join/action
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/networkSecurityGroups/securityRules/delete
  • Microsoft.Network/networkSecurityGroups/securityRules/read
  • Microsoft.Network/publicIPAddresses/delete
  • Microsoft.Network/publicIPAddresses/join/action
  • Microsoft.Network/publicIPAddresses/read
  • Microsoft.Network/routeTables/delete
  • Microsoft.Network/routeTables/join/action
  • Microsoft.Network/routeTables/read
  • Microsoft.Network/routeTables/routes/delete
  • Microsoft.Network/routeTables/routes/read
  • Microsoft.Network/routeTables/routes/write
  • Microsoft.Network/routeTables/write
  • Microsoft.Network/virtualNetworks/delete
  • Microsoft.Network/virtualNetworks/peer/action
  • Microsoft.Network/virtualNetworks/read
  • Microsoft.Network/virtualNetworks/subnets/delete
  • Microsoft.Network/virtualNetworks/subnets/join/action
  • Microsoft.Network/virtualNetworks/subnets/read
  • Microsoft.Network/virtualNetworks/subnets/write
  • Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete
  • Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read
  • Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write
  • Microsoft.Network/virtualNetworks/write
  • Microsoft.OperationalInsights/workspaces/delete
  • Microsoft.OperationalInsights/workspaces/read
  • Microsoft.Resources/deployments/read
  • Microsoft.Resources/deployments/write
  • Microsoft.Resources/subscriptions/resourcegroups/delete
  • Microsoft.Resources/subscriptions/resourcegroups/read

Traffic Redirection

  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleDefinitions/read
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/publicIPAddresses/read
  • Microsoft.Network/routeTables/delete
  • Microsoft.Network/routeTables/join/action
  • Microsoft.Network/routeTables/routes/read
  • Microsoft.Network/routeTables/routes/write
  • Microsoft.Network/routeTables/write
  • Microsoft.Network/virtualNetworks/read
  • Microsoft.Network/virtualNetworks/subnets/join/action
  • Microsoft.Resources/subscriptions/resourceGroups/read
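A practical check before onboarding is whether the role you intend to assign covers the Traffic Redirection list without granting far more, and to produce a custom role that contains exactly these actions. The following is an added example, not Palo Alto Networks code: BROAD_ROLE is a constructed candidate role, and is_granted applies Azure's documented rule that an action is allowed when an Actions pattern matches it and no NotActions pattern does.

```python
# Added example, not Palo Alto Networks code: checks a candidate Azure role
# against the Traffic Redirection list offline and builds a least-privilege
# custom role that grants exactly those actions.
import fnmatch

# Traffic Redirection permissions, copied from the list above.
TRAFFIC_REDIRECTION = [
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleDefinitions/read",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/publicIPAddresses/read",
    "Microsoft.Network/routeTables/delete",
    "Microsoft.Network/routeTables/join/action",
    "Microsoft.Network/routeTables/routes/read",
    "Microsoft.Network/routeTables/routes/write",
    "Microsoft.Network/routeTables/write",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
]

def action_matches(pattern, action):
    # Azure action strings are case-insensitive and '*' spans '/', as fnmatch's does.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def is_granted(role, action):
    # Granted when an Actions pattern matches and no NotActions pattern does.
    allowed = any(action_matches(p, action) for p in role.get("Actions", []))
    denied = any(action_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied

def missing_actions(role, required):
    """Required actions the candidate role fails to grant."""
    return [a for a in required if not is_granted(role, a)]

def excess_patterns(role, required):
    """Actions entries reaching beyond the required set: wildcards (they cover
    unlisted operations) and exact actions that are not on the required list."""
    wanted = {a.lower() for a in required}
    return [p for p in role.get("Actions", []) if "*" in p or p.lower() not in wanted]

def least_privilege_role(name, required, scope):
    """Custom role in the JSON shape accepted by `az role definition create`."""
    return {"Name": name, "IsCustom": True, "Description": "Prisma AIRS traffic redirection",
            "Actions": sorted(set(required)), "NotActions": [], "AssignableScopes": [scope]}

# Constructed candidate: a broad network-admin style role with one action carved out.
BROAD_ROLE = {"Actions": ["Microsoft.Network/*", "Microsoft.Authorization/*/read",
                          "Microsoft.Resources/subscriptions/resourceGroups/read"],
              "NotActions": ["Microsoft.Network/routeTables/delete"]}
```

Running missing_actions and excess_patterns against BROAD_ROLE shows the NotActions carve-out removes a required action while the two wildcards grant far beyond the list; least_privilege_role produces the definition to assign instead, with a placeholder scope such as "/subscriptions/<SUBSCRIPTION_ID>" replaced by the real one.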